Legal
Privacy Policy
Last updated: 2026-05-02
Privacy Policy for the UltraWideo browser extension and dashboard.
1. Who We Are
UltraWideo is operated by Nenad Novaković ("we", "us"), a sole individual based in Serbia. For the purposes of the EU/UK General Data Protection Regulation (GDPR/UK-GDPR) and similar laws, we are the data controller for the personal data processed through our website, the dashboard, and the UltraWideo browser extension.
Contact: contact@uw.wtf.
2. The Short Version
- We collect the minimum we need to run the Service. No selling, no ad targeting, no creepy profiling.
- We use PostHog (EU-hosted) for product analytics and error monitoring. Anonymous visitors are tracked with a random identifier; we only build a personal profile once you sign in to the dashboard.
- The browser extension does not transmit your browsing history, page content, or what you watch to our servers.
- Pro Cloud Sync stores your per-site preferences in our EU database so they follow you across devices. That's it.
- Your account data is stored in the EU (AWS Frankfurt) and encrypted at rest.
- You can delete your account yourself from your account page at any time.
3. What We Collect and Why
a) Account information
Provided by your OAuth provider when you sign in:
- Name, email address, avatar URL, OAuth provider ID
- Account role (e.g. customer, admin)
- Sign-in timestamps
Legal basis: performance of contract (Art. 6(1)(b) GDPR) – to give you an account and let you sign in.
b) License and instance data
- License keys you own, plan, status, expiry
- Per-device "instance" records – a name you provide and a generated identifier – so we can enforce your plan's device limit and validate activations
- Activation, validation, and deactivation timestamps
Legal basis: performance of contract (Art. 6(1)(b) GDPR).
c) Billing data
When you purchase Pro, payment is processed by Lemon Squeezy, our merchant of record. We don't see, store, or have access to your card details. From Lemon Squeezy we receive only what's needed to issue and manage your license – typically your name, email, billing country, subscription status, and an external order/subscription ID.
Legal basis: performance of contract and our legitimate interest in fulfilling and supporting purchases (Art. 6(1)(b) and (f) GDPR).
d) Pro Cloud Sync data
If you're a Pro user, the extension automatically syncs your per-site preferences to your account so they're available on your other devices. Cloud Sync is part of Pro and is enabled for all Pro users. The synced data typically includes:
- Site patterns (e.g. host or URL path) you've configured rules for – these are public website addresses, not private content
- The settings you chose for each site (mode, zoom, position, hidden elements, and similar)
- Global preferences (theme, language, accent color, accepted consents)
- Sync timestamps
We use this data only to sync your settings between your own devices. We don't analyze it, share it, or use it to infer anything about you. It travels over TLS, is stored in our EU database with encryption at rest, and is wiped when you delete your account.
Legal basis: performance of contract (Art. 6(1)(b) GDPR) – Cloud Sync is a core part of the Pro plan you purchased.
e) Cookies
We set the smallest set of cookies we can:
| Cookie | Purpose | Type | Duration |
|---|---|---|---|
Session cookie (set by nuxt-auth-utils) | Keeps you signed in to the dashboard | Strictly necessary | Session / configured TTL |
uw_ref | Remembers a referral code so the right partner gets credit at checkout | Functional | 30 days |
ph_* (set by PostHog) | First-party analytics identifier so we can count unique visits and sessions | Analytics | Up to 1 year |
PostHog is loaded through a reverse proxy on our own domain (/relay-uw), so analytics requests stay first-party and aren't sent to a third-party domain from your browser. We do not use advertising or cross-site tracking cookies, and we don't share analytics data with anyone else. If we ever add advertising or other tracking that requires consent under your local law, we'll add a banner before turning it on.
f) Browser extension – local storage
The extension itself stores your preferences locally in IndexedDB in your browser. Free-tier preferences live only in your browser and are never sent to us. For Pro users, those preferences are also synced to your account as described in section 3(d).
g) What we don't collect
- We don't collect your browsing history, video viewing habits, or the content you watch.
- The extension does not send page content, video data, or URLs to us as part of normal operation. The only exception is Pro Cloud Sync, which syncs the public site patterns (host/path) you've explicitly configured rules for.
- We don't run advertising pixels, fingerprinting scripts, or cross-site trackers on the website.
4. How We Use Your Data
- Authenticate you and run your account
- Issue and validate Pro licenses, and enforce plan limits
- Sync your Pro preferences across your devices
- Send transactional email (sign-in alerts, license activation, account or billing changes – never marketing without opt-in)
- Improve the Service and diagnose errors via product analytics and exception data from PostHog (see sections 5 and 6)
- Comply with legal obligations and protect the Service against abuse
5. Where Your Data Lives
- Database: Neon PostgreSQL, hosted on AWS in Frankfurt, Germany (eu-central-1). Encrypted at rest by the provider; encrypted in transit via TLS.
- Email: Resend (EU/US infrastructure), used only for transactional email triggered by your account.
- Site delivery: Cloudflare and the underlying Nuxt/NuxtHub hosting.
- Analytics & error monitoring: PostHog Cloud EU (Frankfurt) – see section 6.
- Payments: Lemon Squeezy (merchant of record).
6. Third-Party Processors
We share data only with the providers that help us run the Service:
- GitHub / Google – OAuth sign-in. We receive your basic profile only.
- Lemon Squeezy – payments and merchant of record. See their privacy policy.
- Neon – managed PostgreSQL database hosting in EU.
- Cloudflare – DDoS protection and content delivery.
- Resend – transactional email delivery.
- PostHog – product analytics and error monitoring, hosted in the EU (Frankfurt) and accessed through a reverse proxy on our domain. We use it to count pageviews, understand which features get used, and capture uncaught exceptions so we can fix bugs. Anonymous visitors are tracked with a random identifier; profiles are only created for users who sign in to the dashboard. See PostHog's privacy policy.
Where a processor is located outside the EU/EEA, transfers are covered by appropriate safeguards (Standard Contractual Clauses, adequacy decisions, or equivalent).
7. Data Retention
- Account data – kept as long as your account is active.
- License and instance records – kept while the license is active and for a limited period afterward (typically up to 24 months) to support renewals, abuse prevention, and tax/accounting obligations.
- Cloud Sync data – kept while your Pro plan is active and removed when you delete your account.
- Billing records – kept for as long as required by tax law (typically up to 10 years) by Lemon Squeezy and, in summary form, by us.
- Backups – automatic database backups expire on a rolling schedule (typically 30 days).
When you delete your account, we delete or anonymize your personal data within 30 days, except where we're legally required to keep certain records longer.
8. Your Rights
If you're in the EU, EEA, UK, Switzerland, California, or another jurisdiction with similar laws, you have the right to:
- Access the data we hold about you
- Correct inaccurate or incomplete data
- Delete your data ("right to be forgotten")
- Restrict or object to certain processing
- Withdraw consent at any time, where processing is based on consent
- Lodge a complaint with your local data protection authority
Some of these you can do yourself: edit your profile through your OAuth provider, and delete your account from your account page (after cancelling any active subscription in the billing portal). For anything else – including data access requests or copies of your data – email contact@uw.wtf and we'll respond within 30 days.
We don't make automated decisions with legal or significant effects about you.
9. Children's Privacy
The Service is not directed at children under 13, and we don't knowingly collect personal data from them. If you believe a child has provided us personal data, please contact us and we'll delete it.
10. Security
We take reasonable technical and organizational measures to protect your data: TLS in transit, encryption at rest, OAuth-only authentication (we never see your passwords), HTTP-only session cookies, scoped database access, and ongoing dependency updates. No system is bulletproof, so if we ever detect a breach affecting your data, we'll notify you and the relevant authorities as required by law.
11. Changes to This Policy
We may update this policy from time to time. We'll update the "last revised" date at the top of this page. For material changes, we'll do our best to notify you in-app or by email.
12. Contact
Privacy questions, data requests, or anything you'd like clarified: contact@uw.wtf.