Privacy Policy

Last updated: 2026-05-19

What Ullr is

Ullr is a self-hosted personal dashboard. This instance is run by Tucker on infrastructure they control. Data the instance handles never leaves that server except in the specific cases listed under Third-party services below.

What data we collect

Ullr stores the following data, all inside this instance:

  • Account info you provide at sign-up: name, email, password (hashed with Argon2id — the plaintext is never stored).
  • Calendar data you authorize Ullr to read from Google Calendar, CalDAV servers, or ICS feeds: event titles, times, locations, descriptions, attendees, recurrence rules, and per-instance overrides.
  • Activity data if you connect Strava: workouts, distances, durations, GPS routes, heart-rate summaries.
  • Content you create: tasks, tags, board notes, training plans, meal logs (including photos), uploaded documents (including OCR text), chat history.
  • Location you enter during setup (label, latitude, longitude, timezone) — used to fetch weather and traffic.
  • Operational metadata: session cookies, notification history, cron job run times, error logs.

How we use that data

  • To render the dashboard and the features you signed up for.
  • To compose proactive notifications (morning briefing, weather-on-events, traffic, training adjustments). The composed text combines your calendar / weather / task signals into short messages.
  • To answer your Cmd-K questions over your own data (chat, query, quick-add intent classification).

Ullr does not run analytics, telemetry, or advertising. There is no usage tracking back to any external service.

Where the data lives

Everything is stored in a SQLite database file on this server — no cloud storage, no third-party database. Secrets (OAuth tokens, third-party API keys, encrypted backups of integration credentials) are encrypted at rest with AES-256-GCM before being written to disk, using a key the operator provides at boot (`ULLR_ENCRYPTION_KEY`). The key is not stored in the database.

Third-party services Ullr talks to

Some features make outbound network calls. In each case the call is initiated by you (by connecting the integration), the data sent is the minimum needed for the feature, and the third party is governed by their own privacy policy.

  • Google Calendar — calendar metadata + event reads/writes for calendars you connect via OAuth. Ullr's use of Google API data follows the Google API Services User Data Policy, including the Limited Use requirements. Google Calendar data is only used to provide the user-facing calendar features in this app; it is not transferred to or sold to anyone, not used for advertising, and not read by humans except where required for security or legal reasons.
  • CalDAV servers (iCloud, Fastmail, Nextcloud, etc.) — same data as Google, but pulled from the server you chose.
  • Strava — read-only activity sync if you connect your account.
  • Open-Meteo — receives your configured latitude/longitude to return a weather forecast. No account required; no identifier sent.
  • Google Distance Matrix API (only if you configure a traffic API key) — receives event location strings to estimate drive time. Sent over HTTPS to Google.
  • Anthropic or OpenAI (whichever you configure) — receives the prompts Ullr composes for notification text, chat, document/meal extraction, and quick-add parsing. The data passed varies by feature; for chat and quick-add it includes structured summaries of your calendar/tasks/etc. so the LLM can reason over them. Governed by your chosen provider's API terms.
  • ntfy (the public service at ntfy.sh or a server you self-host) — receives the notification title + body + click URL when push is configured. Bodies are short composed messages, not raw data dumps.

No data is sent to advertisers. No data is sold. Ullr does not share data between users on the same instance beyond what the household sharing features intentionally expose (family-shared board tasks).

Retention and deletion

  • Data persists until you delete it. There is no automatic expiration aside from session cookies (which expire on sign-out or after the configured lifetime).
  • Each feature has a delete action in the UI (delete a task, delete an event, delete an uploaded document, clear chat, etc.).
  • You can export the entire database via /settings/backup and import it elsewhere.
  • To wipe everything, stop the server and delete data/ullr.db. The operator can also remove your user account via /admin, which cascade-deletes your records.
  • To revoke Google's connection at the source, visit Google Account → Third-party apps with access.

Your rights

Because Ullr is self-hosted, you have direct access to the underlying database. You can request export, deletion, or correction at any time by contacting the operator below — and as an instance user you can do all three yourself through the UI.

Cookies

Ullr sets a single first-party HTTP-only session cookie after sign-in so the server can remember you. There are no third-party cookies, no tracking pixels, and no advertising identifiers.

Changes to this policy

If this policy changes, the "Last updated" date above is bumped. Material changes will also surface as a one-time notice on next sign-in.

Contact

Questions, requests, or concerns: crazyott07@gmail.com.