Privacy Policy

This notice explains how Ullor collects, uses, stores, and shares personal information when you use our website, mobile app, and related online services.

Effective October 6, 2025

1. Overview

Ullor ("Ullor", "we", "us" or "our") provides a platform that lets people list, discover, and reserve gear rentals through our web and mobile applications, application programming interfaces, messaging tools, and customer support channels (collectively, the "Services"). This Privacy Policy describes the personal information we collect about you, how we use and share that information, and the choices you have. By using the Services, you agree to the practices described here. If you do not agree, you should not use the Services.

We may update this policy to reflect changes in our practices or the law. When we make material changes, we will update the date above and, when appropriate, provide additional notice.

You must be at least 18 years old to create an Ullor account, list gear, or complete bookings. Parents or legal guardians may use their own accounts to reserve gear that a minor will use, and they remain responsible for the reservation and for any information they choose to share about the minor.

2. Information We Collect

Information you provide directly

  • Account and profile details: When you create an Ullor account or request early access we collect your name, email address, password (stored as an Argon2id hash), early access verification code, and any optional profile information you share, such as a display name, biography, avatar, or demographic details. If you sign in with Google, we receive your name, email address, and profile photo from Google.
  • Host and listing information: Hosts provide details about their gear and location, including phone number, street address, city, state, postal code, county, pickup and drop-off instructions, availability windows, pricing, and photos. Uploaded media is processed and stored in Amazon Web Services (AWS) Simple Storage Service (S3).
  • Transactions and activity: When you reserve gear or interact with other members, we record reservation dates and times, costs, plan selections, ratings and reviews, saved listings, conversations with other members, Stripe customer IDs, and Stripe Connect payout account IDs. If you reserve gear for a minor’s use, any details you choose to share about that minor (for example, their name for pickup coordination) are treated as part of the reservation record and remain your responsibility.
  • Communications: We store messages sent through Ullor chat (encrypted at rest), support requests, reservation issue reports, and feedback or net promoter score (NPS) responses you submit. We also log the fact that transactional emails (such as verification links, reservation updates, and message notifications) were sent via Mailgun.
  • Payment-related details: Ullor does not store your full payment card information. We create Stripe customers and payment intents on your behalf and retain Stripe-issued identifiers, your booking address, tax calculations, and the IP address supplied to Stripe Tax or Stripe Radar to help detect fraud and calculate taxes.

Information collected automatically

  • Device and usage information: When you access the Services, our servers and hosting provider automatically log your IP address, browser type, operating system, referring pages, and the pages and searches you perform. We use this information to operate, secure, and troubleshoot the Services. We currently do not load third-party advertising or behavioral analytics scripts.
  • Security signals: We track failed login attempts, session identifiers, and token expiration timestamps to prevent unauthorized access. For mobile sessions we issue time-limited bearer tokens.
  • Location interactions: When you use location features, address lookups are sent to Mapbox Geocoding APIs and Radar’s autocomplete service. We randomize listing coordinates shown on shared maps until a reservation is confirmed to help protect hosts’ precise addresses.
  • Cookies and local storage: We use strictly necessary cookies and similar technologies described in Section 5 to keep you signed in and protect sign-in flows.

Information from other sources

  • When you connect a Google account we receive the limited profile information noted above.
  • Hosts and renters may submit reviews and ratings about one another, which we associate with your profile.
  • We may receive confirmation from payment processors or service partners (such as Stripe) about completed transactions, compliance checks, or payout status updates.

3. How We Use Personal Information

  • Provide and improve the Services: To create and manage accounts, publish listings, display search results (including randomized map pins), facilitate reservations, and remember your selections.
  • Process payments and payouts: To create Stripe payment intents and Connect accounts, calculate taxes, detect fraud, and remit funds.
  • Communicate with you: To send verification links, reservation confirmations, payment updates, message notifications, policy changes, and service announcements by email or in-app notifications.
  • Provide support and resolve issues: To respond to messages you send to support@ullor.com, investigate reservation issues, and follow up on feedback.
  • Maintain safety and integrity: To monitor suspicious activity, enforce our Terms of Service, prevent spam, and protect Ullor members and partners.
  • Comply with legal obligations: To satisfy tax, accounting, and regulatory requirements, and to respond to lawful requests from authorities.

4. How We Share Personal Information

With other Ullor users

Information needed to complete a transaction is shared with the relevant counterparty. For example, hosts see the renter’s name and contact information when a reservation is confirmed, and renters receive host details and pickup instructions. Messages you send through Ullor chat are delivered to the intended recipient using encrypted storage and secure transport, but the message content is visible to the participants and to our real-time messaging provider for delivery.

With service providers

We rely on carefully selected vendors to operate the Services. These partners access personal information only to perform services for us and under appropriate contractual safeguards:

  • Cloud infrastructure and database providers: host our application, databases, logging, and scheduling services.
  • File storage providers: store listing, profile, and equipment images that you upload.
  • Payment, payout, and tax processors: process customer payments, manage host payouts, perform compliance checks, and calculate applicable taxes. Ullor does not store full payment card numbers.
  • Email delivery platforms: send verification emails, reservation updates, and message notifications.
  • Real-time communication services: enable encrypted member messaging and delivery of chat notifications.
  • Mapping and geolocation providers: power address autocomplete, geocoding, and map views using the location data you submit.

For legal and organizational reasons

  • To comply with applicable law, legal process, or governmental requests.
  • To protect the rights, property, or safety of Ullor, our users, or the public.
  • In connection with a merger, acquisition, financing, or sale of all or a portion of our business; if that happens we will provide notice and any required options.

We do not sell or rent your personal information to third parties for their own marketing purposes.

5. Cookies and Similar Technologies

We use a small number of required cookies and local storage values so the Services function properly:

  • auth_session: a secure, HttpOnly cookie that stores your session token so you stay signed in. Server-side sessions expire after roughly 30 days or sooner if you sign out.
  • google_oauth_state: a short-lived cookie that protects the Google sign-in flow (PKCE) and is deleted once the sign-in completes.
  • login_verifier: a temporary cookie used during early-access Google sign-ups to confirm you presented the invite code.

Because these cookies are essential, our Services may not function correctly without them. You can configure your browser to block cookies, but you may not be able to sign in or complete transactions. We currently do not set advertising or cross-site tracking cookies.

6. Data Retention

  • Account, profile, listing, reservation, and message data are retained for as long as your account is active and as necessary to provide the Services, resolve disputes, and comply with legal obligations.
  • Financial and tax records (including Stripe identifiers, invoices, and payout histories) are retained for the periods required by tax, payment network, and bookkeeping rules.
  • Security logs, session tokens, and mobile bearer tokens are retained for limited periods needed to monitor abuse and secure the Services, typically up to 30 days unless extended for security investigations.
  • If you request account deletion, we will deactivate your account, remove or anonymize personal profile data, and retain only the information we must keep to meet legal, regulatory, or contractual requirements.

7. Security

We employ administrative, technical, and physical safeguards designed to protect personal information, including TLS encryption in transit, Argon2id password hashing, encrypted message storage (AES-256-GCM), role-based internal access controls, rate limiting on authentication, and monitoring for unusual activity. No system is perfectly secure, so we encourage you to use a strong, unique password and keep your credentials confidential. If you believe your account has been compromised, contact us immediately at support@ullor.com.

8. Your Choices and Rights

  • You can view and update profile details, host settings, and listings directly in the Ullor app.
  • You may unsubscribe from non-essential emails by following the instructions in those messages. Transactional emails (such as reservation updates) will continue while your account is active.
  • To request access, correction, portability, or deletion of your personal information, email support@ullor.com. We may need to verify your identity before honoring a request.
  • Your privacy rights may vary based on where you live. We will respect the rights available to you under applicable law.

9. Minors

Ullor accounts are available only to individuals 18 years of age or older. We do not knowingly create accounts for, or collect personal information directly from, individuals under 18. Parents or legal guardians may make reservations through their own accounts for a minor’s use of the rented gear, but they are responsible for supervising the minor, providing only the information necessary to fulfill the reservation, and ensuring the minor’s conduct complies with our Terms of Service. If we learn that an underage person has created an account or provided personal information in violation of this policy, we will delete the information as soon as reasonably practicable. Parents or guardians who believe a minor has engaged directly with Ullor should contact us immediately.

10. Changes to This Policy

We may revise this policy from time to time. The “Effective” date at the top shows when it was last updated. We will post the updated policy on this page and, if the changes are significant, provide additional notice such as an email or in-product alert.

11. Contact Us

Questions or concerns about this Privacy Policy or our data practices can be sent to support@ullor.com. You can also reach us through the in-app support tools.