Legal

Privacy Policy: How We Protect Your Data

Learn how Ultralytics collects, uses, and protects your personal data. Our privacy policy ensures transparency and compliance with global data protection laws.

June 22, 2026

Link to this section1. About Ultralytics#

This Privacy Policy (“Policy”) explains how Ultralytics Inc. (“Ultralytics,” “us,” or “we”) collects, uses, stores, shares, processes, and protects personal information across our website, Ultralytics Platform, YOLO models, and related services. It also describes your rights and choices regarding your personal information, and how to contact us to learn more about our privacy practices.

Ultralytics operates in different capacities when processing personal data depending on the context of your interaction with us:
(i) Controller - Website Users: Ultralytics acts as a data controller when you visit our website, subscribe to our newsletter, respond to a sales inquiry, or otherwise interact with us directly. We use this data to provide and improve our services, manage our relationship with you, and for the other purposes described in this Policy.
(ii) Processor - Where our Customers use the Ultralytics Platform to upload, manage, annotate, and process datasets and computer vision models, Ultralytics acts as a data processor on behalf of those Customers. In this context, the Customer is the data controller, and Ultralytics processes personal data solely in accordance with the Customer’s documented instructions under the Ultralytics Data Processing Agreement (“DPA”), which is available at https://www.ultralytics.com/legal/ultralytics-data-processing-agreement and incorporated into the Ultralytics Terms of Service.

For clarity, where Customers use the Ultralytics Platform to upload, manage, annotate, or process datasets and models for their own purposes, Ultralytics acts as a processor in relation to that Customer content. Ultralytics may, however, act as an independent controller in relation to account administration, billing, security, service operations, and direct commercial interactions. If a Customer voluntarily makes content publicly available through the Community, Ultralytics may process such publicly available content for its own purposes as described in the Terms of Service and this Privacy Policy.
For the avoidance of doubt, where you download and independently deploy Ultralytics YOLO open-source models outside the Ultralytics Platform, Ultralytics does not process personal data on your behalf. You are solely responsible for determining the purposes and means of any personal data processing in connection with your own deployment of YOLO models, and for compliance with applicable data protection laws.

Link to this section2. Scope and Applicability#

This Policy applies to all current and prospective Ultralytics customers, including those using our open-source models and Ultralytics Platform, newsletter subscribers, sales questionnaire respondents, and anyone interacting with our products, services, and website. It also covers end-users, partners, and other individuals whose personal information we process in the course of providing our Services.
This Privacy Policy does not address our privacy practices relating to Ultralytics job applicants, employees and other employment-related individuals, nor data that is not subject to applicable data protection laws (such as deidentified or publicly available information). This Privacy Policy is also not a contract and does not create any legal rights or obligations not otherwise provided by law.

Link to this section3. Definitions#

Personal Data / Personal Information: Any information relating to an identified or identifiable individual, such as names, email addresses, phone numbers, IP addresses, and other identifiers.
Controller: The entity that determines the purposes and means of processing personal data.
Processor: The entity that processes personal data on behalf of the controller.
Services: Our website, Ultralytics Platform, YOLO models, and all related products and services.
You: The individual using our Services or whose personal data we process.

Link to this section4. Personal Information We Collect#

The categories below describe personal data that Ultralytics may process, either as a controller for its own purposes or as a processor on behalf of Customers. Personal data processed by Ultralytics as a data processor on behalf of Customers through the Ultralytics Platform is governed by the Ultralytics Data Processing Agreement (DPA).

We collect a limited scope of personal information from individuals using our Services, and in certain cases, with your explicit consent. We may obtain this information directly from you, through your use of our Services, or from third parties. The categories include:

Registration and Account Information: Name, email address, company role/title, credentials for account creation and access.
Customer Account and Relationship Data: Contact details, company information, billing details.
Customer Support and Communication Data: Email address, support request details.
Usage Data and Technical Data: Device identifiers, operating system, browser type, IP address, pages visited, interaction metrics.
Business Partner Information: Names, job titles, contact details of business partners.
Marketing Communications: Name, email address, preferences for updates and promotions.
Third-Party Information: Information from third-party services for marketing and operational purposes.
Newsletter and Event Data: Email address, IP address, registration time, and engagement metrics for newsletters and events.
Cookies and Tracking Data: Session and device identifiers, page visit timestamps or session duration.
Ultralytics Platform - Customer Content Data: Datasets, images, videos, annotations, model inputs/outputs uploaded by customers.
Ultralytics Platform - System Logs: Activity logs, access logs, system events related to customer use.

We may aggregate or anonymize data for statistical analysis, product development, and marketing strategies.

Link to this section5. How We Use Personal Information (Purposes and Legal Basis)#

The table below summarizes the main categories of personal data processed by Ultralytics, the purposes of such processing, Ultralytics’ role (controller or processor), and the applicable legal basis under data protection law:

Category of Data	Description of Data	Purpose of Processing	Ultralytics Role	Legal Basis	Additional Notes
Registration and Account Information	Name, email address, login credentials, account details	Account creation, authentication, account management	Controller	Contract	Applies to all users interacting directly with Ultralytics
Customer Account & Relationship Data	Contact details, company information, billing details	Customer relationship management, billing, administration	Controller	Contract / Legal obligation	Includes invoicing, compliance, record-keeping
Support and Communication Data	Emails, support requests, troubleshooting data	Providing support, resolving issues, improving service quality	Controller / Processor	Contract	Role depends on whether support relates to Ultralytics Platform data
Usage and Technical Data	IP address, device info, logs, usage metrics	Platform operation, security, performance monitoring, service improvement	Controller	Legitimate interest	Limited to internal analytics and service optimization
Business Partner Information	Contact details of partners and prospects	Managing partnerships, demos, commercial interactions	Controller	Legitimate interest	B2B context
Marketing Communications	Name, email, preferences, interaction history	Sending newsletters, updates, and marketing communications	Controller	Consent / Legitimate interest	Opt-out always available; consent required where applicable
Third Party Information	Information from third-party services	Marketing and operational purposes	Controller	Legitimate interest	Limited to internal analytics and marketing optimizations
Newsletter and Event Data	Email address, IP address, registration time, and engagement metrics	Newsletters and events	Controller	Consent	Limited to event attendees
Cookies and Tracking Data	Device identifiers, session data, browsing behavior	Website functionality, analytics, personalization, marketing	Controller	Consent / Legitimate interest	Subject to cookie consent requirements and CMP implementation
Public datasets and projects voluntarily made available through Community features	Datasets, images, videos, annotations, model inputs/outputs, and other content voluntarily made publicly available by users through the Community features of the Ultralytics Platform	Operation, development, evaluation, training, fine-tuning, and improvement of machine learning systems	Controller	Legitimate interest	This processing applies only to content voluntarily made public through Community features and does not apply to content stored or processed within Enterprise accounts
Ultralytics Platform - Customer Content Data	Datasets, images, videos, annotations, model inputs/outputs uploaded by customers	Providing Platform services (training, processing, annotation, model execution)	Processor	N/A (Customer determines legal basis)	Processing governed by the DPA; Ultralytics acts only on instructions
Ultralytics Platform - System Logs	Activity logs, access logs, system events related to customer use	Security, monitoring, fraud prevention, incident detection	Processor	N/A (Customer determines legal basis)	Limited to service provisioning and security purposes

We share your personal information only as necessary:

Ultralytics Group Affiliates: We share personal information with our group affiliates - Ultralytics Ltd (UK) and Ultralytics AI Spain, S.L. - where necessary to provide the Services and manage our business operations. Each affiliate processes personal data in accordance with this Policy.
Ultralytics group affiliates may act as independent controllers for certain processing activities (such as commercial interactions, marketing, and business relationship management). However, where such affiliates support the provision of the Ultralytics Platform, they act as intra-group subprocessors on behalf of Ultralytics Inc., in accordance with the Data Processing Agreement (DPA).
Service Providers and Subprocessors: We use trusted third parties for hosting, analytics, support, and communications. Where personal data is transferred outside the EEA or UK, we ensure appropriate safeguards are in place, including EU Standard Contractual Clauses and the UK Addendum where applicable. For transfers in the context of the Ultralytics Platform, please refer to the Data Processing Agreement (DPA). See our current list of subprocessors at: Ultralytics Subprocessors.
Business Transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of the transaction.
Legal Obligations: We may disclose information to comply with legal requirements or protect rights, property, or safety.
Aggregated/Anonymized Data: We may share anonymized data that cannot identify you.

Link to this section7. International Data Transfers#

When you access our website or use our Services, your personal data may be transferred to and processed in countries outside your jurisdiction, including the United States. This may involve either the direct provision of personal data to us or transfers by us or third parties acting on our behalf. Where such transfers occur we use the following safeguards:

Adequacy Decisions: Where applicable, we rely on adequacy decisions issued by the European Commission pursuant to Article 45 of the GDPR (or equivalent UK decisions) which confirm that certain third countries offer an adequate level of data protection.
Standard Contractual Clauses (SCCs): For transfers to jurisdictions that do not benefit from an adequacy decision, we rely on the European Commission's Standard Contractual Clauses (Commission Decision 2021/914), or their UK Addendum and Swiss equivalents, in data protection agreements with customers, affiliates, and subprocessors where applicable. For transfers from Switzerland, we apply the EU SCCs as modified for Swiss law, with the FDPIC as the competent supervisory authority. For transfers of personal data processed by Ultralytics as a data processor on behalf of business customers through the Ultralytics Platform, the applicable transfer mechanisms are set out in the Ultralytics Data Processing Agreement (DPA).

Link to this section8. Data Retention#

We retain personal information only as long as necessary for the purposes described in this Policy, or as required by law.
The criteria used to determine the period of time for which personal data about you will be retained varies depending on the legal basis under which we process your personal data:

Contract: Where we process personal data on the basis of a contract, we generally retain the information for the duration of the contract plus an additional limited period necessary to comply with applicable law or representing the statute of limitations for legal claims that could arise from the contractual relationship.
Legitimate Interest: Where we are processing personal data based on legitimate interests, we generally will retain the information for a reasonable period of time based on the particular interest, taking into account the fundamental interests and the rights and freedoms of data subjects.
Legal Obligation: Where we are processing personal data based on a legal obligation, we generally will retain the information for the period of time necessary to fulfill the legal obligation plus some additional limited period of time that represents the statute of limitations for legal claims that could arise from the legal obligation.
Consent: Where we are processing personal data based on your consent, we generally will retain the information for the period of time necessary to fulfill the purposes for which you have provided your consent.

Ultralytics Platform: Personal data processed by Ultralytics as a data processor on behalf of business customers through the Ultralytics Platform is retained and deleted in accordance with the Ultralytics Data Processing Agreement (DPA) and the relevant Customer's instructions.

Legal hold: In certain circumstances, we may need to apply a “legal hold” that retains information beyond our typical retention period where we face threat of legal claim. In that case, we will retain the information until the hold is removed, which typically means the claim or threat of claim has been resolved. In all cases, in addition to the purposes and legal bases identified above, we consider the amount, nature and sensitivity of personal data, as well as the potential risk of harm from unauthorized use or disclosure of personal data, in determining the relevant retention period.

Retention periods by product line: In addition to the legal bases above, the following periods apply to data collected across Ultralytics products. For the Ultralytics Platform (SaaS), technical logs, access logs, and system backups are retained for up to 12 months and then deleted or anonymized. For Ultralytics YOLO open-source packages, anonymized usage analytics and crash reports are collected by default and may be disabled at any time. See our Data Collection documentation for opt-out instructions.

Once retention is no longer reasonably necessary, we will either delete or anonymize the personal data or, if that is not possible (for example, because the personal data has been stored in backup archives), we will securely store it and isolate it from further active processing until deletion or anonymization is possible.

Link to this section9. Security Measures#

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, loss, misuse, alteration, or destruction, taking into account the nature, scope, context, and purposes of processing, and the risks to your rights and freedoms. These measures include, among others, encryption of data in transit and at rest, access controls and authentication requirements, vulnerability management and penetration testing, and incident response procedures.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you without undue delay in accordance with applicable data protection law. For business customers using the Ultralytics Platform, the Technical and Organizational Measures (TOMs) applicable to Ultralytics' processing as a data processor are described in detail in Exhibit C of the Ultralytics Data Processing Agreement.
For more details on our security practices, see our Trust Center.

Link to this section10. Cookies and Tracking Technologies#

We use cookies and similar technologies to collect information about your interactions with our websites and services. Types include:

Strictly Necessary Cookies (Always Active): Enable basic website functionality.
Marketing Cookies: Deliver advertising that is more relevant to you and your interests.
Personalization Cookies: These cookies allow our website to remember the choices you make (such as your username, language, or the region you are in).
Analytics Cookies: Help us understand how our website performs, how visitors interact with the site, and whether there may be technical issues.

You can manage your cookie preferences via our cookie banner, browser settings or website preferences which allow you to update the cookie preferences.

Link to this section11. Your Rights and Choices#

Where applicable, and in line with legal requirements, we aim to be transparent about how we use your personal information so you can make informed choices. You can set your preferences during data collection and update them at any time by reaching out to us.

Marketing Emails - if you’d prefer not to receive marketing emails from us, you can unsubscribe using the link included in those emails, or contact us directly at privacy@ultralytics.com.
Ultralytics Platform Account Information - to delete your account and associated personal data, use the self-service option within the account interface. If you are experiencing technical issues deleting your account and you wish to request deletion of associated personal data, please contact us at support@ultralytics.com.

Link to this section12. Supplemental Notice for EEA, UK, and Switzerland Residents#

This section provides additional information for individuals located in the European Economic Area (EEA), the United Kingdom (UK), and Switzerland, as required by applicable data protection law including the GDPR, UK GDPR, and Swiss FADP.
Legal Basis for Processing
We process your personal data only where we have a valid legal basis to do so. The legal bases we rely on, and the purposes for which we rely on each basis, are described in Section 5 (How We Use Personal Information) of this Policy.
Rights Regarding Ultralytics Platform Processing
Where personal data is processed by Ultralytics through the Ultralytics Platform on behalf of a business customer, Ultralytics acts solely as a data processor under the instructions of that customer, who is the data controller. The rights and obligations governing such processing, including data subject assistance, breach notification, and international transfer safeguards, are set out in the Ultralytics Data Processing Agreement, available at https://www.ultralytics.com/legal/ultralytics-data-processing-agreement.

Link to this sectionController Details and Privacy Contacts#

If you live in the European Economic Area (EEA) or Switzerland, Ultralytics AI Spain, S.L., with its registered office at Carrera de San Jerónimo, 15, Madrid 28014, Spain, is the controller responsible for the processing of your personal data.
If you live in the UK, Ultralytics Ltd, with its registered office at 78 York Street, London, England, W1H 1DP, is the controller responsible for the processing of your personal data.
You may contact our Data Protection Officer for the EEA, UK, and Switzerland at dpo@ultralytics.com.

Link to this sectionYour Rights Where Ultralytics Acts as Controller#

Subject to the conditions and limitations set out in applicable data protection law, you have the following rights in respect of your personal data processed by Ultralytics as a controller:

Access: You have the right to obtain confirmation of whether we process your personal data and, if so, to receive a copy of it (Article 15 GDPR).
Rectification: You have the right to request correction of inaccurate or incomplete personal data we hold about you (Article 16 GDPR).
Erasure: You have the right to request deletion of your personal data in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected (Article 17 GDPR).
Restriction: You have the right to request that we restrict processing of your personal data in certain circumstances, for example where you contest its accuracy (Article 18 GDPR).
Portability: Where processing is based on your consent or performance of a contract and carried out by automated means, you have the right to receive your personal data in a structured, commonly used, machine-readable format (Article 20 GDPR).
Objection: You have the right to object to processing based on legitimate interests at any time on grounds relating to your particular situation. You also have the right to object at any time to processing of your personal data for direct marketing purposes (Article 21 GDPR).
Withdrawal of Consent: Where processing is based on your consent, you have the right to withdraw consent at any time without affecting the lawfulness of processing carried out prior to withdrawal (Article 7(3) GDPR).

Link to this sectionAdditional Questions or Complaints#

If you have a concern about our processing of personal data, we would appreciate the opportunity to address it directly before a complaint is filed. Please contact us at privacy@ultralytics.com in the first instance. You also have the right to lodge a complaint with the data protection authority where you reside, where you work, or where an alleged infringement has occurred:

European Economic Area: https://edpb.europa.eu/about-edpb/board/members_en
United Kingdom: https://ico.org.uk/global/contact-us/
Switzerland: https://www.edoeb.admin.ch/en/contact-2

We would, however, appreciate the chance to handle your concerns directly prior to a complaint being filed, so please contact us directly at privacy@ultralytics.com if you have any concerns.

Link to this sectionPurposes and Legal Bases of Processing#

When we process your personal data, we will do so in reliance on the following lawful bases:

Contract: Where the processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract with you. This applies to any processing where you sign a contract with us, for example when you become our customer or deliver services to us as a vendor or contractor. This may also include processing necessary for the performance of our Terms of Use.
Legitimate Interest: Where the processing is necessary for the purposes of a legitimate interest that are not overridden by your interests or fundamental rights and freedoms (e.g., to provide, maintain, and improve our products and services, conduct data analytics, and communicate with you regarding our services).
Legal Obligation: Where the processing is necessary to comply with our legal obligations (e.g., to maintain a record of your personal data to comply with laws and regulations related to bookkeeping, accounting, taxation, and employment).
Consent: Where we have your consent for the processing (e.g., when you opt in to receive marketing communications from us). When consent is the legal basis for our processing of your personal data, you may withdraw your consent at any time.

You are not required to provide personal data to us, but we do rely on your personal data to provide certain of our products and services. For example, we need your personal data to facilitate and deliver an order that you request. If you choose not to provide us with your personal data, we may not be able to provide you with a service or product you request. We will inform you at the point that we collect personal data from you if the provision of certain personal data is mandatory or optional for receipt of our products and services.
If you have questions about the legal bases we rely on, feel free to reach out via the contact details listed in the “Contact Us” section or review the “Your Choices and Rights” section for more information.

Link to this sectionAutomated Decision-Making and Profiling#

We do not conduct automated processing of personal data, including profiling, for the purposes of making decisions about you. Where we conduct analytics or usage analysis, this involves human oversight and does not result in automated decisions that affect your rights or interests.

Link to this section13. Supplemental Notice for United States Residents#

We collect and disclose the following categories of personal information for business purposes:

Identifiers/contact information
Commercial information
Internet or network activity
Geolocation data
Inferences drawn
Account log-in credentials
Professional or employment-related information
Audio, electronic, visual, or similar information (where applicable, such as support call recordings)

You have the right to:

Know what personal information we collect and how we use it
Request access, correction, or deletion of your information
Opt-out of the sale or sharing of your personal information
Non-discriminatory treatment for exercising your rights

To exercise your rights, contact us at privacy@ultralytics.com.

Link to this section14. Children’s Privacy#

Our Services are not directed to, and we do not intend to, or knowingly, collect or solicit personal data from children. For the purposes of US law (COPPA), this means children under the age of 13. For the purposes of the GDPR and UK GDPR, this means individuals below the applicable age of digital consent in their jurisdiction (16 years in most EEA Member States; 13 years in the UK), unless verifiable parental or guardian consent has been obtained.
If an individual below the applicable age has provided personal data to us, we encourage their parent or guardian to contact us at privacy@ultralytics.com to request removal of that data from our systems. If we learn that we have collected personal data from a child below the applicable age without appropriate consent, we will delete it promptly.

Link to this section15. Third-Party Services and Links#

Our Services may include links to third-party services, applications, and websites with their own privacy policies. We are not responsible for the privacy practices of these entities and we encourage you to review their privacy policies before providing personal data to them.

Link to this section16. Changes to This Policy#

We may periodically update this Privacy Policy to reflect new services, features, or regulatory requirements. Significant changes will be communicated through our services or direct notification to users. The updated Policy will indicate the date it was last revised. Continued use of our Services following the effective date of an updated Policy constitutes acceptance of the revised terms to the extent permitted by applicable law.

Link to this section17. Contact Us#

If you have any questions or complaints about this Privacy Policy or our data handling practices, please contact us at privacy@ultralytics.com. You can contact our Data Protection Officer at dpo@ultralytics.com⁠ in matters related to personal data processing. You can also contact us at the following mail address:
Ultralytics Inc.
5001 Judicial Way
Frederick, MD 21703
United States