
Privacy Policy

Last updated: 12 May 2025 · Effective date: 12 May 2025

This Privacy Policy explains how PollyX ("we", "us", "our") collects, uses, stores and protects your personal data. It is written in compliance with the EU General Data Protection Regulation (GDPR) (Regulation 2016/679) and applicable national data protection laws.

1. Data Controller

The data controller responsible for your personal data is:

PollyX

If you have any questions about how we handle your personal data, or wish to exercise any of your rights under the GDPR, please contact us at the email above. We will respond within 30 days.

2. What Data We Collect and Why

2.1 Account Data

When you create an account we collect your email address and a hashed password (we never store your plaintext password). This data is necessary to provide you with access to the service.

  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Retention: for the lifetime of your account; deleted within 30 days of account closure

2.2 Payment Data

We use LemonSqueezy to process payments. LemonSqueezy acts as our merchant of record and handles the transaction on our behalf. We do not store your credit card numbers or full payment details — these are handled entirely by LemonSqueezy and its PCI-DSS compliant payment partners. We retain transaction records (amount, date, plan purchased) for legal and tax compliance purposes.

  • Legal basis: performance of a contract; legal obligation (Art. 6(1)(b) and (c) GDPR)
  • Retention: 7 years (EU tax record requirements)

2.3 Report Input Data

When you generate a report you provide information such as a company name, industry, location, website URL and competitor names. This data is used solely to generate the report you requested.

  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Retention: stored as part of your report; deleted with your account or on request

2.4 Generated Report Content

Reports are generated using DeepSeek (AI synthesis) together with Tavily (live web search), and are stored in your account so you can access them at any time. Your report inputs are sent to these providers to produce the report. Reports contain the AI-generated analysis and source references — no additional personal data beyond your inputs.

  • Legal basis: performance of a contract (Art. 6(1)(b) GDPR)
  • Retention: indefinitely while your account is active; deleted within 30 days of account closure or upon request

2.5 Usage and Technical Data

We collect basic server logs (IP address, browser type, pages visited, timestamps) to maintain the security and performance of the service. We do not use this data for advertising or profiling.

  • Legal basis: legitimate interests — ensuring system security and stability (Art. 6(1)(f) GDPR)
  • Retention: 90 days

3. Third-Party Processors

We use a small number of trusted third-party services to operate PollyX. Each acts as a data processor under a written Data Processing Agreement (DPA):

Processor | Purpose | Location
Supabase | Authentication and database (stores your account and reports) | EU (AWS Frankfurt)
Vercel | Website hosting and request processing | USA (SCCs apply)
LemonSqueezy | Payment processing (merchant of record) | USA (SCCs apply)
DeepSeek | AI report generation — receives your report inputs (e.g. company name, industry, focus) | China (see International Data Transfers below)
Tavily | Live web search during report generation — receives search queries containing the report subject | USA (SCCs apply)
Trigger.dev | Runs report-generation jobs — processes report inputs and your email | USA (SCCs apply)
Resend | Sends transactional emails — receives your email address and message content | USA (SCCs apply)
Google (YouTube Data API) | Fetches public YouTube video data for reports | USA (SCCs apply)
GDELT Project | Public news intelligence — no personal data transmitted | USA (public data only)

SCCs = Standard Contractual Clauses approved by the European Commission for international data transfers.

4. International Data Transfers

Some of our processors operate outside the European Economic Area (EEA). For processors in the United States, we rely on the EU Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914. Your account data and reports stored in Supabase reside within the EU (AWS eu-central-1, Frankfurt).

DeepSeek (China): report generation uses DeepSeek, whose processing takes place in China. When you generate a report, the inputs you provide (such as the company name, industry, location and analysis focus) are transmitted to DeepSeek to produce the report. China has not received an EU adequacy decision; we rely on appropriate safeguards and your initiation of the report as the basis for this transfer. Do not include personal or confidential information in your report inputs if you would prefer it not be processed outside the EEA.

5. Your Rights Under the GDPR

As a data subject under the GDPR you have the following rights. To exercise any of them, email us at contact@pollyx.org.

  • Right of access (Art. 15): You can request a copy of all personal data we hold about you.
  • Right to rectification (Art. 16): You can ask us to correct inaccurate or incomplete personal data.
  • Right to erasure (Art. 17): You can request that we delete your personal data ('right to be forgotten'), subject to legal retention requirements.
  • Right to restriction of processing (Art. 18): You can ask us to pause processing of your data in certain circumstances.
  • Right to data portability (Art. 20): You can request your data in a structured, machine-readable format (JSON).
  • Right to object (Art. 21): You can object to processing based on legitimate interests, including for direct marketing.
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting prior processing.
  • Right to lodge a complaint: You have the right to lodge a complaint with your national supervisory authority. In Spain: Agencia Española de Protección de Datos (www.aepd.es). In the EU: your local Data Protection Authority.

We will respond to all requests within 30 calendar days. In complex cases we may extend this by a further 60 days, in which case we will notify you.

6. Cookies

PollyX uses only strictly necessary cookies to maintain your authenticated session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under the EU ePrivacy Directive.

Cookie | Purpose | Expiry
sb-access-token | Supabase authentication session token | 1 hour
sb-refresh-token | Supabase session refresh token | 7 days

7. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. These include:

  • All data in transit is encrypted using TLS 1.2+
  • All data at rest is encrypted (AES-256) by Supabase/AWS
  • Passwords are stored as bcrypt hashes — never in plaintext
  • Access to production systems is restricted to authorised personnel
  • Payment data never touches our servers — handled entirely by LemonSqueezy

Authorised PollyX administrators may access account information — including your email address and the subjects of the reports you generate — strictly for the purposes of operating, supporting and securing the service. Administrators cannot view your password, which is stored only as a one-way bcrypt hash and is never accessible to anyone, including us.

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

8. Children's Privacy

PollyX is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@pollyx.org and we will delete it promptly.

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes we will notify you by email (to the address on your account) and update the "Last updated" date at the top of this page at least 14 days before the changes take effect. Continued use of PollyX after the effective date constitutes acceptance of the updated policy.

10. Contact Us

For any privacy-related questions, requests, or complaints:

Response time: within 30 calendar days