🚧 PollyX is still under construction — we're putting the finishing touches on it and will be fully live and accepting orders soon.
Suggested questions
Powered by AI · PollyX
Last updated: 12 May 2025 · Effective date: 12 May 2025
The data controller responsible for your personal data is:
If you have any questions about how we handle your personal data, or wish to exercise any of your rights under the GDPR, please contact us at the email above. We will respond within 30 days.
When you create an account we collect your email address and a hashed password (we never store your plaintext password). This data is necessary to provide you with access to the service.
We use LemonSqueezy to process payments. LemonSqueezy acts as our merchant of record and handles the transaction on our behalf. We do not store your credit card numbers or full payment details — these are handled entirely by LemonSqueezy and its PCI-DSS compliant payment partners. We retain transaction records (amount, date, plan purchased) for legal and tax compliance purposes.
When you generate a report you provide information such as a company name, industry, location, website URL and competitor names. This data is used solely to generate the report you requested.
Reports are generated using DeepSeek (AI synthesis) together with Tavily (live web search), and are stored in your account so you can access them at any time. Your report inputs are sent to these providers to produce the report. Reports contain the AI-generated analysis and source references — no additional personal data beyond your inputs.
We collect basic server logs (IP address, browser type, pages visited, timestamps) to maintain the security and performance of the service. We do not use this data for advertising or profiling.
We use a small number of trusted third-party services to operate PollyX. Each acts as a data processor under a written Data Processing Agreement (DPA):
| Processor | Purpose | Location |
|---|---|---|
| Supabase | Authentication and database (stores your account and reports) | EU (AWS Frankfurt) |
| Vercel | Website hosting and request processing | USA (SCCs apply) |
| LemonSqueezy | Payment processing (merchant of record) | USA (SCCs apply) |
| DeepSeek | AI report generation — receives your report inputs (e.g. company name, industry, focus) | China (see International Data Transfers below) |
| Tavily | Live web search during report generation — receives search queries containing the report subject | USA (SCCs apply) |
| Trigger.dev | Runs report-generation jobs — processes report inputs and your email | USA (SCCs apply) |
| Resend | Sends transactional emails — receives your email address and message content | USA (SCCs apply) |
| Google (YouTube Data API) | Fetches public YouTube video data for reports | USA (SCCs apply) |
| GDELT Project | Public news intelligence — no personal data transmitted | USA (public data only) |
SCCs = Standard Contractual Clauses approved by the European Commission for international data transfers.
Some of our processors operate outside the European Economic Area (EEA). For processors in the United States, we rely on the EU Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914. Your account data and reports stored in Supabase reside within the EU (AWS eu-central-1, Frankfurt).
DeepSeek (China): report generation uses DeepSeek, whose processing takes place in China. When you generate a report, the inputs you provide (such as the company name, industry, location and analysis focus) are transmitted to DeepSeek to produce the report. China has not received an EU adequacy decision; we rely on appropriate safeguards and your initiation of the report as the basis for this transfer. Do not include personal or confidential information in your report inputs if you would prefer it not be processed outside the EEA.
As a data subject under the GDPR you have the following rights. To exercise any of them, email us at contact@pollyx.org.
We will respond to all requests within 30 calendar days. In complex cases we may extend this by a further 60 days, in which case we will notify you.
PollyX uses only strictly necessary cookies to maintain your authenticated session. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie consent banner is required for strictly necessary cookies under the EU ePrivacy Directive.
| Cookie | Purpose | Expiry |
|---|---|---|
| sb-access-token | Supabase authentication session token | 1 hour |
| sb-refresh-token | Supabase session refresh token | 7 days |
We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, loss or disclosure. These include:
Authorised PollyX administrators may access account information — including your email address and the subjects of the reports you generate — strictly for the purposes of operating, supporting and securing the service. Administrators cannot view your password, which is stored only as a one-way bcrypt hash and is never accessible to anyone, including us.
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.
PollyX is not directed at children under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@pollyx.org and we will delete it promptly.
We may update this Privacy Policy from time to time. When we make material changes we will notify you by email (to the address on your account) and update the "Last updated" date at the top of this page at least 14 days before the changes take effect. Continued use of PollyX after the effective date constitutes acceptance of the updated policy.
For any privacy-related questions, requests, or complaints: