Privacy Policy

1. Data Controller

Polymata ("we", "us", "our") is the data controller for personal data processed through the polymata.co platform. We are an individual publisher based in France. For all privacy enquiries, contact us at [email protected].

2. Data We Collect

We collect only the data necessary to provide the Service:

• Account data: email address and password (stored as a one-way Argon2 hash — we cannot recover your password).
• Profile data: Kindle email address, if you choose to provide it for automatic book delivery.
• Generation data: the prompts you submit, the books generated from them, generation status, word count, and cost metadata.
• Transaction data: credit purchases, credit consumption events, and Stripe session identifiers (not card data — see Section 5).
• Technical data: server-side logs (request timestamps, error traces) retained for debugging. No IP addresses are stored beyond what your hosting provider retains in standard web server logs.

We do not collect your name, address, phone number, or any sensitive personal data (health, religion, political views, etc.).

3. How We Use Your Data

We use your data solely to:

• Create and manage your account and authenticate your sessions
• Process credit purchases and maintain your credit balance
• Generate ebooks from your prompts and deliver them to you
• Send your generated book to your Kindle address, if configured
• Send transactional emails (welcome, book ready, payment confirmation)
• Respond to support requests you initiate
• Detect and prevent fraud, abuse, and technical errors

We do not use your data for advertising, behavioural profiling, or sale to third parties. We do not send marketing emails unless you have explicitly opted in.

4. Legal Basis for Processing (GDPR)

If you are in the European Economic Area, we process your personal data on the following legal bases:

• Performance of a contract (Art. 6(1)(b) GDPR): account management, book generation, payment processing, and delivery — all necessary to provide the Service you requested.
• Legitimate interests (Art. 6(1)(f) GDPR): security logging, fraud prevention, and service improvement — balanced against your rights and not overriding them.
• Legal obligation (Art. 6(1)(c) GDPR): where applicable, e.g. retaining transaction records for tax purposes.

We do not rely on consent as a legal basis for any processing, except where the law specifically requires it (e.g. optional marketing emails).

5. Third-Party Processors

We share data with the following third-party processors, each bound by a Data Processing Agreement and GDPR-compliant safeguards:

• Stripe (Stripe, Inc. / Stripe Payments Europe): payment processing. We never see or store your card number or bank details. Stripe receives your email address and purchase amount to generate a Checkout session. Stripe Privacy Policy →
• OpenAI (OpenAI, LLC): AI language model provider. Your book generation prompts and system instructions are sent to OpenAI's API for processing. OpenAI does not use API data to train its models by default. OpenAI API Data Usage →
• IONOS: web hosting and email delivery infrastructure. Hosted in EU. Standard server logs (access, error) may be retained by IONOS per their own policy.
• Google (Alphabet Inc.): Google Fonts, loaded via CDN for typography. Google receives a request from your browser when loading fonts. Google Privacy Policy →

We do not use any advertising networks, social media trackers, or analytics services (no Google Analytics, no Meta Pixel, no Hotjar).

6. Cookies & Local Storage

We use the minimum possible:

• Session cookie: a single, strictly necessary cookie that keeps you logged in during your browser session. It contains no personal data — only an opaque session identifier. It expires when you close your browser or log out.
• Local storage: a single flag set when you dismiss the cookie consent banner, so it does not reappear. No data leaves your device.

We do not set any tracking cookies, advertising cookies, or third-party cookies. Google Fonts requests a browser-level cache that may set a cookie managed by Google under their own policy.

Because the only cookie we set is strictly necessary for the Service to function, we do not require consent to set it under ePrivacy Directive Article 5(3). We nonetheless display an informational banner on your first visit.

7. Your Prompts & AI Processing

The topic descriptions and learning goals you enter are sent to the OpenAI API to generate your book. By submitting a prompt, you consent to this processing. We recommend that you do not include any personal data, confidential information, or sensitive information in your prompts.

We do not read, review, or share your individual prompts except where required by law or where necessary to investigate abuse. Prompts are stored in our database associated with your account and retained for the duration described in Section 8.

8. Data Retention

• Account data: retained for the life of your account. Deleted within 30 days of a verified account deletion request.
• Generated books and prompts: retained for the life of your account to allow re-download. Deleted with your account.
• Server logs: rotated and deleted after 90 days.

You may request deletion of your account and all associated data at any time (see Section 10). Transaction records may be retained in anonymized or aggregated form after account deletion where required by law.

9. Security

We implement the following technical and organizational measures to protect your data:

• Passwords hashed - irreversible, never stored in plain text
• All data transmitted over HTTPS / TLS
• CSRF tokens on all state-changing requests
• Content Security Policy (CSP) headers on all pages
• No third-party tracking scripts served from our domain

No security measure is infallible. In the event of a data breach affecting your personal data, we will notify you.

10. Your Rights

Under GDPR (if you are in the EEA) and applicable data protection law, you have the following rights:

• Access (Art. 15): request a copy of the personal data we hold about you.
• Rectification (Art. 16): request correction of inaccurate data.
• Erasure (Art. 17): request deletion of your account and personal data ("right to be forgotten"), subject to legal retention obligations.
• Restriction (Art. 18): request that we restrict processing of your data in certain circumstances.
• Portability (Art. 20): receive your data in a structured, machine-readable format.
• Objection (Art. 21): object to processing based on legitimate interests.

To exercise any of these rights, email [email protected] with "Privacy Request" in the subject line. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

11. International Transfers

Some of our third-party processors (OpenAI, Stripe) are based in the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. You can request a copy of applicable SCCs by contacting us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The "Last updated" date at the top of this page indicates when the Policy was last revised. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

13. Contact & Complaints

For any privacy question or to exercise your rights: [email protected].