Privacy Policy

Last updated: 29 April 2026 · Effective immediately

1. Data Controller

Polymata ("we", "us", "our") is the data controller for personal data processed through the polymata.co platform. For all privacy enquiries, contact us at [email protected].

2. Data We Collect

We collect only the data necessary to provide the Service:

  • Account data: email address and password (stored as a secure one-way hash — we cannot recover your password).
  • Profile data: Kindle email address, if you choose to provide it for automatic book delivery.
  • Generation data: the prompts you submit, the books generated from them, generation status, word count, and operational metadata needed to provide the Service.
  • Transaction data: credit purchases, credit consumption events, and Stripe session identifiers (not card data — see Section 5).
  • Technical data: limited technical and security logs used to operate, troubleshoot, and protect the Service.

We do not collect your name, address, phone number, or any sensitive personal data (health, religion, political views, etc.).

3. How We Use Your Data

We use your data solely to:

  • Create and manage your account and authenticate your sessions
  • Process credit purchases and maintain your credit balance
  • Generate ebooks from your prompts and deliver them to you
  • Send your generated book to your Kindle address, if configured
  • Send transactional emails (welcome, book ready, payment confirmation)
  • Respond to support requests you initiate
  • Detect and prevent fraud, abuse, and technical errors

We do not use your data for advertising, behavioural profiling, or sale to third parties. We do not send marketing emails unless you have explicitly opted in.

5. Third-Party Processors

We share data with the following third-party processors, each bound by a Data Processing Agreement and GDPR-compliant safeguards:

  • Stripe (Stripe, Inc. / Stripe Payments Europe): payment processing. We never see or store your card number or bank details. Stripe receives your email address and purchase amount to generate a Checkout session. Stripe Privacy Policy →
  • OpenAI (OpenAI, LLC): AI language model provider. The inputs needed to generate your book are sent to OpenAI for processing. OpenAI does not use API data to train its models by default. OpenAI API Data Usage →
  • Hosting and email infrastructure provider: infrastructure used to operate the Service and deliver transactional emails. Standard server logs may be retained by this provider under its own policy.
  • Google (Alphabet Inc.): Google Fonts, loaded via CDN for typography. Google receives a request from your browser when loading fonts. Google Privacy Policy →

We do not use any advertising networks, social media trackers, or analytics services (no Google Analytics, no Meta Pixel, no Hotjar).

6. Cookies & Local Storage

We use the minimum possible:

  • Session cookie: a single, strictly necessary cookie that keeps you logged in during your browser session. It contains no personal data — only an opaque session identifier. It expires when you close your browser or log out.
  • Local storage: a single flag set when you dismiss the cookie consent banner, so it does not reappear. No data leaves your device.

We do not set any tracking cookies, advertising cookies, or third-party cookies. Google Fonts requests a browser-level cache that may set a cookie managed by Google under their own policy.

Because the only cookie we set is strictly necessary for the Service to function, we do not require consent to set it under ePrivacy Directive Article 5(3). We nonetheless display an informational banner on your first visit.

7. Your Prompts & AI Processing

The topic descriptions and learning goals you enter are sent to the OpenAI API to generate your book. By submitting a prompt, you consent to this processing. We recommend that you do not include any personal data, confidential information, or sensitive information in your prompts.

We do not read, review, or share your individual prompts except where required by law or where necessary to investigate abuse. Prompts are stored with your account and retained for the duration described in Section 8.

8. Data Retention

  • Account data: retained for the life of your account. Deleted within 30 days of a verified account deletion request.
  • Generated books and prompts: retained for the life of your account to allow re-download. Deleted with your account.
  • Server logs: rotated and deleted after 90 days.

You may request deletion of your account and all associated data at any time (see Section 10). Transaction records may be retained in anonymized or aggregated form after account deletion where required by law.

9. Security

We implement the following technical and organizational measures to protect your data:

  • Passwords are protected using irreversible one-way hashing and are never stored in plain text
  • Data is transmitted over encrypted connections
  • Requests that change account or service data include anti-abuse protections
  • Access to account data is limited to what is necessary to provide and support the Service
  • No advertising or behavioural tracking scripts are served from our domain

No security measure is infallible. In the event of a data breach affecting your personal data, we will notify you.

10. Your Rights

Under GDPR (if you are in the EEA) and applicable data protection law, you have the following rights:

  • Access (Art. 15): request a copy of the personal data we hold about you.
  • Rectification (Art. 16): request correction of inaccurate data.
  • Erasure (Art. 17): request deletion of your account and personal data ("right to be forgotten"), subject to legal retention obligations.
  • Restriction (Art. 18): request that we restrict processing of your data in certain circumstances.
  • Portability (Art. 20): receive your data in a structured, machine-readable format.
  • Objection (Art. 21): object to processing based on legitimate interests.

To exercise any of these rights, email [email protected] with "Privacy Request" in the subject line. We will respond within 30 days. We may ask you to verify your identity before fulfilling a request.

11. International Transfers

Some of our third-party processors (OpenAI, Stripe) are based in the United States. Where data is transferred outside the EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission as the transfer mechanism. You can request a copy of applicable SCCs by contacting us.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes by email. The "Last updated" date at the top of this page indicates when the Policy was last revised. Continued use of the Service after the effective date constitutes acceptance of the revised Policy.

13. Contact & Complaints

For any privacy question or to exercise your rights: [email protected].

Terms of Service → Try Polymata →