Legal

Privacy Policy

How we collect, process, and protect your data when you use the Polyvia AI multimodal intelligence platform.

Last updated: May 10, 2026

1. Introduction

Polyvia AI (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website and use our multimodal intelligence platform (the “Service”). It applies to all users and is designed to comply with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and the California Consumer Privacy Act (CCPA/CPRA).

2. Information We Collect

We collect the following categories of information:

Account & profile information

  • Name, email address, password, and company / organisation name.
  • Profile preferences and communication settings.

Content you upload or import

  • Documents, images, audio, and structured data you upload directly to the Service.
  • Files and metadata you choose to import from connected third-party sources (see Section 4).
  • Chat queries, prompts, annotations, and any other content you submit while using the Service.

Billing & payment information

  • Plan, billing address, tax identifiers, and invoice history. Card details are processed by our payment provider, Stripe — we never see or store your full card number (see Section 5).

Usage & technical information

  • Log data (IP address, browser type, device identifiers, timestamps), pages viewed, features used, and processing volumes against your plan quotas.
  • Cookies and similar technologies. On your first visit we ask for your consent: a strictly necessary cookie remembers that choice and keeps you signed in, while analytics(privacy-friendly, cookieless traffic measurement) load only if you opt in. You can accept, reject, or change your selection at any time via Cookie settings in the footer.

API access information

  • API keys, request metadata (endpoint, timestamp, status, response size), and the content of API requests and responses for the duration necessary to fulfil and audit them (see Section 6).

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the Service.
  • Process documents, audio, and other content through our retrieval and AI pipelines so we can return results to you.
  • Authenticate users and protect accounts from unauthorised access.
  • Process payments, prevent fraud, and manage subscriptions.
  • Send technical notices, security alerts, billing receipts, and customer support messages.
  • Monitor and analyse usage and performance trends to improve quality, reliability, and capacity planning.
  • Comply with legal obligations and enforce our terms.

We do not sell your personal data, and we do not use the content you upload, import, or send via the API to train foundation models without your explicit opt-in.

4. Third-Party Integrations & Imported Content

Polyvia AI lets you connect external sources so you can import documents and data directly into the platform. Currently supported integrations include:

  • Google Drive
  • Microsoft OneDrive
  • Dropbox
  • Notion
  • Amazon S3
  • Slack

When you connect one of these services we use OAuth (or, for S3, the credentials you provide) to access only the files, channels, pages, or objects you explicitly select for import, along with the metadata required to display and re-sync them (file name, size, MIME type, modified time, author, channel name, message timestamp, and similar fields).

We do not browse, scan, copy, or share content beyond what you select. Imported content is stored in your Polyvia workspace and processed under the same terms as content you upload directly. You can disconnect any integration at any time from the in-app settings; once disconnected, we revoke the OAuth tokens or credentials and stop syncing new content.

Google user data

We do not access, use, store, or share your Google user data for any purpose other than providing the document import and processing functionality you have explicitly requested.

Limited Use Disclosure

Polyvia AI’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

Microsoft, Dropbox, Notion, Slack, and Amazon S3

Use of data received from Microsoft Graph (OneDrive), Dropbox, Notion, Slack, and Amazon S3 is similarly limited to providing the import, retrieval, and chat features you have explicitly enabled. Each provider’s own terms and privacy policy continue to apply to your account with that provider.

5. Payments & Stripe

We use Stripe as our payment processor. When you subscribe to a paid plan, you submit your payment details directly to Stripe through their secure interface. Stripe acts as an independent controller for the payment information you provide and is PCI-DSS Level 1 certified.

We receive only a tokenised reference to your payment method, the last four digits of your card, the card brand, expiry month/year, billing country, and the status of each charge. We never see, store, or transmit your full card number or CVC. Refer to Stripe’s privacy policy for details on how they handle payment data.

6. API Access & Programmatic Use

Data on the platform may be accessed programmatically via the Polyvia API using API keys you generate from your workspace. Each API request is authenticated and authorised against the issuing workspace, and is rate-limited and metered against your plan.

  • Scope. API calls can only access data within the workspace that issued the key. Cross-workspace access is never permitted.
  • Logging. We log request metadata (endpoint, timestamp, IP, status code, latency) for security, abuse prevention, billing, and debugging. Request and response bodies may be retained for a short period to support diagnostics and audit.
  • Key rotation & revocation. You can rotate or revoke API keys at any time. Revoked keys stop working immediately.
  • No model training. Content sent through the API is not used to train foundation models without your explicit opt-in.

7. Subprocessors & Service Providers

We rely on a small set of vetted subprocessors to operate the Service, including cloud hosting and infrastructure providers, our payment processor (Stripe), email delivery, analytics, error reporting, and the large-language-model providers powering our AI features. Each subprocessor is bound by data-protection terms equivalent to or stricter than those in this policy. A current list is available on request to support@polyvia.ai.

8. Legal Basis for Processing (GDPR)

If you are in the European Economic Area (EEA) or the United Kingdom, our legal basis for processing your personal data depends on the data concerned and the context. We process data because:

  • It is necessary to perform our contract with you (delivering the Service).
  • You have given us consent (e.g., optional analytics or marketing).
  • It is in our legitimate interests to operate, secure, and improve the Service, provided your rights do not override those interests.
  • It is necessary to comply with our legal obligations.

9. Data Retention

We retain your account data for as long as your account is active and for a reasonable period afterwards to comply with legal, tax, and audit obligations, resolve disputes, and enforce our agreements. Content you upload, import, or generate is retained while your workspace exists; you can delete individual items or your entire workspace at any time. Backups are purged on a rolling schedule (typically within 30 days of deletion).

10. International Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. Where required, we rely on Standard Contractual Clauses, the EU–US Data Privacy Framework, or other approved transfer mechanisms to ensure your data is protected to a standard equivalent to that in your home jurisdiction.

11. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access the personal data we hold about you.
  • Rectify data that is inaccurate or incomplete.
  • Erase your data, subject to lawful retention requirements.
  • Restrict or object to certain processing activities.
  • Port your data in a structured, machine-readable format.
  • Withdraw consent at any time where processing relies on consent.
  • Lodge a complaint with your local data protection authority.

To exercise any of these rights, email support@polyvia.ai. We respond within the timeframes required by applicable law.

12. Data Security

We use industry-standard technical and organisational measures to protect your information, including TLS in transit, encryption at rest, least-privilege access controls, audit logging, and regular security reviews of our infrastructure and dependencies. No system is perfectly secure, but we aim to minimise risk and respond promptly to any incident.

13. Children’s Privacy

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us so we can delete it.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes to the Service, our practices, or applicable law. When we make material changes, we will notify you via the Service or email and update the “Last updated” date above.

15. Contact Us

If you have questions about this Privacy Policy or how we handle your data, contact us at support@polyvia.ai.