Polyrook Privacy Policy
Date of Last Revision — 27 May 2025
Welcome to Polyrook LLC (“Polyrook,” “we,” “us,” or “our”). We provide users (“you,” “User”) with AI-driven 3-D asset creation tools, APIs, and community features (collectively, the “Services”). This Privacy Policy (“Policy”) explains how we collect, use, share, store, and protect information in connection with the Services. By accessing or using the Services, you acknowledge you have read and understood this Policy. If any section conflicts with applicable law, that law controls where required.
1. Definitions
- “Personal Data”: Any information that identifies, relates to, describes, or can reasonably be linked to an individual (“data subject”), including “personal information” under the CCPA and “personal data” under the GDPR.
- “Processing”: Any operation performed on Personal Data (collection, storage, use, disclosure, erasure, etc.) whether automated or not.
- “Controller / Processor”: Roles ascribed by the GDPR. Polyrook is the Data Controller unless we act solely on a customer’s documented instructions (e.g., certain Enterprise API workloads), in which case Polyrook is the Processor.
- “Cookies”: Small text files or similar technologies stored on a device to remember preferences, authenticate sessions, or measure usage.
2. Scope of this Policy
- polyrook.com and sub-domains;
- our REST & GraphQL APIs and SDKs;
- official Polyrook desktop or mobile apps;
- plug-ins for Unreal, Unity, Blender, or similar;
- customer-support channels, surveys, and events.
3. Information We Collect
A. Information you provide
- Account & authentication data. Email address, username, password hashes, multi-factor tokens.
- Billing & payment data. Name, billing address, VAT/Tax ID, card last 4 digits (processed via a PCI-DSS-compliant provider; Polyrook never stores full card numbers).
- AI Input & content. Text prompts, images, 3-D meshes, textures, chat messages, comments, forum posts, support tickets.
- Surveys & marketing prefs. Voluntary responses, interests, event RSVPs, beta opt-ins.
- Third-party integrations. OAuth tokens (e.g., Google, GitHub), social-media handles, or platform IDs you choose to link.
B. Information we collect automatically
- Usage logs. IP address, device type, operating system, browser version, referring URL, pages viewed, API request metadata, crash reports.
- Cookie & analytics data. Session identifiers, authentication cookies, first-party analytics (Amplitude), and limited third-party analytics (e.g., Plausible, which is cookie-free by default).
- Approximate location. Derived from IP address (city-level granularity) to enforce export controls, rate-limit abuse, and localize content.
C. Information from third parties
- Payment processors. Transaction IDs, failure codes.
- Identity providers. Name, verified email, avatar URL when you log in with Google, GitHub, Apple, etc.
- Marketing partners. Campaign performance metrics, lead-generation data (subject to applicable law and your consent).
4. How We Use Personal Data
- Provide, operate, and maintain the Services.
- Create or administer your Account and authenticate you.
- Generate AI Output, store your 3-D assets, render previews, and serve downloads.
- Process payments, send invoices, and manage subscriptions.
- Improve and personalize the Services, develop new features, and conduct internal research (incl. model training unless you opt out in settings).
- Communicate with you about updates, security alerts, and relevant administrative or marketing messages (you may opt out of marketing).
- Detect, investigate, and prevent fraud, abuse, or security incidents.
- Comply with legal obligations, enforce our Terms, and defend Polyrook’s rights.
5. Legal Bases for EU/UK Users
If you reside in the European Economic Area (“EEA”), the United Kingdom, or Switzerland, our legal bases for processing depend on the context but are typically:
- Contractual necessity — to deliver the Services you request (Art. 6 (1)(b) GDPR).
- Legitimate interests — to improve, secure, and market our Services (Art. 6 (1)(f) GDPR). We balance these interests against your rights.
- Consent — for non-essential cookies, marketing emails, or model-training opt-ins (Art. 6 (1)(a) GDPR). You may withdraw consent at any time.
- Legal obligation — to meet tax, accounting, or sanctions-screening requirements (Art. 6 (1)(c) GDPR).
6. Disclosures & Recipients
- Cloud & infrastructure providers (AWS, GCP, Cloudflare) for hosting, storage, and CDN delivery.
- Payment processors (Stripe, PayPal) for billing.
- Analytics & error-monitoring vendors (Plausible, Sentry) under DPAs.
- Customer-support tools (Intercom, Zendesk) to resolve tickets.
- Advertising & marketing partners (Google Ads, LinkedIn) — only when you consent to cookies or click a campaign link.
- Corporate events — merger, acquisition, or asset sale (with contractual safeguards).
- Law-enforcement or regulators when legally required or to protect rights, safety, or property.
7. Cookies & Similar Technologies
We use (a) essential cookies for log-in and load-balancing, (b) analytical cookies to understand performance, and (c) advertising cookies only with your consent. You may manage preferences via the Cookie Settings banner or your browser. Polyrook does not respond to DNT signals because standards for them are lacking.
8. Data Security
Polyrook maintains a SOC 2 Type II audited program with:
- Encryption in transit (TLS 1.3) and at rest (AES-256).
- Least-privilege IAM, single-tenant VPCs, and network segmentation.
- Automated vulnerability scans, annual penetration tests, incident response plan, and 24/7 log monitoring.
- Employee security training and NDAs; background checks for privileged roles.
9. International Data Transfers
We operate globally. When transferring Personal Data outside the EEA/UK/Switzerland we rely on:
- European Commission Standard Contractual Clauses;
- UK International Data Transfer Addendum;
- Adequacy decisions or other lawful mechanisms recognised by regulators.
10. Data Retention
We keep Personal Data only for as long as necessary to fulfil the purposes described or as required by law (e.g., 7 years for tax records). AI Input & Output associated with a Free plan is retained for 18 months by default; Enterprise customers may configure custom retention or immediate deletion.
11. Your Privacy Rights
Depending on your jurisdiction, you may have the right to:
- Access and obtain a copy of Personal Data we hold about you;
- Correct inaccurate or incomplete Personal Data;
- Delete or anonymize Personal Data (subject to legal holds);
- Object to or restrict processing, especially for direct marketing;
- Port Personal Data to another service (machine-readable format);
- Withdraw consent at any time (does not affect prior processing);
- Lodge a complaint with a supervisory authority (e.g., ICO, CNIL, or your local DPA).
Submit requests by emailing privacy@polyrook.com. We will verify your identity and respond within 30 days (15 business days for PRC residents).
12. California Consumer Privacy Act (CCPA/CPRA)
Polyrook does not “sell” Personal Data as defined by the CPRA. We disclose identifiers and internet activity to analytics and advertising partners only with your opt-in. You may exercise California privacy rights (access, delete, correct, limit, opt-out) via the methods in Section 11. We honour GPC signals for opt-out of targeted advertising.
13. Children’s Privacy
The Services are not directed to children under 13 (or 16 in the EEA). We do not knowingly collect Personal Data from children. If you believe a child has provided us Personal Data, contact us; we will delete it as required by law.
14. Policy Updates
We may revise this Policy periodically. Material changes will be announced via in-app notice or email at least 15 days before they take effect. Continued use after the effective date constitutes acceptance.
15. How to Contact Us
Email: privacy@polyrook.com
Postal: Polyrook LLC, 548 Market St #92731, San Francisco, CA 94104, USA
© 2025 Polyrook LLC · All rights reserved