Polia AI Privacy Policy

Effective Date: 13 May 2025

Legal entity. Plot Twist LLC, a California limited-liability company, doing business as "Polia AI" (collectively, "Polia AI," "we," "our," or "us").
Headquarters & single privacy contact. 18375 Ventura Blvd., Ste 105, Tarzana, CA 91356 USA • [email protected]
EU Article 27 representative. European Data Protection Office (EDPO), Avenue Huart Hamoir 71, 1030 Brussels, Belgium.
UK Article 27 representative. EDPO UK, 8 Northumberland Avenue, London WC2N 5BY, United Kingdom

Table of Contents

1. Introduction & Scope
2. Definitions
3. Our Roles Under Global Privacy Laws
4. Age & Children's Privacy
5. Categories & Sources of Personal Information
6. Purposes & Legal Bases for Processing
7. Sensitive Information & HIPAA Prohibition
8. Data-Retention Schedule
9. Cookies, SDKs, Analytics & Advertising Technologies
10. Disclosures, "Sales," "Sharing" & Sub-Processors
11. International Transfers & Transfer-Impact Assessments
12. Security, Incident Response & SOC 2 Commitment
13. Business Continuity & Disaster Recovery
14. Automated Decision-Making & Profiling Transparency
15. Your Privacy Rights — Full-Account Termination Model
16. Do-Not-Track, Global Privacy Control & Cookie Links
17. U.S. State-Specific Disclosures
18. Governing Law, Arbitration & Class-Action Waiver
19. Changes to This Policy
20. Contact Information
21. Appendices
    • — Sub-Processor Registry
    • — Legitimate-Interest & Transfer-Impact Summaries

---

1. Introduction & Scope

Polia AI operates an artificial-intelligence-enabled business-automation software-as-a-service platform ("Services") accessed primarily via a Telegram conversational interface and any successor or additional channel. Users employ the Services to (i) generate written, visual, and audiovisual content; (ii) schedule and post directly to connected social-media accounts; (iii) draft, send, and manage email; (iv) capture and route leads; (v) manage calendars and bookings; (vi) initiate print-on-demand fulfilment; and (vii) orchestrate workflows via API, webhook, or low-code tools.

Binding effect. By accessing or using the Services or transmitting any data to Polia AI, you acknowledge that you have read and accepted this Privacy Policy. If you disagree with any provision, discontinue all use immediately.

2. Definitions

• Personal Information / Personal Data — information that identifies or relates to an individual or household.
• Processing — any operation on Personal Information, automated or otherwise.
• Regulatory terms ("Controller," "Processor," "Service Provider," "Sell," "Share," "Targeted Advertising," "Sensitive Personal Information") carry the meanings assigned by GDPR, UK GDPR, CCPA/CPRA, and comparable laws.
• Connected-Account Credentials — OAuth tokens, API keys, IMAP/SMTP passwords, calendar scopes, or similar artefacts granting Polia AI authority over external accounts.
• User Content — prompts, instructions, files, media, metadata, and AI outputs created or stored via the Services.

3. Our Roles Under Global Privacy Laws

Context	Polia AI Role	Data-Subject Relationship
Public websites, marketing, analytics	Controller	Visitors / prospects
Customer workspaces & automations	Processor / Service Provider	End-users / leads of the customer
Data forwarded to third-party platforms	Shared or independent controller(s)	Governed by third-party terms

Where Polia AI acts as Processor/Service-Provider, it processes data strictly on the customer's documented instructions under a data-processing agreement incorporating Standard Contractual Clauses as required.

4. Age & Children's Privacy

• Services are intended solely for individuals eighteen (18) years of age or older.
• A self-attested date-of-birth gate is collected and logged at onboarding.
• Data from individuals under 18 is deleted upon discovery.

5. Categories & Sources of Personal Information

Category	Illustrative Examples	Primary Sources
Identifiers	Legal name, alias, postal address, email, phone, IP, device ID, social handle	User forms; telemetry
Account Data	Username, hashed password, plan tier, billing history	User; payment processors
Connected-Account Credentials	OAuth tokens, API keys, refresh tokens	User authorisations
Content & Communications	Chat logs, social captions, emails, calendar invites	Telegram; external APIs
Commercial Data	POD SKUs, shipping addresses, order totals	Payments; POD vendors
Internet / Network Activity	Cookies, pixel tags, SDK events, click-stream	Automatic collection
Geolocation	City/Country via IP; precise GPS if granted	IP mapping; OS
Lead-Management Data	CRM IDs, form entries, lead score	Webhooks; CRMs
Biometric / Voiceprint	Voice embeddings for TTS/STS	Audio uploads; ElevenLabs
Inference Data	Behaviour segments, propensity scores	Internal ML models
Contact-Book Data	Contacts imported by Telegram	Telegram API

6. Purposes & Legal Bases for Processing

6.1 Purposes

1. Account creation, authentication, and credential management.
2. Provision, maintenance, and personalisation of the Services.
3. Execution of user-initiated automations.
4. Content generation and enhancement by AI.
5. Logging, auditing, troubleshooting, security.
6. Research, analytics, product development, and AI-model training (where consented).
7. Advertising and campaign measurement (opt-in in EEA/UK/Switzerland).
8. Fraud detection, spam mitigation, and protection of rights.
9. Legal compliance.
10. Corporate governance and transactions.
11. Any additional purpose expressly consented to by the User.

6.2 Legal Bases (EEA/UK/CH)

Basis	Example Processing	Effect if You Object / Withdraw
Consent	Marketing emails, non-essential cookies, model training	Account terminated (see §15)
Contract	Core automations	Service unusable
Legitimate Interest	Security logging, minimal analytics	Objection terminates account
Legal Obligation	Tax, subpoenas	Processing mandatory
Vital Interest	Emergency disclosures	N/A

7. Sensitive Information & HIPAA Prohibition

• Polia AI is not a HIPAA covered entity or business associate; submission of PHI is forbidden.
• Automated filters purge suspected PHI within 24 hours; incidents may be reported to [email protected] (subject "PHI").
• Biometric/voice data is processed only with explicit consent, retained ≤ 3 years, then destroyed.

8. Data-Retention Schedule (summary)

Data	Standard Retention	Deletion Trigger
Account & Billing	7 years after last transaction	Statutory limit
OAuth/API Tokens	90 days inactivity	Auto purge
User Content	24 months	Schedule or request
Security Logs	3 years	Rolling purge
Marketing Lists	Until opt-out or 24 months inactivity	Unsubscribe
Voice Embeddings	≤ 3 years	Secure erase
Legal Hold	While litigation/audit active	Counsel release

9. Cookies, SDKs, Analytics & Advertising

Polia AI and its vendors use cookies, local storage, SDKs, and pixels for session management, analytics, experimentation, single-sign-on, and advertising. EEA/UK/Swiss visitors must affirmatively opt in to non-essential cookies. Global opt-out tools (Google Analytics add-on, NAI/DAA portals, mobile OS ad-ID settings) are supported.

10. Disclosures; "Sales," "Sharing," and Sub-Processors

10.1 Recipients

Polia AI may disclose Personal Information to cloud hosts, AI-model vendors, email/SMS gateways, analytics providers, payment processors, advertising-technology partners, corporate affiliates, transaction counterparties, governmental entities, and any third party authorised by the User.

10.2 Sale/Share

Certain disclosures to advertising partners constitute a "sale" or "sharing" under CCPA/CPRA. A California opt-out request ("Do Not Sell/Share") immediately terminates the User's account under Section 15.

10.3 Sub-Processors

An illustrative list appears in Appendix B. Polia AI may add, replace, or remove sub-processors at any time, and the Privacy Policy may not be updated contemporaneously. Users may obtain the latest registry by emailing [email protected]. Continued use constitutes acceptance of any sub-processor changes.

11. International Transfers & Transfer-Impact Assessments

Data may be processed globally. Polia AI relies on Standard Contractual Clauses, the UK IDTA, and other valid mechanisms; encryption and contractual safeguards mitigate government-access risk. Appendix C summarises our transfer-impact analysis.

12. Security, Incident Response, SOC 2 Commitment

• Transport encryption: TLS 1.3; storage encryption: AES-256; least-privilege IAM, MFA, continuous vulnerability scanning, quarterly penetration tests.
• No exculpatory disclaimers. We commit to "commercially reasonable and industry-standard" safeguards.
• Incident response plan aligned with ISO 27035; 72-hour regulatory notice where required.
• SOC 2 Type II audit in progress (target completion Q1 2026).

13. Business Continuity & Disaster Recovery

ISO 22301-aligned continuity plan; redundant multi-AZ hosting; four-hour RTO; quarterly failover testing documented.

14. Automated Decision-Making & Profiling

Lead-scoring and fraud-signal algorithms are advisory; no legally significant decision is automated. Objection to profiling triggers account termination (§15).

15. Your Privacy Rights — Full-Account Termination Model

Except for unsubscribing from marketing communications, any exercise of statutory rights (access, deletion, correction, portability, restriction, objection, withdrawal of consent, opt-out of sale/share) results in immediate account closure and deletion of associated data.

1. Submit request: email [email protected] with subject "Privacy Rights Request."
2. Verification: reply-to identity check + one-time code.
3. Fulfilment: request processed, account closed; confirmation within statutory deadline (30 days GDPR; 45 days most U.S. states).

Marketing-only opt-out: click "unsubscribe" in emails or reply STOP (or /stop) to SMS/Telegram.

16. Do-Not-Track, GPC, Cookie Links

Legacy DNT signals are ignored. Browser-based Global Privacy Control ("GPC") signals are treated as CCPA sale/share opt-outs and therefore trigger account termination. Page footer links include "Privacy Policy," "Cookie Notice," and "Do Not Sell/Share My Personal Information" (the last initiates account closure).

17. U.S. State-Specific Disclosures

This Policy complies with CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, FL DBR, TX DPSA, and TN TIPA.

17.1 California "Shine the Light" Postal-Only Procedure

1. Draft a letter (8.5 × 11 inch, 12-pt Times New Roman) with header "STL REQUEST – Cal. Civ. Code § 1798.83."
2. Include full legal name, California street address, and the certification: "I certify under penalty of perjury that I am a current California resident as defined in 18 CCR § 17014." Sign and date.
3. Attach copies of a California photo ID (last four digits of ID number visible) and a utility bill or bank statement issued within 30 days showing the same address (account numbers redacted).
4. Send via USPS Certified Mail, Return Receipt Requested to:
   

   Polia AI – Shine the Light Desk
               18375 Ventura Blvd., Suite 105
               Tarzana, CA 91356 USA

   Postmark window: 1 January – 31 March for the prior calendar year.
5. Polia AI may send one deficiency notice; failure to cure within 30 days abandons the request.
6. Verified requests receive a First-Class-Mail response within 30 days listing categories of Personal Information disclosed for third-party marketing or stating "none."
7. One request per year; service-provider disclosures are exempt. STL requests are distinct from CCPA requests (which cause account termination).

18. Governing Law, Arbitration & Class-Action Waiver

• Governing law: Federal Arbitration Act and California law.
• Binding arbitration: JAMS Streamlined Rules, Los Angeles County; individual basis only; confidential.
• Users may opt out of arbitration within 30 days of first acceptance by emailing [email protected] (subject "Arbitration Opt-Out").
• EEA/UK/Swiss residents retain GDPR Art. 77–79 rights.

19. Changes to This Policy

Polia AI may amend this Policy at any time; material changes receive 30 days' notice via banner or email. Continued use after the effective date constitutes acceptance.

20. Contact Information

Data Protection Officer
Plot Twist LLC d/b/a Polia AI
18375 Ventura Boulevard, Suite 105
Tarzana, California 91356 USA
[email protected]

21. Appendices

Appendix A — Detailed Retention Matrix

(Available upon request to [email protected].)

Appendix B — Current Sub-Processor Registry (Illustrative)

Provider	Purpose	Primary Location	Transfer Mechanism
Amazon Web Services	Cloud hosting	USA	SCCs
Google Cloud Platform	AI inference	USA/EU	SCCs
OpenAI	Large-language-model inference	USA	SCCs
Anthropic	Large-language-model inference	USA	SCCs
Twilio	SMS/RCS delivery	USA	SCCs
SendGrid	Email delivery	USA	SCCs
Stripe	Payment processing	USA	PCI DSS + SCCs
Printful	Print-on-Demand fulfilment	USA/EU	SCCs

An updated list is available on written request to [email protected].

This registry is illustrative only; Polia AI may add, replace, or remove sub-processors at any time without dedicated notice.

Appendix C — Legitimate-Interest & Transfer-Impact Summaries

Polia AI's legitimate-interest assessment finds that security logging and minimal first-party analytics are necessary and proportionate; data is pseudonymised, retained for limited periods, and subject to user-initiated account closure. Transfer-impact assessment confirms that encryption, access controls, and contractual supplementary measures mitigate foreign-government-access risk.

---

All sections of this Privacy Policy are intended to be severable; if any provision is held unenforceable, the remainder shall remain in full force and effect.

© 2025 Plot Twist LLC d/b/a Polia AI. All rights reserved.