Privacy Policy
Your privacy matters. This policy explains how Polyscopea collects, uses, protects, and shares your personal information across our global Story Intelligence Platform.
1. Introduction & Scope
1.1 About This Policy
This Privacy Policy (“Policy”) describes how Polyscopea (“we,” “us,” “our,” or the “Platform”) collects, uses, discloses, retains, and protects information about individuals (“you,” “your,” or “users”) who access or use our Story Intelligence Platform, including our website, applications, APIs, AI-powered analysis tools, and all related services (collectively, the “Services”). Polyscopea is an AI-powered story intelligence platform that tracks, analyzes, and connects evolving narratives across sectors including markets, technology, regulation, venture capital, geopolitics, energy, and health.
1.2 Scope of Application
This Policy applies to all personal data processed by Polyscopea, regardless of the medium or method of collection. It covers information gathered through:
- Our website and web application accessible at https://polyscopea.com
- Account registration, authentication, and profile management
- Subscription purchases and payment processing
- AI agent analysis, story tracking, and research report generation
- Email communications, in-app notifications, and newsletters
- Customer support interactions and feedback submissions
- Cookies, analytics, and similar tracking technologies
- Any offline interactions where personal data is collected in connection with our Services
1.3 Data Controller
Polyscopea acts as the data controller for personal data processed through the Platform. As the data controller, we determine the purposes and means of processing your personal data. For questions about how we process your data, please contact our Data Protection Officer using the details provided in Section 18 of this Policy.
1.4 Agreement to This Policy
By accessing or using our Services, you acknowledge that you have read, understood, and agree to the collection, use, and disclosure of your information as described in this Policy. If you do not agree with the terms of this Policy, you must not access or use the Services. For users in jurisdictions where consent is required as a legal basis for processing (such as the European Economic Area), we will obtain your explicit consent where necessary before processing your personal data.
1.5 Relationship to Other Documents
This Policy should be read in conjunction with our Terms of Service, Cookie Policy, and any service-specific addendums or data processing agreements. In the event of a conflict between this Policy and any other agreement you have with Polyscopea, the terms of this Policy shall govern with respect to privacy and data protection matters unless explicitly stated otherwise in a written agreement signed by an authorized representative of Polyscopea.
2. Information We Collect
We collect several categories of information to provide, improve, and secure our Services. The types of data we collect depend on how you interact with the Platform and the features you use.
2.1 Personal Data You Provide Directly
- Account Information: Full name, email address, username, and password (stored in hashed form using bcrypt). When registering, you select a user role (reader, analyst, editor) that determines your access level within the Platform.
- Profile Information: Biography, professional affiliation, areas of interest, preferred language selection (from our ten supported languages: English, Arabic, French, Spanish, German, Chinese, Japanese, Portuguese, Russian, and Turkish), and display preferences including theme settings.
- Subscription and Billing Data: Subscription tier selection (Free, Professional at $29/month, or Enterprise at $99/month), billing address, payment method details (processed through our third-party payment processor, Tap Payments), and transaction history. We do not store full credit card numbers on our servers.
- User-Generated Content: Bookmarks, saved searches, story tracking preferences, research report requests, editorial review submissions, annotations, and any notes or comments you create within the Platform.
- Communication Data: Messages sent through our contact forms, customer support requests, feedback submissions, and any other communications you direct to us.
2.2 Usage Data (Automatically Collected)
- Activity Logs: Pages and stories viewed, features used, search queries entered, stories bookmarked, research reports accessed, AI agent tasks initiated, and timestamps of all interactions. These are recorded in our activity_log database table.
- Interaction Data: Click patterns, scroll depth, time spent on individual stories or research reports, navigation paths through the Platform, and frequency of feature usage.
- Referral Data: The URL of the website that referred you to Polyscopea, the pages you visit on our Platform, and the links you click within our Services.
- Performance Data: Page load times, application errors or crashes encountered, and feature-specific performance metrics.
2.3 Device and Technical Data
- Device Identifiers: IP address (which may be used to approximate geographic location at the city or region level), browser type and version, operating system and version, screen resolution, and device type (desktop, tablet, mobile).
- Connection Information: Internet service provider, connection speed, and network type.
- Browser Data: Language preferences, time zone setting, and installed browser plugins or extensions that may affect Platform functionality.
2.4 AI-Generated and Derived Data
- Story Analysis Data: AI-generated summaries, trend analyses, sentiment assessments, narrative arc tracking, and story interconnection mappings produced by our six specialized AI agent types (source discovery, verification, analysis, connection mapping, report generation, and monitoring).
- Trust and Credibility Scores: Algorithmically computed scores assigned to stories, sources, and developments based on source verification, cross-referencing, and temporal consistency analysis.
- Personalization Data: Derived interest profiles, content recommendations, and relevance scores generated based on your usage patterns, bookmarks, and stated preferences.
- Research Outputs: AI-generated research reports, sector analyses, and intelligence briefs compiled from publicly available sources and processed through our analytical pipeline.
2.5 Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and store information when you visit our Platform. For a detailed description of the cookies we use and how to manage them, please refer to Section 12 of this Policy. The types of tracking technologies we employ include:
- Session Cookies: Temporary cookies that expire when you close your browser, used to maintain your session state, language preference, and authentication status.
- Persistent Cookies: Cookies that remain on your device for a set period, used to remember your preferences (such as theme selection and language settings), recognize returning users, and facilitate the “remember me” login functionality.
- Analytics Technologies: Tools that help us understand how users interact with our Platform, including page views, session duration, and feature engagement metrics.
3. How We Use Your Information
We process your personal data for the following purposes, each supported by one or more legal bases described in Section 4.
3.1 Service Delivery and Platform Operations
- Creating, maintaining, and securing your user account and authentication credentials
- Providing access to Platform features based on your subscription tier (Free, Professional, or Enterprise) and user role (reader, analyst, editor, or admin)
- Processing and fulfilling subscription orders, managing billing cycles, and handling payment transactions through our payment processor
- Delivering story tracking, AI-powered analysis, research reports, and intelligence briefings
- Managing your bookmarks, saved searches, notification preferences, and other personalized features
- Providing customer support and responding to your inquiries, feedback, and complaints
3.2 AI Processing and Analysis
- Running our six specialized AI agent types to discover, verify, analyze, connect, report on, and monitor evolving stories and narratives across covered sectors
- Generating trust and credibility scores for stories, sources, and developments through automated algorithmic assessment
- Producing AI-generated research reports, sector analyses, and story connection mappings
- Continuously improving our AI models’ accuracy, relevance, and reliability through aggregated performance analysis (not using individual personal data for model training without explicit consent)
3.3 Personalization and Recommendations
- Tailoring content recommendations and story feeds based on your interests, reading history, and stated preferences
- Adjusting the Platform interface based on your language, theme, and accessibility preferences
- Providing sector-specific and topic-specific alerts and notifications aligned with your tracking preferences
3.4 Analytics and Platform Improvement
- Analyzing aggregated usage patterns to understand how our Services are used and to identify areas for improvement
- Conducting A/B testing and feature experiments to optimize the user experience
- Monitoring Platform performance, uptime, and reliability
- Generating aggregated, anonymized statistical reports about Platform usage trends
3.5 Communications
- Sending transactional communications including account verification emails, password reset notifications, subscription confirmations, and payment receipts
- Delivering in-app notifications about story updates, new developments, AI analysis completions, and editorial review status changes
- Sending marketing communications, newsletters, and product updates (only with your consent where required by law, with an opt-out mechanism in every communication)
- Providing important service announcements including security alerts, policy changes, and maintenance notifications
3.6 Security and Fraud Prevention
- Detecting, preventing, and investigating unauthorized access, security incidents, fraud, and other malicious activities
- Enforcing our Terms of Service and other applicable policies
- Verifying user identity and preventing account compromise
- Maintaining audit logs for security and compliance purposes
3.7 Legal Compliance
- Complying with applicable laws, regulations, legal processes, and governmental requests
- Establishing, exercising, or defending legal claims
- Fulfilling tax, accounting, and financial reporting obligations
- Responding to lawful requests from public authorities, including national security or law enforcement requirements
4. Legal Basis for Processing
Under the General Data Protection Regulation (GDPR) and similar data protection laws, we are required to identify a lawful basis for each processing activity. We rely on the following legal bases under Article 6(1) of the GDPR:
4.1 Performance of a Contract — Article 6(1)(b)
Processing necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract. This basis applies to account creation, delivering Platform features per your subscription tier, processing payments, and providing customer support.
4.2 Legitimate Interests — Article 6(1)(f)
Processing necessary for the purposes of our legitimate interests, provided those interests are not overridden by your fundamental rights and freedoms. We have conducted legitimate interest assessments for the following:
- Improving and optimizing Platform performance, features, and user experience through analytics
- Detecting and preventing fraud, security incidents, and abusive behavior
- Operating our AI agents and algorithmic systems to deliver story intelligence services
- Conducting internal research and development to enhance our analytical capabilities
- Generating aggregated, anonymized insights about Platform usage trends
- Sending direct marketing communications to existing customers about similar services (where permitted under applicable law, subject to your right to opt out)
4.3 Consent — Article 6(1)(a)
Processing based on your freely given, specific, informed, and unambiguous consent. You may withdraw your consent at any time without affecting the lawfulness of processing carried out before withdrawal. We rely on consent for sending marketing emails where consent is required by law, placing non-essential cookies on your device, processing special categories of personal data (if any), and any processing not covered by another legal basis.
4.4 Legal Obligation — Article 6(1)(c)
Processing necessary for compliance with a legal obligation, including tax and accounting obligations related to payments, responding to lawful data access requests from regulatory authorities, maintaining records as required by data protection and electronic commerce regulations, and compliance with AML/KYC regulations where applicable.
4.5 Vital Interests — Article 6(1)(d)
In rare circumstances, we may process personal data where it is necessary to protect the vital interests of the data subject or another natural person. This basis is only invoked in emergency situations, such as contacting emergency services or responding to an imminent threat to life.
5. AI & Automated Decision-Making
Polyscopea is an AI-powered platform, and artificial intelligence is integral to our Services. We are committed to transparency about how our AI systems operate and how they affect you. This section provides information as required under Article 22 of the GDPR.
5.1 Our AI Agent Types
| Agent Type | Function | Data Processed |
|---|---|---|
| Source Discovery | Identifies and collects publicly available sources relevant to tracked stories | Public web data, RSS feeds, news sources |
| Verification | Cross-references information across multiple sources to assess accuracy | Source content, metadata, publication history |
| Analysis | Performs sentiment analysis, trend detection, and narrative arc tracking | Story content, historical data, sector context |
| Connection Mapping | Identifies relationships between stories, entities, and developments | Story metadata, entity data, temporal data |
| Report Generation | Compiles AI-generated research reports and intelligence briefs | Aggregated analysis outputs, report parameters |
| Monitoring | Continuously tracks developments and triggers notifications for significant changes | Story updates, threshold parameters, alert preferences |
5.2 Trust and Credibility Scoring
Our Platform computes trust and credibility scores for stories and sources using algorithmic methods. These scores are derived from factors including: the number and diversity of corroborating sources, the historical reliability of the originating publication, temporal consistency of reported information, factual verification results, and editorial review status. Trust scores are displayed as informational tools and do not constitute automated decision-making that produces legal effects or similarly significant effects on individuals. You may request a human review of any trust score by contacting our editorial team.
5.3 Content Personalization
We use automated processing to personalize the content displayed to you on the Platform, including recommending stories, research reports, and sector coverage areas based on your viewing history, bookmarks, stated interests, and subscription tier. This personalization enhances your experience and does not restrict your access to any publicly available content. You can influence your recommendations by modifying your profile interests, bookmarks, and notification settings.
5.4 Safeguards for Automated Processing
- Human Oversight: All AI-generated content undergoes editorial review processes. AI analyses, trust scores, and reports are subject to human verification before being designated as editorially reviewed.
- Transparency: AI-generated content is clearly labeled on the Platform. Users can distinguish between AI-generated analysis and editorially reviewed content through visual indicators.
- Right to Contest: You have the right to contest any automated decision or score and to request human intervention through your profile settings or our support team.
- Regular Audits: We conduct periodic audits of our AI systems to assess accuracy, identify potential biases, and ensure our algorithms operate as intended.
- No Solely Automated Decisions with Legal Effects: We do not make decisions based solely on automated processing that produce legal effects concerning you or similarly significantly affect you, without your explicit consent or unless authorized by applicable law with appropriate safeguards.
5.5 AI Model Training
We do not use your personal data to train our AI models without your explicit consent. Improvements to our AI agents are based on aggregated, anonymized performance data and publicly available training datasets. If we wish to use any identifiable user data for AI model training purposes in the future, we will seek your prior informed consent and provide you with the ability to opt out.
6. Data Sharing & Third Parties
We do not sell your personal data. We share your information only in the circumstances described below and only to the extent necessary to fulfill the stated purpose.
6.1 Service Providers and Data Processors
We engage trusted third-party companies to perform services on our behalf. These service providers act as data processors under contract and are obligated to process your data only as instructed and to maintain appropriate security measures:
- Cloud Infrastructure and Hosting: Providers that host our servers, databases, and application infrastructure with appropriate redundancy and security.
- Payment Processing: Tap Payments, our payment gateway, processes subscription payments. Tap Payments receives only data necessary to process your payment and is PCI-DSS compliant. We do not store full payment card details on our servers.
- AI and Machine Learning Services: Third-party AI providers (including DeepSeek) that support our AI agent operations under strict data processing agreements.
- Email Delivery: Email service providers that deliver transactional emails, notifications, and marketing communications on our behalf.
- Analytics Providers: Services that help us understand Platform usage through aggregated analytics data, configured to minimize personal data collection.
6.2 Legal Requirements and Law Enforcement
We may disclose your personal data if we believe in good faith that such disclosure is necessary to comply with a legal obligation, court order, or lawful government request; protect the rights, property, or safety of Polyscopea, our users, or the public; prevent or investigate possible wrongdoing, fraud, or security issues; or enforce our Terms of Service. Where permitted by law, we will notify affected users of such requests and will challenge requests that are overly broad or unlawful.
6.3 Business Transfers
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal data may be transferred as part of that transaction. We will provide notice before your personal data becomes subject to a different privacy policy and will ensure that the receiving entity commits to honoring the protections described in this Policy or provides equivalent or greater protections.
6.4 Aggregated and Anonymized Data
We may share aggregated, anonymized, or de-identified data with third parties for research, marketing, analytics, and other purposes. This data cannot reasonably be used to identify you.
6.5 With Your Consent
We may share your personal data with third parties when you have given us explicit consent to do so, including when you voluntarily choose to share research reports, bookmarks, or analyses with other users or external parties through Platform features designed for that purpose.
7. International Data Transfers
Polyscopea operates globally and serves users across multiple jurisdictions. Your personal data may be transferred to, stored in, and processed in countries other than the country in which you reside, which may have different data protection laws.
7.1 Transfer Mechanisms
When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Adequacy Decisions: Where the European Commission has determined that a third country provides an adequate level of data protection, we may transfer data in reliance on that adequacy decision.
- Standard Contractual Clauses (SCCs): For transfers to countries without an adequacy decision, we use the European Commission’s Standard Contractual Clauses (as updated in June 2021) with supplementary measures as required by the Schrems II decision.
- Binding Corporate Rules: Where applicable, we rely on approved binding corporate rules of our service providers authorized by a competent data protection authority.
- Derogations: In limited circumstances, we may transfer data based on applicable derogations under Article 49 of the GDPR, such as your explicit consent or necessity for contract performance.
7.2 Supplementary Measures
- AES-256-GCM encryption for sensitive data both in transit and at rest
- Pseudonymization and data minimization techniques applied before cross-border transfers where feasible
- Strict access controls limiting access to transferred data to authorized personnel only
- Regular assessments of the legal framework in receiving countries, including government access and surveillance laws
- Contractual commitments from recipients to notify us of any government access requests and to challenge disproportionate or unlawful requests
7.3 Transfer Impact Assessments
For each significant international data transfer, we conduct a Transfer Impact Assessment (TIA) evaluating the legal framework in the receiving country, the nature of data transferred, the transfer mechanism, and any supplementary measures needed. We maintain records of these assessments and update them periodically or when material legal changes occur.
8. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law.
8.1 Retention Schedule
| Data Category | Retention Period | Justification |
|---|---|---|
| Account Data | Duration of account + 30 days after deletion request | Contract performance; grace period |
| Activity Logs | 24 months from creation | Legitimate interests (security, analytics) |
| Payment Records | 7 years from transaction date | Legal obligation (tax/accounting) |
| Subscription Data | Duration of subscription + 12 months | Contract performance; dispute resolution |
| AI Agent Task Records | 18 months from completion | Legitimate interests (improvement, auditability) |
| Research Reports | Duration of account + 6 months | Contract performance |
| Bookmarks & Preferences | Duration of account | Contract performance |
| Email Queue Records | 90 days from sending | Legitimate interests (deliverability) |
| Notifications | 12 months from creation | Contract performance |
| Cookie Data | Varies (see Section 12) | Consent or legitimate interests |
| Support Records | 3 years from resolution | Legitimate interests (QA, disputes) |
| Security/Audit Logs | 3 years from creation | Legitimate interests; legal obligation |
8.2 Account Deletion
When you request deletion of your account, we will delete or anonymize your personal data within 30 days, except for data we are legally required to retain. During the 30-day grace period, you may contact us to reactivate your account. After the grace period, deletion is permanent and irreversible.
8.3 Anonymization
Where possible, we anonymize personal data rather than deleting it, so it can continue to be used for analytical and statistical purposes in a form that cannot identify you. Anonymized data is no longer personal data under applicable law and may be retained indefinitely.
9. Data Security
We take the security of your personal data seriously and implement comprehensive technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction.
9.1 Encryption
- Data at Rest: Sensitive personal data is encrypted using AES-256-GCM (Advanced Encryption Standard with 256-bit keys in Galois/Counter Mode), providing both confidentiality and authenticity. Our core Encryption service manages key generation, rotation, and cryptographic operations.
- Data in Transit: All communications are encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HTTPS across all endpoints and use HSTS headers to prevent protocol downgrade attacks.
- Password Security: User passwords are hashed using bcrypt with a cost factor sufficient to resist brute-force attacks. We never store passwords in plaintext. Password reset tokens are cryptographically generated, time-limited, and single-use.
9.2 Access Controls
- Role-Based Access: The Platform implements RBAC with four user roles (reader, analyst, editor, admin), each with defined permissions following the principle of least privilege.
- Middleware Enforcement: Our AuthMiddleware and RoleMiddleware components enforce authentication and authorization checks on every request.
- Administrative Access: Server infrastructure, databases, and admin tools are restricted to authorized personnel through multi-factor authentication, VPN access, and individually assigned credentials. All administrative actions are logged.
9.3 Infrastructure Security
- Regular security patches to our server OS, PHP 8.2 runtime, MySQL database, and all dependencies
- Web application firewall (WAF) protecting against SQL injection, XSS, CSRF, and other OWASP Top 10 vulnerabilities
- Input validation and output encoding throughout our MVC framework
- Rate limiting and throttling to protect against brute-force and DoS attacks
- Encrypted database backups stored at a separate geographic location
9.4 Incident Response
We maintain a documented data breach incident response plan:
- Detection and Containment: Continuous monitoring systems with immediate containment procedures to limit breach scope and impact.
- Assessment: Rapid assessment of breach nature, scope, severity, affected data subjects, and data categories involved.
- Notification: Notification to the relevant supervisory authority within 72 hours of becoming aware of a breach (Article 33 GDPR). Where the breach is likely to result in high risk to individuals, we also notify affected individuals without undue delay (Article 34).
- Remediation: Corrective measures including root cause analysis, system hardening, and process improvements.
- Documentation: Comprehensive documentation of all incidents, facts, effects, and remedial actions.
9.5 Security Limitations
While we implement robust security measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your personal data and encourage you to use a strong, unique password, keep your credentials confidential, and log out when using shared devices.
10. Your Rights
Depending on your jurisdiction, you have various rights with respect to your personal data. We have implemented processes to facilitate the exercise of each right described below.
10.1 Rights Under the GDPR (EU/EEA Residents)
- Right of Access (Art. 15): Obtain confirmation of processing and a copy of your personal data with supplementary processing information.
- Right to Rectification (Art. 16): Have inaccurate data corrected and incomplete data completed. You can update most information directly in your profile settings.
- Right to Erasure (Art. 17): Request deletion when data is no longer necessary, you withdraw consent, or data has been unlawfully processed.
- Right to Restriction (Art. 18): Request restriction of processing when you contest data accuracy or processing is unlawful and you prefer restriction over erasure.
- Right to Data Portability (Art. 20): Receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller.
- Right to Object (Art. 21): Object to processing based on legitimate interests or direct marketing at any time. For direct marketing, we will cease processing immediately.
- Rights Related to Automated Decisions (Art. 22): Not be subject to solely automated decisions producing legal effects or similarly significant effects, subject to exceptions.
- Right to Withdraw Consent: Withdraw consent at any time without affecting the lawfulness of prior processing.
- Right to Lodge a Complaint: Lodge a complaint with a supervisory authority in your EU Member State.
10.2 Rights Under the CCPA/CPRA (California Residents)
- Right to Know: Request disclosure of categories and specific pieces of personal information collected, sources, purposes, and third-party recipients.
- Right to Delete: Request deletion of personal information, subject to certain exceptions.
- Right to Correct: Request correction of inaccurate personal information.
- Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. If our practices change, you will have the right to opt out.
- Right to Limit Use of Sensitive Personal Information: Limit use to purposes necessary to perform requested services.
- Right to Non-Discrimination: We will not discriminate against you for exercising privacy rights.
10.3 Rights Under the LGPD (Brazil Residents)
Under the Lei Geral de Proteção de Dados, you have rights including: confirmation of processing, access to data, correction of inaccurate data, anonymization or blocking of unnecessary data, data portability, deletion of data processed with consent, information about third-party sharing, information about denying consent and its consequences, and revocation of consent.
10.4 Rights Under POPIA (South Africa Residents)
Under the Protection of Personal Information Act, you have rights including: notification that personal information is being collected, access to and correction of your personal information, and objection to processing. You may lodge a complaint with the Information Regulator of South Africa.
10.5 Exercising Your Rights
To exercise any of the rights described above, you may:
- Submit a request through your account settings at https://polyscopea.com/?page=profile&tab=settings
- Email our Data Protection Officer at the address provided in Section 18
- Send a written request by postal mail to the contact address in Section 19
We will verify your identity before processing your request. We will respond within 30 days (or within the timeframe required by your local law). There is no fee for exercising your rights, unless your request is manifestly unfounded or excessive.
11. Children’s Privacy
Polyscopea’s Services are not directed to children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children under this age.
11.1 Age Restrictions
Our Terms of Service require users to be at least 16 years of age. In the United States, we comply with COPPA, which restricts collection from children under 13. In the EEA, we comply with the age thresholds set by individual Member States under Article 8 of the GDPR (ranging from 13 to 16 depending on the Member State).
11.2 Parental Notification
If we become aware that we have collected personal data from a child under the applicable age without verifiable parental consent, we will take immediate steps to delete that data. If you are a parent or guardian and believe your child has provided personal data to us, please contact us immediately using the information in Section 19.
11.3 Age Verification
We include age acknowledgment provisions in our registration process and Terms of Service. We reserve the right to implement additional age verification measures in the future if required by applicable law.
12. Cookies & Tracking Technologies
12.1 What Are Cookies
Cookies are small text files stored on your device when you visit a website. They are widely used to make websites function properly, improve efficiency, and provide reporting information. Cookies set by Polyscopea are “first-party cookies.” Cookies set by third parties enabling features through our website are “third-party cookies.”
12.2 Cookies We Use
| Cookie Name | Type | Purpose | Duration |
|---|---|---|---|
| PHPSESSID | Essential | Maintains session state and authentication | Session |
| polyscopea_theme | Functional | Stores preferred theme (light/dark) | 1 year |
| polyscopea_lang | Functional | Stores preferred language setting | 1 year |
| polyscopea_remember | Functional | Enables persistent login | 30 days |
| polyscopea_consent | Essential | Records cookie consent preferences | 1 year |
12.3 Cookie Categories
- Strictly Necessary (Essential): Essential for core functionality (session management, authentication, security). Cannot be disabled. No consent required under the ePrivacy Directive.
- Functional: Enable enhanced functionality and personalization (language, theme, login status). The Platform functions without these, but the experience may be degraded.
- Analytics: Help us understand visitor interactions through aggregated and anonymized data including page views, session duration, and navigation paths.
12.4 Managing Cookie Preferences
- Browser Settings: Most browsers allow you to refuse cookies, delete existing cookies, or set alerts. Disabling essential cookies may prevent use of certain features.
- Platform Settings: We provide cookie preference controls allowing you to accept or reject non-essential cookie categories.
- Do Not Track: We respond to DNT signals by disabling non-essential analytics tracking for users who have enabled this setting.
13. Email Communications & Notifications
13.1 Types of Communications
- Transactional Emails: Account verification, password resets, subscription confirmations, payment receipts, and security alerts. These are essential and sent regardless of marketing preferences.
- In-App Notifications: Story updates, new developments, AI analysis completions, editorial review status changes, and system announcements delivered within the Platform’s notification center.
- Email Notifications: Configurable alerts about story developments, new research reports, and periodic digests based on your notification preferences.
- Marketing Communications: Product updates, feature announcements, newsletters, and promotional content. Sent only with your consent, with an unsubscribe mechanism in every message.
13.2 Managing Notification Preferences
Manage your notification preferences at any time through your profile settings at https://polyscopea.com/?page=profile&tab=settings. You can choose which email notifications you receive, adjust digest frequency, and unsubscribe from marketing emails using the unsubscribe link included in every message.
13.3 Email Queue Processing
Our email queue system processes outbound emails containing your email address and message content. These emails are retained for 90 days for deliverability monitoring. Bounced or failed emails are logged for quality assurance and email list hygiene.
14. Subscription & Payment Data
14.1 Subscription Tiers
Polyscopea offers three subscription tiers: Free ($0/month), Professional ($29/month), and Enterprise ($99/month). Your subscription tier determines available features. We record your tier, start/end dates, renewal status, and any tier changes.
14.2 Payment Processing
All payment transactions are processed through Tap Payments, our PCI-DSS compliant third-party payment gateway. Tap Payments collects your payment card information directly. We store only a tokenized reference, the last four digits of your card, transaction amount, currency, status, and a unique transaction identifier. We never store your full credit card number, expiration date, or CVV.
14.3 Payment Transaction Records
We maintain payment transaction records including amount, currency, payment method reference, status (pending, completed, failed, refunded), and timestamps. These records are retained for 7 years in compliance with tax and accounting regulations. You can view your payment history through your account settings.
14.4 Refunds and Disputes
If you request a refund or file a payment dispute, we may share relevant transaction data with Tap Payments and your card-issuing bank, including account information, transaction history, and service usage records during the disputed period.
15. Third-Party Links & Services
15.1 External Links
Our Platform contains links to external websites including news sources, research publications, and reference materials cited in stories and research reports. We do not control these websites and are not responsible for their privacy practices, content, or security. We encourage you to review the privacy policy of every website you visit after leaving our Platform.
15.2 Third-Party CDNs and Resources
Our Platform loads resources from third-party content delivery networks (Google Fonts for typography, Tailwind CSS for styling, Lucide for iconography). When your browser loads these resources, the CDN provider may receive your IP address and browser information. These providers have their own privacy policies.
15.3 Embedded Content
Some stories and research reports may include embedded content from third-party sources (charts, maps, multimedia). Embedded content from other websites behaves as if you visited the originating website directly, which may collect data, use cookies, and monitor your interaction.
16. Regional Privacy Addendums
The following region-specific provisions apply to users in the identified jurisdictions. Where a regional addendum conflicts with the general provisions, the addendum prevails for users in that jurisdiction.
16.1 European Union / European Economic Area
Processing is governed by the GDPR and UK GDPR. In addition to Section 10.1 rights:
- You may contact our EU representative for data processing matters (details in Section 18).
- We conduct Data Protection Impact Assessments (DPIAs) for high-risk processing including our AI agent operations and trust scoring.
- We maintain a Record of Processing Activities (ROPA) as required by Article 30.
- For cross-border processing, we follow the one-stop-shop mechanism under the lead supervisory authority.
16.2 California, United States
In addition to the CCPA/CPRA rights in Section 10.2:
- Shine the Light: Under California Civil Code Section 1798.83, California residents may request information about third-party marketing disclosures. We do not disclose personal information to third parties for direct marketing.
- Categories Collected (past 12 months): Identifiers (name, email, IP); commercial information (subscription/payment data); internet activity (usage logs); geolocation (approximate, from IP); professional information; and inferences drawn from the above.
- Authorized Agents: California residents may designate an authorized agent to submit privacy requests with proof of authorization.
- Financial Incentives: We do not offer financial incentives or price differences in exchange for retention or sale of personal information.
16.3 Brazil (LGPD)
Personal data processing is governed by the LGPD (Law No. 13,709/2018). Legal bases include consent, legal obligation, contract execution, legitimate interests, and credit protection. You may petition the ANPD regarding our practices. Our DPO (Encarregado) contact details are in Section 18.
16.4 Middle East and North Africa
- Saudi Arabia: We comply with the Personal Data Protection Law (PDPL), respecting rights to information, access, correction, destruction, and consent withdrawal.
- United Arab Emirates: We comply with Federal Decree-Law No. 45 of 2021 on Personal Data Protection.
- Qatar: We comply with Law No. 13 of 2016 on Protection of Personal Data Privacy.
- Bahrain: We comply with the Personal Data Protection Law (Law No. 30 of 2018).
- All financial data processing through Tap Payments complies with relevant local financial regulations and central bank requirements.
16.5 Japan (APPI)
We handle “personal information” under the Act on the Protection of Personal Information with due care. Cross-border transfers comply with Article 28 of the APPI, ensuring recognized data protection regimes or appropriate contractual safeguards. You may make disclosure, correction, and cessation-of-use requests as provided under the APPI.
16.6 China (PIPL)
- Processing is based on lawful bases under Article 13 of the PIPL including consent, contract necessity, and legal obligation.
- Separate consent is obtained and impact assessments conducted before processing sensitive personal information.
- Cross-border transfers comply with Articles 38-43, including CAC security assessments, recognized certifications, or standard contracts with overseas recipients.
- You have rights to know, decide, restrict, refuse, access, copy, port, correct, delete, and request explanation of processing rules.
16.7 Turkey (KVKK)
- Processing is based on conditions in Articles 5 and 6 of the KVKK (Law No. 6698) including explicit consent, contract necessity, legal obligation, and legitimate interests.
- Cross-border transfers follow Article 9 with adequate protection through contractual commitments and KVKK Board approvals where required.
- Under Article 11, you have rights to learn whether data is processed, request processing information, learn the purpose, know third-party recipients, request correction, request deletion or destruction, and object to automated processing outcomes.
- You may file a complaint with the KVKK Board if your rights have been violated.
17. Changes to This Policy
17.1 Policy Updates
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will update the “Last Updated” date and version number at the top of this Policy.
17.2 Notification of Material Changes
For material changes that significantly affect how we process your data or reduce your rights, we will provide prominent notice through email notification, a banner on the Platform, an in-app notification, or a combination of these methods.
17.3 Consent for Material Changes
Where required by applicable law (particularly in the EU/EEA where consent is the legal basis), we will obtain your renewed consent before implementing material changes. If you do not consent, you may discontinue use and request deletion of your account and data.
17.4 Version History
We maintain an archive of previous versions. You may request access to prior versions by contacting us. The current version is 2.0.0, effective 2026-03-01.
18. Data Protection Officer
18.1 DPO Appointment
In accordance with Article 37 of the GDPR, Polyscopea has appointed a Data Protection Officer responsible for overseeing our data protection strategy and ensuring compliance with applicable privacy laws. The DPO operates independently and reports directly to the highest management level.
18.2 DPO Responsibilities
- Monitoring compliance with the GDPR, other data protection laws, and internal policies
- Advising on and monitoring Data Protection Impact Assessments
- Serving as the contact point for data subjects and supervisory authorities
- Cooperating with supervisory authorities
- Guiding privacy by design and privacy by default in new feature development
18.3 Contact the DPO
Data Protection Officer
Polyscopea — Story Intelligence Platform
Email: dpo@polyscopea.com
Contact our DPO for any questions, concerns, or requests related to data protection and privacy, including exercising your data subject rights.
19. How to Contact Us
If you have any questions, concerns, or complaints about this Privacy Policy or our data processing practices, please contact us:
Data Subject Rights Requests
Email: dpo@polyscopea.com
Response time: Within 30 days (as required by law)
19.1 Supervisory Authorities
If you are not satisfied with our response, you have the right to lodge a complaint with the relevant supervisory authority. A list of EU/EEA authorities can be found on the EDPB website. For other jurisdictions, please contact the relevant local data protection authority.
19.2 Effective Date
This Privacy Policy is effective as of 2026-03-01 and supersedes all prior versions. Current version: 2.0.0, last updated 2026-03-05.