
Privacy Notice

What we collect, why, where it lives, and how you control it.

  • Effective from: April 26, 2026
  • Data location: European Union
  • Selling data? Never

This Privacy Notice describes how Polyx Studio collects, uses, and protects personal data when you use the Service. We are the data controller for the personal data you provide to us. Where we act as a processor on your behalf (for example for content you upload), the relevant Data Processing Agreement governs that relationship.

1. Who we are

The data controller is Polyx Studio. You can reach our privacy team at privacy@polyx.digital. We do not have a designated Data Protection Officer because the scale of our processing does not require one under GDPR Article 37, but the privacy team is your first point of contact for any data-related question.

2. What personal data we collect

We collect only what we need to deliver the Service:

  • Account data — email address, display name, optional avatar, hashed password.
  • Payment metadata — billing country, last 4 digits of card, transaction IDs returned by Stripe. We never see your full card number, CVV, or PIN.
  • Usage data — generation prompts, uploaded reference images, generated outputs, credit transactions, asset purchases.
  • Technical data — IP address (for rate limiting and abuse prevention), user agent, language preference, anonymised event analytics.
  • Communications — emails you send to support, in-app messages.

3. Why we use it & legal basis

Under GDPR Article 6 we rely on the following legal bases:

  • Contract — to register your account, run generations, deliver assets, process payments, and send transactional emails.
  • Legitimate interest — to prevent fraud and abuse, secure the Service, and improve product quality through anonymised analytics.
  • Consent — for non-essential cookies and any marketing communications. You can withdraw consent at any time.
  • Legal obligation — to keep tax records, respond to lawful requests from authorities, and comply with anti-money-laundering rules.

4. Who we share it with — sub-processors

We share the minimum personal data necessary with carefully selected sub-processors:

  • Stripe (Ireland / USA) — payment processing.
  • Mailgun (EU region) — transactional email delivery.

Each sub-processor is bound by a Data Processing Agreement that meets GDPR requirements. The current full list of sub-processors and the associated DPAs are available on request from privacy@polyx.digital.

We do not sell your personal data. We do not use your prompts, uploads, or generated assets to train third-party models.

5. How long we keep it

  • Account data — for as long as your account is open, plus 30 days for grace deletion.
  • Generation prompts & outputs — for as long as your account is open. You can delete individual generations at any time from your dashboard.
  • Payment records & invoices — kept for 6 years as required by UK / EU tax law.
  • Server logs — anonymised after 30 days.

6. Your rights

If GDPR applies to you, you have the following rights:

  • Access — request a copy of the personal data we hold about you.
  • Rectification — correct inaccurate or incomplete data.
  • Erasure — delete your account and personal data (the “right to be forgotten”).
  • Restriction — limit how we use your data while a dispute is resolved.
  • Portability — receive your data in a structured, machine-readable format.
  • Objection — object to processing based on legitimate interest.
  • Withdraw consent — at any time, where consent is the legal basis.
  • Lodge a complaint — with your local supervisory authority if you believe we are mishandling your data.

Email privacy@polyx.digital to exercise any of these rights. We respond within 30 days.

7. Security & data location

All data is hosted on infrastructure located in the European Union. Data is encrypted in transit using TLS 1.3 and at rest using strong industry-standard ciphers. Access is restricted to authorised engineers and is logged.

If we ever suffer a personal-data breach, we will notify the relevant supervisory authority within 72 hours and, where there is a high risk to your rights, we will notify you directly.

8. Cookies

We use only the cookies necessary to keep you signed in and the optional cookies that you explicitly consent to via the cookie banner. See the Cookie Notice for the full list and how to manage your preferences.

9. Children

Polyx is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us so we can delete it.

10. Changes to this Notice

We may update this Privacy Notice from time to time. The latest version is always published here with an updated “Effective from” date. Material changes will be communicated by email at least 14 days before they take effect.

Questions about this policy?

Email privacy@polyx.digital for privacy questions, or use the contact form for everything else.
