Polymatic – Privacy Policy

Effective date: November 3, 2025
Controller: Socialcap AB (“Polymatic”, “we”, “us”, “our”)
Address for privacy matters: Katarinavägen 15, Stockholm, Sweden
Contact (privacy requests): polymaticai@proton.me
Data Protection Officer (DPO): None appointed

This Privacy Policy explains how we collect, use, disclose, and protect information when you use Polymatic’s websites, apps, and services (the “Service”). If you do not agree, please do not use the Service.


1) What we collect

1.1 Information you provide

  • Account details: email, username/handle, password hash (or passkey metadata)

  • Profile & preferences: learning interests, language, notification settings

  • Learning data: courses chosen, progress, scores, quiz answers, streaks, time-on-task, notes

  • AI interactions: prompts, messages, and generated outputs

  • Communications: support tickets, bug reports, feedback, attachments

  • Marketing preferences: email subscriptions, opt-in/opt-out status

1.2 Information collected automatically

  • Telemetry: IP address, device identifiers, operating system, browser, screen size, time zone, coarse location (country/region), referral URL, session timestamps

  • Cookies/local storage: identifiers used for login, preferences, analytics, and fraud prevention

  • Anti-fraud signals: request velocity, device/behavioral patterns, risk scores

1.3 Wallet & on-chain data

  • Wallet address(es) you connect to Polymatic

  • On-chain activity relevant to claims or rewards (transaction IDs, timestamps). We do not collect or store private keys or seed phrases.

1.4 Information we do not intentionally collect

  • Special categories of personal data (e.g., health, biometrics, religion)

  • Precise GPS location

  • Government identifiers

  • Children’s data (the Service is for 18+ only)


2) Purposes & lawful bases (GDPR Art. 6)

| Purpose | Examples | Legal basis |
|---|---|---|
| Provide the Service | accounts, learning features, rewards | Contract |
| Security & anti-fraud | abuse detection, incident response, audits | Legitimate interests |
| Analytics & improvement | usage metrics, performance, UX research | Legitimate interests (non-essential cookies by consent) |
| Marketing communications | newsletters, product updates | Consent (withdraw anytime) |
| Cookies | strictly necessary vs. optional | Legitimate interests/necessity for essential; consent for non-essential |
| Legal compliance | tax, court orders, sanctions | Legal obligation |

You may object to processing based on legitimate interests, and you may withdraw consent at any time (it will not affect prior lawful processing).


3) How we use information

  • Operate and maintain accounts, learning content, rewards, and features

  • Personalize learning paths and track progress

  • Monitor, prevent, and detect fraud/abuse, and ensure platform integrity

  • Measure performance and improve product quality

  • Send service messages (transactional) and, with consent, marketing emails

  • Comply with legal obligations and enforce our Terms of Service


4) Cookies & similar technologies

  • Essential cookies: sign-in, security, service continuity (cannot be turned off without breaking the Service)

  • Analytics/performance cookies: usage metrics and diagnostics (require consent)

  • Marketing cookies (if used): only with prior consent

  • Local storage may be used for preferences, session state, and anti-fraud IDs

We honor Global Privacy Control (GPC) signals for advertising/marketing where applicable. You can change your cookie preferences at any time via our consent banner.


5) Disclosures of personal data

We share personal data only as necessary to operate the Service:

  • Processors (service providers): cloud hosting, databases, analytics, error monitoring, email delivery, CDN/DDoS, and similar vendors operating under data processing agreements and instructions from us

  • Corporate transactions: merger, acquisition, financing, or asset sale (data transferred with appropriate protections)

  • Legal & safety: to comply with law, lawful requests, or to protect rights, safety, and security

  • With your direction or consent: for example, connecting a wallet or enabling integrations

We maintain an up-to-date list of processors and will provide it on request.


6) International transfers

We are based in Sweden. If data is transferred outside the EEA/UK (for example to trusted service providers), we use appropriate safeguards such as the EU Standard Contractual Clauses and documented transfer impact assessments, plus technical and organizational measures.


7) Data retention

We keep data only as long as needed for the purposes described:

  • Account & learning history: retained up to 24 months after last activity, then deleted or anonymized

  • AI chat logs: retained up to 12 months

  • Telemetry & server logs: retained up to 12 months

  • Marketing records (consent, unsubscribes): retained up to 24 months

  • Support tickets: retained up to 24 months

  • Anti-fraud risk data: retained up to 24 months (pseudonymized where feasible)

  • On-chain records: public and immutable; while we cannot delete blockchain entries, we minimize off-chain linkages where possible

We may retain limited data longer if required by law or to establish, exercise, or defend legal claims.


8) Security

We apply industry-standard technical and organizational measures, including encryption in transit and at rest, hashed passwords or passkeys, role-based access controls, least-privilege administration, audit logs, dependency monitoring, and vulnerability management. No system is perfectly secure; users should protect their accounts and devices.


9) Automated decision-making & profiling

We use automated risk scoring to detect fraud and abuse and to protect the Service. These processes do not produce legal or similarly significant effects about you. You may request human review where applicable.


10) Your rights (EEA/UK)

You have the right to access, rectify, erase, restrict, and port your personal data; to object to processing based on legitimate interests; and to withdraw consent at any time. To exercise rights, email polymaticai@proton.me. We may request reasonable information to verify your identity and will respond within 30 days, subject to legal allowances.

You also have the right to lodge a complaint with the Swedish Authority for Privacy Protection (IMY) or your local supervisory authority.


11) California notice (CPRA)

We do not “sell” personal information for money. We do not “share” personal information for cross-context behavioral advertising without your consent. California residents may request access, deletion, and correction; and may opt out of sale/sharing. To exercise rights, email polymaticai@proton.me. We honor GPC signals for sale/sharing opt-outs where applicable.


12) Children

The Service is intended for adults 18+. We do not knowingly collect personal data from individuals under 18. If you believe a minor has provided data, contact us and we will take appropriate action.


13) Wallets & blockchain specifics

  • Your wallet address may be considered personal data when it can be linked to you.

  • On-chain transactions are public and irreversible. We cannot delete or edit blockchain entries.

  • We will never request your private keys or seed phrase. Protect them at all times.


14) Changes to this Policy

We may update this Policy from time to time. If changes are material, we will provide reasonable notice (for example, in-product or by email). Continued use of the Service after the effective date means you accept the updated Policy.


15) Contact us

Controller: Socialcap AB
Address: Katarinavägen 15, Stockholm, Sweden
Email: polymaticai@proton.me

Last updated