Privacy Policy

Version: 1.0 (First publication)
Last Updated: 2026-03-02
Effective Date: 2026-03-02

1. Introduction

This Privacy Policy explains how Polyatomic OÜ ("Polyatomic," "we," "us," or "our") collects, uses, and protects information when you visit our website at https://polyatomic.ai (the "Website"), subscribe to our newsletter, or otherwise communicate with us in connection with the Website.

For the purposes of applicable data protection laws, Polyatomic OÜ is the data controller (and, where relevant under certain U.S. laws, the "business") for the processing described in this Privacy Policy.

We are committed to protecting your privacy and processing your data in compliance with applicable privacy and data protection laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and other privacy laws in the jurisdictions where we offer our Website and services.

Our Privacy Approach: We have designed our Website and services to minimize data collection and avoid the use of advertising tracking. We do not use tracking cookies, do not engage in cross-site tracking, and do not share your data with third-party advertisers. Where we process personal data to operate and secure the Website, we rely primarily on legitimate interest as our legal basis, as permitted under GDPR Article 6(1)(f). Where we send newsletter communications, we rely on your consent (see Sections 4.1 and 7).

2. Who We Are

Polyatomic OÜ is a company registered in the Republic of Estonia.

Legal Name	Polyatomic OÜ
Registry Code	17403854
D‑U‑N‑S® Number	987998041
VAT Number	EE102942354
EORI Number	EE17403854
EUID	EE-17403854
LEI Code	89450075W5W6HFOUWN46
UK VAT Number	GB510146151
Address	Tornimäe tn 5, 10145 Tallinn, Estonia
Email	contact@polyatomic.ai
Phone	+372 600 3360

For privacy-related inquiries, including data subject rights requests, please contact us at contact@polyatomic.ai.

3. Areas We Serve

We provide our services to users in the following regions:

European Union (all member states)
European Economic Area (Norway, Iceland, Liechtenstein)
Switzerland
United Kingdom
United States
Canada
Australia
New Zealand

This Privacy Policy is designed to comply with the data protection laws applicable in all of these jurisdictions, to the extent those laws apply to our processing activities.

4. Information We Collect

4.1 Newsletter Subscription Data

When you subscribe to our newsletter or updates, we collect and store:

Data	Purpose	Retention
Email address	To send you updates and communications	Until you unsubscribe
Subscription timestamp	To record when you subscribed	Until you unsubscribe
Verification timestamp	To record when you confirmed your email	Until you unsubscribe
Subscription status	To manage your subscription (pending/verified)	Until you unsubscribe
Internal subscriber ID	Internal record management (random identifier)	Until you unsubscribe
IP address at signup	Rate limiting and fraud prevention	Up to 90 days

Double Opt-In: When you submit your email address, we send a verification email to confirm your subscription. Your subscription is only activated after you click the verification link in that email. Unverified subscriptions are automatically deleted after 24 hours.

4.2 Automatically Collected Technical Data

When you visit our Website, our servers necessarily receive certain technical information from your browser (for example, to route traffic and deliver the requested content). We process this data to operate and secure the Website. As described below, we do not retain these identifiers for analytics; we retain full technical details only when a security event is triggered (see Section 6).

Data	Purpose	Stored?
IP address	Route traffic, security (rate limiting)	Not stored for analytics; stored only for security events (see Section 6)
User-Agent string	Derive device/browser/OS categories; detect abuse	Stored only as aggregated categories for analytics; stored in full only for security events (see Section 6)
Referrer header	Traffic source classification; detect abuse	Stored only as referrer category/domain for analytics; stored in full only for security events (see Section 6)
Accept-Language header	Detect browser language; security analysis	Not stored for analytics; stored only for security events (see Section 6)
TLS fingerprint (JA3/JA4)	Bot/automation detection, security analysis	Kept in memory briefly; stored only for security events (see Section 6)

4.3 Data We Do NOT Collect

We explicitly do not collect:

Third-party tracking cookies or advertising pixels
Cross-site tracking / cross-context behavioral advertising
Browser fingerprinting for marketing or advertising (e.g., canvas/audio/WebGL)
Precise geographic location (city-level or below)
Browsing history across other websites
Personal data from third-party sources
Payment or financial information (we do not sell products on this Website)
Sensitive personal data (health, religious beliefs, political opinions, etc.)

5. How We Use Your Information

5.1 Newsletter Communications

If you subscribe to our newsletter, we use your email address to:

Send you a verification email to confirm your subscription
Send periodic updates about Polyatomic, our products, and services
Notify you of important announcements

Every email we send includes an unsubscribe link. You can unsubscribe at any time by clicking this link or by contacting us at contact@polyatomic.ai.

5.2 Website Operation and Security

We process technical data to:

Deliver web pages and content to your browser
Protect against automated abuse, spam, and attacks
Enforce rate limits to prevent service disruption
Detect and block malicious traffic (bots, scanners, attackers)

5.3 Anonymous Analytics

We collect privacy-preserving analytics to understand how our Website is used and to measure its performance. We design this analytics system so that the data we retain is aggregated:

Stored as statistical counts only (no per-user event logs)
Does not create user IDs or session IDs
Does not use third-party analytics services
Does not use tracking cookies or local storage for cross-site tracking
Does not build user profiles or track you across other websites
Uses short-lived, strictly necessary first-party cookies to protect forms and analytics integrity (see Section 11)

Some technical identifiers (such as IP addresses) are necessarily processed at the time of a request to deliver the Website and to compute coarse, aggregate statistics (for example, country-level distribution). We do not store IP addresses for analytics purposes and we retain only aggregate counters.

Server-side metrics we collect:

Page view counts (daily aggregates)
Traffic sources (referrer domain categorized as direct/search/social/community/referral)
UTM campaign parameters (if present in the URL)
Device type distribution (mobile/desktop/tablet, derived from User-Agent)
Browser family distribution (Chrome/Firefox/Safari/Edge/other)
Operating system distribution (Windows/macOS/iOS/Android/Linux)
Country-level geographic distribution (from IP lookup at request time; IP address is not stored for analytics purposes)

Client-side JavaScript analytics: We use a first-party JavaScript module (no third-party libraries) to collect additional anonymous, aggregate performance and usage metrics. This script does not set any cookies, does not create user or session identifiers, and does not perform cross-site tracking. All data is sent to our own servers and stored as aggregate counters only. The following client-side metrics are collected:

Scroll depth (bucketed: 0%, 25%, 50%, 75%, 100%)
Section visibility (which page sections are viewed)
Button/link click counts (e.g., "Join waitlist" clicked — stored as aggregate counter by button name)
Time on page (bucketed server-side: <10s, 10–30s, 30–60s, 1–3m, 3m+; raw duration never stored)
Core Web Vitals performance metrics (LCP, CLS, INP, TTFB — classified server-side as good/needs-improvement/poor)
Viewport width (bucketed server-side by device category; exact pixel width never stored)
Color scheme preference (light/dark)
Outbound link click counts (destination domain sent transiently; stored server-side in fixed-size aggregate buckets, never full URL)
Newsletter form funnel stages (e.g., "focused email field", "submitted form" — aggregate counts per stage)
Proof-of-work solve time (bucketed server-side; raw timing never stored)

This script respects the Do Not Track browser setting: if enabled, no client-side analytics data is collected.

Analytics integrity token: To prevent automated analytics poisoning, we set a short-lived, HttpOnly cookie (_at) and require it for analytics recording. We do not store this token in our database; it expires automatically.

Legal Basis: Where the collected data qualifies as anonymous/aggregated and cannot identify an individual, it is not treated as personal data under GDPR (see Recital 26). To the extent that any transient processing involves personal data (for example, IP addresses processed at request time), we process it under our legitimate interests in operating, measuring, and securing the Website, and we retain only aggregated results.

6. Security Logging

To protect our Website, users, and infrastructure, we log detailed information when security events are triggered. This is distinct from anonymous analytics and involves processing personal data.

6.1 When Security Logging Occurs

Security logging is triggered only in specific circumstances, such as:

Rate limit violations (too many requests in a short period)
Suspected automated abuse (bot detection, honeypot triggers)
Invalid or malicious requests (SQL injection attempts, XSS patterns, path traversal)
Vulnerability scanning (requests to known scanner paths like /wp-admin, /.env, etc.)
Failed form submissions from the same IP address (repeated failures)

Normal visitors who browse the Website normally do not trigger security logging.

6.2 What We Log for Security Events

When a security event is triggered, we may log:

Data	Purpose
IP address	Identify and block malicious actors
Timestamp	Correlate attack patterns
Request details (HTTP method, URL path, query string)	Analyze attack signatures
Request headers (User-Agent, Origin, Referer, Accept-Language, Content-Type)	Detect bot/scanner patterns and correlate security events
Country code (from IP lookup)	Identify attack origins
TLS fingerprint hashes (JA3/JA4)	Detect automation and correlate security events
Network metadata (ASN, hosting provider, Tor/proxy/datacenter indicators)	Identify attack sources and infrastructure patterns
Event classification (event type, severity, structured details)	Categorize and prioritize security responses

6.3 Legal Basis for Security Logging

We process this personal data under GDPR Article 6(1)(f) — Legitimate Interest, combined with:

GDPR Recital 47: Processing for fraud prevention constitutes a legitimate interest
GDPR Recital 49: Processing for network and information security constitutes a legitimate interest

We have conducted a Legitimate Interest Assessment (LIA) and determined:

Purpose: We have a legitimate interest in preventing fraud, abuse, and security threats
Necessity: We cannot effectively prevent abuse without identifying abusive actors
Balancing: Individual rights are not overridden because:
- Only security-triggering requests are logged (not all traffic)
- Data is used only for security purposes (not marketing or profiling)
- Retention is limited to 90 days by default (up to 1 year for active investigations)
- Users can request access to their security data

6.4 Security Data Retention

Data Type	Retention Period
Security event logs	90 days by default (up to 1 year for active investigations)
TLS fingerprint security records	90 days
IP blocklist entries	Until reviewed or expired
IP reputation scores	Up to 90 days after last activity

7. Legal Basis for Processing

We rely on the following legal bases under GDPR Article 6(1):

Processing Activity	Legal Basis	GDPR Article
Newsletter subscription	Consent (you actively submit your email)	Article 6(1)(a)
Sending verification emails	Legitimate interest (confirming your request and preventing abuse)	Article 6(1)(f)
Sending newsletter emails	Consent (confirmed via double opt-in)	Article 6(1)(a)
Rate limiting and abuse prevention	Legitimate interest	Article 6(1)(f)
Security logging	Legitimate interest (fraud prevention, network security)	Article 6(1)(f)
Anonymous analytics	Legitimate interest (Website measurement using aggregated counters)	Article 6(1)(f)

8. Data Retention

We retain your data only as long as necessary for the purposes described in this Policy:

Data Category	Retention Period
Verified newsletter subscribers	Until you unsubscribe
Pending (unverified) subscriptions	Automatically deleted after 24 hours
Unsubscribed email addresses	Retained as a suppression record to honor your unsubscribe, until deletion is requested
Newsletter signup IP address	Up to 90 days
Security logs	90 days by default (up to 1 year for active investigations)
Anonymous analytics	Daily/hourly aggregates up to 90 days; monthly rollups retained indefinitely (aggregate counts only)

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

9.1 Rights Under GDPR (EU/EEA/UK)

Right	Description
Right to Access	Request a copy of the personal data we hold about you
Right to Rectification	Request correction of inaccurate data
Right to Erasure	Request deletion of your personal data
Right to Restrict Processing	Request that we limit how we use your data
Right to Data Portability	Receive your data in a portable format
Right to Object	Object to processing based on legitimate interest
Right to Withdraw Consent	Withdraw consent at any time (e.g., unsubscribe from newsletter)

9.2 Rights Under Other Laws

Switzerland (FADP): Right to access and, where applicable, request correction or deletion of personal data
California (CCPA/CPRA): Right to know, delete, correct, and opt-out of "sales" (we do not sell personal data)
Other U.S. States: Depending on your state and our processing activities, you may have rights similar to access, deletion, correction, and opt-out of certain uses (for example, targeted advertising; we do not engage in cross-context behavioral advertising)
Canada (PIPEDA/Quebec Law 25): Right to access, correct, and challenge compliance
Australia (Privacy Act): Right to access and correct personal information
New Zealand (Privacy Act 2020): Right to access and correct personal information

9.3 How to Exercise Your Rights

To exercise any of these rights, please contact us at:

Email: contact@polyatomic.ai

Subject Line: Privacy Request - [Your Request Type]

Please include:

Your email address (if the request relates to newsletter subscription)
A description of your request
Any relevant details to help us locate your data

We will respond to your request within 30 days. For complex requests, we may extend this period by an additional 60 days, in which case we will inform you of the extension.

9.4 Exercising Rights Over Security Data

If you believe your IP address may have been logged due to a security event (see Section 6), you can request access to or deletion of this data:

To request access to security logs:

Email contact@polyatomic.ai with subject line: "Security Data Access Request"
Provide the IP address(es) you want to query (you can find your IP at sites like whatismyip.com)
Provide approximate dates when you visited our Website
We will search our security logs and provide any records associated with your IP address within 30 days

To request deletion of security logs:

Email contact@polyatomic.ai with subject line: "Security Data Deletion Request"
Provide the IP address(es) you want removed from our logs
We will delete the records within 30 days, unless an exception applies (see Section 9.5)

Note: We can only locate security data using IP addresses. If your IP address has changed since the security event, we may not be able to locate all relevant records.

9.5 Limitations on Rights

In certain circumstances, we may refuse or limit your request:

Security data: We may refuse deletion requests if the data is needed for ongoing security investigations or defense of legal claims (GDPR Article 17(3)(e))
Anonymous data: Rights do not apply to anonymous/aggregated data, as it cannot identify you
Verification: We may require you to verify your identity before processing your request

10. Unsubscribing from Communications

You can unsubscribe from our newsletter at any time by:

Clicking the unsubscribe link in any email we send you
Contacting us at contact@polyatomic.ai with the subject "Unsubscribe Request"

Upon receiving your unsubscribe request, we will:

Stop sending you newsletter emails
Mark your subscription as unsubscribed and retain a minimal record to ensure we honor your opt-out

Note: Unsubscribing will not affect any security logs associated with your IP address, which are retained separately under our legitimate interest in fraud prevention.

11. Cookies and Tracking Technologies

11.1 We Do Not Use Advertising or Cross-Site Tracking

We do not use cookies or similar technologies for advertising, cross-site tracking, or third-party analytics. We do not participate in advertising networks or cross-context behavioral advertising.

11.2 Strictly Necessary Cookies

We may use strictly necessary cookies that are exempt from consent requirements under applicable cookie rules (including the ePrivacy Directive (Article 5(3)) and, in the UK, PECR):

Cookie	Purpose	Duration
`_at`	Protect analytics from automated poisoning (integrity token)	2 hours
`csrf_token`	CSRF protection for the newsletter signup form	2 hours

These cookies:

Are used to protect our forms and analytics endpoints from abuse
Are not used for advertising or cross-site tracking
Are deleted after use or expiration
Have security attributes (Secure, SameSite=Strict; HttpOnly where applicable)

11.3 No Cookie Banner Required

Because we do not use non-essential cookies, we do not request cookie consent via a banner on our Website. We still provide this section so you are informed about the strictly necessary cookies we use. If our cookie use changes, we will update this Policy accordingly.

12. Data Security

We implement appropriate technical and organizational measures to protect your data:

Encryption in Transit: All traffic is encrypted using TLS 1.2 or higher (HTTPS)
Encryption at Rest: Database files are protected with filesystem-level permissions
Access Controls: Server access is restricted to authorized personnel only
Rate Limiting: Protection against brute-force and denial-of-service attacks
Proof-of-Work: Anti-spam measure for form submissions
Input Validation: All user input is validated and sanitized
Security Headers: HSTS, CSP, X-Frame-Options, and other security headers are enforced

No system is 100% secure. While we implement industry-standard security measures, we cannot guarantee absolute security. We will notify affected users and relevant authorities if a data breach occurs, as required by applicable law.

13. International Data Transfers

13.1 Data Processing Location

Our core Website infrastructure (web servers and databases) is hosted on servers located in Germany (European Union), specifically at Hetzner Online GmbH's data center in Falkenstein, Germany.

13.2 Transfers Outside the EU/EEA

Our core Website infrastructure and databases are hosted in the European Union. However, if you contact us by email, your message is processed by our email provider (Google Workspace), which may involve processing outside the EU/EEA. Where required, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms.

If we were to transfer data outside the EU/EEA in the future, we would ensure adequate protection through:

EU Standard Contractual Clauses (SCCs): Approved by the European Commission
UK Addendum: For transfers from the UK
Adequacy Decisions: Where the destination country has been recognized as providing adequate protection

13.3 Sub-Processors

We use the following sub-processors to provide our services:

Sub-Processor	Role	Location	Data Processed
Hetzner Online GmbH	Infrastructure hosting	Falkenstein, Germany (EU)	Website infrastructure and databases (subscriber database, analytics/security logs)
Google Workspace	Email and collaboration (internal tool)	Global	Emails sent to our @polyatomic.ai addresses (message content and metadata)

Hetzner Online GmbH is a German company subject to GDPR. We have a Data Processing Agreement (DPA) in place with Hetzner that ensures they process data only according to our instructions and implement appropriate security measures.

In addition to the service providers listed above, we may disclose information if required to comply with applicable law, lawful requests, or to protect the rights, property, and security of Polyatomic, our users, or others.

Hetzner Contact Information:

Company: Hetzner Online GmbH
Address: Industriestr. 25, 91710 Gunzenhausen, Germany
Privacy Policy: https://www.hetzner.com/legal/privacy-policy

14. Third-Party Services

14.1 Infrastructure Hosting (Hetzner)

Our Website and database are hosted on infrastructure provided by Hetzner Online GmbH, a German hosting provider. Hetzner acts as a Data Processor (sub-processor) under GDPR Article 28.

Provider	Hetzner Online GmbH
Role	Infrastructure hosting (Data Processor)
Data Center Location	Falkenstein, Germany (EU)
Data Processed	Website infrastructure and databases (subscriber database, analytics/security logs)
DPA Status	Data Processing Agreement in place

For more information, see Hetzner's privacy policy at https://www.hetzner.com/legal/privacy-policy

14.2 Email (Sending and Receiving)

Email receiving and internal communications: We use Google Workspace as an internal email and collaboration tool. If you email us (for example at contact@polyatomic.ai), your email address, message content, and any attachments are processed and stored by Google Workspace so that we can receive and respond to you.

Email sending (newsletter and verification): Verification and newsletter emails are sent from our own mail server running on our infrastructure. We do not use a third-party email delivery platform for sending (e.g., SendGrid/Mailgun/Postmark).

14.3 No Third-Party Analytics

We do not use third-party analytics services such as Google Analytics, Facebook Pixel, or similar tools. All analytics are processed in-house and are anonymized.

14.4 No Advertising Networks

We do not display advertisements or participate in advertising networks. We do not share your data with advertisers.

15. Children's Privacy

Our Website and services are not intended for children under the age of 16 (or the applicable age of digital consent in your jurisdiction). In the United States, our Website is not directed to children under 13.

We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at contact@polyatomic.ai, and we will delete the data promptly.

16. Links to Other Websites

Our Website may contain links to third-party websites (e.g., social media profiles). We are not responsible for the privacy practices of these external sites. We encourage you to review their privacy policies before providing any personal data.

17. Changes to This Policy

We may update this Privacy Policy from time to time. When we make changes:

We will update the "Last Updated" date at the top of this Policy
For significant changes, we may notify newsletter subscribers by email
The updated Policy will be posted on this page

We encourage you to review this Policy periodically to stay informed about how we protect your data.

18. Complaints

If you believe we have not handled your personal data in accordance with applicable law, you have the right to lodge a complaint with a supervisory authority.

EU/EEA Residents

You may contact your local Data Protection Authority. For Estonia (our country of establishment):

Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon)

Website: https://www.aki.ee/en
Email: info@aki.ee
Address: Tatari 39, 10134 Tallinn, Estonia

UK Residents

Information Commissioner's Office (ICO)

Website: https://ico.org.uk
Phone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

Other Jurisdictions

Please contact your local data protection authority or privacy regulator. Depending on your location, this may include, for example, the Swiss Federal Data Protection and Information Commissioner (FDPIC), the Office of the Privacy Commissioner of Canada, the Office of the Australian Information Commissioner (OAIC), the Office of the Privacy Commissioner (New Zealand), or the relevant U.S. state regulator.

19. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

19.1 Categories of Personal Information

We may collect the following categories of personal information:

Category	Examples	Collected?
Identifiers	Email address, IP address	Yes
Internet Activity	Interaction with our Website (aggregate page views, referrer domains)	Yes (aggregate only)
Geolocation	Precise location	No (country-level only for analytics)
Professional/Employment	Job title, employer	No
Inferences	Preferences, characteristics	No

19.2 No Sale or Sharing

We do not "sell" or "share" your personal information as defined under CCPA/CPRA. We do not disclose personal information to third parties for monetary or other valuable consideration, nor do we share it for cross-context behavioral advertising.

19.3 Your California Rights

You have the right to:

Know what personal information we collect
Delete your personal information
Correct inaccurate personal information
Opt-out of sale/sharing (not applicable — we do not sell or share)
Non-discrimination for exercising your rights

To exercise these rights, contact us at contact@polyatomic.ai.

20. Contact Us

If you have any questions about this Privacy Policy or our data practices, please contact us:

Polyatomic OÜ

Email: contact@polyatomic.ai
Phone: +372 600 3360
Address: Tornimäe tn 5, 10145 Tallinn, Estonia

We aim to respond to all inquiries within 5 business days.

21. Summary

What We Do	What We Don't Do
Collect your email for newsletter signup (with your consent)	Use tracking cookies
Send verification emails (double opt-in)	Share data with advertisers
Protect against abuse and fraud	Sell your personal data
Collect anonymous, aggregated analytics	Track you across websites
Log security events under legitimate interest	Profile you for marketing
Host core services in the EU	Transfer data internationally for advertising or without safeguards
Include unsubscribe links in every email	Make unsubscribing difficult
Honor your data subject rights	Ignore privacy requests

Thank you for trusting Polyatomic with your data.
We take your privacy seriously.