Privacy Policy
Last updated: 15 May 2026
This notice explains how Polara AI processes personal data collected via polara-ai.com, under Regulation (EU) 2016/679 (GDPR) and Italian Legislative Decree 196/2003 (Privacy Code).
1. Data controller
Luca Edward Villa — sole proprietor of Polara AI
VAT: IT12844070966
Registered office: Milan, Italy
Email: luca@polara-ai.com
No DPO has been appointed; for any data-protection enquiry contact the controller directly by email.
2. What data we collect, and how
We only collect data you actively provide through one of three channels on the site:
a) Contact form
- Name, email, company (optional), message.
- IP address for technical rate-limiting (held in volatile memory only, discarded after 1 hour).
b) Readiness Audit (5-question form)
- Answers to the 5 questions (company description, repetitive task, number of tools, hours lost per week).
- Name, email, company name (optional).
- IP address for rate-limiting (1 hour).
c) AI chatbot
- The content of the messages you send to the chatbot. The conversation is not persisted server-side: it lives in browser-session memory for the duration of your visit. We do not profile or link conversations to any identity.
- IP address for rate-limiting (1 minute).
- If you spontaneously share your name or email during the conversation, that data is processed under the consent legal basis.
We do not collect: third-party browsing data (Google Analytics, Meta Pixel, etc.), profiling cookies, biometric data, or special-category data (GDPR art. 9).
3. Purposes and legal basis
| Purpose | Legal basis |
|---|---|
| Replying to enquiries sent via the contact form | Data subject's consent (GDPR art. 6.1.a) |
| Generating and emailing the Readiness Audit report | Data subject's consent (GDPR art. 6.1.a) |
| Interacting with the AI chatbot for information about Polara services | Pre-contractual measures at the data subject's request (GDPR art. 6.1.b) |
| Adding contacts to Polara's sales CRM | Controller's legitimate interest in managing the sales pipeline (GDPR art. 6.1.f) |
| Technical security measures (rate-limiting, anti-spam) | Legitimate interest in protecting the service (GDPR art. 6.1.f) |
4. Recipients (external processors)
Your data is shared with the following providers, each bound by a GDPR art. 28 processor agreement or equivalent safeguards:
- IONOS SE (Germany, EU) — SMTP email server for message delivery. IONOS privacy policy.
- Railway Corp. (USA) — hosting infrastructure for the API powering the form, audit, and chatbot. Extra-EU transfer protected by the EU Commission's Standard Contractual Clauses. Railway privacy policy.
- Anthropic PBC (USA) — provider of the language model (Claude) powering the chatbot and audit generation. Data submitted is not used to train the models (zero-data-retention configured at workspace level). Extra-EU transfer covered by SCCs. Anthropic privacy policy.
- Attio Ltd. (UK/USA) — CRM where lead contacts are stored. The UK is recognised by the EU Commission as offering an adequate level of protection (2021 Adequacy Decision). Attio privacy policy.
We do not sell, rent, or share your data with third parties for commercial purposes.
5. Retention period
- Contact form and Audit: data is kept in the CRM for the duration of the commercial relationship; after 24 consecutive months of inactivity it is deleted or anonymised.
- Emails sent: stored in the controller's IONOS mailbox according to their email retention policy (max 5 years for tax/accounting purposes).
- Technical logs / rate-limiting: held in volatile memory for max 1 hour.
- Chatbot conversations: not persisted. The history exists only in the user's browser session and is cleared on page refresh.
6. Your rights
Under GDPR articles 15-22 you have the right to:
- Access your personal data;
- Rectify inaccurate or incomplete data;
- Erase your data ("right to be forgotten");
- Restrict processing;
- Port your data in a structured format;
- Object to processing based on legitimate interest;
- Withdraw consent at any time (without affecting lawfulness of processing before withdrawal);
- Lodge a complaint with the Italian Data Protection Authority (garanteprivacy.it).
To exercise any of these rights, email luca@polara-ai.com with "GDPR" in the subject. A reply is guaranteed within 30 days.
7. Automated decision-making and AI
The chatbot and audit use an AI model (Anthropic Claude) to generate responses and suggestions. These are informational processes: no automated decision producing legal or similarly significant effects is made on the sole basis of the model's output. Every proposed engagement from Polara is the result of a human evaluation by the controller.
8. Security
We adopt reasonable technical and organisational measures: TLS/HTTPS across all channels, multi-factor authentication on critical accounts, rate-limiting, HTTP security headers, CRM access limited to the controller only. No system is 100% invulnerable; if a breach poses a risk to your rights you will be notified under GDPR art. 34.
9. Changes
We may update this notice to reflect regulatory changes or site evolution. The "last updated" date is shown at the top of the page. Material changes will be communicated to users registered in the CRM.