Privacy Policy
Last updated: May 2, 2026
This Privacy Policy explains what Polypick collects, why we collect it, who we share it with, and your choices. We try to keep it short and human.
What we collect
You give us
- Email + password (or a Google ID, if you sign in with Google) to create an account.
- Screenshots you upload for analysis. These are sent to our LLM provider for identification and analysis, then deleted once the job completes. We don't archive them.
- Messages you send to the AI Coach or Support form, so we can respond and improve the product.
We collect automatically
- IP address, derived country and timezone, browser, OS, and device type — recorded at signup and login for fraud prevention and analytics.
- Usage: which pages you visit, which tools you use, and basic timestamps.
- Session cookies to keep you signed in. We don't use third-party advertising cookies.
From our payment processor
- If you upgrade, our processor (Whop) tells us your subscription status. We never receive your full card number; that's stored on Whop / Stripe's side.
How we use it
- To run the service — sign you in, run analyses, render your dashboard, deliver picks.
- To send transactional notifications (e.g. payment receipts, account alerts).
- To detect abuse and rate-limit by IP.
- To improve Polypick — debugging, performance, product analytics.
Who we share it with
- Azure OpenAI and OpenRouter (LLM providers) — receive screenshots and prompts to generate analysis. They process under their own privacy terms; we don't allow training on our data.
- Whop — handles checkout and billing.
- MongoDB Atlas — hosts our database.
- AWS — hosts the application (Elastic Beanstalk on EC2).
- Google (only if you sign in with Google) — for OAuth identity.
We don't sell your data and we don't share it with advertisers.
Cookies
We use a single first-party session cookie to keep you signed in. No third-party tracking, no ad cookies, no fingerprinting.
Retention
- Account data: kept while your account is active and for up to 90 days after deletion (for legal/billing records).
- Uploaded screenshots: deleted as soon as the analysis completes (within minutes).
- Logs and analytics: 90 days.
Your rights
You can:
- Access or correct your profile from your account settings.
- Cancel your subscription any time.
- Request deletion of your account and personal data by emailing hi@polypick.app.
- If you're in the EU/UK, you have GDPR rights (access, rectification, erasure, portability). If you're in California, you have CCPA rights — same email applies.
Children
Polypick isn't for anyone under 18. We don't knowingly collect data from children.
International transfers
Our servers and providers may be in the US or other regions. By using Polypick you accept that your data may be processed in those locations under standard contractual clauses where required.
Security
We use HTTPS for everything, hash passwords with bcrypt, store sessions encrypted-at-rest in MongoDB Atlas, and limit secrets to environment configuration. No system is perfect — please report any vulnerability to hi@polypick.app.
Changes
If we make material changes to this policy, we'll notify you by email or in-app before they take effect.
Contact
Email hi@polypick.app for any privacy question or request.