Privacy Policy
Last Updated: December 10, 2025
Effective Date: December 10, 2025
Privacy Commitment: Polaris is committed to protecting your privacy and ensuring the security of your personal information in compliance with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
1. Introduction
Welcome to Polaris ("Company," "we," "us," or "our"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our procurement readiness and business maturity platform (the "Platform" or "Services").
We are committed to protecting your privacy and handling your data in an open and transparent manner. This Privacy Policy is designed to comply with the General Data Protection Regulation (GDPR) for users in the European Economic Area (EEA) and the United Kingdom, and the California Consumer Privacy Act (CCPA) for California residents.
By using our Platform, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use our Services.
1.1 Data Controller
For the purposes of the GDPR, Polaris is the data controller responsible for your personal data. Our contact details are provided in Section 16 of this Privacy Policy.
2. Information We Collect
We collect several types of information from and about users of our Platform:
2.1 Personal Data
Personal data refers to information that identifies you as an individual. We collect the following categories of personal data:
- Identity Data: Full name, username, title, date of birth
- Contact Data: Email address, telephone number, physical address
- Professional Data: Job title, employer, professional credentials
- Account Data: Username, password (stored only as a bcrypt hash, see Section 7.1), account preferences
- Financial Data: Payment card details (processed by Stripe), billing address, purchase history
2.2 Business Data
As a procurement readiness platform, we collect business-related information including:
- Business name, structure, and registration details
- SAM.gov registration information and UEI number
- Business certifications and credentials (8(a), HUBZone, SDVOSB, WOSB, etc.)
- NAICS codes and industry classifications
- Business capability statements and past performance records
- Assessment responses and maturity evaluation results
- Evidence documents and supporting materials
- Contract history and procurement experience
2.3 Usage Data
We automatically collect certain information when you access and use our Platform:
- IP address and approximate geographic location
- Browser type, version, and operating system
- Device type and unique device identifiers
- Pages visited, time spent, and navigation patterns
- Referring website addresses
- Date and time stamps of Platform access
- Feature usage and interaction data
- Error logs and performance metrics
2.4 Cookies and Tracking Data
We use cookies and similar tracking technologies to collect information about your browsing activities. See Section 13 for detailed information about our use of cookies.
3. How We Use Your Information
We use your personal information for the following purposes:
3.1 Service Delivery
- Creating and managing your user account
- Providing access to assessment tools and resources
- Processing business maturity evaluations
- Generating readiness reports and recommendations
- Facilitating connections with service providers and partners
3.2 Platform Operations
- Authenticating your identity and maintaining security
- Processing payments and managing subscriptions
- Providing customer support and responding to inquiries
- Sending transactional emails and notifications
- Enforcing our Terms of Service and policies
3.3 AI-Powered Features
- Providing AI coaching and personalized recommendations
- Generating improvement suggestions based on assessment results
- Offering strategic guidance for procurement readiness
- Automating action plan creation and next steps
3.4 Analytics and Improvement
- Analyzing Platform usage to improve user experience
- Conducting research and statistical analysis
- Monitoring performance and identifying issues
- Developing new features and services
3.5 Marketing and Communications
- Sending promotional communications (with your consent)
- Notifying you of updates and new features
- Conducting surveys and collecting feedback
3.6 Legal and Compliance
- Complying with legal obligations and regulations
- Responding to legal requests and preventing fraud
- Protecting our rights and the safety of users
4. Legal Basis for Processing (GDPR)
Under the GDPR, we must have a lawful basis for processing your personal data. We rely on the following legal bases depending on the type of processing:
4.1 Consent
Where you have given us clear, affirmative consent to process your personal data for specific purposes. You may withdraw your consent at any time by contacting us or adjusting your account settings.
We rely on consent for:
- Marketing and promotional communications
- Sharing your profile with resource partners for referrals
- Using optional cookies and analytics
- AI-powered personalization features
4.2 Contractual Necessity
Where processing is necessary for the performance of a contract to which you are a party, or to take steps at your request prior to entering into a contract.
We rely on contractual necessity for:
- Creating and managing your user account
- Providing assessment services and generating reports
- Processing payments for subscriptions and purchases
- Matching you with service providers you request
- Customer support and service delivery
4.3 Legitimate Interests
Where processing is necessary for our legitimate interests or those of a third party, except where such interests are overridden by your interests or fundamental rights.
Our legitimate interests include:
- Improving and optimizing our Platform and services
- Ensuring Platform security and preventing fraud
- Analyzing usage patterns to enhance user experience
- Maintaining records for business administration
- Conducting internal research and analytics
4.4 Legal Obligation
Where processing is necessary to comply with a legal obligation to which we are subject.
This includes:
- Responding to valid legal requests and court orders
- Maintaining records required by law
- Complying with tax and financial regulations
- Reporting illegal activities to authorities
5. Data Sharing and Disclosure
We may share your personal information in the following circumstances:
5.1 Service Providers and Partners (User-Initiated)
When you choose to connect with service providers or request referrals to resource partners, we share relevant information to facilitate these connections. This sharing occurs only with your explicit consent.
5.2 Sponsoring Agencies
If you register through a sponsoring agency (economic development organization, business incubator, etc.), that agency may have access to your assessment progress and results for program monitoring purposes.
5.3 Third-Party Service Providers
We engage the following categories of third-party service providers:
Payment Processing - Stripe
We use Stripe to process payments securely. Stripe collects and processes payment card information according to PCI-DSS standards. We do not store full credit card numbers on our servers. See: Stripe Privacy Policy
AI Services - OpenAI
We use OpenAI's services to power our AI coaching and recommendation features. Assessment data and queries may be processed by OpenAI systems to generate personalized guidance. See: OpenAI Privacy Policy
Government Data - SAM.gov
We integrate with SAM.gov (System for Award Management) to verify business registration and retrieve publicly available entity information. This helps validate business credentials and procurement eligibility. See: SAM.gov Privacy Policy
Email Services - Resend
We use Resend to deliver transactional emails and notifications. Your email address and message content are processed through their systems. See: Resend Privacy Policy
Additional third-party providers include:
- Cloud hosting and infrastructure providers
- Analytics and monitoring tools
- Customer support platforms
- Authentication services (Google OAuth)
5.4 Legal Requirements
We may disclose your information when required by law, including in response to:
- Valid subpoenas, court orders, or legal processes
- Government or regulatory investigations
- Protection of our legal rights and property
- Prevention of fraud or security threats
- Protection of public safety
5.5 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of assets, your information may be transferred to the acquiring entity. We will notify you of any such change and its implications for your data.
5.6 We Do Not Sell Personal Information
Important: Polaris does not sell, rent, or trade your personal information to third parties for their marketing purposes. We do not share your personal information with third parties for monetary consideration.
6. Data Retention
We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected and to comply with legal obligations. Our retention periods are as follows:
6.1 Retention Periods
| Data Type | Retention Period |
|---|---|
| Active account data | Duration of account plus 30 days |
| Assessment results | 7 years (for audit and compliance) |
| Financial/transaction records | 7 years (legal requirement) |
| Evidence uploads | Duration of account plus 90 days |
| Analytics data (anonymized) | Up to 26 months |
| Server logs | 90 days |
| Marketing consent records | Duration of consent plus 3 years |
6.2 Deleted Account Data
When you delete your account, we will delete or anonymize your personal data within 30 days, except where we are required to retain certain data for legal or compliance purposes.
6.3 Legal Hold
If there is ongoing litigation, investigation, or dispute, we may retain relevant data for longer periods as required by law or legal counsel.
7. Data Security
We implement comprehensive technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction.
7.1 Technical Measures
- Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Password Security: Bcrypt hashing with industry-standard salt rounds
- Authentication: Secure JWT tokens with automatic expiration
- Multi-Factor Authentication: Optional MFA/2FA for enhanced account security
- Network Security: Firewalls, intrusion detection, and DDoS protection
7.2 Organizational Measures
- Access Controls: Role-based access control (RBAC) limiting data access
- Principle of Least Privilege: Employees access only data necessary for their role
- Security Training: Regular training for all personnel with data access
- Vendor Assessment: Security review of third-party service providers
7.3 Monitoring and Auditing
- Comprehensive audit logging of system access and changes
- Regular security assessments and penetration testing
- Automated threat monitoring and alerting
- Incident response procedures and breach notification protocols
7.4 Breach Notification
In the event of a data breach that affects your personal data, we will notify you and the relevant supervisory authorities within 72 hours as required by the GDPR.
8. Your Rights Under GDPR
If you are located in the European Economic Area (EEA) or the United Kingdom, you have the following rights under the General Data Protection Regulation:
8.1 Right of Access (Article 15)
You have the right to request a copy of the personal data we hold about you. We will provide this information free of charge within one month of your request. You can also access much of your data directly through your account dashboard.
8.2 Right to Rectification (Article 16)
You have the right to request correction of inaccurate personal data and completion of incomplete personal data. You can update most information directly through your profile settings.
8.3 Right to Erasure / Right to be Forgotten (Article 17)
You have the right to request deletion of your personal data when:
- The data is no longer necessary for its original purpose
- You withdraw consent and there is no other legal basis
- You object to processing and there are no overriding legitimate grounds
- The data has been unlawfully processed
- The data must be erased to comply with a legal obligation
8.4 Right to Data Portability (Article 20)
You have the right to receive your personal data in a structured, commonly used, machine-readable format (JSON or CSV) and transmit it to another controller. This right applies to data processed based on consent or contract.
8.5 Right to Restriction of Processing (Article 18)
You have the right to request restriction of processing when:
- You contest the accuracy of the data (pending verification)
- The processing is unlawful but you prefer restriction over erasure
- We no longer need the data but you require it for legal claims
- You have objected to processing pending verification of legitimate grounds
8.6 Right to Object (Article 21)
You have the right to object to processing based on legitimate interests, including profiling. You also have the absolute right to object to processing for direct marketing purposes at any time.
8.7 Right to Withdraw Consent
Where processing is based on your consent, you have the right to withdraw that consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.
8.8 Right to Lodge a Complaint
Supervisory Authority: You have the right to lodge a complaint with a supervisory authority if you believe our processing of your personal data infringes the GDPR. For EEA residents, this is typically the data protection authority in your country of residence. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.
8.9 Automated Decision-Making (Article 22)
You have the right not to be subject to decisions based solely on automated processing that significantly affect you. Our AI coaching features provide recommendations but do not make automated decisions with legal or similarly significant effects. Human review is available upon request.
9. Your Rights Under CCPA
If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA):
9.1 Right to Know
You have the right to request that we disclose:
- The categories of personal information we have collected about you
- The categories of sources from which personal information is collected
- The business or commercial purpose for collecting personal information
- The categories of third parties with whom we share personal information
- The specific pieces of personal information we have collected about you
9.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions. We will delete your personal information within 45 days of receiving a verifiable request, or notify you if an exception applies.
9.3 Right to Correct
You have the right to request correction of inaccurate personal information we maintain about you.
9.4 Right to Opt-Out of Sale/Sharing
Do Not Sell or Share My Personal Information: Polaris does not sell or share your personal information for cross-context behavioral advertising. We do not sell personal information for monetary consideration. No opt-out is necessary as we do not engage in these practices.
9.5 Right to Limit Use of Sensitive Personal Information
You have the right to limit the use and disclosure of sensitive personal information to that which is necessary to perform services or provide goods reasonably expected.
9.6 Right to Non-Discrimination
Non-Discrimination: We will not discriminate against you for exercising your CCPA rights. We will not deny services, charge different prices, provide a different level of service, or suggest you will receive different treatment for exercising your privacy rights.
10. California Privacy Rights (CCPA Specific Disclosures)
10.1 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
| Category | Examples | Collected |
|---|---|---|
| Identifiers | Name, email, phone, IP address | Yes |
| Personal information (Cal. Civ. Code § 1798.80) | Name, address, telephone, financial info | Yes |
| Commercial information | Purchasing history, products purchased | Yes |
| Internet/network activity | Browsing history, interaction with website | Yes |
| Geolocation data | Approximate location from IP address | Yes |
| Professional/employment information | Job title, business information | Yes |
| Inferences | Business maturity level, procurement readiness | Yes |
10.2 Business Purposes for Collection
We collect personal information for the following business purposes:
- Providing and improving our Platform and Services
- Processing transactions and payments
- Communicating with users about their accounts and Services
- Providing customer support
- Personalizing user experience and recommendations
- Analyzing usage patterns to improve Services
- Ensuring security and preventing fraud
- Complying with legal obligations
10.3 Sources of Personal Information
- Directly from you when you register or use our Services
- Automatically through cookies and tracking technologies
- From third-party services (Google OAuth, SAM.gov)
- From sponsoring agencies (if applicable)
10.4 Shine the Light (Cal. Civ. Code § 1798.83)
California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated above, we do not share personal information with third parties for their direct marketing purposes.
11. International Data Transfers
Your personal data may be transferred to and processed in countries other than your country of residence, including the United States. These countries may have different data protection laws than your jurisdiction.
11.1 Transfer Safeguards
When we transfer personal data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): We use EU-approved SCCs with third-party providers
- Data Processing Agreements: Binding agreements with all data processors
- Adequacy Decisions: Transfers to countries recognized by the EU as providing adequate protection
- Supplementary Measures: Additional technical and organizational measures where necessary
11.2 Data Localization
Our primary data processing occurs in the United States. By using our Services, you consent to the transfer and processing of your data in the United States, subject to the safeguards described above.
12. Children's Privacy
Age Restriction: Our Platform is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children under 16 years of age. This age threshold complies with GDPR requirements for consent.
If we become aware that we have collected personal data from a child under 16 without verification of parental consent, we will take immediate steps to delete that information from our servers.
If you believe we have collected information from a child under 16, please contact us immediately at privacy@polarisplatform.com.
14. Third-Party Links
Our Platform may contain links to third-party websites, applications, or services. We are not responsible for the privacy practices of these third parties. We encourage you to read the privacy policies of any third-party sites you visit.
Third-party links on our Platform may include:
- Government websites (SAM.gov, SBA.gov)
- Service provider websites
- Educational resources and industry publications
- Social media platforms
15. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For material changes, we will notify you via email or prominent notice on our Platform
- We will provide at least 30 days' notice before significant changes take effect
- We will request your consent where required by law
We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.
16. Contact Information
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Polaris Privacy Team
General Privacy Inquiries: privacy@polarisplatform.com
Data Protection Officer (DPO): dpo@polarisplatform.com
Legal Department: legal@polarisplatform.com
Customer Support: support@polarisplatform.com
We will respond to your inquiries within 30 days in accordance with applicable data protection regulations. For GDPR-related requests, we will respond within one month.
17. How to Exercise Your Rights
You can exercise your privacy rights through the following methods:
17.1 Self-Service Options
- Account Settings: Update personal information and preferences directly in your profile
- Privacy Dashboard: Access your data, download exports, and manage consents at /dashboard/privacy
- Cookie Settings: Manage cookie preferences at /dashboard/cookies
- Email Preferences: Unsubscribe links in all marketing emails
17.2 Formal Requests
For requests that cannot be handled through self-service options:
- Email your request to privacy@polarisplatform.com
- Include your full name, email address associated with your account, and specific request
- For security, we may need to verify your identity before processing
- We will acknowledge your request within 5 business days
- We will complete most requests within 30 days (or one month for GDPR)
17.3 Authorized Agents
You may designate an authorized agent to make requests on your behalf. The agent must provide written authorization signed by you, and we may still require verification of your identity.
17.4 Appeals
If we deny your request, we will provide an explanation. You have the right to appeal our decision by contacting us at privacy@polarisplatform.com with "Privacy Appeal" in the subject line. You may also lodge a complaint with the relevant supervisory authority.
Acknowledgment: By using the Polaris Platform, you acknowledge that you have read, understood, and agree to this Privacy Policy. This Privacy Policy is intended to comply with GDPR, CCPA/CPRA, and other applicable privacy regulations. For specific legal questions, please consult with qualified legal counsel.