We process only what customers send us, only for the workflows they configure, and we delete it when the relationship ends. No model training on customer data. No third-party sharing.
Last updated: 2026-05-31
Operational data customers explicitly send into Polymr, documents, drawings, BOMs, emails, ERP records, plus minimal account metadata (user email, role, login timestamps). For website visitors, we collect IP address, page paths, referrer, browser/device class, and timestamps via privacy-preserving analytics.
Customer operational data is used only to power the workflows that customer has configured. No model training on customer data, no cross-tenant analytics, no third-party data sharing. Website analytics are aggregate-only and used to improve the site.
Essential cookies (session, preference) are always set. Analytics cookies fire only after explicit consent via the cookie banner. We do not use advertising or cross-site tracking cookies. You can clear cookies anytime in your browser.
Customer documents and operational data are retained for the life of the contract. On termination, all customer data is deleted within 30 days. Audit logs are retained per the customer's configured retention policy. Website analytics retained 13 months in aggregate.
Polymr employees access customer data only when explicitly authorized by the customer for support or implementation purposes. All such access is logged and reviewable.
A current list of infrastructure sub-processors (cloud hosting, observability, email transport, error reporting) is available on request. Customers are notified at least 30 days before material changes.
You can request access, export, correction, restriction, or deletion of personal data at any time. Customers can self-serve via their admin console or submit a request through the contact form. We respond within statutory timeframes. Standard DPA available.
Polymr operates primarily on US infrastructure. For EU/UK customers, Standard Contractual Clauses (SCCs) and UK Addendum are available under the DPA. We do not transfer personal data to jurisdictions without adequacy.
Encryption in transit (TLS 1.2+) and at rest (AES-256). Per-tenant logical isolation. Least-privilege internal access. Detailed security posture lives on the security page.
Polymr is a B2B service for industrial manufacturers and is not directed to children under 16. We do not knowingly collect data from children.
Disclaimer. This page is a plain-language summary of Polymr's privacy commitments and is not a substitute for the full Data Processing Addendum (DPA) and contract, which govern in case of conflict. Nothing on this page constitutes legal advice.
Full privacy policy, DPA, and SCCs available on request via the contact form.
