Version: 2.0 — Update date: February 11, 2025.
Polaria Technologies is a SaaS publisher specializing in AI chatbots such as RAG (Retrieval-Augmented Generation), offering instant conversation solutions integrating AI and customer data. Data protection is an integral part of the DNA of Polaria Tech, which is publicly committed as a GDPR-compliant provider, dedicated to the security and confidentiality of the information processed. Your privacy is a top priority for the company, which ensures that data is stored and managed securely.
This personal data protection policy describes Polaria Technologies' commitments in terms of confidentiality, with reference to applicable laws, in particular Regulation (EU) 2016/679 of April 27, 2016 (GDPR) and French law No. 78-17 of January 6, 1978 as amended, known as the “Data Protection Act”. Polaria Tech ensures that all of these legal provisions are respected throughout the life cycle of the data processed.
Polaria Technologies strictly applies the fundamental principles of personal data protection:
Minimization of collected data: Only personal data that is strictly necessary for the purposes pursued are collected and processed. In accordance with the principle of proportionality of the GDPR, the information recorded must be relevant and limited to what is essential for the activity or service in question.
Precise and legitimate purposes: Data is collected only for a specific, explicit and legitimate purpose. Polaria Tech is committed to using data only for clearly defined and legal purposes, brought to the attention of its customers and users. No data is processed in a way that is incompatible with these initial purposes.
Confidentiality and integrity: Polaria Tech guarantees the confidentiality and integrity of the personal data processed. This includes preventing unauthorized access, illegitimate disclosure, or alteration of data. In accordance with the security principles provided by the regulations, the company ensures that only duly authorized persons can access personal information, and establishes mechanisms to detect any unauthorized changes.
Polaria Technologies demonstrates an exemplary commitment to compliance with the GDPR and associated regulations:
Strict compliance with the GDPR: All regulatory obligations are respected. Polaria Tech adopts a “Privacy by Design and by Default” approach (data protection by design and by default), maintains its register of processing activities and has appointed a Data Protection Officer (DPO) responsible for ensuring regulatory compliance. The company regularly educates its teams on good data protection practices and sets up internal compliance control processes.
Processing located in the EU: Polaria Tech ensures that all processing of personal data takes place exclusively within the European Union. In particular, the data is hosted on secure servers located in France, via the OVH infrastructure, guaranteeing a sovereign and secure architecture. This European sovereignty ensures that data always benefits from the level of protection required by European standards.
Absence of transfers outside the EEA without guarantees: Polaria Tech undertakes not to transfer personal data to countries located outside the European Economic Area (EEA), unless the recipient has an adequate level of protection or appropriate guarantees in accordance with the GDPR. In practice, an international transfer only takes place if there is a solid legal basis, for example if the destination country benefits from an adequacy decision by the European Commission or if approved standard contractual clauses are in place. These measures guarantee a level of data protection equivalent to that in force in the EU in case of necessary exceptions.
In order to ensure optimal data protection, Polaria Technologies deploys cutting-edge security measures, both technically and organizationally:
Encryption of data in transit and at rest: All personal data managed by Polaria Tech is encrypted during transmission over the network (via TLS/HTTPS protocols) and when stored on our servers. Encryption makes information unreadable to any unauthorized person, ensuring its confidentiality even in the event of interception. In addition, this mechanism contributes to maintaining the integrity of the data: any unauthorized alteration would be detected during decryption, which protects against fraudulent changes.
Secure hosting in France: Polaria Tech's technical infrastructures are hosted in highly secure data centers located in France (OVH provider). These datacenters meet the most stringent physical and logical security standards (access control, 24/7 surveillance, system redundancy) in order to protect data against intrusions, disasters or any other incident. This location in France also ensures the sovereignty of the data processed, which remains under French and European jurisdiction.
Access restriction and traceability: Polaria Technologies applies a rigorous access management policy based on the principle of least privilege. Only employees who are duly authorized and need to access the data as part of their duties can do so. Each access to sensitive information is logged in detail, making it possible to trace who accessed what data and when. Regular authorization checks, the use of robust authentications (for example, multi-factor authentication), and internal audits help prevent inappropriate access to data.
Backups and recovery plan: Regular data backups are performed to prevent any risk of accidental loss or alteration. Polaria Tech has implemented a plan for business recovery and data restoration in the event of a major incident (failure, disaster, cyber attack, etc.), making it possible to quickly restore the service and the integrity of the information. These backups are themselves protected (encrypted and stored in a secure location) and are kept for a defined period of time before being deleted.
In addition to these measures, Polaria Tech carries out periodic security tests and vulnerability analyses to identify possible flaws and correct them without delay. The entire security system is regularly updated to incorporate industry best practices and comply with evolving protection standards.
As part of the services provided, data protection is based on a clear distribution of roles between the various stakeholders:
Polaria Tech as a subcontractor: Polaria Technologies generally acts as a subcontractor within the meaning of the GDPR (the role the English text of the GDPR calls a "processor") for the processing of personal data carried out on behalf of its customers. This means that Polaria processes data only according to the documented instructions of its customers (who are the data controllers) and for the purposes they have determined. According to the legal definition, a subcontractor is the entity that processes personal data on behalf of another body responsible for the processing. Polaria Tech is committed to complying with all obligations incumbent on subcontractors (article 28 of the GDPR), in particular: the strict confidentiality of data processed on behalf of its customers, the implementation of adequate security measures, the assistance of the customer in compliance with its own obligations (for example for impact assessments or the exercise of the rights of individuals, see section 6), and the prompt notification of any data breach to the customer. A Data Processing Agreement is systematically concluded with each customer in order to frame this relationship and to specify the responsibilities of each customer, in accordance with legal requirements.
Customers (businesses/administrations) as data controllers: Polaria Tech customers, whether public bodies or private companies, are the data controllers of the data they entrust to the chatbot platform. As such, they determine the purposes and means of the processing carried out via Polaria's solutions. It is their responsibility to ensure the legality of the data collected (for example by informing end users about the use of a chatbot and data collection, or by collecting consent when necessary) and to ensure that only relevant data is transmitted to Polaria Tech. Customers must also respond to requests from data subjects concerning their data (with the support of Polaria Tech if necessary) and, more generally, comply with all GDPR obligations incumbent on data controllers. Polaria Tech provides its customers with all reasonable assistance to help them be in compliance, for example by providing information on its processing operations to allow customers to document their records, or by giving contractual guarantees of security and confidentiality.
Subsequent subcontractors of Polaria Tech: Polaria Technologies may, to provide its service, use third party service providers who are themselves subcontractors (for example for hosting, maintenance or certain functionalities). The use of any subsequent subcontractor is subject to the prior consent of the client responsible for processing, in accordance with the GDPR. Polaria ensures that each of its service providers applies data protection measures equivalent to its own. Strict contractual commitments to privacy, security, and GDPR compliance are imposed on these partners. Polaria Tech remains fully responsible to its customers for any processing carried out by a subsequent subcontractor it has appointed. In the event of a change or addition of a subcontractor, Polaria will inform its customers so that they can exercise their right of objection or obtain the appropriate information.
In summary, Polaria Tech assumes the responsibility to protect the data that is entrusted to it as a subcontractor, while its customers maintain control and responsibility for the data they delegate to it. Each of the parties undertakes to scrupulously respect its legal and contractual obligations in order to ensure maximum protection of the personal information concerned.
Polaria Technologies attaches particular importance to respecting the rights of the persons whose data is processed. In accordance with the GDPR, each user or person concerned has the following rights:
Right of access: you can obtain confirmation that your personal data is processed by Polaria Tech (or by our customers via our services) and, if necessary, receive a copy of the data concerning you, as well as information on the purposes of the processing, the recipients, the retention period, etc.
Right to rectification: you can request the correction of inaccurate or incomplete data concerning you, in order to rectify, as soon as possible, the erroneous information stored by Polaria or by our customers.
Right to erasure (right to be forgotten): you can request the deletion of your personal data as soon as possible, in particular if they are no longer necessary for the purposes for which they were collected or if you withdraw your consent (in cases where consent was the legal basis). This right is exercised in accordance with the exceptions provided by law (for example, Polaria or the customer may have to keep certain data to comply with a legal obligation).
Right to limitation of processing: you have the right to request the temporary freezing of the processing of your data in certain situations (for example, while a dispute over the accuracy of the data is resolved). When the limitation is granted, the data concerned is marked so that they are no longer subject to any operation other than conservation.
Right to portability: on request, in the cases provided for by the GDPR, you can receive the personal data that you have provided to Polaria Tech (or its client) in a structured, commonly used and machine-readable format, or request that they be transmitted directly to another data controller if this is technically possible. This right facilitates the reuse of your personal data with other services.
Right to object: you can object, for reasons relating to your particular situation, at any time, to your data being processed specifically, in particular if the processing is based on the legitimate interest of the data controller. In the event of opposition, Polaria Tech (or its client) will stop processing the data concerned, unless there are legitimate and compelling reasons requiring continued processing or for the establishment, exercise or defense of legal rights. In addition, you can object to receiving marketing communications from us at any time, without justification.
Right to withdraw your consent: where the processing of your data is based on your consent (for example, if you have consented to the chatbot processing some of your information), you have the option of withdrawing this consent at any time. The withdrawal of consent does not have a retroactive effect, and therefore will not affect the lawfulness of the processing carried out before this withdrawal, but does mean that we will stop using your data for the future in the context in question.
Right to file a complaint with a supervisory authority: in addition to the above rights, if you consider that your rights are not respected, you have the right to file a complaint with the competent data protection authority. In France, the supervisory authority is the CNIL (Commission Nationale de l'Informatique et des Libertés). You can contact the CNIL (via its site cnil.fr or by post) for any complaint concerning the processing of your personal data.
Procedures for exercising your rights: You can exercise your rights at any time by sending a request to the Polaria Tech Data Protection Officer (see section 9 for contact details). If your request concerns data processed by Polaria Tech on behalf of a customer (case where Polaria is a subcontractor), we will forward your request without delay to the customer concerned (data controller) and assist them in following up on it, in accordance with our contractual commitments. No automated decisions that produce legal effects will be taken in respect of you without your explicit consent or without an appropriate legal basis, in accordance with the regulations.
Polaria Tech strives to respond to any request as soon as possible and in any event within the period of one month provided for by the GDPR (which may be extended to two months taking into account the complexity and number of requests). The exercise of these rights is free of charge, except for obvious abuse (repeated or unfounded requests) where reasonable fees may be charged in accordance with the law. An identity verification may be requested in case of reasonable doubt about the identity of the applicant, in order to protect the confidentiality of the data.
Polaria Technologies only keeps personal data for as long as is strictly necessary for the purposes for which it was collected, or to comply with its contractual legal obligations. The fundamental principle applied is that of limiting storage: data cannot be kept indefinitely. An appropriate retention period is defined for each category of data, according to their nature and the purpose of the processing.
Concretely:
Operational data related to the chatbot service (for example, conversation content, knowledge bases provided by the customer) is retained for the duration of the contract between Polaria Tech and the customer, in order to provide the service correctly. Some data may be deleted sooner at the request of the customer or user if this is compatible with the operation of the service.
Customer account data (such as contact information of customer administrators, login credentials, etc.) are retained for the duration of the contractual relationship. At the end of the contract, Polaria Tech may keep some of this information for the period necessary to manage the termination, to comply with legal obligations (e.g. to keep invoices and accounting data for the legal term of 10 years), or to ascertain or exercise legal rights if necessary.
End-user data (for example, information about employees or end customers who interacted with our customer's chatbot) is in principle stored according to the parameters defined by each customer responsible for processing. Polaria Tech only performs interim storage as part of the service, and no longer holds the data once the customer has recovered or deleted them according to their own policies. Polaria encourages its customers to define retention policies in accordance with the recommendations of the CNIL and the GDPR, and provides them with the tools to easily export or delete data.
Once the defined retention periods have expired, Polaria Tech carries out the secure deletion of personal data or their irreversible anonymization, so that it is no longer possible to identify the persons concerned. Deletions are done in a way that prevents data from being restored later (for example, by overwriting backups). Technical backups are purged as soon as they exceed the established retention period.
Polaria Tech may keep data longer in archived form, separate from the active system, when required by law (for example, keeping connection logs for security or evidence in case of litigation). In this case, archived data is only accessible on a restricted basis and for the purposes required by law, before being definitively deleted at the end of the imposed period.
Despite all the preventive measures in place, Polaria Technologies has also established a rigorous system for managing security incidents, and in particular personal data breaches. A data breach is any incident, actual or suspected, that results in the destruction, loss, alteration, unauthorized disclosure, or unauthorized access to personal data.
Detection and reactivity: Polaria Tech has surveillance and alert systems to quickly detect security anomalies (intrusion attempts, suspicious activity, etc.). When a security incident occurs, an emergency internal procedure is triggered: identification of the nature and extent of the breach, immediate measures to contain the incident (e.g. isolating an affected server, revoking compromised accesses) and assessing the risk for those involved. The incident is recorded in an internal incident register, in accordance with article 33 (5) of the GDPR, describing the facts, effects and corrective measures taken.
Notification to authorities and individuals: If the personal data breach is likely to cause a risk to the rights and freedoms of natural persons, Polaria Tech (in coordination with the client responsible for processing, if applicable) undertakes to notify the incident to the competent supervisory authority (the CNIL in France) as soon as possible and, if possible, within 72 hours after becoming aware of it. This notification will include all required information (nature of the breach, categories and volume of data concerned, number of persons affected, probable consequences, measures taken or proposed to remedy it, etc.). If the 72-hour deadline is exceeded, the notification will be accompanied by the reasons for the delay, in accordance with the regulations.
If the breach is likely to result in a high risk to the rights and freedoms of individuals (for example, disclosure of sensitive data that may result in significant harm), Polaria Tech will also promptly inform affected individuals about the occurrence of the incident, potentially compromised data, and recommendations to protect themselves (e.g. password change, increased vigilance against possible fraud attempts). This notification to individuals will be made unless the client responsible for processing prefers to carry out this communication himself — in any case Polaria will assist the customer in this process if necessary.
Management and continuous improvement: After an incident is under control, Polaria Tech focuses on analyzing the root causes of the breach and implementing the necessary corrective actions to prevent it from happening again. A post-incident report can be provided to the customer, including event details and lessons learned. Polaria makes a point of transparency towards its customers in the event of an incident, and remains available for any additional assistance (for example, helping to answer questions from end users or CNIL investigations).
In summary, Polaria Technologies has implemented a genuine data security crisis management strategy: foresight (proactive protection measures), rapid detection, effective reaction, transparent communication and continuous improvement. These efforts aim to minimize the impact of possible incidents and to best protect the privacy of users.
DPO contact: Polaria Technologies has appointed a Data Protection Officer (DPO) responsible for ensuring regulatory compliance and serving as a point of contact for questions relating to personal data. For any questions, requests, or concerns about your data or the exercise of your rights (section 6 above), you can contact our DPO:
Name of the DPO: Raphaël Buchard
E-Mail: privacy (at) polaria (dot) com
Postal address: Polaria Technologies, 15 rue des Halles, 75001 Paris, France.
The Polaria Tech DPO is your privileged contact for everything related to data protection. We are committed to providing a diligent and comprehensive response to each request.
Evolution of the data protection policy: This policy may be updated to reflect legal, regulatory, technical or organizational changes affecting data protection, or to integrate new functionalities or services offered by Polaria Tech. In the event of a material change in our practices, we will notify customers (for example via an email or a notification on the site) and/or obtain their consent when required by law. We encourage you to check this page regularly for the most current version. The date of the last update in the header of the document indicates when changes were last made to the document.
By choosing Polaria Technologies, you are choosing a partner that is strongly committed to data sovereignty and protection. Our company makes every effort to earn your trust, by ensuring a high level of confidentiality, security and compliance for your data. For any additional information on our data protection approach, do not hesitate to contact us — we remain at your disposal to support you transparently on these essential issues.