Introduction and Scope
1.1 About This Policy
This Privacy Policy ("Policy") applies to all information collected, processed, or generated in connection with your use of the Polylight Capital website, web application, APIs, data products, subscription services, analytical tools, and all related services and infrastructure (collectively, the "Platform"). This Policy applies to all Users of the Platform, including registered subscribers, API clients, free-tier users, and visitors to our public-facing website.
1.2 Controller Identity
Polylight Capital, a California limited liability company headquartered in Pasadena, California, is the data controller and operator responsible for personal information collected through the Platform under applicable U.S. law.
1.3 Scope of Application
This Policy covers: (a) information you provide directly to Polylight Capital; (b) information automatically collected when you access or use the Platform; (c) information derived or inferred from your interactions with the Platform; (d) information obtained from third-party data sources and integrated into our systems; and (e) aggregated, derived, or anonymized data generated from any of the foregoing. This Policy does not apply to information collected by third-party services, websites, or applications that may be accessed through links on the Platform.
1.4 Relationship to Terms of Service
This Policy is incorporated into and forms a part of Polylight Capital's Terms and Conditions. Capitalized terms used but not defined in this Policy have the meanings given to them in the Terms and Conditions. In the event of any inconsistency between this Policy and the Terms and Conditions on matters of data collection and use, this Policy shall govern.
Information We Collect
2.1 Information You Provide Directly
We collect information that you actively provide to us, including:
- Account Registration Data: Full name, email address, username, password (stored in hashed/encrypted form), company name, job title, professional role, and organizational affiliation;
- Eligibility and Verification Data: Information provided to verify your eligibility for specific subscription tiers, including accredited investor status, institutional affiliation, professional credentials, and government-issued identification documents where required;
- Subscription and Payment Data: Billing name, billing address, payment method details (processed and stored by our PCI-compliant payment processors — we do not store full payment card numbers), and Subscription tier selection;
- Communications Data: Content of messages, inquiries, support requests, dispute notifications, feedback, and other communications you direct to us;
- Survey and Research Data: Responses to optional surveys, user research sessions, beta program participation, and feedback forms;
- Professional Profile Data: Trading history representations, investment experience declarations, risk tolerance self-assessments, and other professional background information voluntarily submitted in connection with Platform onboarding or eligibility determinations.
2.2 Information Automatically Collected
When you access or use the Platform, we and our service providers automatically collect certain technical and operational information, including:
- Log Data: IP address, access timestamps, pages and features accessed, query parameters, HTTP headers, referrer URLs, exit pages, session duration, and error logs;
- API Activity Data: API endpoint calls, request parameters, response codes, latency measurements, and API key usage patterns;
- Usage Metrics: Feature interaction data, dashboard navigation patterns, data query histories, alert configurations, Algorithmic Output views, report generation activity, and search queries submitted to the Platform;
- Performance Data: Page load times, rendering performance metrics, client-side error data, and other telemetry relevant to Platform performance optimization.
2.3 Information from Third-Party Sources
We may receive information about you from third-party sources and combine it with information we collect directly, including identity verification and KYC/AML data from compliance providers; professional profile data from business networking platforms; fraud risk signals from fraud prevention services; payment and financial verification data from payment processors; and public records, regulatory filings, and sanctions screening results from compliance data providers.
2.4 Inferred and Derived Data
We derive and infer information about you based on your interactions with the Platform, including inferences regarding investment interests, analytical focus areas, trading activity patterns, risk appetite indicators, product engagement levels, feature preferences, potential eligibility for premium features, and anomalous or potentially abusive usage patterns.
Cookies and Tracking Technologies
3.1 Overview
Polylight Capital uses cookies, pixel tags, web beacons, local storage objects, session storage, fingerprinting techniques, and other tracking technologies (collectively, "Tracking Technologies") to operate and improve the Platform, authenticate users, personalize experiences, analyze usage, and support our legitimate business and security operations.
3.2 Categories of Cookies
| Category | Purpose | Can Be Disabled? |
|---|---|---|
| Strictly Necessary | Authentication, session management, security enforcement, load balancing, fraud prevention. Required for Platform operation. | No — essential to service delivery |
| Functional | Remembering your preferences, language settings, dashboard configurations, display options, and account settings across sessions. | Yes — may affect Platform functionality |
| Analytics & Performance | Measuring usage patterns, feature adoption, error rates, and performance metrics to improve the Platform. May include third-party analytics tools. | Yes — via cookie preferences |
| Behavioral & Targeting | Understanding user behavior, usage intensity, and feature interactions to inform product development and, where applicable, personalized content delivery. | Yes — via cookie preferences |
| Security & Fraud Prevention | Detecting malicious activity, bot traffic, scraping attempts, account takeovers, and abusive usage patterns. | No — required for security |
3.3 Third-Party Analytics
We may use third-party analytics services, including but not limited to Google Analytics, Mixpanel, Segment, Amplitude, or similar platforms. These services may set their own cookies and collect information in accordance with their own privacy policies. We configure such services to anonymize IP addresses to the extent technically feasible.
3.4 Managing Cookies
You may manage your cookie preferences through our cookie consent interface (where available), your browser settings, or opt-out tools provided by specific analytics providers. Note that disabling certain cookies may impair your ability to use core Platform features, including authentication.
Browser and Device Metadata
4.1 Metadata Collected
When you access the Platform, our systems automatically collect browser and device metadata, including: browser type, version, and rendering engine; operating system and device type; screen resolution, color depth, and viewport dimensions; installed fonts and plugins; device hardware characteristics; network connection type and approximate connection speed; timezone, locale settings, and language preferences; User-Agent string and Accept-Language headers; and battery status on supported mobile browsers.
4.2 Purpose of Metadata Collection
Browser and device metadata is used for: authenticating sessions and detecting account takeover attempts; optimizing Platform rendering and performance for your specific device and browser configuration; generating device fingerprints for fraud prevention and abuse detection; identifying and blocking automated bots, scrapers, and unauthorized access tools; enforcing geographic access restrictions; and aggregated analytics on platform compatibility.
4.3 Device Fingerprinting
Polylight Capital may employ device fingerprinting techniques that combine multiple browser and device characteristics to create a probabilistic device identifier for fraud prevention, security monitoring, and access control purposes. Device fingerprints may be correlated with your account for security investigation purposes and are processed in accordance with this Policy and applicable law.
User Behavioral Analytics
5.1 Behavioral Data Collection
Polylight Capital collects and processes detailed behavioral analytics regarding how you interact with the Platform, including: click patterns, hover events, and mouse movement data; scroll depth and content engagement metrics; navigation paths and session flow data; time-on-page and time-on-feature measurements; feature usage frequency and intensity; query patterns and search behavior; Algorithmic Output access and usage patterns; report generation and export behavior; and A/B test participation and response data.
5.2 Purpose of Behavioral Analytics
Behavioral analytics data is used to: improve Platform usability, product design, and feature prioritization; personalize the Platform experience and content recommendations; identify and resolve friction points in user workflows; detect anomalous or potentially abusive usage behavior; optimize AI System and model performance based on real-world usage patterns; conduct internal research and development; and generate aggregate insights about Platform adoption and usage trends.
5.3 Session Recording
We may use session recording tools to record and replay user interactions with the Platform for purposes of UX research, bug identification, and product improvement. Session recordings are anonymized or pseudonymized to the extent practicable and are stored only as long as necessary for their operational purpose. Session recordings do not capture passwords, payment card numbers, or other sensitive authentication credentials.
AI System Training and Optimization Disclosures
6.1 Use of Data for AI Improvement
Polylight Capital operates as an AI-driven quantitative analytics company whose continued operational effectiveness depends on the ongoing training, calibration, validation, and improvement of our AI Systems and quantitative models. Subject to the terms of your Subscription agreement and applicable law, Polylight Capital may use data derived from Platform usage — including behavioral data, usage patterns, query structures, feedback, and interaction data — for: training, fine-tuning, retraining, and improving Polylight Capital's proprietary machine learning and AI models; calibrating model performance and validating predictive accuracy; developing new analytical features and data products; identifying model failure modes and areas for improvement; and improving the relevance, accuracy, and usefulness of Algorithmic Outputs.
6.2 Anonymization for AI Training
To the extent we use personal information in AI System training and optimization, we apply aggregation, anonymization, pseudonymization, and differential privacy techniques designed to prevent the re-identification of individual users from training datasets. However, we cannot guarantee that all data used in AI training is completely free of individual-level signals, and we rely on our commitment to appropriate technical safeguards to protect user privacy in AI training contexts.
6.3 No Third-Party Model Training
Polylight Capital does not sell, license, or transfer your personal data to third parties for the purpose of training competing AI systems. User Data and behavioral analytics collected through the Platform are used exclusively for Polylight Capital's internal model development and Platform improvement purposes, subject to the disclosure provisions in this Policy.
How We Use Your Information
7.1 Primary Uses
Polylight Capital processes personal information for the following primary purposes:
- Service Delivery: Providing, operating, maintaining, and improving the Platform and delivering your subscribed services;
- Account Management: Creating and managing your account, processing Subscription registrations, and handling billing and payment;
- Authentication and Security: Verifying your identity, preventing unauthorized access, detecting and responding to security threats, and enforcing our Terms and Conditions;
- Customer Support: Responding to your inquiries, resolving disputes, and providing technical assistance;
- Compliance and Legal Obligations: Complying with applicable laws, regulations, court orders, and lawful governmental requests;
- Research and Development: Improving existing features, developing new products, training and refining AI Systems, and advancing quantitative analytics capabilities;
- Analytics and Business Intelligence: Understanding Platform usage, measuring operational performance, and informing business decisions;
- Communications: Sending service announcements, policy updates, security alerts, billing notifications, and (where consented) marketing communications.
7.2 Secondary and Derived Uses
In addition to primary uses, Polylight Capital may process personal information for secondary purposes reasonably compatible with the original collection purpose, including: anonymized and aggregated statistical analysis; fraud prevention research and model development; academic or industry research conducted in partnership with qualified institutions; compliance monitoring and audit functions; and internal testing, quality assurance, and operational diagnostics.
Broad Operational Data Usage
8.1 Operational Flexibility
Polylight Capital operates complex, multi-layered AI infrastructure and quantitative analytics systems that generate, process, and transmit large volumes of data in connection with Platform operations. To support these operations at scale, Polylight Capital claims and reserves the right to use data arising from Platform interactions — including aggregated, derived, anonymized, and pseudonymized data — for a broad range of operational purposes, including without limitation: infrastructure monitoring, capacity planning, and performance optimization; anomaly detection and system integrity monitoring; feature development research and product roadmap prioritization; internal risk management, compliance program development, and regulatory reporting; training, evaluating, and deploying AI-based security and fraud detection systems; producing industry research and analytical publications using only anonymized and aggregated data; and licensing anonymized, aggregated market usage intelligence to unaffiliated third parties, subject to the constraints in Section 14.
8.2 Operational Data Retention
Operational data, including infrastructure logs, system telemetry, and aggregated analytics, may be retained beyond the retention periods applicable to personal information where such operational data no longer contains or is reasonably linked to personally identifiable information.
Legal Bases for Processing
9.1 Applicable Legal Bases
To the extent applicable data protection law (including the California Consumer Privacy Act as amended by the California Privacy Rights Act, and, where applicable, the EU General Data Protection Regulation) requires a legal basis for processing personal information, Polylight Capital processes personal information on the following grounds:
- Contractual Necessity: Processing necessary to perform our contract with you, including delivering your Subscription services, managing your account, and processing payments;
- Legitimate Interests: Processing necessary for Polylight Capital's legitimate business interests, including fraud prevention, security operations, AI System improvement, product development, and analytics, where those interests are not overridden by your rights;
- Legal Obligations: Processing necessary to comply with applicable law, regulation, or governmental order;
- Consent: Processing based on your freely given, specific, informed, and revocable consent, including for non-essential cookies and marketing communications.
Data Sharing and Disclosure
10.1 We Do Not Sell Personal Information
Polylight Capital does not sell your personal information to third parties for monetary consideration as that term is defined under the California Consumer Privacy Act. We do not share your personal information with third-party advertisers for the purpose of targeted advertising directed at you based on your personal information.
10.2 Permitted Disclosures
We may share your personal information with third parties in the following circumstances:
- Service Providers: With vendors, contractors, and service providers who process data on our behalf under written data processing agreements, including cloud infrastructure providers, payment processors, identity verification providers, analytics platforms, security services, and communications providers;
- Legal Compliance: When required by applicable law, regulation, legal process (including subpoenas, court orders, and civil discovery), or governmental authority;
- Law Enforcement: When disclosure is reasonably necessary to prevent or address fraud, security threats, violations of our Terms and Conditions, or illegal activity;
- Business Transfers: In connection with a merger, acquisition, restructuring, asset sale, financing, or similar corporate transaction as described in Section 19;
- Protection of Rights: When necessary to protect the rights, property, safety, or operations of Polylight Capital, our users, or the public;
- With Your Consent: For any other purpose with your express prior consent.
10.3 Aggregate and Anonymized Data
Subject to Section 14, we may share aggregated, anonymized, or de-identified data — from which individual identifying information has been removed — with partners, research institutions, industry publications, or the public for purposes including market research, industry benchmarking, academic research, or promotional purposes.
Third-Party Vendors and Integrations
11.1 Infrastructure and Cloud Providers
Polylight Capital relies on enterprise-grade cloud computing infrastructure, database services, content delivery networks, and related hosting services provided by major cloud vendors. These providers process data on Polylight Capital's behalf under data processing agreements that impose strict confidentiality, security, and data use obligations consistent with applicable law.
11.2 Payment Processing
Payment information is processed by PCI-DSS-compliant third-party payment processors. Polylight Capital does not store, process, or transmit full payment card numbers on its own systems. Our payment processors' data practices are governed by their respective privacy policies and applicable payment card industry standards.
11.3 Identity Verification and Compliance
We may use third-party identity verification, KYC (Know Your Customer), AML (Anti-Money Laundering), and sanctions screening providers to verify user eligibility and comply with applicable regulations. These providers may process government identification documents, biometric data, and other identity-related information and are subject to applicable financial services compliance requirements.
11.4 Financial Data Providers
The Platform integrates with third-party financial data providers, market data vendors, news aggregators, regulatory data sources, and event data platforms. Users should be aware that their use of Platform features that interact with third-party data may generate usage signals accessible to those third-party providers under the applicable data sharing terms of those integrations.
11.5 Vendor Due Diligence
Polylight Capital conducts reasonable due diligence on critical third-party vendors and requires vendors with access to personal information to maintain appropriate security standards and to use personal information only for the purposes for which it was shared.
Data Security
12.1 Security Measures
Polylight Capital implements and maintains a comprehensive information security program designed to protect personal information against unauthorized access, disclosure, alteration, destruction, and loss. Our security measures include: end-to-end encryption of data in transit using TLS 1.2 or higher; encryption of sensitive data at rest; access controls based on the principle of least privilege; multi-factor authentication requirements for all internal system access; regular security vulnerability assessments and penetration testing; intrusion detection and prevention systems; security information and event management (SIEM) systems for real-time threat detection; incident response procedures; employee security awareness training; and contractual security requirements for all data processors.
12.2 No Absolute Security Guarantee
No security system is impenetrable, and Polylight Capital cannot guarantee absolute security of your personal information. Despite our best efforts, unauthorized access, data breaches, hardware or software failures, and other circumstances beyond Polylight Capital's reasonable control may compromise the security of your data.
12.3 Breach Notification
In the event of a data security breach that Polylight Capital reasonably determines is likely to result in a risk to the rights and freedoms of affected individuals, Polylight Capital will provide required notifications in accordance with applicable data breach notification laws, including California's data breach notification statute (California Civil Code §§ 1798.29 and 1798.82) and other applicable state and federal requirements.
Data Retention
13.1 Retention Principles
Polylight Capital retains personal information for as long as necessary to fulfill the purposes for which it was collected, including satisfying applicable legal, regulatory, tax, accounting, contractual, and business record-keeping requirements.
13.2 Retention Schedules
| Data Category | Retention Period | Basis |
|---|---|---|
| Account registration and identity data | Duration of account + 7 years after closure | Legal and regulatory obligations; dispute resolution |
| Subscription and payment records | 7 years from transaction date | Tax, accounting, and financial recordkeeping law |
| Usage logs and access records | 2–5 years depending on category | Security, fraud investigation, legal proceedings |
| Communications and support records | 5 years from last interaction | Dispute resolution, legal proceedings |
| API activity logs | 3 years | Security monitoring, abuse investigation |
| Marketing preferences and consent records | 3 years after last marketing interaction | Legal compliance, consent documentation |
| Anonymized and aggregated analytics | Indefinitely (no personal data) | Research, development, operational planning |
| Security incident records | 7 years | Legal obligations, regulatory requirements |
| KYC / compliance verification records | As required by applicable regulation (typically 5–7 years) | Regulatory compliance |
13.3 Extended Retention for Legal Holds
Polylight Capital may retain personal information beyond the standard retention periods above if such information is subject to a litigation hold, regulatory investigation, audit, or dispute that reasonably requires extended preservation.
13.4 Deletion and Anonymization
Upon the expiration of applicable retention periods (and subject to any active legal holds), Polylight Capital will delete or anonymize personal information in accordance with industry-standard data destruction practices.
Aggregated and Anonymized Data
14.1 Rights to Aggregated Data
Polylight Capital reserves broad rights to aggregate, anonymize, de-identify, and statistically process data arising from Platform operations for any legitimate business purpose, including commercial, research, and analytical purposes. Aggregated and anonymized data is not subject to the personal information restrictions described elsewhere in this Policy.
14.2 Standard of Anonymization
Polylight Capital applies anonymization processes designed to prevent the re-identification of individual users from aggregated datasets, consistent with applicable privacy law standards and industry best practices for data de-identification. However, Polylight Capital acknowledges that absolute re-identification prevention is technically impossible, and our commitment is to apply reasonable and industry-standard safeguards against re-identification.
14.3 Commercial Use of Aggregated Data
Polylight Capital may develop, license, sell, publish, or otherwise commercialize market intelligence, industry benchmarks, analytical reports, and other data products derived from aggregated and anonymized Platform usage data. Such products will not include any personally identifiable information and will be structured to prevent the attribution of insights to any identifiable individual user.
Communications and Marketing
15.1 Transactional Communications
Polylight Capital will send you transactional communications that are necessary in connection with your account and Subscription, including account verification emails, billing and payment notifications, security alerts, service announcements, policy update notices, and scheduled maintenance communications. Transactional communications cannot be fully opted out of without terminating your account, as they are necessary for Platform operations.
15.2 Marketing and Promotional Communications
With your consent (where required by applicable law) or on the basis of our legitimate interests, we may send you marketing communications about Polylight Capital's services, new features, industry insights, events, and promotional offers. Marketing communications are subject to your right to opt out at any time.
15.3 Opt-Out Rights
You may opt out of marketing communications at any time by: (a) clicking the unsubscribe link in any marketing email; (b) updating your communication preferences in your account settings; or (c) submitting an opt-out request to legal@polylightcapital.com. We will process opt-out requests within ten (10) business days.
California Privacy Rights — CCPA/CPRA
16.1 Applicability
This Section 16 applies specifically to California residents and supplements the rest of this Privacy Policy. It describes rights available to California consumers under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA/CPRA"), to the extent Polylight Capital is subject to such obligations.
16.2 Categories of Personal Information Collected
In the preceding twelve (12) months, Polylight Capital has collected the following categories of personal information from California consumers: Identifiers (name, email, IP address, username); Commercial Information (subscription purchase history, payment records, service usage); Internet or Electronic Network Activity (browsing behavior, search queries, API usage, interaction data); Geolocation Data (general location derived from IP address); Professional or Employment-Related Information (job title, company affiliation, investor status); Inferences (profiles reflecting preferences, analytical interests, and usage patterns); and Sensitive Personal Information (government ID information where submitted for eligibility verification).
16.3 California Consumer Rights
California residents have the following rights under the CCPA/CPRA, subject to applicable exceptions:
- Right to Know: The right to request disclosure of the categories and specific pieces of personal information collected about you, the purposes for collection, and the categories of third parties with whom we share your information;
- Right to Delete: The right to request deletion of personal information we have collected about you, subject to certain exceptions;
- Right to Correct: The right to request correction of inaccurate personal information we maintain about you;
- Right to Opt Out of Sale/Sharing: The right to opt out of the "sale" or "sharing" of your personal information as defined under CCPA/CPRA. Polylight Capital does not sell personal information for monetary consideration;
- Right to Limit Use of Sensitive Personal Information: The right to direct us to limit the use and disclosure of sensitive personal information to purposes necessary to provide the requested services;
- Right to Non-Discrimination: The right not to receive discriminatory treatment for exercising CCPA/CPRA rights.
16.4 Submitting California Privacy Requests
California residents may submit CCPA/CPRA rights requests by emailing legal@polylightcapital.com with the subject line "California Privacy Request." We will verify your identity before processing your request and will respond within the timeframes required by applicable law (generally forty-five (45) days, with a possible extension of an additional forty-five (45) days where reasonably necessary).
16.5 Authorized Agent Requests
You may designate an authorized agent to submit CCPA/CPRA requests on your behalf by providing written authorization or a valid power of attorney. We may require verification of both the agent's authority and your own identity before processing requests submitted through authorized agents.
16.6 Shine the Light
California Civil Code Section 1798.83 ("Shine the Light") permits California residents to request information regarding our disclosure of certain categories of personal information to third parties for direct marketing purposes. Polylight Capital does not share personal information with third parties for their direct marketing purposes without your consent.
International Visitors
17.1 U.S.-Based Operations
The Platform is operated from the United States, and personal information collected through the Platform is stored and processed in the United States. If you are accessing the Platform from outside the United States, your personal information will be transferred to and processed in the United States, which may have different data protection laws than your country of residence. By using the Platform, you consent to such transfer and processing.
17.2 European Economic Area and United Kingdom
If you are located in the European Economic Area ("EEA") or the United Kingdom ("UK"), please note that Polylight Capital's Platform is not currently directed at EEA or UK residents and is not designed to comply with the EU General Data Protection Regulation ("GDPR") or UK GDPR. Residents of the EEA or UK should exercise caution before using the Platform and are advised to review the applicable legal requirements in their jurisdiction.
17.3 Other International Jurisdictions
Users accessing the Platform from jurisdictions with specific privacy legislation — including Canada (PIPEDA/CPPA), Australia (Privacy Act 1988), Brazil (LGPD), Singapore (PDPA), Japan (APPI), or other applicable regimes — are responsible for understanding the privacy laws applicable to them. Polylight Capital will comply with applicable international privacy law to the extent legally required.
Children's Privacy
18.1 No Collection from Children
The Platform is not directed at individuals under the age of eighteen (18), and Polylight Capital does not knowingly collect personal information from anyone under eighteen (18). If we become aware that we have inadvertently collected personal information from a child under eighteen (18), we will take steps to delete such information promptly. If you believe we may have collected information from or about a minor, please contact us immediately at legal@polylightcapital.com.
18.2 COPPA Compliance
Polylight Capital's Platform is not directed to children under the age of thirteen (13), and Polylight Capital does not knowingly collect personal information from children under thirteen (13) within the meaning of the Children's Online Privacy Protection Act ("COPPA"). If we learn that personal information has been collected from a child under thirteen (13), we will delete such information in accordance with COPPA requirements.
Business Transfers and Restructuring
19.1 Corporate Transactions
Personal information is a business asset. In the event of a merger, acquisition, investment, financing, change of control, reorganization, sale of all or substantially all of Polylight Capital's assets, bankruptcy, dissolution, or similar corporate transaction, personal information collected through the Platform may be transferred to, disclosed to, and processed by the acquiring entity, successor organization, or other parties involved in such transaction, subject to applicable law.
19.2 Pre-Transaction Diligence
Personal information may be disclosed to potential acquirers, investors, lenders, or business partners during the due diligence process associated with a potential corporate transaction, subject to appropriate confidentiality protections.
19.3 Post-Transaction Notice
If a corporate transaction results in a material change to how personal information is used that is inconsistent with this Policy, we will provide notice of such change as required by applicable law.
Fraud Prevention and Security Monitoring
20.1 Fraud Prevention Activities
Polylight Capital conducts comprehensive fraud prevention and security monitoring activities across the Platform, including:
- real-time analysis of account access patterns, transaction behaviors, and API usage to identify potentially fraudulent or malicious activity;
- device fingerprinting and behavioral biometrics to flag potentially compromised accounts;
- screening of account registration data against known fraud databases and sanctions lists;
- velocity checks on account creation, login attempts, and data access requests;
- cross-account pattern analysis to identify coordinated abuse campaigns or bot networks;
- IP reputation analysis and geolocation-based access risk scoring; and
- machine learning-based fraud models trained on historical Platform abuse patterns.
20.2 Fraud Investigation Disclosures
In connection with fraud prevention investigations, Polylight Capital may share information with law enforcement agencies, financial regulators, payment networks, fraud intelligence consortia, and other parties where such disclosure is necessary to prevent, investigate, or report fraud, financial crime, or security threats.
20.3 Security Monitoring Retention
Data generated in connection with security monitoring and fraud prevention activities may be retained for longer periods than other categories of personal information where necessary to support ongoing security investigations, develop fraud detection models, or meet regulatory requirements related to financial crime prevention.
Service Improvement Rights
21.1 Product Development
Polylight Capital reserves broad rights to use data generated through Platform operations to improve, develop, and extend Platform services, including:
- identifying usage patterns that indicate demand for new features;
- testing and validating new AI models and analytical capabilities;
- improving the accuracy, relevance, and performance of Algorithmic Outputs;
- optimizing the Platform's user experience and interface design;
- developing new data products and analytical services; and
- expanding into new markets, analytical domains, or service verticals.
21.2 A/B Testing and Experimentation
Polylight Capital may conduct A/B tests, multivariate experiments, and controlled product trials in which different versions of the Platform are presented to different Users. Participation in such experiments is implicit in your use of the Platform and does not require separate consent. Data generated from experimentation is used exclusively for product improvement purposes and is subject to this Policy.
21.3 Performance Benchmarking
Polylight Capital uses operational data, including usage metrics, system performance data, and aggregate behavioral analytics, for internal benchmarking of Platform performance, AI model quality, and service delivery metrics. Such benchmarking is essential to maintaining the quality and competitiveness of Polylight Capital's services.
Your Privacy Choices and Rights
22.1 Account Information Access and Correction
You may access, review, and update your account information at any time through your account settings within the Platform. If you are unable to access or correct certain information through the Platform interface, you may submit a request to legal@polylightcapital.com and we will assist you within a reasonable timeframe.
22.2 Data Portability
Where required by applicable law, you have the right to receive a copy of personal information you have provided to us in a structured, machine-readable format. You may submit data portability requests to legal@polylightcapital.com. Polylight Capital will fulfill data portability requests to the extent technically feasible and legally required, subject to appropriate identity verification.
22.3 Deletion Requests
You may request deletion of your personal information by closing your account or submitting a deletion request to legal@polylightcapital.com. Deletion requests will be honored subject to applicable legal limitations, including retention obligations arising from financial, regulatory, or legal requirements and the existence of active disputes or legal proceedings.
22.4 Withdrawal of Consent
Where processing is based on your consent, you may withdraw such consent at any time by contacting legal@polylightcapital.com or using the opt-out mechanisms described in this Policy. Withdrawal of consent does not affect the lawfulness of processing that occurred prior to withdrawal.
Do Not Track
23.1 Do Not Track Signals
Some browsers transmit "Do Not Track" ("DNT") signals indicating a user preference against behavioral tracking. Polylight Capital's Platform does not currently respond to DNT signals from browsers in a manner that changes data collection or processing practices. This is because there is no universally accepted technical standard for interpreting DNT signals, and Polylight Capital relies on this Policy and applicable law to govern data collection rather than browser-level signals. If a recognized, legally operative standard for DNT compliance develops, Polylight Capital will evaluate updating its practices accordingly.
Links to Third-Party Sites and Services
24.1 Third-Party Links
The Platform may contain links to third-party websites, data sources, exchanges, news outlets, regulatory databases, research publications, and other external resources. These third-party sites are not operated by or under the control of Polylight Capital, and Polylight Capital is not responsible for the privacy practices, data security, or content of any third-party site. We encourage you to review the privacy policies of any third-party sites you visit through links on our Platform before providing personal information to them.
Policy Updates and Changes
25.1 Right to Update
Polylight Capital reserves the right to update, modify, or replace this Privacy Policy at any time. When we make material changes to this Policy, we will notify you by updating the "Last Updated" date at the top of this page, posting a notice on the Platform, or sending an email to your registered account address. Material changes will become effective as specified in the notice.
25.2 Continued Use as Acceptance
Your continued use of the Platform after the effective date of any updated Privacy Policy constitutes your acceptance of the updated Policy. If you do not agree with the updated Policy, you must discontinue use of the Platform and may request deletion of your personal information as described in Section 22.3.
25.3 Historical Versions
Prior versions of this Privacy Policy are available upon request from legal@polylightcapital.com. We retain historical versions for a period of at least seven (7) years.
Contact Information and Privacy Requests
26.1 Privacy Contact
For questions, concerns, or requests relating to this Privacy Policy or Polylight Capital's data practices, please contact us at:
All privacy inquiries, California privacy requests, data deletion requests, and general legal notices:
legal@polylightcapital.com
26.2 Response Timeframes
We will acknowledge privacy requests within five (5) business days of receipt and will respond substantively within forty-five (45) calendar days. Complex or high-volume requests may require additional time, and we will notify you of any required extension in accordance with applicable law.
26.3 California Regulatory Complaints
California residents who believe their privacy rights have been violated may file a complaint with the California Privacy Protection Agency ("CPPA") at cppa.ca.gov, or with the California Attorney General, in addition to exercising rights directly with Polylight Capital. We encourage you to contact us directly first so we have the opportunity to address your concerns.