1. Introduction

Bluepolar LLC ("Bluepolar," "we," "us," or "our") provides a security posture management platform for data warehouses. This Privacy Policy explains how we collect, use, disclose, and protect information when you use our platform and services (collectively, the "Service"). It applies to all users of the Service, including account holders, team members, and visitors to our website.

2. Information We Collect

Account Information. When you create an account, we collect your name, email address, organization name, and password. If you sign up via SSO, we receive your name and email from your identity provider.

Usage Data. We automatically collect information about how you interact with the Service, including pages visited, features used, timestamps, browser type, and IP address.

Data Warehouse Metadata. When you connect your data warehouse, the Service queries metadata such as role hierarchies, user configurations, network policies, access controls, and security settings. We analyze this metadata to generate security scores and recommendations. We do not access or store your actual data warehouse contents.

Payment Information. Payment processing is handled by a third-party payment processor. We do not directly collect or store credit card numbers or bank account details. Our payment processor may share with us limited information such as the last four digits of your card, billing address, and transaction status.

Identity Provider Data. If you configure an identity provider (IdP) integration, we may receive user and group directory information from your IdP for the purpose of mapping access controls and provisioning.

3. How We Use Information

We use the information we collect to:

Provide, maintain, and improve the Service.
Analyze your data warehouse security configuration and generate security scores and recommendations.
Process payments and manage your subscription.
Send transactional communications such as account verification, billing notices, and security alerts.
Respond to your requests and provide customer support.
Detect, prevent, and address technical issues and security incidents.

4. How We Share Information

We do not sell your personal information. We may share information with:

Service Providers: Third parties that help us operate the Service, including payment processors, database infrastructure providers, and cloud hosting providers. These providers are contractually obligated to protect your information.
Legal Requirements: When required by law, regulation, legal process, or enforceable governmental request.
Business Transfers: In connection with a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction.
With Your Consent: When you explicitly authorize us to share information.

5. Data Security

We implement industry-standard security measures to protect your information. Data warehouse connection credentials are encrypted at rest using AES-256 encryption. All data transmitted between your browser and our servers is protected with TLS encryption. We regularly review our security practices and update them as necessary.

6. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. If you request account deletion, we will delete your personal information within 30 days, except where we are required to retain it for legal or compliance purposes. Cached data warehouse metadata is retained only for the duration needed to deliver the Service and is refreshed on a regular schedule.

7. Your Rights

Depending on your jurisdiction, you may have the right to:

Access: Request a copy of the personal information we hold about you.
Correction: Request that we correct inaccurate or incomplete information.
Deletion: Request that we delete your personal information.
Export: Request a portable copy of your data in a commonly used format.
Objection: Object to certain processing of your information.

To exercise any of these rights, contact us at legal@bluepolar.ai. We will respond within the time frame required by applicable law.

8. California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act (collectively, "CCPA"), provides you with additional rights regarding your personal information.

Categories of personal information we collect. In the preceding 12 months, we have collected the following categories of personal information described in Cal. Civ. Code §1798.140:

Identifiers (e.g., name, email address, IP address, account identifiers).
Commercial information (e.g., subscription plan, billing history).
Internet or other electronic network activity (e.g., usage logs, pages visited, feature interactions).
Professional or employment-related information (e.g., role within your organization).
Inferences drawn from the above to generate security recommendations for your account.

Sources, purposes, and disclosures. We collect this information directly from you, from your use of the Service, and from your identity provider (when configured). We use it for the purposes described in Section 3 and disclose it only to the categories of recipients described in Section 4.

Your CCPA rights. You have the right to (i) know what personal information we collect, use, disclose, and retain; (ii) request deletion of your personal information; (iii) request correction of inaccurate personal information; (iv) opt out of any sale or sharing of personal information; and (v) not receive discriminatory treatment for exercising any of these rights.

No sale or sharing. We do not sell personal information, and we do not share personal information for cross-context behavioral advertising, as those terms are defined under the CCPA.

To submit a request, email legal@bluepolar.ai from the email address associated with your account. Authorized agents may submit requests on your behalf with written, signed permission and verification of identity.

9. European Economic Area, United Kingdom, and Switzerland (GDPR)

If you are located in the European Economic Area (EEA), the United Kingdom, or Switzerland, the following additional disclosures apply to processing of your personal data under the EU and UK General Data Protection Regulations (collectively, "GDPR").

Controller. Bluepolar LLC is the controller of personal data collected through the Service, except where we process personal data on behalf of a customer (for example, your organization's administrators), in which case we act as a processor and our Data Processing Addendum governs.

Lawful bases. We process personal data on the following lawful bases:

Performance of a contract (Art. 6(1)(b)) — to provide the Service to you or your organization.
Legitimate interests (Art. 6(1)(f)) — to secure, improve, and support the Service, prevent fraud, and communicate about your account.
Legal obligation (Art. 6(1)(c)) — to comply with applicable law.
Consent (Art. 6(1)(a)) — where you have given consent, which you may withdraw at any time.

Your GDPR rights. You have the right to access, rectify, erase, restrict, port, and object to processing of your personal data, and to withdraw consent where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority.

International transfers. Personal data may be transferred to and processed in the United States. Where required, we rely on the European Commission's Standard Contractual Clauses (and the UK Addendum where applicable) as the lawful transfer mechanism.

A Data Processing Addendum (DPA) is available on request to legal@bluepolar.ai.

10. Cookies & Tracking

We use minimal cookies necessary for the operation of the Service, including session cookies for authentication and preference storage. We may use analytics tools to understand how the Service is used. We do not use third-party advertising trackers.

11. Third-Party Services

The Service integrates with third-party services including data warehouse providers, payment processors, and identity providers. When you use these integrations, the respective third party's privacy policy applies to the data they process. We encourage you to review their policies.

12. Children's Privacy

The Service is not directed at individuals under the age of 13. We do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected such information, we will take steps to delete it promptly.

13. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence, including the United States. We take appropriate safeguards to ensure your information is protected in accordance with this Privacy Policy regardless of where it is processed.

14. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service prior to the changes taking effect. Your continued use of the Service after the effective date constitutes acceptance of the updated policy.

15. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us at legal@bluepolar.ai.

Bluepolar LLC
New Jersey, United States