GDPR & Data Protection
Last Updated: April 27, 2026
Our position
PolarGX treats every visitor and end user the same, no matter where they live. We apply the strictest applicable privacy standard — typically the EU General Data Protection Regulation (GDPR) — to all processing globally. That means default-deny consent on tracking, the same data subject rights for everyone, and no geo-discrimination in what we ask or what we share.
This page covers GDPR specifically. For our broader data practices see the Privacy Policy; for security controls see the Security Policy.
1. Roles: controller and processor
For data we collect about visitors and customers (e.g., website visitors, account holders, leads), PolarGX is the data controller. We determine what is collected and why.
For data our customers upload or send through PolarGX (e.g., end-user contact lists, message recipients), PolarGX is the data processor. The customer is the controller and remains responsible for the lawful basis of that data. We process it only on documented instructions per our Data Processing Agreement.
2. Lawful basis for processing
We rely on the following lawful bases under GDPR Article 6:
- Contract — to provide the Services to a customer.
- Legitimate interest — to operate, secure, and improve the Services, prevent abuse, and respond to support requests, balanced against the rights of data subjects.
- Consent — for analytics and marketing cookies, you must opt in via our consent banner. Consent is freely given, specific, informed, and revocable.
- Legal obligation — to comply with applicable laws (tax, AML, court orders).
3. Your rights as a data subject
Regardless of where you live, the following rights apply to your personal data processed by PolarGX:
- Right of access — request a copy of the personal data we hold about you.
- Right to rectification — correct inaccurate or incomplete data.
- Right to erasure ("right to be forgotten") — request deletion of your personal data, subject to retention obligations we may have.
- Right to restrict processing — limit how we use your data while a question is resolved.
- Right to data portability — receive your data in a structured, machine-readable format.
- Right to object — object to processing based on legitimate interest, or to direct marketing at any time.
- Right to withdraw consent — at any time, with effect from that point forward. Use the "Cookie preferences" link in the site footer or contact us.
- Right to lodge a complaint — with your local data protection authority, though we'd appreciate the chance to address your concern first.
To exercise any right, email privacy@polargx.com. We respond within 30 days.
4. Data Processing Agreement (DPA)
We provide a standard Data Processing Agreement to all customers on request, pre-signed by PolarGX. The DPA covers Article 28 GDPR requirements including:
- Subject matter, duration, nature, and purpose of processing
- Categories of personal data and data subjects
- Sub-processor authorization and notification
- Security measures and breach notification
- Standard Contractual Clauses for international transfers
- Data subject request handling and assistance
- Return or deletion of data at end of services
Request a DPA at privacy@polargx.com.
5. International data transfers
PolarGX may transfer personal data to countries outside the EEA, UK, or your local jurisdiction. Where we do, we rely on lawful transfer mechanisms:
- Standard Contractual Clauses (SCCs) — the EU Commission's 2021 SCCs and the UK's International Data Transfer Addendum, executed with all relevant sub-processors.
- Adequacy decisions — where applicable (e.g., UK adequacy for EU transfers).
- Supplementary measures — encryption in transit and at rest, contractual restrictions on access, and transfer impact assessments where required.
6. Sub-processors
We maintain a current list of sub-processors used to deliver the Services. The list is available on our Trust Center and is updated when changes occur. Customers can subscribe to notifications of new or replaced sub-processors.
7. Retention
We retain personal data only as long as necessary for the purposes for which it was collected, plus any retention period required by law (e.g., financial records). Customers can configure retention policies for end-user data within the platform. When a customer terminates the Service, customer data is deleted within 30 days unless we are legally required to retain it.
8. Contact
Data protection questions, DPA requests, sub-processor inquiries, or data subject requests:
Email: privacy@polargx.com