Effective date: 1 February 2024 · Last updated: 10 April 2024
This Privacy Policy covers (a) PolDex Inc. ("PolDex", "we") as a company operating the PolDex extraction API infrastructure, and (b) personal data collected in connection with operating that service.
This policy does not cover data that customer organisations submit through the API for processing. That data is governed by our Data Processing Agreement.
We collect:
- Contact email address provided at API key initialisation
- Organisation name
- API key metadata (issuance timestamp, prefix hash, rotation history)
- Job metadata (job ID, status, schema, processing timestamps)
- Credit and billing transaction records
- Webhook delivery attempt logs (endpoint URL, delivery status, retry count)
- Standard server logs (IP address, user agent, request path, HTTP status)
Customer content means the documents and document URLs submitted for extraction, and the structured extraction output produced from them.
Operational data means the rest: job metadata, billing records, log entries, and API key metadata.
Customer content is not used to operate, improve, or train PolDex systems beyond the specific extraction request it was submitted for. Customer content is subject to the data retention terms in section 5.
Operational data is used to:
- Authenticate API requests
- Enforce credit balance and billing rules
- Deliver and retry webhook payloads
- Monitor service reliability and job status
- Comply with legal obligations
We do not sell personal data. We do not share personal data with third parties for their own marketing purposes.
- Job metadata and structured extraction output: retained 90 days by default
- Raw document content and worker disk: deleted after extraction completes (typically minutes)
- API key metadata: retained for the lifetime of the key plus 90 days after rotation or deletion
- Server logs: retained 30 days
Explicit deletion requests for structured output can be submitted via POST /v1/jobs/{id}/delete. Operational metadata may be retained for audit and billing reconciliation.
PolDex processes data using the following AWS services:
- Amazon S3 — document storage
- Amazon SQS — job queue
- Amazon RDS (PostgreSQL) — structured data and ledger
- Amazon Bedrock — model inference
- AWS Fargate — compute
- Amazon SES — email notifications
All processing occurs in AWS regions subject to the AWS Data Processing Addendum. The full subprocessor list is available on request.
Data is encrypted in transit (TLS 1.2+) and at rest (AES-256 via AWS KMS). Access to production systems is restricted by IAM policy with least-privilege principles. API keys are stored as hashed values only — the raw key is shown once and is not recoverable by PolDex.
Depending on your jurisdiction, you may have rights to access, correct, delete, or port your personal data. To exercise these rights, email privacy@poldex.io.
We will respond within 30 days. Identity verification may be required before fulfilling data subject requests.
PolDex is incorporated in the United States. Data may be processed in AWS US regions. If you are located in the European Economic Area or United Kingdom, transfers to the US are governed by Standard Contractual Clauses where applicable.
We will notify API key holders of material changes to this policy by email at least 14 days in advance of the effective date. Continued use of the API after the effective date constitutes acceptance.
Privacy questions: privacy@poldex.io
Data subject requests: privacy@poldex.io
PolDex Inc.