PRIVACY POLICY

LAST UPDATED · 19 MAY 2026

This Privacy Policy explains how Polaris Records Ltd (“we”, “us”, “our”) handles personal data when you use the Polaris promotion tracking platform (the “Service”). We are the data controller for personal data processed through the Service.

If you have any questions about this policy or your data, contact us at legal@polarisrecords.net.

1. Who can use Polaris

Polaris is an invite-only platform. You can only create an account using a referral code issued by an existing member. The Service is not aimed at people under the age of 16, and we do not knowingly collect personal data from anyone under that age. If you believe we hold data about a child under 16, contact us and we will investigate.

2. What we collect

We only collect what we need to run the Service:

  • Account details: your name, email address, and a one-way hashed copy of your password (we never store passwords in readable form).
  • Account state: the role assigned to your account, whether it is active, the referral code used to sign up, and your notification preferences.
  • Session data: for each device you sign in on, we record the browser and operating system (parsed from the user-agent string), the IP address the request came from, when the session started, and when it was last seen. This powers the Sessions screens and lets you (or an administrator) revoke suspicious devices.
  • Activity logs: we record security-relevant events such as sign-ins, sign-outs, session revocations, password changes, and role or status changes. Each entry can include the actor, the affected user, an IP address and a device label.
  • Service data: the records you create while using the Service — campaigns, creators, videos, sounds, invoices, cover-art jobs and similar. This may incidentally include personal data about third parties (for example, creator names or contact details) that you choose to add.

We do not use analytics, advertising, tracking pixels, or any third-party scripts. We do not buy, sell or rent personal data, and we do not share personal data with any third party for marketing. We do not carry out any automated decision-making or profiling that produces legal or similarly significant effects on you.

3. Why we process it (legal basis)

  • Contract (UK GDPR Art. 6(1)(b)): to provide the Service to you after you create an account.
  • Legitimate interests (UK GDPR Art. 6(1)(f)): to keep the Service secure — specifically, to authenticate sign-ins, run session management, maintain audit logs, and investigate suspected abuse. We have limited what we collect to what we need for these purposes, and you can object to this processing under section 9.
  • Legal obligations (UK GDPR Art. 6(1)(c)): where the law requires us to keep records or respond to a lawful request from a court, regulator or law enforcement.

We do not rely on consent for the processing described above, so there is no consent for you to withdraw. You can stop using the Service at any time.

4. Cookies

We use a small number of cookies, all of which are strictly necessary for the Service to work. They are exempt from the consent requirement under regulation 6(4) of the Privacy and Electronic Communications Regulations because they are essential for a service you have requested:

  • Session token cookie — stores your signed sign-in token so we know you are authenticated.
  • CSRF token cookie — protects your sign-in flow from cross-site request forgery.
  • Callback URL cookie — remembers where to send you after you complete a sign-in flow.

All three are first-party, set by our authentication library (NextAuth). In production they are HttpOnly, Secure, and same-site. We do not use analytics, advertising, or other tracking cookies, and we do not embed third-party scripts.

5. Who can see your data

  • You can see your own account, your sessions, and the records you have access to.
  • Other authorised members of Polaris may see records relevant to their role — for example, administrators can see user accounts and campaigns.
  • The platform owner has access to all data in the Service for security and operational reasons, including the ability to view and revoke active sessions.
  • No third parties receive your personal data. The Service is self-hosted on infrastructure we operate; we have not engaged any external processor for analytics, email, payments or storage.
  • Authorities may receive specific data where we are required by law to disclose it (for example, in response to a valid court order or regulatory request). Where we are legally permitted to do so, we will tell you first.

If this changes — for example, if we engage an email provider — we will update this policy and tell you in the Service before the change takes effect.

6. How long we keep it

  • Account data is kept while your account is active. If your account is deleted by an administrator, the account record is removed and the device sessions tied to it are purged at the same time.
  • Sessions are automatically deleted seven days after they expire, via a database time-to-live index.
  • Activity logs are retained for as long as we reasonably need them for security and accountability. We do not commit to a fixed period in this policy, but we review them periodically and delete what is no longer needed.
  • Service data (your campaigns, creators, videos, invoices and so on) is kept while your account exists or until you delete it through the Service.

7. Security

Passwords are hashed with bcrypt before they are stored. Sessions can be revoked by you, by an administrator, or automatically when you change your password. We log sign-ins and revocations so that unusual activity can be investigated. In production the Service is delivered over HTTPS and authentication cookies are HttpOnly, Secure and same-site. No system is perfectly secure; you can help by using a strong, unique password and by signing out of devices you don’t recognise from Settings → Sessions.

8. Where your data is held

Your data is stored on servers we operate in the European Economic Area. Because we do not use third-party processors, no transfer of your personal data to a country outside the United Kingdom or EEA takes place for processing on our behalf. Transfers from the UK to the EEA are permitted under UK GDPR without additional safeguards.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you (Art. 15).
  • Have inaccurate personal data corrected (Art. 16).
  • Have your personal data erased in certain circumstances, including where it is no longer needed for the purposes we collected it, where you have objected to processing, or where it has been processed unlawfully (Art. 17).
  • Restrict our processing in certain circumstances (Art. 18).
  • Receive a copy of the personal data you provided to us in a portable format (Art. 20).
  • Object to our processing where we rely on legitimate interests (Art. 21).

To exercise any of these rights, email legal@polarisrecords.net. We will respond within one month, as required by Art. 12(3), and may ask you to verify your identity before acting on the request. Some of these rights are not absolute and may not apply in every case — if a request is refused we will tell you why.

10. Complaints

If you have a complaint about how we handle your personal data, please tell us first by emailing legal@polarisrecords.net. We will acknowledge your complaint within 30 days and explain what we plan to do about it.

You also have the right to complain at any time to the UK Information Commissioner’s Office (ICO): ico.org.uk/make-a-complaint.

11. Changes to this policy

If we make material changes to this policy, we will update the “Last updated” date at the top and, where practical, notify you in the Service. Continued use of the Service after a change indicates acceptance of the updated policy.

12. Company details

Polaris Records Ltd
Company registered in England & Wales, no. 15293821
Registered office: Suite A, 82 James Carter Road, Mildenhall, Suffolk, England, IP28 7DE
Contact: legal@polarisrecords.net