POLYMAI STANDARD FORM
Service Terms
Version 2026.06 - review copy
1. Agreement Structure
These Service Terms govern services provided by Polymai or the Polymai contracting entity identified in an order form ("Polymai") to the customer identified in that order form ("Customer"). An agreement is formed only when an order form, statement of work, subscription confirmation, or written acceptance references these terms and is accepted by both parties.
If an order form conflicts with these Service Terms, the order form controls for that order only. Additional signed schedules, including the Data Processing Addendum, AI Processing Addendum, security schedule, or support terms, apply only when referenced by the order form or otherwise accepted in writing.
2. Services and Deliverables
Polymai may provide app planning, AI-assisted code generation, implementation support, preview review, readiness checks, publishing assistance, support, and related advisory services. Deliverables may include briefs, plans, source files, configuration artifacts, SQL, Edge Functions, UI screens, screenshots, test output, deployment notes, and handoff documentation.
Polymai is not responsible for work outside the agreed scope. Unless expressly stated, services do not include legal advice, regulated professional advice, guaranteed production uptime, managed hosting, security monitoring, penetration testing, tax advice, payment processing, or operation of Customer's business process.
3. Customer Responsibilities
Customer is responsible for providing accurate instructions, lawful content, required approvals, account access, provider credentials through approved secure channels, business rules, acceptance feedback, and all decisions about launching or using a generated app. Customer must not provide secrets, regulated data, or sensitive personal data unless the order form permits it and appropriate safeguards are in place.
Customer is solely responsible for its production use of deliverables, including user notices, consents, regulatory compliance, accessibility requirements, payment and tax obligations, data retention, backup decisions, and review by Customer's own legal, security, and compliance advisors.
4. Third-Party Services
Deliverables may interoperate with third-party services such as AI providers, Supabase, GitHub, hosting providers, email providers, payment providers, analytics tools, and customer-selected APIs. Third-party services are governed by their own terms, pricing, security, regions, availability, and data practices.
Polymai is not liable for third-party outages, changes, deprecations, API limits, security events, pricing changes, account suspensions, deliverability failures, payment disputes, or data processing by providers outside Polymai's direct control.
5. Acceptance and Changes
Unless an order form states otherwise, deliverables are accepted when Customer approves them, uses them in production, or fails to reject them with specific material nonconformity details within seven days after delivery. Polymai will use commercially reasonable efforts to correct accepted in-scope defects reported during the agreed review period.
Requests outside the agreed scope, including new features, material design changes, data model changes, new integrations, production hardening, compliance review, or provider reconfiguration, are handled as separate work and may require additional fees and timelines.
6. Fees, Taxes, and Suspension
Customer will pay all fees in the order form without setoff or deduction. Fees are non-cancelable and non-refundable except as expressly stated. Customer is responsible for taxes, payment provider fees, hosting charges, AI usage, repository charges, email charges, database charges, and other third-party costs.
Polymai may suspend services for overdue amounts, security risk, misuse, unlawful instructions, missing approvals, or Customer's failure to provide required information, provided Polymai gives reasonable notice when practical.
7. Intellectual Property
Customer retains ownership of Customer materials. Subject to full payment, Customer receives ownership of custom deliverables created specifically for Customer, excluding Polymai background technology, templates, know-how, generic components, pre-existing materials, workflows, prompts, evaluation methods, automation, and reusable patterns.
Polymai retains all rights in its platform, methods, tooling, templates, libraries, non-customer-specific improvements, and generalized learnings. Customer grants Polymai a limited license to use Customer materials to provide the services, maintain project context, troubleshoot, and comply with the agreement.
8. AI Output and Generated Code
AI-assisted work may contain errors, omissions, insecure code, hallucinated assumptions, third-party dependency risks, or output requiring human review. Polymai uses review, preview, and contract checks as quality controls, but no AI-generated output should be treated as guaranteed, legally reviewed, security-certified, or production-ready without Customer acceptance and any required expert review.
9. Confidentiality
Each party must protect the other party's non-public information using at least reasonable care and may use it only to perform or receive services. Confidentiality obligations do not apply to information that is public without breach, independently developed, rightfully received from a third party, or required to be disclosed by law.
10. Warranties and Disclaimers
Polymai will perform services in a professional and workmanlike manner. Except for that limited warranty, services and deliverables are provided "as is" and "as available" to the maximum extent permitted by law. Polymai disclaims implied warranties of merchantability, fitness for a particular purpose, non-infringement, uninterrupted operation, error-free output, revenue results, compliance outcomes, model accuracy, and security certification.
11. Limitation of Liability
To the maximum extent permitted by law, neither party is liable for indirect, incidental, special, consequential, exemplary, punitive, lost profit, lost revenue, lost goodwill, lost data, business interruption, or substitute service damages. Polymai's aggregate liability for all claims arising out of or relating to the services is limited to the fees paid by Customer to Polymai for the affected services during the three months before the event giving rise to liability, or EUR 1,000 if no fees were paid.
The limitations apply regardless of the theory of liability and even if a remedy fails of its essential purpose. Nothing limits liability that cannot legally be limited, including fraud, intentional misconduct, or liability that applicable law prohibits excluding.
12. Termination and Effect
Either party may terminate for material breach if the breach is not cured within fourteen days after written notice. Polymai may terminate immediately for unlawful instructions, security risk, non-payment, or misuse. On termination, Customer must pay all accrued fees and Polymai may stop work. Sections intended to survive, including fees, confidentiality, intellectual property, disclaimers, liability limits, and dispute terms, survive.
13. Governing Law
The governing law and venue are those stated in the order form. If none are stated, Swedish law governs, excluding conflict-of-law rules, and disputes are submitted to the courts of Stockholm, Sweden, unless mandatory law requires otherwise.
POLYMAI STANDARD FORM
Privacy Notice
Version 2026.06 - review copy
1. Scope and Controller
This Privacy Notice explains how Polymai processes personal data when visitors use polymai.com, submit contact or package forms, participate in sales or support discussions, or engage Polymai for app planning and build services. The controller is the Polymai contracting entity or website operator identified in the applicable order form or contact channel.
2. Categories of Personal Data
Polymai may process contact details, business role, company name, project descriptions, communications, website metadata, support requests, billing and commercial records, repository or project identifiers, screenshots, logs, configuration metadata, and information voluntarily provided in prompts or project materials.
Customer should not provide special categories of personal data, government identifiers, payment card data, health data, children's data, passwords, private keys, service role keys, or other highly sensitive information unless expressly agreed in writing and required safeguards are in place.
3. Purposes and Legal Bases
Polymai processes personal data to respond to requests, prepare proposals, provide services, build and troubleshoot apps, maintain project context, send administrative messages, secure systems, comply with law, manage billing, and improve service quality. Legal bases may include contract performance, legitimate interests, consent where requested, and legal obligation.
4. Sharing and Providers
Polymai may share personal data with infrastructure, AI, email, repository, hosting, analytics, payment, support, and professional service providers as needed for the relevant service. Customer-selected providers may process data under Customer's own account and terms.
5. International Transfers
Data may be processed in the European Economic Area, United States, or other regions depending on the configured providers, customer accounts, model endpoints, hosting choices, and support workflows. Where required, Polymai relies on appropriate transfer mechanisms such as standard contractual clauses, adequacy decisions, provider data processing terms, or customer instructions.
6. Retention
Polymai retains personal data for as long as needed for the purposes described, including active services, legal obligations, security, dispute handling, and business records. Lead and support records are retained while there is an active commercial relationship or reasonable business need, unless deletion is required earlier by law or agreement.
7. Rights Requests
Depending on applicable law, individuals may request access, correction, deletion, restriction, portability, objection, or withdrawal of consent. Polymai may need to verify identity and may direct requests about Customer-controlled app data to the relevant Customer. Individuals may also contact their local data protection authority.
8. Security
Polymai uses administrative, technical, and organizational safeguards designed for AI-assisted app development, including secret-boundary rules, project scoping, provider configuration review, access limitation, and server-side handling of privileged work. No system is perfectly secure, and Customer remains responsible for securing Customer accounts and production environments.
9. Changes and Contact
Polymai may update this notice as services, providers, law, or workflows change. Material changes are reflected by updating the version or effective date. Privacy requests should be sent through the contact channel in the order form or the public Polymai contact form.
POLYMAI STANDARD FORM
Data Processing Addendum
Version 2026.06 - review copy
1. Roles and Applicability
This Data Processing Addendum applies when Polymai processes personal data on behalf of Customer as processor under GDPR or similar data protection laws. Customer is controller unless the order form states otherwise. Polymai processes personal data only to provide the agreed services and in accordance with Customer's documented instructions.
2. Processing Details
Subject matter: AI-assisted app planning, build, preview, repair, support, and related service workflows. Duration: the term of the order plus deletion or return period. Nature and purpose: receiving project context, generating and reviewing app artifacts, troubleshooting, configuring provider boundaries, and supporting Customer requests.
Categories of data subjects may include Customer personnel, contractors, prospects, end users, and individuals contained in project materials. Categories of personal data may include contact details, account identifiers, project descriptions, app content, support communications, metadata, screenshots, logs, and Customer-provided sample data.
3. Instructions and Restricted Data
Customer instructs Polymai to process personal data as necessary to provide the services, comply with the agreement, and follow lawful written instructions. Customer must not submit restricted data unless the order form specifically authorizes it. Polymai may refuse or suspend processing that it reasonably believes is unlawful, unsafe, outside scope, or unsupported by available safeguards.
4. Confidentiality and Personnel
Polymai ensures that personnel authorized to process personal data are subject to confidentiality obligations and receive access only as needed for the services. Polymai remains responsible for personnel handling personal data under this DPA.
5. Security Measures
Polymai maintains technical and organizational measures appropriate to the service, including access limitation, secret separation, server-side handling of privileged work, provider configuration review, environment separation where practical, logging proportional to support needs, and project artifact scoping. Customer is responsible for security of Customer-managed accounts, production configurations, and end-user access.
6. Subprocessors
Customer authorizes Polymai to use subprocessors necessary for the services. Polymai will impose written data protection obligations on subprocessors materially consistent with this DPA. Polymai will provide information about material subprocessors and changes through the public subprocessor list, order form, or written notice where required.
7. International Transfers
Where personal data is transferred internationally, Polymai will use appropriate safeguards required by applicable law, such as standard contractual clauses, adequacy decisions, or provider transfer mechanisms. Customer acknowledges that selected AI, repository, email, hosting, and cloud providers may determine processing regions based on Customer configuration and account settings.
8. Data Subject Requests and Assistance
Polymai will provide reasonable assistance for data subject requests, security incidents, DPIAs, regulator inquiries, and compliance information when Customer cannot reasonably handle the request without Polymai. Assistance outside ordinary support may require professional services fees.
9. Personal Data Breach
Polymai will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data processed by Polymai. Notice will include available information about the incident, likely consequences, and mitigation measures, subject to investigation progress and legal restrictions.
10. Deletion, Return, and Audit
Upon termination or written request, Polymai will delete or return Customer personal data in its possession unless retention is required by law, security, dispute resolution, backups, or legitimate business records. Polymai may satisfy audit obligations by providing security documentation, summaries, third-party reports, or written responses. Onsite audits require reasonable notice, confidentiality, scope limits, and no disruption to Polymai operations.
11. Liability and Precedence
This DPA does not expand Polymai's liability beyond the limitations in the Service Terms unless mandatory law prohibits the limitation. If this DPA conflicts with the Service Terms on data protection matters, this DPA controls for those matters only.
POLYMAI STANDARD FORM
Security Schedule
Version 2026.06 - review copy
1. Security Model
Polymai's security model is designed around AI-assisted software generation and service-aware app delivery. Controls focus on keeping secrets out of browser code, separating privileged work into server-side boundaries, preserving project structure, and making app setup reviewable through files, screenshots, and readiness checks.
2. Access Controls
Access to customer project materials is limited to authorized personnel and tools needed to provide the services. Customer account access should be provided through approved provider mechanisms, scoped tokens, or temporary collaboration access. Customer must not send service role keys, database passwords, private keys, or webhook secrets through public forms or ordinary chat unless Polymai explicitly approves the channel.
3. Secrets and Configuration
Generated browser files may contain only frontend-safe values such as publishable keys and public project URLs. Provider secrets, API keys, service role keys, webhook signing secrets, and database credentials belong in provider environments, Supabase Edge Function environment variables, GitHub secrets, local developer environments, or other approved secret stores.
4. App Data Boundaries
When a generated app uses Supabase or similar data services, Polymai plans app-scoped schemas, policies, storage paths, and runtime configuration where practical. Privileged actions such as AI calls, email, payments, webhooks, scraping, and background tasks are planned for Edge Functions or comparable server-side boundaries.
5. Review and Change Controls
Polymai uses scoped changes, registry/load-order tracking, syntax checks, contract checks, visual screenshots, and human review to reduce generated-code risk. These controls are not a substitute for Customer's production security review, penetration testing, compliance certification, or monitoring obligations.
6. Incident Handling
Polymai will investigate suspected incidents affecting Customer project materials or Polymai-controlled processing. Polymai will notify affected customers as required by contract or law. Customer is responsible for incidents in Customer-controlled accounts, production environments, user access, provider billing, and third-party services outside Polymai control.
7. Customer Security Responsibilities
Customer is responsible for identity management, access reviews, provider account security, production deployment decisions, backup settings, logging and monitoring, end-user authorization, data classification, legal notices, and approval of any app handling sensitive or regulated data.
POLYMAI STANDARD FORM
AI Processing Addendum
Version 2026.06 - review copy
1. AI-Assisted Services
Polymai may use AI systems to understand project goals, draft briefs, generate code, summarize context, inspect errors, prepare handoffs, improve UI copy, and repair checks. AI use is part of the service workflow unless the order form restricts it.
2. Customer Instructions and Data Minimization
Customer instructs Polymai to provide only the project context reasonably needed for the task. Customer must minimize personal data and must not provide sensitive, regulated, or confidential information beyond what is necessary and authorized. Polymai may redact, summarize, or refuse materials that appear excessive or unsafe for AI processing.
3. AI Providers and Model Controls
AI processing may occur through business or API accounts with providers such as OpenAI or other customer-approved models. Provider data-use, retention, abuse monitoring, region, and training controls depend on the account, endpoint, model, configuration, and provider terms in effect. Where a customer requires a specific model, region, or retention setting, it must be stated in the order form.
4. Human Review and Output Risk
AI output may be inaccurate, incomplete, insecure, duplicative, or unsuitable for production use. Polymai applies human review and app checks, but Customer remains responsible for approving deliverables before production use and for obtaining specialist review where required, including legal, security, accessibility, tax, medical, financial, or regulated-domain review.
5. Prohibited AI Inputs
Unless expressly agreed, Customer must not provide payment card data, passwords, private keys, service role keys, health records, children's data, biometric identifiers, government IDs, criminal offense data, trade secrets not required for the task, or data subject to heightened legal restrictions.
6. No Autonomous Production Decisions
Unless separately scoped, Polymai's AI use is for app building and repair, not autonomous operation of Customer's production business, automated legal decisions, employment decisions, credit decisions, medical advice, or other high-impact determinations about individuals.
7. Ownership and Restrictions
Rights in deliverables are governed by the Service Terms. Customer must comply with applicable AI provider terms and must not use deliverables to infringe third-party rights, evade safety controls, generate unlawful content, or misrepresent AI-generated output as independently certified or professionally reviewed.
POLYMAI STANDARD FORM
Subprocessor List
Version 2026.06 - review copy
1. Applicability
This list describes common subprocessors and provider categories used for Polymai services. Actual subprocessors depend on the package, customer accounts, region, feature choices, and order form. Customer-selected providers may act as Customer's processors or independent providers under Customer's own terms.
2. Core Provider Categories
Provider category | Purpose | Data involved
AI model provider | Planning, code generation, summarization, repair support | Project prompts, code snippets, screenshots, logs, app context
Supabase or database provider | App data, auth, storage, Edge Functions, lead capture | Configured app records, account identifiers, files, function payloads
Repository and publishing provider | Source control, deployment, static hosting, workflow automation | Source files, commits, build logs, repository metadata
Transactional email provider | Lead notifications and app email when configured | Recipient, sender, message body, delivery metadata
Payment provider | Checkout, subscriptions, webhooks, invoices when configured | Payment metadata, customer identifiers, transaction status
Support and diagnostics tools | Issue investigation, screenshots, logs, customer communication | Support messages, diagnostic context, limited account metadata
3. Common Named Providers
Common providers may include OpenAI for AI processing, Supabase for database/auth/storage/functions, GitHub for repository and publishing workflows, Resend or a comparable email provider for transactional email, Stripe for payments when configured, and hosting or CDN providers selected for the customer deployment.
4. Change Notice and Objection
Polymai may update subprocessors as services evolve. Where required by law or signed DPA, Polymai will provide notice of material new subprocessors and a reasonable opportunity to object on data protection grounds. If the parties cannot resolve a reasonable objection, the affected service may be suspended or terminated as described in the agreement.
5. Regional Processing
Processing regions vary by provider, customer configuration, model endpoint, repository location, and hosting environment. Region commitments must be stated in the order form or applicable provider configuration. Public examples and demo apps should not be used to infer a production customer's processing region.