Privacy Policy
Last updated: April 20, 2026 · Effective January 1, 2025
This Privacy Policy explains how Polycreek ("we", "us", "our"), a 501(c)(3) nonprofit organization (EIN 87-1801969), collects, uses, and safeguards information in two distinct contexts: (a) visitors to polycreek.org, and (b) customers of the Aletheia API and the end users whose conversations those customers send to us for scoring.
1. Scope of this policy
This policy applies to polycreek.org and any Polycreek-operated service that links to it. It does not cover third-party sites, including our donation processor (Zeffy) or external platforms we reference.
Two very different data relationships exist at Polycreek, and we treat them separately in the sections below:
- Part A — Website visitors. Anyone who browses polycreek.org, subscribes to our newsletter, submits our contact form, or creates a user account.
- Part B — Aletheia API customers and their end users. Organizations that integrate the Aletheia API, and the end users whose messages those organizations send us for grooming-detection scoring.
Part A — Website Visitors
A.1 Information we collect
Information you provide directly:
- Name, email address, organization, and message content you submit via contact forms.
- Email address when you subscribe to our newsletter.
- Account credentials (name, email, hashed password) when you create a member account for the Aletheia API dashboard.
Information we collect automatically:
- IP address, browser type, operating system, device type, referring URLs, and pages visited.
- Session cookies required for login and CSRF protection. See our Cookie Policy for the full list.
- Aggregate traffic analytics (page views, bounce rates) used to improve the site. We do not deploy cross-site tracking or advertising cookies.
A.2 How we use website data
- Operate, secure, and improve the website.
- Respond to contact-form inquiries and partner outreach.
- Send newsletters (only to subscribers; opt-out link is in every email).
- Authenticate users and provide access to the member dashboard.
- Comply with legal obligations, enforce our Terms, and protect rights, property, or safety.
A.3 Third parties we share data with
We do not sell or rent personal data. We share limited data only with trusted service providers acting on our behalf, under confidentiality obligations:
- Email delivery: our transactional and newsletter email provider.
- Hosting and infrastructure: our application hosting and storage providers.
- Donation processing: Zeffy processes donations on Polycreek's behalf and applies its own privacy policy to payment data.
- Legal compliance: when required by law, subpoena, or court order, or to respond to a credible threat to child safety.
Part B — Aletheia API
B.1 Who is covered
Part B applies when a customer organization (a "Platform") integrates the Aletheia API and transmits conversation data from its end users to Polycreek for automated grooming-risk scoring. In this context, the Platform is typically the data controller and Polycreek is the data processor.
B.2 What we process
- Conversation content submitted by the Platform for scoring.
- Technical metadata (timestamps, message IDs, opaque user pseudonyms) necessary for classification and reporting.
- API credentials and usage telemetry required for authentication, rate-limiting, and billing.
B.3 Zero data retention
Aletheia is engineered for zero retention of conversation content. Messages submitted to the API are scored in memory and discarded. No message content is persisted to Polycreek databases or backups. The only data we keep is:
- Score results and risk-tier outcomes (no message text).
- Anonymized metrics used to monitor model performance.
- For cases flagged as critical and confirmed by human review: structured evidence packages required for NCMEC CyberTipline reporting. These are retained only for the period required by law and by NCMEC.
B.4 CSAM and reporting obligations
Polycreek is a registered NCMEC reporter. If Aletheia identifies content that appears to depict child sexual abuse or exploitation, Polycreek — as required by US federal law (18 U.S.C. § 2258A) — prepares and submits a report to the NCMEC CyberTipline. We never store CSAM. Hash-based matching uses Microsoft PhotoDNA under a signed SLA. Submitting data that includes illegal content in violation of Aletheia's Terms does not waive our reporting obligations.
B.5 Data processing agreements
Enterprise Platforms sign a Data Processing Agreement (DPA) with Polycreek that defines processing purposes, sub-processor usage, data residency, and deletion obligations. DPAs can accommodate GDPR Article 28 requirements, UK data transfers (IDTA), and sector-specific rules.
3. Data Security
We implement reasonable technical and organizational safeguards: encrypted transport (TLS 1.2+), encrypted storage for sensitive data at rest, least-privilege access controls, regular dependency patching, and logging of access to production systems. No method of transmission over the Internet is 100% secure, and no organization can guarantee absolute security, but we take our obligations seriously and disclose breaches when required.
4. Your Rights
Depending on your jurisdiction, you may have some or all of the following rights:
- Access: request a copy of the personal data we hold about you.
- Correction: request that we correct inaccurate or incomplete data.
- Deletion: request that we delete your personal data ("right to erasure").
- Restriction: request that we limit the processing of your data.
- Portability: request a machine-readable copy of data you provided.
- Objection: object to processing for direct marketing or on other grounds.
- Withdraw consent: for processing based on consent, you may withdraw at any time.
To exercise any of these rights, submit a data subject request or email privacy@polycreek.org. We verify identity before fulfilling requests and respond within 30 days, as required by GDPR Art. 12 and CCPA §1798.130. If Part B applies to you (your data reached us through a Platform using Aletheia), direct your request to the Platform first; we will assist them in fulfilling it.
5. Children's Privacy
Our website is not directed to children under 13, and we do not knowingly collect personal data from children through it. If we learn we have collected such data, we will delete it promptly. Aletheia, by contrast, exists precisely to protect children — it processes conversation metadata from Platforms on whose services minors may appear, strictly for safety classification and lawful reporting purposes, as described in Part B.
6. International Transfers
Polycreek is based in the United States. If you access the site or use the API from outside the US, data may be transferred to and processed in the US. For Platforms or users subject to GDPR, UK GDPR, or similar regimes, we rely on Standard Contractual Clauses and any additional safeguards the applicable law requires.
7. Third-Party Links
polycreek.org contains links to external websites (NCMEC, Candid, ProPublica, Zeffy, our partners, etc.). We are not responsible for the privacy practices of those sites; review their policies before providing any information.
8. Changes to This Policy
We may update this Privacy Policy to reflect changes in our practices, technology, legal obligations, or operations. Material changes will be announced on this page and, when appropriate, emailed to registered users. The "Last updated" date above reflects the most recent revision.
9. Contact
Questions, requests, or complaints regarding this Privacy Policy or our data practices:
- Email: contact@polycreek.org
- Mail: Polycreek, 1905 Sherman Street, Suite 200, Denver, CO 80203, United States