Privacy Policy

April 27, 2026


1. Introduction

This Privacy Policy explains how WEBZERO PTE. LTD. ("WebZero", "we", "us", or "our") collects, uses, stores, and protects your information when you use Polar — including polargtm.com, the Polar web application, the Polar Luma Importer Chrome Extension, and the Polar RFID Module (collectively, the "Service").

By accessing or using any part of the Service, you acknowledge that you have read and understood this Policy. If you are using Polar on behalf of an organisation, you confirm you have the authority to bind that organisation to these terms.

The Processor processes personal data on behalf of the Controller in connection with the provision of the Polar event management platform. Processing begins when the Controller first imports or creates attendee data in Polar and continues for the duration of the Service Agreement. Upon termination, Section 10 applies.

This Privacy Policy explains how the Polar Luma Importer Chrome Extension ("Extension") collects, uses, and protects your information. The Extension is operated by WebZero ("we", "us", or "our").

By installing and using the Extension, you agree to the collection and use of information in accordance with this policy.

2. Extension Purpose

The Polar Luma Importer Extension has a single purpose: to help Luma event organizers import their event data and guest lists into Polar for identity resolution, community analytics, and targeted outreach campaigns.

3. Data We Collect


3. Scope of Processing

3.1 Categories of Data Subjects

Event attendees, registrants, and guests whose data is imported into Polar by the Controller.

3.2 Types of Personal Data

| Data Category | Examples |
| --- | --- |
| Identity data | Full name |
| Contact data | Email address |
| Registration data | Answers to event-specific registration questions, check-in status |
| Attendance data | Event attendance records, session participation (aggregated) |

3.3 Nature and Purpose of Processing

Storage, organisation, retrieval, and analysis of event attendee data to enable the Controller to manage events, track attendance, segment attendees, generate follow-up tasks, and measure event outcomes. Processing includes identity resolution across multiple events within the Controller's workspace.

3.4 RFID Module

Where the Controller uses the Polar RFID Module, all raw RFID data is processed entirely on the Controller's local hardware. Only aggregated statistics (total check-ins, session traffic counts, peak attendance windows) are transmitted to and stored by the Processor. Individual RFID identifiers and granular movement data never leave the Controller's local device. The Polar RFID Module does not perform spatial tracking, behavioural profiling, or individual movement analysis.

4. Processor Obligations

The Processor shall:

(a) Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by applicable law, in which case the Processor shall inform the Controller of that legal requirement before processing unless prohibited by law.

(b) Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit (HTTPS/TLS), encryption at rest (AES-256), row-level security isolating each workspace's data, and role-based access controls.

(d) Not engage another processor without prior written authorisation of the Controller. The Controller hereby provides general written authorisation for the sub-processors listed in Section 6. The Processor shall inform the Controller of any intended changes to sub-processors, giving the Controller the opportunity to object.

(e) Assist the Controller in responding to requests from data subjects exercising their rights under GDPR Articles 15-22.

(f) Assist the Controller in ensuring compliance with obligations under GDPR Articles 32-36, taking into account the nature of processing and the information available to the Processor.

(g) At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage.

(h) Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits and inspections.

5. Controller Obligations

The Controller shall:

(a) Ensure that there is a valid legal basis for the processing of personal data instructed to the Processor.

(b) Provide appropriate privacy notices to data subjects whose data is processed through Polar.

(c) Respond to data subject requests from their attendees and instruct the Processor accordingly.

(d) Ensure that any registration questions configured in Luma or other source platforms comply with applicable data protection law.

6. Authorised Sub-processors

| Sub-processor | Purpose | Location | Transfer Mechanism |
| --- | --- | --- | --- |
| Supabase | Database, authentication, file storage | EU — Frankfurt (AWS eu-central-1) | N/A (EU-to-EU) |
| PostHog | Anonymous product analytics | EU | N/A (EU-to-EU) |
| Postmark | Transactional email delivery (to workspace users only, never to imported attendees) | United States | Standard Contractual Clauses (Art. 46 GDPR) |

The current list of sub-processors is maintained in Section 6 of the Polar Privacy Policy at polargtm.com/privacy. The Processor shall notify the Controller at least 14 days before adding or replacing a sub-processor. If the Controller objects on reasonable data protection grounds, the parties shall discuss in good faith. If no resolution is reached, the Controller may terminate the Service Agreement.

7. International Data Transfers

The Processor stores all primary data within the European Union (Supabase, Frankfurt). Where data is transferred to sub-processors outside the EU (currently Postmark, United States), such transfers are protected by Standard Contractual Clauses under GDPR Article 46. The Processor does not transfer personal attendee data outside the EU except through authorised sub-processors listed in Section 6.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller's data. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address the breach. The Processor shall assist the Controller in meeting its own notification obligations under GDPR Articles 33 and 34.

9. Audits

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct or commission an audit of the Processor's data processing activities, with reasonable notice and during business hours. The Processor shall cooperate with any such audit. Audits shall be limited to once per year unless a data breach or regulatory investigation requires additional review.

10. Data Return and Deletion

Upon termination of the Service Agreement, the Processor shall, at the Controller's election, either return all personal data in a structured, machine-readable format (CSV or JSON) or delete all personal data within 30 days, including any copies held in backups. The Processor shall confirm deletion in writing. This obligation does not apply to data the Processor is required to retain under applicable law, or to anonymised/aggregated data that cannot be linked to any individual.

11. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement, except that neither party may limit its liability for breaches of its data protection obligations to the extent prohibited by applicable law.

12. Term

This DPA shall remain in effect for the duration of the Service Agreement. Sections 8, 9, 10, and 11 shall survive termination.

13. Governing Law

This DPA is governed by the laws of the Federal Republic of Germany, without regard to conflict of law principles. The courts of Cologne (Köln) shall have exclusive jurisdiction over any disputes arising from this DPA.

14. Signatures

 

Data Controller

Organisation: ____________________

Name: ____________________

Title: ____________________

Date: ____________________

Signature: ____________________

Data Processor

Organisation: WEBZERO PTE. LTD.

105 Cecil Street, #18-18 The Octagon

Singapore 069534 | UEN: 202501128K

Name: 

Title: 

Date: ____________________

Signature: ____________________

For data protection inquiries:

Email: privacy@polargtm.com

Web: polargtm.com/privacy

3.1 Event Metadata from Luma

When you browse your Luma event management pages, the Extension captures event metadata including:

  • Event name and date

  • Event ID

  • Registration questions configured for the event

3.2 User-Provided Data

  • Polar API Key: You provide this to authenticate with Polar

  • CSV Files: Guest lists you explicitly choose to upload to Polar

  • Email Address: Your Polar account email for identification

3.3 Analytics Data

We collect anonymous usage analytics via PostHog to improve the Extension:

  • Extension installation and update events

  • Feature usage (e.g., uploads, connection status)

  • Error events for debugging

We do not track your browsing history, web activity outside Luma domains, or any personally identifiable information beyond what you explicitly provide.

4. Data We Do NOT Collect

  • Health information

  • Financial or payment information

  • Authentication credentials (passwords, PINs)

  • Personal communications (emails, messages)

  • Location data (GPS, IP-based location)

  • Browsing history outside of Luma domains

5. How We Use Your Data

  • Event Import: To capture and display Luma event metadata for upload to Polar

  • Authentication: To verify your Polar account and enable data uploads

  • Data Processing: To upload your guest lists to Polar for identity resolution

  • Product Improvement: Anonymous analytics help us improve the Extension

6. Data Storage

6.1 Local Storage

The following data is stored locally on your device using Chrome's storage API:

  • Polar API key (encrypted)

  • Captured event metadata (last 20 events)

  • User preferences (auto-capture toggle)

  • Anonymous analytics identifier

6.2 Server Storage

When you upload data to Polar, it is stored on our secure servers hosted on Supabase. This data is protected by row-level security (RLS) policies ensuring only you can access your data.

7. Data Sharing

We do not sell or share your personal data with third parties except:

  • Polar: Data you explicitly choose to upload

  • PostHog: Anonymous usage analytics (no personal data)

  • Legal Requirements: If required by law or legal process

8. Remote Code

The Extension does not use remote code. All JavaScript is bundled within the extension package. The Extension makes HTTP requests to external APIs (Polar for data upload, PostHog for analytics) but does not load or execute any external JavaScript, WebAssembly, or dynamic code.

9. Permissions Explained

storage

Required to persist your Polar API key, captured events, and preferences across browser sessions.

activeTab

Required to read event data from the currently active Luma page when you interact with the Extension.

Host Permissions (lu.ma, luma.com, api.lu.ma, api2.luma.com)

Required to run content scripts on Luma pages and intercept Luma API responses to capture event metadata. These permissions are strictly limited to Luma's domains.

10. Your Rights

You have the right to:

  • Access: View all data the Extension has stored locally via Chrome's developer tools

  • Delete: Clear all local data by clicking "Disconnect" in the Extension or uninstalling it

  • Opt-out: Disable auto-capture to prevent automatic event data collection

  • Data Export: Request an export of your Polar data via your account settings

  • Account Deletion: Request deletion of your Polar account and all associated data

11. Security

We implement appropriate technical and organizational measures to protect your data, including:

  • HTTPS encryption for all data transmission

  • Row-level security (RLS) for database isolation

  • Secure API key storage in Chrome's local storage

  • No server-side storage of your Luma credentials

12. GDPR Compliance

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR), including the right to access, rectify, port, and erase your data. To exercise these rights, contact us at the email below.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date.

14. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data rights, please contact us:

Email: privacy@polargtm.com

Website: polargtm.com