Privacy Policy

Effective Date: 03/29/2026

This Privacy Policy outlines how Polystate, operated by Amagi Labs LLC (“Polystate”, “we”, “us”, or “our”), collects, uses, stores, and protects your personal data when you access or use our digital platforms, including the website www.polystate.io, web applications, and all related services (the “Platform”). This Policy is designed to comply with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and relevant international privacy standards, with transparency and accountability at its core.

Polystate applies EU/EEA data protection principles to all its processing activities. We serve a global clientele seeking second residencies, digital visas, offshore structuring, tax planning, and international relocation. We strive to uphold internationally recognized data protection principles regardless of user location.

1. Data Controller

Amagi Labs LLC is the data controller for all personal data collected via our Platform. We determine the purposes and means of data processing in accordance with applicable laws.

2. EU Representative

Although Amagi Labs LLC is established in the United States, our services are directed at individuals in the European Union. In accordance with GDPR Article 27, our EU representative for data protection matters is:

3. Who This Policy Applies To

This Privacy Policy applies to:

• Individuals using our website, app, or contacting us via forms
• Clients receiving consultation, communication, or onboarding
• Users creating or managing a personal or business account
• All persons interacting with our digital products or services globally

4. What Data We Collect

We may collect the following categories of data, either directly from you, automatically, or via third-party processors operating on our behalf:

a) Data You Provide Directly

• Full name, email address, phone number
• Date of birth, nationality, and place of birth
• Company name, professional identifiers (e.g., Legal ID, registration documents)
• Location preferences, residency interests, and citizenship information
• Information submitted in forms, inquiries, chat messages, or service requests
• Identity documents (passport data, national ID), supporting materials, and visa/residency application documents submitted for service fulfillment
• Passwords, account settings, and profile preferences
• Assessment and audit questionnaire responses

b) Identity Document Data

• Passport number, issue date, expiry date, and country of issuance
• National identity document number
• Uploaded document scans (passport, national ID, or other identity documents)

Identity document metadata is processed on the basis of contract performance (GDPR Art. 6(1)(b)) to deliver the services you requested. Where you upload identity document scans to your secure Data Vault, processing is based on your explicit consent obtained before upload. This data is encrypted in transit and at rest, accessible only to authorized personnel directly involved in your service request, and never used for marketing or profiling.

c) Automatically Collected Data

• IP address, browser metadata, device identifiers, and operating system
• Session logs, login timestamps, user actions, and interaction history
• Technical diagnostics and security logs

d) Communication and Engagement Data

• Email opens, replies, and unsubscribe actions
• Contact through marketing or onboarding sequences
• Customer service records

We do not knowingly collect personal data from children under 16 years of age. If we become aware of such a collection, we will delete the information without undue delay.

5. Legal Basis and Purposes of Processing

All data processing activities are based on at least one of the legal grounds under Article 6 of the GDPR:

You have the right to withdraw your consent at any time, without affecting the lawfulness of prior processing.

6. Cookies and Tracking Technologies

Our Platform uses cookies and similar technologies to support functionality, security, personalization, and analytics. These include:

a) Essential Cookies

• Enable login, session management, CSRF protection, and secure access.
• Cannot be disabled and do not require prior consent.

b) Functional Cookies

• Remember user preferences and account settings.

c) Analytics and Marketing Cookies

With your explicit consent, we use the following third-party tools for analytics, session recording, and advertising measurement:

• Google Analytics — anonymized usage data and page view tracking
• Microsoft Clarity — session recording and heatmap analysis
• Meta Pixel — conversion tracking and retargeting for Meta platforms
• LinkedIn Insight Tag — conversion tracking for LinkedIn advertising
• X (Twitter) Pixel — conversion tracking for X advertising

These cookies are only activated when you select “Accept All” in our cookie consent banner. You may withdraw consent at any time by clearing your browser's local storage or adjusting your cookie preferences. Cookie usage complies with the ePrivacy Directive and GDPR.

7. Third-Party Service Providers

We do not sell your personal data. We share data with the following service providers, who process data on our behalf under appropriate contractual safeguards:

We may also share data with:

• Cloud hosting and infrastructure providers
• Email, communication, and CRM service vendors
• Payment processors (if applicable)
• Legal, tax, or immigration professionals working under confidentiality
• Residency and tax residency service fulfillment partners, including Nomad Layer Co. (Próspera ZEDE, Honduras), who process your identity documents and application materials to deliver residency services on your behalf
• Government immigration authorities when you use our arrival card automation services (at your instruction and on your behalf)
• Supervisory or enforcement authorities, where required by law

Stripe collects billing address and tax identification information directly during checkout. We do not store your payment card details — all card data is handled entirely within Stripe's PCI DSS-compliant infrastructure.

Some of these recipients may be located outside the EU/EEA. Where applicable, we ensure lawful transfers through:

• European Commission adequacy decisions
• Standard Contractual Clauses (SCCs)
• Supplementary technical and contractual safeguards

8. Arrival Card and Immigration Form Services

When you use our arrival card automation services, your identity and travel data (including name, date of birth, passport number, and travel details) is submitted directly to the relevant government immigration portal (e.g., Malaysia Immigration Department, Singapore ICA) on your behalf and at your instruction.

We act as your processor for this submission. The receiving government authority is an independent data controller subject to its own privacy policies and data protection laws. We retain a record of each submission for service delivery and support purposes.

You may request deletion of your submission records at any time by contacting [email protected].

9. AI-Assisted Tools

Our Platform includes an AI-powered assistant (Noma AI) that provides general informational guidance on topics such as visa eligibility, tax residency, and international structuring.

• This tool does not make automated decisions about you. Its outputs are informational only and do not produce legal effects or similarly significant consequences.
• No personal profile data is transmitted to the AI service. Only the text of your query is processed.
• We track aggregate usage metrics (message count, estimated token count) per user for rate-limiting purposes. Message content is not stored.

AI-generated responses should not be relied upon as legal, tax, or immigration advice. Please refer to our Legal Disclaimer for full terms.

10. Data Retention

We retain personal data only as long as necessary for the purposes described in this policy. Specific retention periods are as follows:

Upon expiration of the applicable retention period, data is securely deleted or irreversibly anonymized.

11. Data Security Measures

We apply a combination of security measures, including:

• HTTPS encryption and TLS-secured communication
• Encryption at rest for stored identity documents and sensitive data
• Role-based access controls and data minimization
• Two-factor authentication (2FA) for administrative access
• Logging and monitoring of unusual behavior
• Routine audits and internal data access policies
• Row-level security (RLS) policies on database tables

While we implement best practices, no digital infrastructure can be guaranteed to be 100% secure. Users are responsible for maintaining the confidentiality of their credentials.

12. Your Rights

Under the GDPR and where applicable under other international frameworks, you may:

• Request access to your data (Art. 15 GDPR)
• Request rectification of inaccurate or outdated information (Art. 16)
• Request erasure of personal data (“right to be forgotten”) (Art. 17)
• Restrict or object to processing (Art. 18, 21)
• Receive your data in a structured, portable format (Art. 20)
• Withdraw consent at any time (Art. 7(3))
• Object to automated decision-making and profiling (Art. 22)

To exercise your rights, contact: [email protected]. We may request identity verification to prevent unauthorized disclosures.

We will respond to all data subject requests within one calendar month of receipt. If a request is particularly complex or we receive a high volume of requests, we may extend this period by up to two additional months, in which case we will notify you of the extension and the reasons within the initial one-month period.

If you reside in the European Union, you have the right to lodge a complaint with your local supervisory authority. You may also contact us directly at [email protected] for clarification or resolution.

13. External Links and Third-Party Services

Our Platform may link to third-party websites or services. We are not responsible for the privacy practices of those third parties. We recommend reviewing their privacy policies before engaging with external services.

14. Changes to This Privacy Policy

We may amend this Privacy Policy to reflect legal, technical, or operational updates. The latest version will always be available at www.polystate.io/privacy-policy. Where changes are material, we will provide notification through the Platform or by email.

15. Dispute Resolution

We are not obligated to participate in dispute resolution proceedings before a consumer arbitration board and do not voluntarily participate in such proceedings. EU consumers may contact their local alternative dispute resolution (ADR) body or supervisory authority directly.

Contact Details

We are committed to upholding your privacy and supporting your freedom to pursue global opportunity securely and transparently.