Poly.app AI File Browser – Privacy Analysis (2025)

Summary

Poly.app markets itself as an “intelligent file browser”, or more specifically “intelligent cloud file browser” that lets you store, browse, research and organize your personal files and media with AI, across web and desktop (Poly App).

Recent announcements show Poly emerging from stealth with $8M in seed funding, led by Felicis with participation from Bloomberg Beta, NextView, Figma Ventures, AI Grant, Wing Ventures, and MVP Ventures. (TechCrunch)

The company explicitly aims to rebuild the file browser, positioning itself as a replacement for Finder or File Explorer

From a privacy perspective, we consider this product high-risk:

• Poly encourages users to connect or upload large parts of their digital life (documents, images, audio, video) (robotwisser)
• The product is powered by AI that can search, summarize, tag, and generate across formats. (Poly App)
• According to their Privacy Policy, Poly sends data to third-party AI platforms (specifically naming Gemini and Claude), uses extensive tracking and analytics, retains data broadly, and permits sharing with corporate partners, authorities, and “service providers.” (Poly App, Privacy Policy)

Read on for our analysis of the below, through the lens of your digital privacy and independence:

• What does Poly do?
• How does Poly handle your data?
• What does Poly’s privacy policy mean?
• AI Exposure & Third-Party Risk of Poly App
• Poly App’s Data Sharing & Corporate Control
• Poly’s Data Retention & De-Identification
• Security Posture & Controls
• Who is at risk?
• How does Poly compare to similar apps?
• Our perspective

1. What Poly.app Actually Does

1.1 Poly App’s Product vision

Poly’s public materials describe it as an AI-powered file browser and cloud hosting service that lets you store, browse, research and organize files with AI, on web and desktop. (Poly App)

The Poly homepage, launch materials and founder interviews highlight that Poly:

• Makes every document, image, audio, and video searchable, understandable, and generative.
• Layers intelligence directly into the file browsing experience, syncing local files to the cloud.
• Allows users to ask an AI agent about their documents, images, videos, and audio and receive context-aware answers across their file system.
• Is designed to replace Finder / File Explorer, described by the CEO as “an intelligent interface that can help search, understand, and create across terabytes of information… like having an LLM with infinite context from your life.” (GlobalNewsWire)

1.2 Company, founders, and backing

Poly is:

• A YC-backed (S22) startup, headquartered in San Francisco. (TechCrunch)
• Founded by Abhay Agarwal (CEO) and Sam Young, originally in 2022. (CryptoRank)
• Recently re-launched publicly after ~two years in stealth with an $8M seed round. (AIM Media House)

Earlier coverage shows Poly initially focusing on web-first generative AI for 3D assets and textures before pivoting to file systems after user research surfaced file organization as a major pain point (AIM Media House)

The context: Poly appears to be a growth-oriented, venture-backed AI file system. Nothing our research surfaced indicated prioritization of user privacy.

2. How Poly App Handles Your Files

2.1 Deep ingestion of personal content

Marketing materials and the product site describe Poly as being able to handle:

• Documents, PDFs, presentations
• Images and design files
• Videos and audio
• “Terabytes of your files” across formats (GlobalNewsWire)

A Poly founder’s YC Thread explains the feature scope of Poly’s AI integration:

“syncs local files to the cloud” and allows the AI interface to handle “renaming, moving, tagging, annotating, and organizing files for you.” as well as “read URLs, youtube links … search the web and even download files”

To us, this suggests Poly is not just a frontend for your folders; it’s an indexing layer on top of whatever you give it access to, without cloud copies and semantic representations of your files, living on Poly’s infrastructure – based on our assessment.

2.2 AI-centric analysis

Across multiple announcements and coverage, Poly emphasizes that it:

• Uses AI to tag, summarize, and organize information.
• Supports multimodal search, answering questions about documents, images, videos, and audio.
• Can act as an “intelligent interface” over “terabytes of information,” akin to having an LLM, with all shared files as context.

Poly’s privacy policy confirms that Poly leverages third-party AI platforms such as Gemini and Claude as service providers, meaning user data will be processed by external LLM vendors.

3. What does Poly App’s Privacy Policy Mean & Allow?

(All statements in this section are based on the Nov 5, 2025 Poly Corporation privacy policy)

Poly’s own privacy policy states that it collects:

• Contact and profile data (name, alias, email, addresses, phone, username, password, social links)
• Transactional and payment data (orders, transaction history; payment via Stripe)
• Marketing and communication data (preferences, engagement with emails, texts, chats)
• User-generated content (UGC) including photos, music, videos, works of authorship, and any content you generate or share on the Service
• Rich metadata, including how, when, and where content was collected, by whom, how it was edited, and user-added tags and geographic data
• Automatic telemetry, including device characteristics, IP address, general or precise location, online activity data, and email interaction data, collected via cookies, local storage, and web beacons

The policy further permits Poly to:

• Use your data to provide, operate, and personalize the Service (including AI-assisted features)
• Create aggregated, de-identified, or anonymous data from personal information and share it with third parties “for any lawful business purpose”
• Share personal information with service providers, explicitly including artificial intelligence platforms such as Gemini or Claude
• Share data with authorities and private parties for compliance and protection purposes
• Disclose data in corporate transactions (investments, financing, mergers, sales, bankruptcy)
• Expose profile data and UGC to other users and the public, where users choose (or misconfigure) sharing settings

Crucially, the policy states that Poly:

• Does not respond to “Do Not Track” signals
• May retain personal information for as long as it has an ongoing relationship with you and as long thereafter as needed for legal, accounting, reporting, or “legitimate” business purposes
• Cannot guarantee the security of your personal information, despite using technical and organizational safeguards

These are permissive, business-friendly terms – not strict, privacy-minimal ones.

4. AI Exposure & Third-Party Risk of Poly App

4.1 External AI vendors (Gemini, Claude)

The policy explicitly lists “artificial intelligence platforms such as Gemini or Claude” as service providers. That means some portion of:

• Your files or chunks of files
• Your prompts and questions
• The summaries or transformations
• Associated metadata

…may be sent to external LLM providers to power Poly’s AI functionality.

Poly’s public messaging emphasizes AI as the core of the product, including instant search, summarization, tagging, and cross-format understanding.

However, neither the policy nor public materials clearly state:

• Whether Poly disables training on user data within Gemini/Claude
• How long those vendors retain logs
• Whether embeddings or other derivatives are reused
• What exact payloads (full files vs. snippets vs. embeddings) are sent

Given the lack of explicit restrictions, our risk-aware assumption is that:

User content can be processed and temporarily or persistently stored by external AI vendors, under their own privacy policies and subject to their jurisdictions.

4.2 AI as “LLM with infinite context from your life”

Press coverage quotes Poly’s CEO describing the product as:

“It’s like having an LLM with infinite context from your life.” (GlobalNewsWire)

Powerful metaphor – sharp warning to anyone that cares about their privacy or digital independence.

To build an “LLM with infinite context from your life,” Poly must:

• Index large portions of your digital history
• Build and store semantic representations of your files
• Potentially use vector databases and embeddings linked to your identity

This goes far beyond simple cloud storage. It may be a precursor to life-scale behavioral and content modeling.

5. Poly App’s Data Sharing & Corporate Control

5.1 Service providers, analytics & marketing

The privacy policy authorizes Poly to share data with:

• Hosting and infrastructure providers
• AI platforms (Gemini, Claude)
• Email and communication vendors
• Website and data analytics providers

External news and the product site confirm that Poly integrates sophisticated AI and cloud infrastructure to support its file browser UX (Investors Hangout)

Although specific analytics vendors are not named in the privacy policy, the combination of:

• Email interaction tracking
• Web beacons in messages
• Online activity logs

This indicates a typical SaaS telemetry stack rather than a minimal-logging, privacy-focused approach. Not all apps need privacy at the forefront, but the ones that want to store massive amounts of your personal information, should be built for privacy.

5.2 Law enforcement and government access

The policy states Poly may share data with law enforcement, government authorities, and private litigants where it believes disclosure is necessary or appropriate for compliance, protection, or legal defense.

There is:

• No explicit commitment to notify users before or after such disclosures
• No mention of transparency reports or warrant canaries

Given that Poly is headquartered in the United States and uses global cloud and AI providers, user data can be subject to U.S. and other jurisdictions’ data access regimes.

5.3 Corporate transactions & data as an asset

The policy includes a standard but broad corporate transactions clause, allowing Poly to disclose personal information to:

• Prospective investors or acquirers
• Successors or assigns in a merger, sale of assets, or similar transaction
• Third parties in insolvency, bankruptcy, or receivership scenarios

Because Poly’s core business is an AI-indexed store of user files and metadata, this clause may allow the transfer of all user data in typical M&A contexts. Effectively, your data could move to a successor entity.

External sources confirm Poly’s growth trajectory and investor backing, which make such transactions plausible over the medium term.

6. Poly.App Retention, De-Identification & “Any Lawful Business Purpose”

6.1 Long-term retention

The privacy policy states Poly may retain personal information:

• For as long as you have an account
• For additional periods determined by legal requirements, dispute resolution, and “legitimate needs”

There are no specific maximum retention periods for key categories such as:

• File content
• Embeddings / semantic indexes
• Metadata
• Logs

This means that, in practice, your data and derivatives may be retained indefinitely, unless and until the company decides otherwise.

6.2 De-identified data reuse

Poly’s policy explicitly allows it to create aggregated, de-identified, or anonymous data from personal information and use or share it, “for any lawful business purposes.”

This could include, for example:

• Training internal models
• Building analytics products
• Producing investor metrics
• Deriving aggregate usage insights sold or shared with partners

While de-identification reduces direct re-identification risk, it does not eliminate the privacy impact of long-term behavioral modeling, especially when data originates from intimate personal files. Long-term retention, combined with deep ingestion could theoretically result in detailed user profiles that are beyond your control.

7. Security Posture & Technical Controls

7.1 Public positioning

External coverage frames Poly as an “intelligent cloud file browser” and notes that it syncs local files to the cloud and layers AI over them.

The homepage highlights features like Shared Drives, “Fluent UI,” and “Hide from AI,” suggesting some in-product controls over whether files are included in AI search.

7.2 What’s not promised

Neither the policy you supplied nor the public materials promise:

• End-to-end encryption of user files
• Zero-knowledge design where Poly cannot read your content
• Strict on-device-only processing for sensitive categories

However, Poly does acknowledge that:

“Security risk is inherent in all Internet and information technologies, and we cannot guarantee the security of your personal information.”

For a platform whose purpose is to centralize and thoroughly analyze, and manage your files, the lack of concrete, user-visible security guarantees is a major privacy limitation.

8. Who Is Most at Risk?

Given the product design and policy, we consider Poly risky for people that fit the description/s below:

• Everyday consumers centralizing personal photos, documents, and life admin in Poly face high risk if accounts are compromised, shared incorrectly, or heavily mined by AI.
• Professionals with confidentiality obligations (lawyers, journalists, therapists, consultants) face critical risk if client files or notes are uploaded to Poly and processed via external AI or shared with third parties.
• Creators and knowledge workers storing unreleased projects, drafts, and assets see very high risk, as their competitive edge often lies in unpublished content.
• Minors, though “not intended users,” would be especially vulnerable if they used Poly, because the system is not technically constrained to block them and UGC/metadata can reveal location, identity, and social graphs.

9. How Poly Compares to Other Models

A Poly App Founder YC thread explicitly positions Poly against Dropbox, Google Drive, and NotebookLM-style AI overlays, describing it as “Dropbox + NotebookLM + Perplexity for terabytes of your files.”

Compared to:

• Standard cloud storage (Drive/Dropbox)
  • Similar centralization and cloud dependence
  • But Poly adds deeper, default AI processing across all modalities, increasing exposure to AI vendors and derived-data reuse.
• Privacy-first local tools (e.g., local search indexers, end-to-end encrypted vaults)
  • These tools typically minimize server-side access and avoid sharing raw content with third parties.
  • Poly instead builds a cloud-side AI brain over your files, with broad sharing and retention rights.

In other words: Poly optimizes for AI convenience, not for privacy guarantees or independence.

10. Final Words

Our philosophy here is simple:

• Your data should never quietly become an asset for corporate transactions.
• AI should serve the user, not train on their private life without explicit opt-in.
• Privacy controls should be in the foreground, and technically sound.

By design, Poly:

• Is built to ingest large portions of your personal and professional data.
• Builds rich AI-level understanding of that data, including semantic and behavioral representations.
• Relies on third-party AI platforms like Gemini and Claude as processing backends (per its own privacy policy).
• Retains and reuses de-identified forms of that data for any lawful business purpose.
• Gives itself discretion to disclose data to authorities and corporate partners.

From a pro-privacy, pro-consumer standpoint, we would describe Poly’s current model as:

A powerful, polished AI file system that comes with a high to critical privacy risk for users who value confidentiality, long-term control, or regulatory compliance.