Polsia claims a $3M ARR and streams all user chats via public URL
Polsia.com talks non-stop about its ARR but exposes the live stream of all user chats via a public URL and inflates the ARR value.
Polsia has been building viral momentum as a fully automated business builder. The marketing strategy is to talk about how much money the site is making, how fast it is growing, and how agents are doing the work.
A clever part of the marketing is the live page where visitors see that revenue hockey stick, see the emails flying out, and watch the messages flow:
Watch the messages flow?
The messages come from an endpoint containing .../public/live/... in the path. This isn’t an exploit; this is just running your entire product in public and advertising that you do it in a live dashboard.
The messages flash by but a simple curl command lets anyone read the messages at leisure.
And they will find the stream contains every message users send to the model, their usernames, the thinking process of the agent, and every message the agent sends to the user.
Polsia also provides extra data on all its users as the agent follows these steps during the onboarding:
1. Research the user (Charles Windsor, [email], London, United Kingdom)
2. Research their idea (custom design creator platform for home/business)
3. Save user context
4. Save user profile
5. Name the company
6. Create market research report
7. Then follow Mini Cycle 1 phases (welcome email → ...)
The onboarding agent searches for any information it can find: real businesses, listed addresses, LinkedIn, etc. to build a profile of the user. And everything it finds goes into the stream.
I expect the hundreds of users paying $49 a month do not know that anyone can just read their conversations and know exactly who they are.
To make it worse, the public dashboard shows ad campaigns and the public response contains far more data on the ads than the UI displays. Each ad can be tied to a company, the ads’ impressions, click-through rates, and total spend are all there, allowing the spending of each company to be summed up.
Product Quality
As well as user information, the stream contains gems like this as the agent thinks through its work:
All 4 products share infrastructure — be careful with deployments
- Products: vv.polsia.app, xx.polsia.app, yy.polsia.app, zz.polsia.app
Those were not sites of the same user… Perhaps a sign that the sites being built have their own security flaws? I checked a few of the sites, not for exploits, just to see how they are, and I would say that Polsia is following the conventional wisdom of launching early and iterating:
Very few sites have calls to action. Users are paying for ads to sites with no sign up page. The one site I found with a Stripe connection allowed you to access a chatbot on the site after closing the Stripe page without subscribing by… clicking confirm in the pop up that asked if you had subscribed! I hope that user has not gone viral because they will have a nasty surprise when they check their OpenAI bill.
None of these sites can be making any money and I do not think they have a chance of making money in future. Yet the marketing is all about ARR.
Inflated ARR
As a rule, I suspect any company using their revenue in their marketing is one to be careful of. I understand the game to draw in investors and attention, but it’s usually an attempt by founders to create a self-fulfilling prophecy and choosing that marketing tactic says something about their character. The best companies let other people talk about their revenues.
So is Polsia’s claimed ARR accurate? On 01.03 Polsia was claiming $1M+ ARR. The public dashboard response contained more data about the platform than is displayed in the UI:
{
  "metrics": {
    "arr": 443208,
    "dau": 1439,
    "mrr": 36934,
    "arpu": 62,
    "computed_at": "2026-03-01T08:00:00.415Z",
    "paying_users": 592,
    "cost_per_task": 1.45,
    "daily_ai_cost": 8643.03,
    "top_referrers": {
      "fb": 36.8,
      "direct": 59.2,
      "producthunt": 2.4,
      "fzbvy-cebzcgfvgf": 0.2,
      "xxx@gmail.com": 0,
      "xxx@gmail.com": 0.1,
      "xxx@gmail.com": 0.3,
      "xxx@gmail.com": 0,
      "xxx@gmail.com": 1,
      "xx@yy.com": 0
    },
    "active_companies": 1208,
    "satisfaction_pct": 0,
    "paid_churn_detail": "5/19",
    "trial_to_paid_pct": 19.2,
    "messages_yesterday": 7142,
    "paid_churn_30d_pct": 26.3,
    "wow_arr_growth_pct": 1.6,
    "satisfaction_detail": "0/0",
    "trial_to_paid_detail": "92/478",
    "new_signups_yesterday": 936,
    "tasks_completed_yesterday": 3312
  }
}
I believe the presented $1M ARR comes from multiplying the actual ARR by the wow_arr_growth_pct. Maybe that’s a fair forecast, I don’t know. By 06.03 the displayed ARR was 2 million and the numbers looked like:
{
  "metrics": {
    "arr": 923232,
    "dau": 3383,
    "mrr": 76936,
    "arpu": 64,
    "computed_at": "2026-03-06T08:05:00.782Z",
    "paying_users": 1193,
    "cost_per_task": 1.61,
    "daily_ai_cost": 18461.15,
    "active_companies": 2968,
    "satisfaction_pct": 0,
    "paid_churn_detail": "18/49",
    "trial_to_paid_pct": 26.5,
    "messages_yesterday": 16288,
    "paid_churn_30d_pct": 36.7,
    "wow_arr_growth_pct": -3.2,
    "satisfaction_detail": "0/0",
    "trial_to_paid_detail": "179/675",
    "new_signups_yesterday": 1911,
    "tasks_completed_yesterday": 6706
  }
}
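Both the ads data and the metrics responses above carry more than the UI displays, including email addresses used as keys under top_referrers. The sketch below is an added example, not Polsia's code: it shows the server-side fix of projecting the record onto an explicit allowlist before it is served, plus an audit pass that flags what an unfiltered response would leak. The PUBLIC_FIELDS set and the function names are assumptions; the field names come from the responses quoted above.

```python
import re

# Assumption: the only fields the public dashboard needs to render.
PUBLIC_FIELDS = {"arr", "mrr", "paying_users", "active_companies", "computed_at"}
EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")


def public_view(metrics):
    """Project a metrics record onto the allowlist, dropping nested objects."""
    return {k: v for k, v in metrics.items()
            if k in PUBLIC_FIELDS and not isinstance(v, (dict, list))}


def audit(payload, path=""):
    """Walk a JSON-like payload; report non-allowlisted and email-bearing paths."""
    findings = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            here = f"{path}.{key}" if path else key
            if EMAIL_RE.fullmatch(str(key)):
                findings.append(("email_in_key", here))
            elif path == "metrics" and key not in PUBLIC_FIELDS:
                findings.append(("not_allowlisted", here))
            findings.extend(audit(value, here))
    elif isinstance(payload, list):
        for i, item in enumerate(payload):
            findings.extend(audit(item, f"{path}[{i}]"))
    elif isinstance(payload, str) and EMAIL_RE.search(payload):
        findings.append(("email_in_value", path))
    return findings


# Constructed sample: a subset of the 01.03 response quoted above, keeping
# the article's redacted placeholder addresses.
SAMPLE = {"metrics": {
    "arr": 443208,
    "mrr": 36934,
    "computed_at": "2026-03-01T08:00:00.415Z",
    "paying_users": 592,
    "daily_ai_cost": 8643.03,
    "top_referrers": {"fb": 36.8, "direct": 59.2,
                      "xxx@gmail.com": 0.1, "xx@yy.com": 0},
    "active_companies": 1208,
    "paid_churn_30d_pct": 26.3,
}}

if __name__ == "__main__":
    for kind, where in audit(SAMPLE):
        print(kind, where)
    print(public_view(SAMPLE["metrics"]))
```

Running audit() against a response fixture in CI turns a newly added internal field into a failed build rather than a silent addition to the public payload.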
It is my opinion that ARR-focused marketing of low-quality products is the tech equivalent of “trading experts” selling Get Rich courses via YouTube ads. However, it is not illegal to tweet an inflated ARR and distribution is the hardest part. People are signing up. People are paying. Perhaps that’s enough to raise money? And fix the security issues in Polsia. And the quality of the sites it makes. And the security flaws in the sites it creates. And any resulting trust issues.
The future will have agents that do a lot of the work running businesses. Perhaps Polsia, AI Slop wittily reversed, will make it.
Disclosure
I contacted the founder via email on 01.03.26 and I sent a DM on Twitter. The only response I got was from his concerned AI assistant that promised me the issue would be raised with the highest priority. The agent has not fixed the issue as of 09.03.26 and the ARR tweets keep coming.
I also tried contacting a podcast he had appeared on which has been hyping his product daily to thousands of followers on X and asked them to forward the issue to him. No response.
I do not know how to reach the founder. I do not feel I am responsible to spend time chasing down his real contact given that this is not an exploit. It is a URL he has labelled “public” on the page that he has pinned on X. The number of users exposed is growing each day so I hope he sees this and asks one of his agent employees to fix it.
Last thing, I don’t wish people to fail. I like new apps and I like exploring everything people are creating with AI. I just think this particular app is set up in an irresponsible way.