Privacy Policy

Last Updated: February 2, 2026 | Effective: February 2, 2026

Your Privacy Matters. This Privacy Policy explains how GenieOptimize collects, uses, shares, and protects your information. We comply with GDPR (EU), CCPA/CPRA (California), and major global privacy laws.

1. Introduction & Controller Information

1.1 Who We Are

Data Controller: GenieOptimize (operated by r6lab Radoslaw Jozefowicz)
Address: ul. Akacjowa 3, 55-003 Krzykow, Poland
EU VAT/NIP: PL9730929262
Email: privacy@genieoptimize.com

1.2 Scope

This Privacy Policy applies to all users of GenieOptimize services including: website visitors, dashboard users, API consumers, SDK integrators, and subscribers.

1.3 EU Representative

EU Representative: [Name]
Address: [EU Address]
Email: privacy@genieoptimize.com (Subject: "EU Representative")

2. Information We Collect

2.1 Information You Provide

Category	Data Types	Purpose
Account Info	Name, email, password hash	Account creation, authentication
Billing Info	Payment method (via Stripe), billing address	Payment processing
Profile Data	Company name, website URL, industry	Service customization
Support Data	Messages, attachments, feedback	Customer support
Website Content	URLs submitted for analysis, page content	AI optimization generation

2.2 Information Collected Automatically

Category	Data Types	Collection Method
Usage Data	Pages viewed, features used, time spent	Application logs
Technical Data	IP address, browser type, device type, OS	Server logs, analytics
Performance Data	Load times, API response times, errors	Monitoring tools
SDK Data	SDK installation status, optimization injection success	SDK beacon, API calls
Cookies	Session ID, preferences, analytics	Browser cookies

2.3 Information from Third Parties

Authentication Providers (Clerk): OAuth profile data (Google, GitHub)
Payment Processor (Stripe): Payment confirmation, subscription status
AI Providers: Processing metadata (no training data)

2.4 Information We Do NOT Collect

Visitor personal data from websites using our SDK
Browsing behavior across third-party sites
Sensitive data (health, biometric, political views) without explicit consent
Children's data (under 18, or under 16 in EU)

3. How We Use Your Data

3.1 Primary Purposes

Service Delivery: Provide AI analysis, generate schema optimizations, generate Recommendation Intelligence, deliver SDK functionality
Account Management: Create accounts, authenticate users, manage subscriptions
Billing: Process payments, send invoices, manage subscription lifecycle
Analytics: Track optimization health, injection success, usage metrics (displayed in dashboard)
Support: Respond to inquiries, troubleshoot issues, provide assistance
Communication: Send service updates, security alerts, billing notifications

3.2 Secondary Purposes

Product Improvement: Analyze aggregated usage to enhance features
Security: Detect fraud, prevent abuse, protect infrastructure
Legal Compliance: Meet regulatory requirements, respond to legal requests
Marketing: Send promotional emails (with consent, unsubscribe available)

3.3 AI Processing

Important: Your website content is sent to third-party AI providers (primarily Anthropic Claude and OpenAI GPT-4o) for analysis and Recommendation Intelligence generation. These providers:

Process data under their own terms/policies
Do NOT use your data for model training (per enterprise agreements)
May log requests for abuse prevention and system monitoring
Are bound by data processing agreements (DPAs) with Standard Contractual Clauses
Used to generate: content analysis, optimization rules, recommendation intelligence (use cases, competitive positioning, feature mappings, customer profiles)

4. Legal Bases for Processing (GDPR)

4.1 EU/EEA Users

Under GDPR Article 6, we process data based on:

Purpose	Legal Basis	GDPR Article
Account creation, service delivery	Contract performance	Art. 6(1)(b)
Payment processing	Contract performance	Art. 6(1)(b)
Legal obligations (tax, AML)	Legal obligation	Art. 6(1)(c)
Marketing communications	Consent	Art. 6(1)(a)
Product improvement, analytics	Legitimate interest	Art. 6(1)(f)
Fraud prevention, security	Legitimate interest	Art. 6(1)(f)

4.2 Legitimate Interest Balancing

Where we rely on legitimate interest, we've balanced our interests against your rights:

Product improvement: Enhances Services for all users; uses aggregated data
Security/fraud: Protects users and infrastructure; minimal intrusion
Analytics: Improves user experience; anonymized where possible

You may object to legitimate interest processing (see Section 7).

5. Data Sharing & Third Parties

5.1 Service Providers (Processors)

Provider	Purpose	Data Shared	Location
Anthropic	AI analysis, Recommendation Intelligence (Claude)	Website content, URLs, product data	US
OpenAI	AI analysis, Recommendation Intelligence (GPT-4o)	Website content, URLs, product data	US
AWS	Hosting, database, CDN	All service data	US (us-east-1)
Stripe	Payment processing	Billing info, email	US (GDPR-compliant)
Clerk	Authentication	Email, name, OAuth profile	US

All processors bound by Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs) for EU data.

5.2 We Do NOT Share Data With

Advertisers or data brokers
Social media platforms (except OAuth login)
Marketing aggregators
Third parties for their own purposes

5.3 Legal Disclosures

We may disclose data when required by law:

Court orders, subpoenas, warrants
Government/regulatory requests
Fraud investigations
Protection of rights/safety

We will notify you unless legally prohibited.

5.4 Business Transfers

In event of merger, acquisition, or asset sale, your data may transfer. We'll notify you and ensure continued protection under this policy or equivalent.

6. International Data Transfers

6.1 Primary Locations

Infrastructure: AWS us-east-1 (United States)
AI Processing: US-based providers
Payment: Stripe (US, with global operations)

6.2 EU/EEA to US Transfers

Safeguards under GDPR Chapter V:

Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914
Adequacy Decisions: Where applicable (e.g., EU-US Data Privacy Framework participants)
Supplementary Measures: Encryption in transit/at rest, access controls, audit logs

6.3 Other Regions

UK: UK Addendum to SCCs (per UK GDPR)
Switzerland: Swiss-US Privacy Shield equivalent measures
Other Countries: Appropriate safeguards per local law

6.4 Transfer Impact Assessment

We've conducted Transfer Impact Assessments (TIAs) per Schrems II requirements, concluding appropriate safeguards exist.

7. Your Privacy Rights

7.1 GDPR Rights (EU/EEA/UK)

Under GDPR, you have the right to:

Right of Access (Art. 15)

Request copies of your personal data
Receive information about processing
First copy free; reasonable fee for additional copies

Right to Rectification (Art. 16)

Correct inaccurate personal data
Complete incomplete data

Right to Erasure / "Right to Be Forgotten" (Art. 17)

Delete data when no longer necessary
Withdraw consent (where consent is basis)
Object to legitimate interest processing
Data processed unlawfully

Exceptions: Legal obligations, legal claims, public interest

Right to Restrict Processing (Art. 18)

While accuracy disputed
Processing unlawful but you oppose erasure
We no longer need data but you need it for claims
Pending objection verification

Right to Data Portability (Art. 20)

Receive data in structured, machine-readable format (JSON/CSV)
Transmit to another controller
Applies to automated processing based on consent/contract

Right to Object (Art. 21)

Object to processing based on legitimate interest
Object to direct marketing anytime (absolute right)

Automated Decision-Making (Art. 22)

Right not to be subject to solely automated decisions with legal/significant effects
Note: Our AI generates recommendations, but you control implementation

Right to Lodge Complaint

File complaint with supervisory authority
EU: Your country's Data Protection Authority
UK: Information Commissioner's Office (ICO)

7.2 CCPA/CPRA Rights (California)

California residents have the right to:

Right to Know (CCPA § 1798.100)

Categories of personal information collected
Sources of information
Business purposes for collection
Categories of third parties shared with
Specific pieces of information collected

Right to Delete (CCPA § 1798.105)

Request deletion of personal information
Exceptions: Legal obligations, security, internal uses

Right to Opt-Out of Sale/Sharing (CCPA § 1798.120)

We do NOT sell personal information
No "sharing" for cross-context behavioral advertising

Right to Correct (CPRA § 1798.106)

Correct inaccurate personal information

Right to Limit Use of Sensitive Personal Information (CPRA § 1798.121)

Limit use of sensitive data (if collected)
Note: We do not collect sensitive categories unless necessary

Right to Non-Discrimination (CCPA § 1798.125)

No discrimination for exercising CCPA rights
No denial of service, different prices, or reduced quality

7.3 Exercising Your Rights

To exercise any rights:

Email: privacy@genieoptimize.com (for all privacy, GDPR, CCPA, and EU representative inquiries)
Subject: "Privacy Rights Request - [Right Type]"
Include: Account email, specific request, verification info
Response Time: 30 days (GDPR), 45 days (CCPA) - may extend with notice

Verification Process

To prevent unauthorized disclosure, we verify your identity through:

Email confirmation
Account login verification
Additional verification for sensitive requests

Authorized Agents (CCPA)

California residents may designate authorized agents. Agent must provide:

Written authorization from you
Proof of agent's identity
You may need to verify identity directly

8. Data Retention & Security

8.1 Retention Periods

Data Type	Retention Period	Reason
Account data	Account lifetime + 90 days	Service provision, account recovery
Billing records	7 years	Tax/accounting requirements
Support tickets	3 years	Customer service improvement
Usage logs	1 year	Analytics, security
Marketing consent	Until withdrawal	Legal compliance
Anonymized analytics	Indefinitely	Product improvement

8.2 Security Measures

Technical Safeguards:

Encryption: TLS 1.3 in transit, AES-256 at rest
Access Controls: Role-based access (RBAC), least privilege
Authentication: Multi-factor authentication (MFA) available
Monitoring: 24/7 security monitoring, intrusion detection
Backups: Encrypted backups, regular disaster recovery testing
Vulnerability Management: Regular penetration testing, security audits

Organizational Safeguards:

Employee training on data protection
Confidentiality agreements
Incident response plan
Regular security policy reviews

8.3 Breach Notification

In event of data breach affecting personal data:

Authorities: Notified within 72 hours (GDPR Art. 33)
Affected Individuals: Notified without undue delay if high risk (GDPR Art. 34)
CCPA: Notification per California Civil Code § 1798.82
Content: Nature of breach, data affected, mitigation steps, contact info

9. Cookies & Tracking Technologies

9.1 Cookie Types

Type	Purpose	Consent Required	Expiry
Strictly Necessary	Authentication, session management	No (ePrivacy exception)	Session / 30 days
Functional	Preferences, settings	Yes (implied by use)	1 year
Analytics	Usage statistics (aggregated)	Yes (explicit consent)	1 year
Marketing	Email campaign tracking	Yes (explicit consent)	90 days

9.2 Your Cookie Choices

Cookie Banner: Manage preferences on first visit
Dashboard Settings: Update preferences anytime
Browser Settings: Block/delete cookies (may affect functionality)
Do Not Track (DNT): We respect DNT signals

9.3 Third-Party Cookies

Clerk (Auth): Authentication cookies
Stripe (Payment): Payment processing
AWS CloudFront: CDN caching

See Cookie Policy for full details.

10. Children's Privacy

10.1 Age Restrictions

General: Services not for under-18
EU/UK: Not for under-16 (GDPR Art. 8)
COPPA (US): No knowing collection from under-13

10.2 Parental Verification

We do not knowingly collect personal data from children. If we discover we've collected such data:

Immediate deletion within 48 hours
Notification to parents/guardians (if identifiable)
Account termination

10.3 Reporting

If you believe a child has provided data, contact: privacy@genieoptimize.com

11. Changes & Contact

11.1 Policy Changes

We may update this Privacy Policy. Material changes notified via:

Email to registered address (30 days advance)
Dashboard notification
Updated "Last Modified" date

Continued use after changes = acceptance.

11.2 Previous Versions

Archived versions available upon request: privacy@genieoptimize.com

11.3 Contact Us

Privacy, GDPR, CCPA, EU Representative: privacy@genieoptimize.com

Note: As a small SaaS startup, we do not currently have a designated Data Protection Officer (DPO) as it is not required under GDPR Article 37 for our scale and data processing activities. All privacy and GDPR requests are handled through privacy@genieoptimize.com. If we grow to require a DPO in the future, we will update this policy accordingly.

General Inquiries: hello@genieoptimize.com

Support: support@genieoptimize.com

Security: security@genieoptimize.com

Mailing Address:
r6lab Radoslaw Jozefowicz
ul. Akacjowa 3
55-003 Krzykow
Poland

11.4 Supervisory Authorities

You have the right to lodge complaints with:

EU: Your national Data Protection Authority (Find your DPA)
UK: Information Commissioner's Office (ICO) - ico.org.uk
California: Attorney General's Office - oag.ca.gov/privacy