Privacy Policy.
Last updated: June 2026
This Privacy Policy governs the collection, use, and disclosure of personal data by GeniOS Intelligence in connection with thegenios.com and the GeniOS services. It applies to enterprise customers, authorized users, and visitors, and is supplemental to any agreement and Data Processing Addendum between GeniOS and your organization.
1. Introduction and Scope
This Privacy Policy ("Policy") explains how GeniOS Intelligence ("GeniOS", "we", "us" or "our") collects, uses, discloses and otherwise processes personal data in connection with our website at thegenios.com (the "Site") and the GeniOS platform, applications, application programming interfaces and related services that we make available (together, the "Services"). GeniOS provides the intelligence layer for artificial intelligence agents. On a read-only and scoped basis, the Services read the tools, memory layers and agents that a customer connects, reason over that context, and surface decisions and recommendations for the customer's agents and people, in each case accompanied by an auditable record of the reasoning, sources and confidence involved.
This Policy applies to individuals who visit or interact with the Site, who register for or use the Services, who communicate with us, who receive our marketing communications, and whose personal data we otherwise process in the course of operating our business. It describes our practices as they relate to the personal data for which we determine the purposes and means of processing, and it also describes, at a high level, how we handle personal data that is contained within a customer's connected sources and that we process on that customer's behalf.
Our processing of personal data contained in a customer's connected sources is governed principally by our agreement with the relevant customer and by the Data Processing Addendum ("DPA") entered into with that customer, rather than by this Policy. Where GeniOS acts on the documented instructions of a customer in respect of such data, that customer, and not GeniOS, is responsible for providing appropriate privacy notices to, and where required obtaining any necessary consents from, the individuals concerned. Section 3 and Section 7 explain this distinction in further detail.
Where an organization uses the Services under a Master Services Agreement ("MSA") or order form together with a DPA, the terms of that MSA, order form and DPA prevail over this Policy to the extent of any conflict with respect to that organization's use of the Services. This Policy does not form part of any contract of employment and does not alter any right that we may have to update or amend our practices from time to time. We may revise this Policy to reflect changes in our operations, in applicable law or in regulatory guidance, and any material change will be notified through the Site or by other appropriate means, with the effective date updated accordingly.
If you have any question about this Policy or about how we process personal data, or if you wish to exercise any right described in this Policy, you may contact us at hello@thegenios.com. Please read this Policy together with any additional notice that we may provide when we collect or process personal data, so that you are fully informed of how and why we are using your data.
2. Definitions
In this Policy, the following defined terms have the meanings set out below. Other terms are defined where they first appear. Defined terms in the singular include the plural and vice versa, and references to statutes include any successor or replacement legislation.
- "Personal Data" means any information relating to an identified or identifiable natural person, that is, a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to that person's physical, physiological, genetic, mental, economic, cultural or social identity. Where the context concerns Applicable Data Protection Laws in the United States, "Personal Data" also includes "personal information" as defined under those laws.
- "Special Category Data" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person's sex life or sexual orientation. This category corresponds broadly to "sensitive personal information" under United States Applicable Data Protection Laws.
- "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. "Process", "Processes" and "Processed" are construed accordingly.
- "Controller" means the natural or legal person that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. Under United States Applicable Data Protection Laws, this role corresponds broadly to that of a "business".
- "Processor" means a natural or legal person that Processes Personal Data on behalf of and on the documented instructions of a Controller. Under United States Applicable Data Protection Laws, this role corresponds broadly to that of a "service provider".
- "Customer Data" means Personal Data contained within the tools, memory layers, agents and other sources that a customer connects to the Services, and any other Personal Data that GeniOS Processes on behalf of a customer in the course of providing the Services, in each case on that customer's documented instructions and under the DPA.
- "Enterprise Customer" means an organization that subscribes to or otherwise uses the Services, whether under an online subscription or under an MSA or order form, and on whose behalf GeniOS acts as a Processor in respect of Customer Data.
- "Applicable Data Protection Laws" means all laws and regulations relating to the Processing of Personal Data and to privacy that apply to the respective party, including, as applicable: (a) Regulation (EU) 2016/679, the General Data Protection Regulation ("GDPR"); (b) the GDPR as incorporated into the law of the United Kingdom by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 ("UK GDPR"), together with that Act; (c) the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (d) any other data protection, privacy or equivalent law that applies to the Processing described in this Policy, in each case as amended, supplemented or replaced from time to time.
- "Supervisory Authority" means an independent public authority responsible for monitoring the application of Applicable Data Protection Laws, and includes any regulator or data protection authority having jurisdiction over a party's Processing of Personal Data.
- "Sub-processor" means any Processor engaged by GeniOS to Process Customer Data on behalf of an Enterprise Customer in connection with the provision of the Services.
- "Output" means a decision, recommendation, reasoning record, source citation, confidence indicator, summary or other result that the Services generate for a customer's people or agents from the context available to them.
3. Our Role as Controller and Processor
The role that GeniOS plays under Applicable Data Protection Laws depends on the category of Personal Data in question and the reason for which it is Processed. GeniOS acts as a Controller in respect of some Processing and as a Processor in respect of other Processing. Identifying our role correctly is important because it determines which obligations fall on GeniOS and which fall on the Enterprise Customer, and it determines how individuals may exercise their rights.
GeniOS acts as a Controller in respect of Personal Data that relates to the operation of our own business and our relationship with our customers, prospects and Site visitors. This includes account registration and administration data, authentication and security data, billing and payment data, records of communications and support requests, marketing and communication preferences, and data generated through the analytics and operation of the Site and the Services at the account level. For this Processing, GeniOS determines the purposes and means, and the purposes and legal bases are described in Section 6. Individuals may exercise the rights described in this Policy directly with GeniOS in respect of this Controller Processing.
GeniOS acts as a Processor in respect of Customer Data, that is, Personal Data contained within the tools, memory layers, agents and other sources that an Enterprise Customer connects to the Services. In this capacity, GeniOS Processes Customer Data solely on the documented instructions of the Enterprise Customer and only as necessary to provide, maintain, secure and support the Services, and does not determine the purposes for which that Customer Data is Processed. The Enterprise Customer is the Controller of that Customer Data, and the Enterprise Customer is responsible for the lawfulness of its instructions, for having an appropriate legal basis for the Processing, and for providing any privacy notice required to the individuals whose data is contained within its connected sources. This Processor relationship is governed by the DPA, which forms part of the agreement between GeniOS and the Enterprise Customer and which sets out the subject matter, duration, nature and purpose of the Processing, the types of Personal Data and categories of data subjects, and the respective obligations and rights of the parties.
In limited circumstances GeniOS and an Enterprise Customer may act as independent Controllers of the same Personal Data, for example where GeniOS Processes account-level administrative or security data that also relates to the Enterprise Customer's authorized users. Each party is responsible for its own compliance with Applicable Data Protection Laws in respect of the Processing it carries out as a Controller. Where GeniOS and an Enterprise Customer jointly determine the purposes and means of Processing, the parties will put in place an appropriate arrangement allocating their respective responsibilities as required by Applicable Data Protection Laws.
Where an individual whose Personal Data forms part of Customer Data wishes to exercise data subject rights or has a question about how that data is used, the appropriate point of contact is generally the Enterprise Customer that acts as Controller of that data. If such a request is made to GeniOS directly, we will, unless legally required to act otherwise, refer the request to the relevant Enterprise Customer and reasonably assist that Enterprise Customer in responding, in accordance with the DPA.
4. Categories of Personal Data We Process
The categories of Personal Data that we Process depend on how you interact with us and with the Services. The following describes the principal categories of Personal Data that GeniOS Processes as a Controller in connection with the Site and the operation of the Services. Not every category applies to every individual, and we only Process data that is relevant and necessary for the purposes described in Section 6.
Separately, and as a Processor, GeniOS Processes Customer Data on behalf of Enterprise Customers. The categories of Personal Data contained within Customer Data are determined by the Enterprise Customer through the sources it chooses to connect, and are described at the level applicable to the relevant engagement in the DPA. GeniOS does not control, and does not seek to expand, the categories of Personal Data present in an Enterprise Customer's connected sources.
- Identity and account data, such as first and last name, username, job title, employer or organization, and the credentials associated with an account.
- Contact data, such as business email address, telephone number, and postal or business address.
- Authentication and security data, such as passwords in hashed form, multi-factor authentication details, access tokens and scopes granted for connected sources, session identifiers, and records used to detect, prevent and investigate fraud, abuse and security incidents.
- Billing and transaction data, such as plan and subscription details, credit balances and usage, billing contact information, invoices, and limited payment-related information; full payment card details are handled by our payment processors and are not stored by GeniOS.
- Usage and configuration data, such as the settings you choose, the sources you connect, the features you use, the actions you take within the Services, and administrative logs generated at the account level.
- Technical and device data, such as internet protocol address, device and browser type, operating system, language settings, referring and exit pages, and similar information collected automatically through cookies and comparable technologies when you use the Site or the Services.
- Communications and support data, such as the content of messages, enquiries, feedback and support tickets that you send to us, and our records of our correspondence and interactions with you.
- Marketing and preference data, such as your preferences in receiving communications from us, your consent status, and your engagement with our communications and events.
- Customer Data processed as a Processor, which comprises the Personal Data contained within the tools, memory layers, agents and other sources that an Enterprise Customer connects to the Services, together with the Outputs, records of reasoning, sources and confidence that the Services generate from that context. The specific categories are determined by the Enterprise Customer and are addressed in the DPA.
5. Sources of Personal Data
We obtain Personal Data from a number of sources. Understanding where Personal Data originates helps to explain the basis on which we Process it and the notices that apply. The following describes the sources from which GeniOS obtains the Personal Data that it Processes as a Controller.
In addition, as a Processor, GeniOS receives Customer Data from the sources that an Enterprise Customer connects to the Services. GeniOS accesses those connected sources on a read-only and scoped basis and only to the extent authorized by the Enterprise Customer. GeniOS does not independently collect Personal Data from an Enterprise Customer's connected sources for its own purposes, and the presence and scope of such data are determined by the Enterprise Customer.
- Directly from you, when you register for or configure an account, subscribe to or use the Services, start a free trial, connect a source, contact us, request support, respond to a survey, sign up for communications, or otherwise interact with us or the Site.
- Automatically, through cookies and comparable technologies and through server and application logs, when you visit the Site or use the Services, including technical and usage data as described in Section 4.
- From your organization, where you use the Services as an authorized user of an Enterprise Customer, in which case your employer or the organization that provisions your account may provide us with your identity, contact and role information and may determine your access rights.
- From connected sources authorized by an Enterprise Customer, from which GeniOS receives Customer Data on a read-only and scoped basis for the purpose of providing the Services, acting as a Processor on that Enterprise Customer's instructions.
- From service providers acting on our behalf, such as hosting, infrastructure, analytics, communications, payment and security providers, that provide us with data necessary to operate and secure the Site and the Services.
- From publicly available and third party sources, such as business networking platforms, public registers and marketing data providers, which we may use on a limited basis to verify information and to support our business-to-business marketing, in each case where permitted by Applicable Data Protection Laws.
6. Purposes and Legal Bases for Processing
We only Process Personal Data where we have a valid legal basis to do so under Applicable Data Protection Laws. This section sets out the purposes for which GeniOS Processes Personal Data as a Controller, and the legal bases on which we rely under the GDPR and the UK GDPR. Where we rely on legitimate interests, we do so only after balancing those interests against your interests and fundamental rights and freedoms. Where more than one legal basis is relevant to a purpose, we rely on each basis to the extent it applies. Where GeniOS acts as a Processor in respect of Customer Data, GeniOS relies on the Enterprise Customer's documented instructions and on that Enterprise Customer having established an appropriate legal basis as Controller, as further described in Section 7.
To provide, operate and administer the Services and the Site, including to create and maintain your account, to authenticate access, to enable the connection of sources, to deliver the features you request, and to provide the intelligence layer, decisions, recommendations and auditable records that the Services generate. Our legal basis is the performance of a contract with you, or taking steps at your request prior to entering into a contract; where the contract is with your organization rather than with you individually, our legal basis is our legitimate interest in operating and delivering the Services to that organization and its authorized users.
To manage subscriptions, credits, trials, billing and payments, including to measure usage against credit allowances, to invoice, to collect fees, and to administer renewals and cancellations. Our legal basis is the performance of a contract, our legitimate interest in operating our business and recovering amounts owed, and, where applicable, compliance with a legal obligation such as tax and accounting requirements.
To secure the Site and the Services and to prevent, detect and investigate fraud, abuse, unauthorized access and security incidents, including maintaining logs, monitoring for anomalies, and enforcing our terms and acceptable use requirements. Our legal basis is our legitimate interest in protecting the Site, the Services, our customers and our business, and compliance with a legal obligation where we are required to maintain security safeguards.
To provide customer support and to communicate with you about the Services, including responding to your enquiries, sending service and transactional messages, and notifying you of changes to the Services, to this Policy or to our terms. Our legal basis is the performance of a contract and our legitimate interest in maintaining an effective relationship with you and keeping you informed.
To improve, develop and maintain the Site and the Services, including analyzing usage at an aggregated and account level, diagnosing technical problems, and enhancing performance, reliability, and features. Our legal basis is our legitimate interest in understanding how the Services are used and in improving them. GeniOS does not use Customer Data, prompts or the content of connected sources to train its own or any third party's foundation or machine-learning models, as further described in Section 7.
To carry out marketing and to promote the Services, including sending communications about our products, features, offers and events to business contacts and to individuals who have expressed interest, and measuring the effectiveness of those communications. Our legal basis is our legitimate interest in promoting our business to existing and prospective customers, or your consent where consent is required by Applicable Data Protection Laws. You may withdraw consent or object to direct marketing at any time, including by using the unsubscribe mechanism in our communications or by contacting us at hello@thegenios.com.
To rely on your consent for specific Processing, such as the use of certain cookies and comparable technologies that are not strictly necessary, and any other Processing for which we request your consent. Where we rely on consent, our legal basis is that consent, and you may withdraw it at any time without affecting the lawfulness of Processing carried out before withdrawal.
To comply with legal and regulatory obligations and to establish, exercise or defend legal claims, including responding to lawful requests from public authorities, meeting record-keeping requirements, and protecting our legal rights. Our legal basis is compliance with a legal obligation to which we are subject, and our legitimate interest in protecting and defending our rights.
Where we intend to Process Personal Data for a purpose other than that for which it was collected, we will assess the compatibility of the new purpose and, where required, provide you with information about the new purpose and the applicable legal basis before carrying out that further Processing.
7. Customer Data and Connected Sources
The core function of the Services is to reason over the context that an Enterprise Customer chooses to make available and to surface decisions and recommendations for that Enterprise Customer's agents and people. To do this, GeniOS connects to the tools, memory layers and agents that the Enterprise Customer authorizes and Processes the Customer Data contained within them. This section explains the commitments that govern that Processing. These commitments are contractual, are reflected in the DPA, and operate in addition to the description of our Processor role in Section 3.
Access is read-only and scoped. GeniOS accesses an Enterprise Customer's connected sources on a read-only basis, meaning that the Services read from those sources in order to reason over their context and do not write to, alter or delete the underlying data in those sources through that access. Access is also scoped, meaning that it is limited to the specific sources, tools and permissions that the Enterprise Customer authorizes, and the Enterprise Customer controls and can modify or revoke that scope. GeniOS does not seek access beyond the scope granted.
Customer Data is encrypted in transit and at rest. GeniOS applies technical and organizational measures designed to protect Customer Data against unauthorized or unlawful Processing and against accidental loss, destruction or damage, including encryption of Customer Data in transit and at rest, access controls, and logging. The specific measures maintained by GeniOS are set out in the DPA and are kept under review.
No use of Customer Data to train models. GeniOS does not use Customer Data, prompts, or the content of an Enterprise Customer's connected sources to train, fine-tune or otherwise develop its own or any third party's foundation models or other machine-learning models. Customer Data is Processed only to provide the Services to the Enterprise Customer from whose sources it originates, and is not repurposed for model development or for the benefit of other customers.
GeniOS does not sell Customer Data. GeniOS does not sell Customer Data and does not share Customer Data for cross-context behavioral advertising. Customer Data is disclosed only as necessary to provide the Services, to Sub-processors engaged under the terms required by the DPA, or where required to comply with a legal obligation, in each case consistent with the Enterprise Customer's instructions.
Every decision carries an auditable record. For each decision or recommendation that the Services surface, GeniOS generates an auditable record that captures the reasoning applied, the sources relied upon and an indication of confidence. This record is designed to provide transparency and accountability to the Enterprise Customer and its authorized users, and to support human oversight of the Outputs of the Services.
Processing only on documented instructions under the DPA. GeniOS Processes Customer Data solely on the documented instructions of the Enterprise Customer, including with regard to international transfers, unless required to Process otherwise by a law to which GeniOS is subject, in which case GeniOS will inform the Enterprise Customer of that legal requirement before Processing unless that law prohibits such information on important grounds of public interest. The Enterprise Customer, as Controller, is responsible for ensuring that it has a lawful basis for the Processing, that it has provided any required notice to the individuals whose Personal Data is contained in its connected sources, and that its instructions comply with Applicable Data Protection Laws. GeniOS makes available to the Enterprise Customer the information reasonably necessary to demonstrate compliance with these obligations and, taking into account the nature of the Processing and the information available to GeniOS, provides reasonable assistance in respect of security, breach notification, data protection impact assessments and responses to requests from individuals to exercise their rights, all as set out in the DPA.
Personnel who Process Customer Data are bound by appropriate obligations of confidentiality. Any Sub-processor that GeniOS engages to Process Customer Data is subject to data protection obligations that are no less protective than those to which GeniOS is bound under the DPA, and GeniOS remains responsible to the Enterprise Customer for the performance of each Sub-processor's obligations. Upon expiry or termination of the Services, GeniOS deletes or returns Customer Data in accordance with the Enterprise Customer's instructions and the DPA, except to the extent that retention is required by a law to which GeniOS is subject. Questions relating to Customer Data and connected sources may be directed to hello@thegenios.com.
8. Automated Reasoning, Decision Support and Human Oversight
The Services operate as an intelligence layer for AI agents. On a read-only and scoped basis, the Services read the tools, memory layers and agents that a customer connects, reason over that context, and surface decisions and recommendations for the customer's people and agents. Each Output is accompanied by an auditable record of its reasoning, the sources relied upon and an associated confidence indicator. This section explains how automated reasoning relates to Personal Data and the safeguards that apply.
The Services are designed as decision support. Outputs are intended to inform, assist and accelerate the actions of the customer's human personnel and connected agents; they are not a substitute for the customer's own judgment. As between GeniOS and the customer, the customer remains responsible for reviewing, accepting, modifying or rejecting any Output and for any action that is taken, or not taken, in reliance on an Output.
We do not use the Services to make decisions that produce legal effects concerning an individual, or that similarly significantly affect an individual, based solely on automated processing without meaningful human involvement. Where an Output could inform such a decision, the design intent is that a competent person considers the Output together with other relevant information, has the authority and capacity to reach an independent conclusion, and determines the final decision. The confidence indicator and the record of reasoning and sources are provided precisely to enable this human review and to allow the reviewer to interrogate, contest or override an Output.
Outputs are generated by probabilistic and analytical techniques and may be incomplete, may reflect limitations or errors in the connected sources, or may be superseded by later information. Outputs do not constitute legal, financial, medical, employment, safety or other professional advice, and should not be relied upon as such. Individuals whose Personal Data is Processed in connection with an Output may exercise the rights described elsewhere in this Policy, including, where an Output has informed a decision affecting them, the right to obtain human intervention, to express their point of view and to contest the outcome. Because the Enterprise Customer determines the purposes and means of Processing Customer Data, requests concerning a specific decision are generally directed to, and handled by, the relevant Enterprise Customer as Controller, and we will support the Enterprise Customer in responding as required by applicable law and the applicable DPA.
9. Aggregated and De-identified Data
We may create aggregated, statistical, anonymized or de-identified data ("Aggregated Data") from Personal Data and other information Processed through the Services, including operational metrics, usage patterns and performance measurements. Aggregated Data is produced using measures designed to ensure that it does not, and cannot reasonably be used to, identify any individual, whether directly or indirectly, alone or in combination with other information reasonably available to us.
We may use, retain and disclose Aggregated Data for lawful business purposes, including to operate, secure, evaluate, maintain and improve the Services, to develop new features and capabilities, to produce benchmarks and industry insights, and to prepare reports and communications. Where we publish or share Aggregated Data, we do so only in a form that does not identify any individual, customer or connected source unless the relevant party has agreed otherwise.
We maintain the de-identified character of such data. We do not attempt to re-identify Aggregated Data except as strictly necessary to test the effectiveness of our de-identification measures or as required by law, and we commit to maintaining and using such data only in de-identified form and not to attempting to re-identify it other than for those limited purposes. To the extent information no longer relates to an identified or identifiable natural person, it is not Personal Data and the data protection provisions of this Policy do not apply to it. Separately, and as stated in our public commitments, we do not use Customer Data, prompts or connected source content to train our own or any third party's foundation or machine-learning models.
10. Disclosure of Personal Data and Sub-processors
We disclose Personal Data only as described in this Policy and as permitted by applicable law. We do not sell Personal Data, and we do not share Personal Data for cross-context behavioral advertising, in each case as those terms are defined under applicable law, including the CCPA/CPRA. We have not sold or shared Personal Data in the preceding twelve months.
We disclose Personal Data to the following categories of recipients, in each case subject to appropriate safeguards:
- Service providers and Sub-processors: We engage carefully selected third parties to provide infrastructure, hosting, storage, connectivity, security, monitoring, analytics, communications, billing and support functions on our behalf. Each such party acts under a written contract that limits their Processing to the purposes of providing services to us, requires them to implement appropriate technical and organizational measures, imposes duties of confidentiality, and prohibits use of the Personal Data for their own independent purposes. Where a party acts as a Sub-processor of Customer Data, its engagement is governed by the DPA, including the Enterprise Customer's rights regarding notice of, and objection to, new Sub-processors.
- Customer and authorized users: Where Personal Data forms part of Customer Data, we disclose it to the relevant Enterprise Customer and the users the Enterprise Customer authorizes, consistent with the Enterprise Customer's configuration of the Services and the read-only and scoped nature of our access.
- Legal, regulatory and safety: We may disclose Personal Data where we believe in good faith that disclosure is necessary to comply with a law, regulation, legal process, or enforceable governmental or regulatory request; to enforce our agreements and policies; to detect, prevent or address fraud, security, or technical issues; or to protect the rights, property or safety of GeniOS, our customers, individuals or the public, as required or permitted by law.
- Corporate transactions: If we are involved in a merger, acquisition, financing, reorganization, insolvency, or sale or transfer of all or part of our assets or business, Personal Data may be disclosed or transferred as part of that transaction, subject to the recipient being bound by commitments consistent with this Policy and to any notice required by applicable law.
- Professional advisers and affiliates: We may disclose Personal Data to our affiliates and to professional advisers such as auditors, accountants, insurers and lawyers, where necessary for the administration and protection of our business and subject to appropriate confidentiality obligations.
11. International Data Transfers
We operate internationally, and Personal Data may be Processed, stored and accessed in countries other than the country in which it was collected, including the country in which GeniOS is established and the countries in which our service providers and Sub-processors operate. The data protection laws of those countries may differ from those of your country of residence.
Where we transfer Personal Data originating in the European Economic Area ("EEA"), the United Kingdom or Switzerland to a country that has not been recognized as providing an adequate level of protection, we implement appropriate safeguards recognized under the GDPR and the UK GDPR. These safeguards include the European Commission's Standard Contractual Clauses ("SCCs") for transfers from the EEA, the United Kingdom's International Data Transfer Agreement or the UK Addendum to the SCCs (the "UK IDTA/Addendum") for transfers subject to the UK GDPR, and, for onward transfers, equivalent contractual protections in agreements with our service providers and Sub-processors.
Where the European Commission or the relevant United Kingdom authority has determined that a country, territory or framework ensures an adequate level of protection, we may rely on such adequacy decision as the basis for a transfer. Where appropriate and consistent with applicable law, we may also rely on a derogation, such as the necessity of the transfer for the performance of a contract or your explicit consent.
Where we transfer Personal Data as a Processor of Customer Data, the transfer mechanisms and the parties' respective obligations are set out in the DPA. We carry out transfer risk assessments where required and apply supplementary measures, such as encryption and access controls, where necessary to protect transferred Personal Data. You may request further information about the safeguards we apply, and where available a copy of the relevant clauses, by contacting us at hello@thegenios.com.
12. Data Retention
We retain Personal Data only for as long as necessary to fulfill the purposes for which it was collected and Processed, including to provide and secure the Services, to comply with our legal, regulatory, tax and accounting obligations, to resolve disputes, to enforce our agreements, and to establish, exercise or defend legal claims. When Personal Data is no longer required for these purposes, we delete it or irreversibly anonymize it.
To determine the appropriate retention period, we consider the nature, sensitivity and volume of the Personal Data, the purposes for which it is Processed and whether those purposes can be achieved by other means, the potential risk of harm from unauthorized use or disclosure, applicable limitation periods and legal or regulatory requirements to retain data, and the instructions of the relevant Enterprise Customer where we act as a Processor.
For Personal Data contained in Customer Data, retention is governed by the Enterprise Customer's instructions, the Enterprise Customer's configuration of the Services and the DPA. During the term of an Enterprise Customer's subscription, Customer Data is retained to provide the Services. Following termination or expiry, we will delete or return Customer Data in accordance with the DPA and the applicable MSA or order form, subject to any retention required by law. Because our access is read-only and scoped, Personal Data that remains in an Enterprise Customer's connected sources continues to be controlled by the Enterprise Customer and is subject to the Enterprise Customer's own retention arrangements.
For account, billing, marketing and Site analytics data, for which we act as a Controller, we apply retention periods appropriate to each category. For example, we retain billing and transaction records for the period required by applicable financial and tax laws, and we retain marketing preferences until you withdraw consent or object and for a reasonable period thereafter to honor your choice. Backup copies are retained for a limited period consistent with our backup and business continuity practices and are then overwritten or deleted.
13. Information Security
We implement and maintain technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, and other forms of unlawful Processing. These measures are appropriate to the risk presented by the Processing and take into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing.
Our measures include, without limitation, the categories described in the list below. No method of transmission or storage is completely secure, and while we work to protect Personal Data, we cannot guarantee absolute security; you are responsible for maintaining the confidentiality of your account credentials and for configuring the scope of access you grant to the Services.
- Encryption: Customer Data is encrypted in transit and at rest using industry-accepted cryptographic protocols and algorithms.
- Scoped, least-privilege access: Access to the tools, memory layers and agents that a customer connects is read-only and scoped to what the Services require. Internal access to Personal Data is granted on a need-to-know basis under the principle of least privilege, subject to authentication controls, and is reviewed periodically.
- Network and application security: We employ measures such as network segmentation, firewalls, secure development practices, vulnerability management and change control to protect the confidentiality, integrity and availability of the Services.
- Monitoring and logging: We maintain monitoring and audit logging of relevant system and access events to detect, investigate and respond to anomalous or unauthorized activity. Consistent with the design of the Services, each Output carries an auditable record of its reasoning, sources and confidence.
- Resilience and recovery: We maintain backup, redundancy and business continuity practices designed to restore availability of and access to Personal Data in a timely manner following an incident.
- Organizational measures: We impose confidentiality obligations on personnel, provide security and privacy awareness training, apply data protection by design and by default, and maintain policies and procedures governing the handling of Personal Data and the management of security incidents.
14. Personal Data Breach Notification
We maintain procedures to detect, assess, contain, investigate and remediate security incidents affecting Personal Data. A "personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
Where we act as a Processor of Customer Data, we will notify the affected Enterprise Customer without undue delay after becoming aware of a personal data breach affecting that Enterprise Customer's Customer Data, and we will provide information reasonably available to us to assist the Enterprise Customer in meeting its own notification obligations. We will cooperate with the Enterprise Customer and take reasonable steps to mitigate the effects of the breach and to minimize any resulting damage, in each case in accordance with the DPA. As Controller of the affected Personal Data, the Enterprise Customer is responsible for determining whether notification to a Supervisory Authority or to affected individuals is required and for making any such notification.
Where we act as a Controller, for example in respect of account, billing, marketing or Site analytics data, and a personal data breach is likely to result in a risk to the rights and freedoms of individuals, we will notify the competent Supervisory Authority without undue delay and, where feasible, within the timeframe required by applicable law. Where the breach is likely to result in a high risk to affected individuals, we will also communicate the breach to those individuals without undue delay, unless an exception recognized by applicable law applies, such as where we have rendered the affected Personal Data unintelligible through encryption or have taken measures that ensure the high risk is no longer likely to materialize.
Our notifications will, to the extent known and permitted by law, describe the nature of the breach, the categories and approximate number of individuals and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. We will document personal data breaches, including the facts, effects and remedial action taken. Our notification of or response to an incident is not an acknowledgment of fault or liability. If you become aware of a suspected security issue affecting Personal Data, please contact us promptly at hello@thegenios.com.
15. Your Rights and How to Exercise Them
Depending on your location and the applicable data protection laws, you may have certain rights in relation to the Personal Data that GeniOS holds about you. Where GeniOS acts as a Controller of your Personal Data, the rights described in this section are available to you and we will respond to valid requests as set out below. Nothing in this section limits any additional rights you may have under the laws of your jurisdiction.
Subject to the conditions and exceptions provided by applicable law, you may exercise the following rights: (a) the right of access, meaning the right to obtain confirmation of whether we Process Personal Data about you and to receive a copy of that data together with related information; (b) the right to rectification, meaning the right to have inaccurate Personal Data corrected and incomplete Personal Data completed; (c) the right to erasure, meaning the right to request deletion of your Personal Data where there is no lawful basis for us to continue Processing it; (d) the right to restriction, meaning the right to request that we limit our Processing of your Personal Data in defined circumstances; (e) the right to object, meaning the right to object to Processing that is based on our legitimate interests and, at any time and without justification, to Processing for direct marketing purposes; (f) the right to data portability, meaning the right to receive Personal Data you have provided to us in a structured, commonly used and machine readable format and, where technically feasible, to have it transmitted to another Controller; and (g) the right to withdraw consent at any time where our Processing is based on your consent, without affecting the lawfulness of Processing carried out before the withdrawal.
To exercise any of these rights, please contact us at hello@thegenios.com. We may ask you for information sufficient to verify your identity before acting on a request, and we will only use that information to process and respond to your request. We do not charge a fee to handle most requests; however, where a request is manifestly unfounded, excessive or repetitive, we may charge a reasonable fee that reflects our administrative costs, or we may decline to act, in each case as permitted by applicable law and with an explanation of our decision.
We will respond to your request without undue delay and in any event within the timeframe required by the law applicable to you. For requests governed by the GDPR or the UK GDPR, we will respond within one month of receipt, and we may extend this period by up to two further months where necessary taking into account the complexity and number of requests, in which case we will inform you of the extension and the reasons for it within the first month. For requests governed by United States state privacy laws, we will respond within the periods described in the notice to residents of the relevant state.
We will not discriminate or retaliate against you for exercising any of your privacy rights. Exercising your rights will not result in the denial of Services, a different level or quality of Services, or different prices or rates, except where a difference is reasonably related to the value provided by the relevant Personal Data and is otherwise permitted by law.
Where GeniOS Processes Personal Data as a Processor on behalf of an Enterprise Customer, that Enterprise Customer is the Controller of the Customer Data contained in its connected sources. In that case, your rights are exercised against the Enterprise Customer, and if you send a request directly to us we will, where lawful and reasonably practicable, refer your request to the relevant Enterprise Customer and assist that Enterprise Customer in responding through appropriate technical and organizational measures. We will act on Customer Data only in accordance with the Enterprise Customer's documented instructions and the applicable DPA.
16. Notice to California Residents
This section provides information required by the CCPA/CPRA and applies to residents of the State of California ("California consumers") whose personal information GeniOS Processes as a business. Terms used in this section have the meanings given to them under the CCPA/CPRA. Where GeniOS Processes Customer Data on behalf of an Enterprise Customer, GeniOS acts as that Enterprise Customer's service provider and Processes such personal information only for the business purposes specified in our agreement with the Enterprise Customer.
The categories of personal information we have collected, the sources of that information, the business and commercial purposes for which we collect it, and the categories of recipients to whom we disclose it are described in the sections of this Policy addressing the Personal Data we collect, how we use it and how we share it. We collect the categories of personal information identified in those sections, which may include identifiers, customer account and commercial information, internet or other electronic network activity information, professional or employment related information, and inferences drawn from the foregoing.
We do not sell your personal information, and we do not share your personal information for cross-context behavioral advertising, in each case as those terms are defined under the CCPA/CPRA. We have not sold or shared the personal information of California consumers in the preceding twelve months. We have not sold or shared the personal information of consumers we know to be under sixteen years of age.
To the extent we collect information that constitutes sensitive personal information under the CCPA/CPRA, we use and disclose it only for the purposes permitted by the CCPA/CPRA, such as performing the Services, providing security and fraud prevention, and other purposes for which a consumer may not limit our use of sensitive personal information. We do not use or disclose sensitive personal information for the purpose of inferring characteristics about a consumer.
As a California consumer, and subject to the exceptions and verification requirements of the CCPA/CPRA, you have the following rights: the right to know the categories and specific pieces of personal information we have collected about you, the categories of sources, the purposes for collection, and the categories of third parties to whom we disclose it; the right to delete personal information we have collected from you; the right to correct inaccurate personal information we maintain about you; and the right to limit the use and disclosure of sensitive personal information where such right applies.
You may submit a request to know, delete, correct or limit by contacting us at hello@thegenios.com. We will verify your request by matching the information you provide with the information we hold, and we may request additional information where necessary to verify your identity. You may use an authorized agent to submit a request on your behalf, in which case we may require the agent to provide proof of your written authorization and may require you to verify your own identity directly with us or to confirm that you have authorized the agent to act for you. We will not discriminate against you for exercising any of your CCPA/CPRA rights, as described in Section 15 on your rights.
17. Information for Individuals in the European Economic Area and the United Kingdom
This section applies where the GDPR or the UK GDPR governs our Processing of your Personal Data and GeniOS acts as a Controller. Where GeniOS acts as a Processor on behalf of an Enterprise Customer, that Enterprise Customer determines the legal bases for Processing Customer Data and is responsible for handling data subject requests, with our assistance as described in this Policy and in the DPA.
When we Process your Personal Data as a Controller, we rely on one or more of the following legal bases: (a) the performance of a contract with you or the taking of steps at your request prior to entering into a contract, for example to create and administer your account and to provide the Services; (b) our legitimate interests, where these are not overridden by your interests or fundamental rights and freedoms, for example to operate, secure and improve the Services, to prevent fraud and misuse, and to communicate with you about the Services; (c) compliance with a legal obligation to which we are subject, for example to meet accounting, tax and regulatory requirements; and (d) your consent, where we have asked for it, for example for certain marketing communications or optional analytics and cookies. Where we rely on legitimate interests, you may ask us for further information about the balancing we have carried out.
You have the rights described in Section 15 on your rights, including the rights of access, rectification, erasure, restriction, objection and portability, and the right to withdraw consent. You also have the right to lodge a complaint with a Supervisory Authority, in particular in the European Union member state of your habitual residence, place of work or the place of an alleged infringement, or, in the United Kingdom, with the Information Commissioner's Office. We would, however, appreciate the opportunity to address your concerns before you approach a Supervisory Authority, and we encourage you to contact us first.
Where required by the GDPR or the UK GDPR, we have appointed a representative in the European Union and a representative in the United Kingdom to act as points of contact for individuals and supervisory authorities on matters relating to our Processing of Personal Data. You may contact our data protection function, and reach our EU and UK representatives, by writing to hello@thegenios.com and identifying the nature of your request, and we will route your communication to the appropriate contact.
Information about how we transfer Personal Data outside the European Economic Area and the United Kingdom, including our use of the SCCs and the UK IDTA/Addendum together with appropriate supplementary measures, is set out in Section 11 addressing international transfers.
18. Cookies and Similar Technologies
The Site uses cookies and similar technologies, such as pixels, tags, local storage and software development kits, to operate, secure and improve the Site and to understand how visitors interact with it. A cookie is a small text file that a website places on your device to store information that can be read when you return. Similar technologies perform comparable functions and are referred to together in this Policy as "cookies".
We use cookies that fall into the following general categories: strictly necessary cookies, which are required to operate the Site and to provide core features such as security, network management and access to secure areas; functional cookies, which remember choices you make and personalize your experience; and analytics cookies, which help us understand aggregate usage patterns so that we can measure and improve the performance of the Site. We use analytics cookies to generate Site analytics data for which GeniOS acts as a Controller. We do not use cookies on the Site to build advertising profiles about you or to serve cross-context behavioral advertising.
You can control and manage cookies in several ways. Most browsers allow you to refuse or delete cookies through their settings, and where required by law we present a cookie notice or preference tool that lets you accept or decline non essential cookies. Strictly necessary cookies cannot be switched off through such tools because the Site cannot function properly without them. If you disable or delete certain cookies, some features of the Site may not work as intended.
Some browsers transmit "Do Not Track" or global privacy control signals. Where applicable law requires us to treat a recognized opt out preference signal as a valid request, we will honor that signal in accordance with the requirements of that law. For further information about the specific cookies used on the Site and their duration, please refer to the cookie notice or preference tool made available on the Site.
19. Children
The Services are business products intended for organizations and their personnel, and the Site is directed to a professional audience. The Services and the Site are not directed to, and we do not knowingly collect Personal Data from, children under the age of sixteen, or under such higher age of digital consent as may apply in your jurisdiction.
We do not knowingly permit children to register for an account or to use the Services. If you are a parent or guardian and you believe that a child has provided Personal Data to us through the Site, or if you otherwise become aware that we may have collected Personal Data from a child, please contact us at hello@thegenios.com so that we can investigate and, where appropriate, delete the information in accordance with applicable law.
Where an Enterprise Customer connects sources that contain Personal Data, the Enterprise Customer is responsible, as Controller, for ensuring that it has a lawful basis to include any such data and for complying with any requirements that apply to the Personal Data of minors.
20. Third-Party Links and Services
The Site and the Services may contain links to, or integrate with, websites, applications, tools, memory layers and services that are operated by third parties, including sources that an Enterprise Customer chooses to connect to the Services. We provide these links and integrations for convenience and to enable the functionality that our customers request. The presence of a link or integration does not imply that we endorse, or are responsible for, the third party or its content, products or practices.
This Policy does not apply to the practices of third parties that we do not own or control. When you access a third party website or service, or when an Enterprise Customer connects a third party source, the collection and use of your Personal Data by that third party is governed by the third party's own privacy notice and terms, not by this Policy. We encourage you to review the privacy notices of any third party services before you use them or provide Personal Data to them.
Where GeniOS connects to an Enterprise Customer's third party sources, it does so on a read-only and scoped basis in accordance with the Enterprise Customer's instructions, and it Processes the resulting Customer Data as a Processor as described in this Policy and in the DPA. We are not responsible for the configuration, security or data practices of the third party sources themselves, which remain the responsibility of the Enterprise Customer and the relevant third party providers.
21. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, the Services, applicable law, or for other operational, legal or regulatory reasons. When we make changes, we will revise the "last updated" date shown at the top of this Policy and, where the changes are material, we will provide additional notice as required by applicable law, for example by posting a prominent notice on the Site or by contacting you through the account or email details we hold.
We encourage you to review this Policy periodically so that you remain informed about how we Process Personal Data and about your rights. Your continued use of the Site or the Services after an updated Policy takes effect constitutes your acknowledgement of the updated Policy, to the extent permitted by applicable law. Where the law requires your consent to a change, we will obtain that consent before the change applies to you.
If any change to this Policy conflicts with the terms of an MSA, order form or DPA in place with an Enterprise Customer, those enterprise terms will prevail over this Policy with respect to that Enterprise Customer and its Customer Data for the matters they address.
22. Contact Us
If you have any questions, comments or concerns about this Policy or about how GeniOS Processes your Personal Data, or if you wish to exercise any of your privacy rights, please contact us at hello@thegenios.com. This address is the point of contact for all privacy inquiries and rights requests, including requests to access, rectify, erase, restrict, object to, port or limit the Processing of your Personal Data, and requests to withdraw consent.
To help us respond efficiently, please include enough information for us to understand and act on your request, such as the nature of your request, the Services or Site involved, and details that enable us to verify your identity. We may contact you to confirm your identity or to request further information before we act, in accordance with applicable law.
Where GeniOS acts as a Processor on behalf of an Enterprise Customer, and your request concerns Customer Data, we will, where lawful and reasonably practicable, direct your request to the relevant Enterprise Customer and support that Enterprise Customer in responding. If you are an individual in the European Economic Area or the United Kingdom, you may also reach our data protection function and our EU and UK representatives through the same address, and you retain the right to lodge a complaint with your Supervisory Authority as described in this Policy.