Privacy Policy
This Privacy Policy ("Policy") explains how the Genitor platform ("Platform", "Service", "we", "us", "our") collects, uses, stores, transfers, and protects users' personal data. Genitor is a Delaware-incorporated SaaS platform that lets you build production-ready websites by writing prompts to artificial intelligence.
This Policy applies to the Platform itself, the genitor.net domain and all of its subdomains (e.g. *.genitor.net), and every service provided through them. By accessing, signing up for, or otherwise using the Platform, you confirm that you have read and accepted this Policy.
The controller of your personal data is the Genitor team, based in Wilmington, Delaware, USA. We comply with the EU General Data Protection Regulation (GDPR), the UK Data Protection Act, the California Consumer Privacy Act / CPRA (CCPA), other US state privacy laws (VCDPA, CPA, CTDPA, UCPA), Turkey's KVKK, and other applicable privacy legislation.
1. Introduction
Genitor is a cloud-based platform that lets you build full-featured websites by writing prompts to AI. Each project receives its own subdomain (e.g. mysite.genitor.net), an isolated PostgreSQL database, and a CMS. You can also bring your own custom domain, choose from our template marketplace, and apply to our creator program.
This Policy covers all personal data collected, processed, and stored when you use the Platform. It applies both to the Platform itself and to websites published on genitor.net or any subdomain. By using the Service, you consent to the processing of your information as described here.
We are the controller — the party that determines the purposes and means of processing your data. If you have any questions, requests, or complaints, you can reach our privacy team at [email protected] at any time.
2. Definitions
The key terms used in this Policy have the following meanings:
- Personal Data — any information that identifies, or can be reasonably linked to, a natural person (such as name, email, IP address).
- Processing — any operation performed on personal data: collection, recording, storage, modification, transfer, deletion, or destruction.
- Controller — the party that determines the purposes and means of processing personal data. For this Policy, that is Genitor.
- Processor — a third party that processes personal data on behalf of the Controller (e.g. Hetzner, Cloudflare).
- Data Subject — the natural person whose personal data is processed; in this Policy, that is you.
- User Content — anything you create, upload, or store through the Platform: websites, files, text, AI prompts.
- Cookies — small text files stored by your browser that allow us to recognise you and preserve preferences.
- Service — the entire set of features provided by the Genitor Platform.
- Platform — genitor.net and the underlying technical infrastructure.
- Project — a website created by a user on the Platform together with its associated resources (database, files, settings).
- Subdomain — a public address in the format *.genitor.net assigned automatically to each project.
3. Data we collect
Below we describe the categories of data we collect when you use the Service. Some of it you provide directly, some is collected automatically, and some comes from third parties.
3.1. Account data
When you create or use an account, we collect:
- Your name (as you provide it).
- Email address — used for authentication, notifications, and contact.
- Password — never stored in plaintext; hashed securely with bcrypt.
- Profile picture (avatar), if you upload one.
- Google OAuth identifier — the unique user ID Google assigns when you sign in with your Google account.
- Account creation timestamp and last login timestamp.
3.2. Profile and creator data
If you fill in a public profile or apply to the creator program, we collect:
- Bio (short description, role, area of work).
- Social links (Twitter/X, GitHub, LinkedIn, Behance, etc.).
- Location or city, if you choose to provide it.
- Profile avatar.
- Public profile slug (used in /u/{slug} URLs).
- Creator application materials: pitch text and links to 3 sample projects.
- Application status and timestamps (pending, approved, rejected).
3.3. Project and user content
Content you create and store on the Platform:
- Websites you build — code, design, content, and configuration.
- Data stored in your project's database (e.g. customer records, blog posts, form submissions).
- Files you upload — images, documents, videos, and similar.
- AI prompts you send to the generation engine.
- Project name, subdomain, and custom domain settings.
- Project-level integrations and API keys (stored in encrypted form).
3.4. Usage and technical data
Data collected automatically when you visit and use the Platform:
- IP address — for session and approximate geolocation.
- Browser type and version (User-Agent).
- Operating system and device type.
- Login-time device fingerprint — used to detect suspicious activity.
- Page views, click activity, and navigation paths.
- Feature-usage metrics (which menus and buttons you use).
- AI generation events (timestamp, model, prompt length, status).
- Build and deploy logs.
- Error reports and crash logs.
3.5. Communication data
Information generated when you communicate with us:
- Emails you send to our support team.
- In-app chat and messaging history.
- Support ticket history and statuses.
- Subject, contents, and attachments of your queries.
3.6. Payment data
We do NOT store your full card number or CVV. All payment data is held and processed by a PCI-DSS compliant third-party payment processor. We retain only the limited payment information needed to operate billing:
- Your customer ID inside our payment processor.
- The last four digits of your card (e.g. **** **** **** 4242).
- Card brand (Visa, MasterCard, etc.).
- Card expiry month and year.
- Billing address you provide.
- Transaction history (amount, date, status, invoice number).
4. Sources of data
We obtain your personal data from the following sources:
- Directly from you — through registration, profile completion, content creation, or contacting support.
- Automatically — through cookies, server logs, telemetry, and analytics tools.
- Third-party SSO providers — when you sign in with Google OAuth, Google sends us basic profile information (name, email, avatar).
- Payment processor — confirmations of successful or failed transactions.
- Public sources — when you connect a custom domain we may inspect public WHOIS metadata where available.
- Internal Platform systems — signals from anti-spam, anti-fraud, and security tooling.
5. Legal bases for processing
For users in the European Union/European Economic Area and the United Kingdom, we process your personal data only when at least one of the following legal bases applies:
5.1. Performance of a contract
We process your data to create your account, deliver the Service, process payments, and otherwise perform our contractual obligations to you. This basis covers core account features, project operation, and invoicing.
5.2. Legitimate interests
We rely on legitimate interests to keep the Platform secure, prevent fraud, improve the Service, and send important Service-related communications. We balance these interests against your rights and freedoms each time and stop processing if your interests prevail.
5.3. Consent
We send marketing emails, use optional analytics cookies, and enable certain optional features only with your explicit consent. You can withdraw your consent at any time, easily and without penalty.
5.4. Legal obligation
We retain and disclose certain data to comply with applicable law — for example, tax records, accounting requirements, court orders, and other regulatory obligations. This includes invoices, payment history, and other records required by law.
6. How we use your data
We use the data we collect for the following purposes:
- Provide, operate, and maintain the Service.
- Create accounts, authenticate users, and manage logins.
- Process payments, issue invoices, and manage subscriptions.
- Verify identity and prevent abuse of the Platform.
- Provide customer support and respond to your inquiries.
- Detect security threats, fraud, and policy violations.
- Improve the quality, performance, and functionality of the Service.
- Send marketing and promotional content where you have consented.
- Comply with our legal and regulatory obligations.
- Generate aggregated analytics and reporting.
- Understand customer behaviour to inform new features.
7. AI processing of your prompts
When you use the Platform's AI generation features, the prompt you write together with relevant project context (e.g. existing page structure, design settings) is sent to our chosen AI provider for processing. This processing is necessary to generate the result you requested (code, text, design).
We log your prompts and retain them for a limited time to detect abuse, improve the product, and ensure service stability. Your prompts are NOT used to train third-party AI models. Our contracts with AI providers explicitly require that customer data is not used for model training.
The AI provider itself may temporarily retain your prompt to deliver and audit the response, but is contractually prohibited from adding it to its training corpus. For more details on the current AI provider, please contact [email protected].
8. Sharing and disclosure
We share your personal data only with the categories of recipients listed below, and only when necessary. Every transfer happens under a written agreement and with appropriate safeguards.
8.1. Service providers (processors)
The following third-party providers process limited personal data on our behalf:
- Hetzner Online GmbH (Germany) — server and infrastructure hosting.
- Cloudflare, Inc. — CDN, SSL/TLS, DDoS protection, and DNS services.
- Google LLC — OAuth identity verification when you sign in with Google.
- Stripe, Inc. (USA) — processes all Genitor subscription payments and tax (Stripe Payments + Stripe Tax + Stripe Billing). Card data is stored only by Stripe under PCI-DSS Level 1; we retain only the last 4 digits, brand, expiry, billing address, and Stripe customer ID.
- AI provider — for processing prompts and returning generation results.
- Transactional email provider — for delivering system notifications and account emails.
- Cloudflare, Inc. (Cloudflare R2) — encrypted off-site backups (daily rclone sync); stored in EU regions.
- Analytics and error-monitoring platforms — to keep the Service stable.
8.2. Legal authorities
We may disclose your data when required by law, in response to a court order, or upon a written request from a competent authority. We disclose data only after verifying that a request is lawful and proportionate, and we attempt to notify the affected user where this is permitted.
We may also disclose data when necessary to protect life, property, or the safety of users or the public.
8.3. Business transfers
If Genitor is sold, merges with another company, or is acquired by another legal entity, your personal data may transfer to the successor. In that case the data will be subject to protection no weaker than this Policy, and we will inform you about any material changes.
8.4. Public-by-design surfaces
Some data is public by the very nature of the Service. Websites you publish under *.genitor.net are accessible to anyone on the internet. If you join the creator program and choose a public profile, your /u/{slug} page is public. You control these surfaces and can change visibility at any time.
8.5. Aggregated and anonymised analytics
We may share aggregated or anonymised statistics about Service usage with customers, investors, and partners. Such information cannot be used to identify any individual user.
8.6. We never sell your data
We do not sell your personal data to advertisers, data brokers, or any third party for monetary or other valuable consideration. We have no plans to do so in the future.
9. International data transfers
Genitor, Inc. is a US-domiciled company; however, all customer databases, files, and primary backups are stored in EU data centers (Hetzner, Germany; Cloudflare R2 EU regions). Personal data of EU/UK residents is therefore stored within the EEA. Access by Genitor staff based in the US constitutes an international transfer governed by the EU Standard Contractual Clauses (Module 1, Controller-to-Controller) and equivalent UK IDTA / Swiss FADP transfer instruments.
If you live outside the EU, the transfer of your data to Germany constitutes an international transfer and is performed under an adequacy decision or other applicable safeguard.
When we use Cloudflare's global network, our AI provider, or other vendors, your data may be processed outside the EU, including in the United States. For such transfers we rely on the European Commission's Standard Contractual Clauses (SCCs) and other appropriate safeguards.
Transfers to countries without an adequacy decision are made only after additional safeguards are in place. For more details on international transfers, contact [email protected].
10. Data retention
We keep personal data only for as long as necessary. The following retention periods apply:
- Account data — for the lifetime of the account, plus 90 days after deletion (in case you change your mind).
- Profile and creator profile — same as account data.
- Projects and databases — for the lifetime of the project, plus 30 days after deletion; then permanently removed.
- Communication data (support correspondence) — 3 years.
- Payment and invoice records — at least 5 years, in line with U.S. federal tax record-keeping rules (IRC §6001).
- Backups — a rolling 90-day retention window.
- Server logs — 30 to 90 days.
- Error logs — 90 days.
- Audit logs (admin actions) — 2 years.
- Marketing-consent records — 3 years after consent is withdrawn (for evidentiary purposes).
- AI prompt logs — 90 days, for abuse review.
11. Security measures
We implement industry-standard technical and organisational measures to protect your personal data from unauthorised access, alteration, disclosure, or destruction.
- Encryption in transit for all traffic (TLS 1.3 via Cloudflare).
- Encryption at rest for sensitive fields.
- Secure password hashing (bcrypt) — plaintext passwords are never stored.
- Per-project isolated PostgreSQL schema with PUBLIC role permissions revoked.
- Worker-thread sandboxing for execution of user-supplied API code.
- Regular encrypted backups.
- Multi-factor authentication (MFA) and least-privilege access for staff.
- All admin actions recorded in an audit log.
- Content Security Policy (CSP), HSTS, X-Frame-Options, and other hardening headers.
- Automated vulnerability scanning and a regular security-patching cadence.
- Continuous monitoring and anomaly-detection systems.
- Confidentiality agreements with all employees and contractors.
12. Your rights
Under applicable legislation (GDPR, UK DPA, CCPA/CPRA, KVKK and other applicable privacy laws), you have extensive rights with respect to your personal data. You may exercise the following rights at any time.
12.1. Right of access
You have the right to obtain confirmation as to whether we process your personal data, receive a copy of it, and be informed about how it is processed. We respond to access requests within 30 days.
12.2. Right to rectification
You have the right to correct or update inaccurate or incomplete personal data. Most fields can be updated yourself at /dashboard/profile.
12.3. Right to erasure ("right to be forgotten")
In certain circumstances you may request deletion of your personal data. You can delete your account yourself at /dashboard/profile/danger. Data we are legally required to retain (such as tax records) will be deleted after the relevant retention period.
12.4. Right to restriction
You may request that we restrict processing of your data in certain circumstances, such as when you contest its accuracy or the lawfulness of processing.
12.5. Right to data portability
You have the right to receive your personal data in a structured, commonly used, machine-readable format. We support JSON exports of your data from /dashboard/profile.
12.6. Right to object
You have the right to object to processing based on our legitimate interests, including direct marketing. We will stop processing for direct marketing immediately upon objection.
12.7. Right to withdraw consent
Where processing relies on your consent, you can withdraw it at any time without penalty. Withdrawing consent does not affect the lawfulness of processing carried out before withdrawal.
12.8. Right not to be subject to solely automated decision-making
You have the right not to be subject to decisions based solely on automated processing that produce significant effects on you. Genitor does not make significant solely-automated decisions about users; for cases like fraud detection, a human reviews the final decision.
12.9. How to exercise your rights
To exercise these rights, email [email protected] or use the relevant self-service tools inside the dashboard. We may ask you to verify ownership of the account before fulfilling a request. We respond within 30 calendar days.
13. Children's privacy
The Service is not intended for users under the age of 16 (or the local age of digital consent if higher). We do not knowingly collect personal data from anyone under that age.
If you are a parent or guardian and believe that your child has provided us with personal data, please contact [email protected]. We will promptly delete such data after verification.
14. Cookies and similar technologies
The Platform uses cookies, localStorage, sessionStorage, pixels, and similar technologies. A detailed description of categories and how to manage them is available in our separate Cookie Policy at /cookies.
You can change your cookie preferences at any time through your browser settings or the cookie banner inside the Platform.
15. Marketing communications
We send newsletters, product updates, and promotional content only with your explicit consent (opt-in). Every marketing email includes an unsubscribe link.
You cannot unsubscribe from transactional emails (account, billing, security), as they are essential for operating the Service. We classify these as operational rather than marketing communications.
You can manage your marketing preferences at /dashboard/settings/notifications.
16. Third-party links and embeds
Your projects may contain links to external sites or embed third-party content such as YouTube, Twitter/X, Stripe Checkout, or Google Maps. We have no control over these external resources, and their own privacy policies apply.
We recommend reviewing the privacy practices of any third party before clicking external links or interacting with embedded content. Genitor is not responsible for third-party practices.
17. Data breach notification
If a data breach affects your personal data, we will, where required by law, notify the competent supervisory authority and you within 72 hours of becoming aware of the breach.
The notification will describe the nature of the incident, the categories of data affected, the likely consequences, and the measures we are taking to mitigate the risk. We will also recommend steps you can take to protect yourself.
We maintain an internal incident-response plan; once a breach is detected, the relevant response team is engaged immediately.
18. Changes to this Policy
We may update this Privacy Policy from time to time. We will notify you of material changes at least 14 days in advance, either by email to your registered address or via a prominent banner inside the Platform dashboard.
The most recent update date is always shown in the "Last updated" line. By continuing to use the Service after a change takes effect, you accept the updated Policy.
If you would like to review previous versions or a change log, contact [email protected].
19. Filing complaints
We always encourage you to contact us first so that we can address your concerns directly and quickly. However, you also have the right to lodge a complaint with your local data protection authority.
For EU residents, this is the supervisory authority in your country of residence (such as the BfDI in Germany, the CNIL in France, or the AEPD in Spain).
California residents may file complaints with the California Privacy Protection Agency (https://cppa.ca.gov); other US residents may contact their state attorney general's office.
For UK residents the relevant authority is the Information Commissioner's Office (ICO); for Turkey it is the KVKK Board; for Russia it is Roskomnadzor.
20. Contact (Data Protection)
For any questions, requests, or complaints about this Privacy Policy or how we process your personal data, please contact our Data Protection Team:
- Primary privacy contact: [email protected]
- General support: [email protected]
- Postal address: Genitor, Inc., Wilmington, Delaware, USA
- Response window: 30 calendar days
21. Contact
If you have any questions, concerns, or requests regarding this Privacy Policy, please reach out to us. Our primary data-protection contact channels are:
- Privacy email: [email protected]
- General support: [email protected]
- Wilmington, Delaware, USA