GENPLIFY – PRIVACY POLICY (BETA)

Last Updated: December 18, 2025

This Privacy Policy explains how Genplify Limited (“Genplify”, “we”, “our”, “us”) collects, uses, shares, and protects personal data when you use our platform.

WHO WE ARE

Genplify Limited
Hong Kong (Data Controller and Processor as applicable)
Email: support@genplify.com


1. WHO CONTROLS YOUR DATA

  • When you access Genplify through your employer or organization (“Customer”), that Customer is typically the data controller for your learning data
  • Genplify acts as data processor on the Customer's behalf, and as controller for website visits, account management, and product analytics
  • In some cases, we act as joint controllers

Your organization's privacy officer or legal team can clarify the exact relationship for your situation.


2. WHAT PERSONAL DATA WE COLLECT

We collect only the minimum personal data necessary to deliver the Service, in compliance with data minimization principles under GDPR Article 5(1)(c).

2.1 ACCOUNT AND IDENTIFICATION DATA

  • Full name, email address, organization, job title
  • SSO identifiers from Google / Microsoft / SAML
  • Account status and enrollment dates

2.2 LEARNING AND ASSESSMENT DATA

  • Assessment responses (answers selected or written)
  • Correctness of each response
  • Module and lesson completion status
  • Proficiency scores and percentile rankings
  • Dimension scores (prompt engineering, critical evaluation, workflow integration, responsible use, AI judgment)

2.3 USAGE AND TECHNICAL DATA

  • IP address and country-level location only (not precise geolocation)
  • Device type and browser (for compatibility purposes)
  • Session dates and duration
  • Login dates

WHAT WE DO NOT TRACK OR COLLECT

To ensure strict GDPR compliance and user privacy protection, we explicitly do not track or collect:

  • Keystroke timing or response time per individual response (this violates EU data minimization principles)
  • Number of attempts or retries (behavioral profiling not necessary for service delivery)
  • XP earned, streak data, or achievements (gamification data not collected)
  • Iteration patterns or self-correction metrics (behavioral tracking prohibited unless explicitly consented)
  • Biometric identifiers (fingerprint, facial recognition, retina scans)
  • Government ID numbers or passport information
  • Precise GPS location data
  • Health or medical information
  • Special categories of data (racial origin, religious beliefs, political opinions, union membership, genetic data, sex life or sexual orientation)
  • Browsing activity outside the platform
  • Keyboard/mouse movement patterns

Exception: If you provide accessibility accommodations (screen reader preferences, font size), we process these only to enable platform functionality.


3. WHY WE USE YOUR DATA (LEGAL BASIS)

We use your data only for the following purposes and legal bases:

3.1 DELIVER THE SERVICE (Contractual Necessity - GDPR Article 6(1)(b))

  • Create and maintain your account
  • Deliver lessons and assessments
  • Compute proficiency scores based on response accuracy
  • Display progress dashboards
  • Send transactional emails (password reset, score updates)

3.2 IMPROVE ASSESSMENT CALIBRATION (Legitimate Interest - GDPR Article 6(1)(f))

  • Analyze question performance using aggregated, anonymized response data
  • Refine scoring algorithms
  • Update benchmarks by anonymized groups (industry, role)

3.3 PREVENT ABUSE AND PROTECT SECURITY (Legitimate Interest - GDPR Article 6(1)(f))

  • Detect unauthorized account access
  • Monitor for account sharing (systematic pattern analysis, not individual keystroke tracking)
  • Rate-limit API requests to prevent overload
  • Investigate security incidents when reported

We do not use behavioral profiling or automated decision-making for security decisions. Account actions require manual human review.

3.4 COMPLY WITH LAW (Legal Obligation - GDPR Article 6(1)(c))

  • Retain invoices and billing records as required by tax law
  • Respond to valid legal requests (court orders, warrants)

3.5 SEND COMMUNICATIONS (Consent - GDPR Article 7)

  • Transactional emails only (account status, score results, deadlines)
  • Optional product updates (only where you consent; you can withdraw anytime)

We do not send marketing emails without explicit opt-in consent. Consent is freely given and can be withdrawn at any time.


4. WHERE AND HOW WE STORE DATA

4.1 DATA LOCATION

  • Primary Database: Supabase PostgreSQL in Asia-Pacific South region (Singapore)
  • Backups: Distributed across Asia-Pacific
  • Application Servers: Vercel with global edge deployments

4.2 DATA SECURITY

We protect your data using:

  • Encryption in Transit: HTTPS/TLS 1.3 for all connections
  • Encryption at Rest: AES-256 encryption of database and backups
  • Authentication: Multi-factor authentication available (TOTP, SMS)
  • Authorization: Role-based access control; organization data isolation
  • Database Row-Level Security: Enforced at database layer so each organization sees only its own data
  • Access Controls: Only staff with a business need can access personal data
  • Audit Logging: All data access logged with timestamp and user identity
  • Regular Security Assessments: Vulnerability scanning and periodic penetration testing

4.3 SUB-PROCESSORS

We share your data only with service providers who support the platform:

Vendor | Role | Data Processed | Location
Supabase | Database hosting | All platform data (encrypted) | Singapore
Anthropic Claude | AI evaluation | Sandbox prompts (text only) | USA
Vercel | Application hosting | HTTP requests, session data | USA + EU edge
Clerk | Authentication | Name, email, password (hashed) | USA
Stripe | Payment processing | Name, billing address, amount | USA
Cloudflare | DDoS protection, CDN | IP address (country level) | USA
SendGrid | Email delivery | Email address, message content | USA

All sub-processors are bound by data protection agreements (Data Processing Agreements) that comply with GDPR Article 28 and include Standard Contractual Clauses for international transfers.


5. SHARING AND DISCLOSURE

5.1 YOUR ORGANIZATION'S ADMINS

Organization administrators can see:

  • Your name, email, job title, department
  • Your proficiency scores and percentile rankings
  • Your progress (lessons completed, modules finished)
  • Aggregated class analytics (average scores, completion rates)

Admins CANNOT see:

  • Your individual assessment responses
  • Your raw sandbox prompts or AI outputs
  • Keystroke data, timing data, or iteration patterns
  • Any behavioral tracking data
  • Your browsing history outside the platform

5.2 GENPLIFY TEAM

Only staff with a business need can access personal data (e.g., support staff investigating a technical issue). All staff sign confidentiality agreements.

5.3 LEGAL AND LAW ENFORCEMENT

We disclose personal data only when legally required:

  • Valid court order or legal subpoena
  • Investigation of suspected fraud or criminal activity
  • Response to government request via formal legal process

We provide minimal, proportionate disclosure. We do not voluntarily share data with authorities.

5.4 BUSINESS TRANSFERS

If Genplify is acquired, merged, or sold, personal data may be transferred as part of the transaction. We will notify you and provide the opportunity to opt out if your rights materially change.

5.5 WE DO NOT SELL DATA

We do NOT sell your personal data to third parties for marketing or commercial purposes.


6. DATA RETENTION AND DELETION

6.1 RETENTION PERIODS

Your data is retained according to the following schedule:

Data Category | Retention Period | Reason
Account profile | During active use + 1 year | Service continuation; dispute resolution
Assessment responses | 1 year post-completion | Outcome verification; certification
Proficiency scores | 1 year post-completion | Certification; learner verification
Learning progress | 1 year post-completion | Reporting; completion confirmation
Sandbox prompts | 7 days | Evaluation period only
Activity logs (login dates) | 30 days | Security; troubleshooting
Audit logs | 12 months | Compliance; investigation trail
Backups | 30 days (rolling window) | Disaster recovery
Email communications | 3 years | Legal compliance
Billing records | 7 years | Tax law requirement

No behavioral data retention: Since we do not collect keystroke timing, attempts, or behavioral signals, these data categories do not apply.

6.2 YOUR DELETION RIGHTS (GDPR Article 17)

You can request deletion of your account and associated data by emailing support@genplify.com with the subject “Data Deletion Request”.

Upon receipt of a valid deletion request:

  • We evaluate legality (whether deletion is permitted under law)
  • If approved, we delete data within 30 days
  • Backups are purged within an additional 30 days (Supabase retains rolling 30-day backups)
  • We send written confirmation

We may deny deletion if:

  • Data is necessary to complete your current learning program
  • Legal obligation requires retention (tax records, fraud investigation)
  • Data is needed to defend a legal claim
  • Data is already anonymized

Your organization may also restrict deletion if the data is needed for business purposes (e.g., ongoing training program).


7. YOUR RIGHTS (GDPR Articles 15–21)

Depending on where you live, you may have rights to:

7.1 RIGHT OF ACCESS (Article 15)

  • Request a copy of all personal data we hold about you
  • Receive data in portable format (JSON/CSV)
  • Know what data we collect and how we use it

7.2 RIGHT TO RECTIFICATION (Article 16)

  • Correct inaccurate or incomplete information
  • Request we update your profile

7.3 RIGHT TO ERASURE (Article 17 - Right to be Forgotten)

  • Request deletion of your data in certain circumstances
  • Subject to legal exceptions (e.g., data needed for ongoing program)

7.4 RIGHT TO RESTRICT PROCESSING (Article 18)

  • Request we limit how we use your data
  • We retain data but stop active processing

7.5 RIGHT TO DATA PORTABILITY (Article 20)

  • Receive your data in machine-readable format to transfer to another service
  • Free of charge

7.6 RIGHT TO OBJECT (Article 21)

  • Object to processing based on legitimate interest
  • Object to marketing communications

7.7 RIGHT NOT TO BE SUBJECT TO AUTOMATED DECISION-MAKING (Article 22)

  • We do not use fully automated decision-making to deny account access or invalidate scores
  • Any account action requires manual human review

TO EXERCISE THESE RIGHTS:

Email: support@genplify.com
Subject: “[RIGHT] Request - [Your Name]”

Please specify:

  • Your full name and email
  • Your account ID (if known)
  • Type of request (access, correction, deletion, portability, etc.)
  • Specific details of your request

We will respond within 5 business days. In some cases, we may need to verify your identity before processing the request.

If you are using Genplify through your organization, we may coordinate your request with your organization's privacy officer to determine the appropriate response.


8. INTERNATIONAL DATA TRANSFERS

8.1 HOW WE TRANSFER DATA

Personal data collected from EU/EEA residents is transferred to servers in Singapore and the USA (where sub-processors are located). These countries do not have EU adequacy decisions.

8.2 LEGAL SAFEGUARDS

To justify international transfers, Genplify implements:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contract terms for lawful transfers (per EU Commission Decision 2021/914)
  • Encryption: Data encrypted end-to-end in transit and at rest
  • Access Controls: Strict limitation of who can access data
  • Sub-Processor Agreements: All vendors bound by equivalent data protection terms
  • Regular Security Assessments: Annual audits of security controls

We maintain a Transfer Impact Assessment showing how legal safeguards mitigate risks of data access by foreign governments or other authorities. This is available upon request to competent data protection authorities.

8.3 EU DATA RESIDENCY OPTION

For Enterprise customers requiring data to remain within the EU:

  • Data stored exclusively in Supabase Frankfurt region (Germany)
  • No international transfers
  • Available on Enterprise tier
  • ~15-20% infrastructure cost premium

Contact support@genplify.com to inquire about the EU residency option.


9. CHILDREN AND SENSITIVE DATA

Genplify is designed for professional and enterprise use.

  • NOT intended for children under 16
  • We do not knowingly collect data from children
  • If we discover we've collected data from a child, we delete it immediately

You must not include special categories of personal data (health information, religious beliefs, political opinions, etc.) in your prompts or responses.


10. COOKIES AND TRACKING

Genplify uses:

ESSENTIAL COOKIES:

  • Authentication (keeping you logged in)
  • Security (CSRF tokens, session management)
  • Core functionality (navigation state, preferences)

OPTIONAL ANALYTICS COOKIES:

  • Google Analytics (if you consent): Understanding feature usage and improving UX
  • Heatmaps (if you consent): Seeing where users click and scroll

In regions where required by law, you will see a COOKIE BANNER allowing you to:

  • Accept all cookies (recommended for full functionality)
  • Reject non-essential cookies
  • Customize cookie preferences

You can manage cookies in your browser settings at any time.


11. SECURITY INCIDENTS

11.1 IF WE DISCOVER A SECURITY INCIDENT

If we discover unauthorized access or loss of personal data:

  • We contain the incident immediately
  • We investigate the scope and cause
  • We notify your organization and affected individuals within 24 hours
  • We provide details about the data compromised and steps to protect yourself
  • We implement safeguards to prevent recurrence

11.2 TO REPORT A SECURITY ISSUE

If you discover a security vulnerability:

Email: support@genplify.com
Subject: “SECURITY REPORT [CONFIDENTIAL]”

Please provide:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact

We review security reports promptly and coordinate fixes.


12. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy as our practices and legal requirements evolve.

  • We will notify you of material changes via email or in-app notification
  • Continued use after changes take effect constitutes acceptance
  • For questions about changes, contact support@genplify.com

The “Last Updated” date at the top of this policy indicates when we last revised it.


13. APPLICABLE LAWS AND JURISDICTION

This Privacy Policy complies with:

  • EU General Data Protection Regulation (GDPR) – Regulation EU 2016/679
  • UK General Data Protection Regulation (UK GDPR)
  • Brazil Lei Geral de Proteção de Dados (LGPD)
  • Hong Kong Personal Data (Privacy) Ordinance (PDPO)
  • Other applicable data protection laws where you reside

If you have questions about how local laws apply to your data, contact support@genplify.com.


14. CONTACT INFORMATION

For privacy questions or to exercise your rights:

Email: support@genplify.com
Subject: “[Privacy Question]” or “[Data Request]”
Response Time: We respond within 5 business days


END OF PRIVACY POLICY