In compliance with the General Data Protection Regulation (GDPR — EU Regulation 2016/679), HEALTH ZONE-E, UNIPESSOAL, LDA (“we”, “us”, “Genie”), headquartered at Rua do Cepo, n.º 53, 2415-366 Leiria, Portugal (NIPC PT516569929), establishes how it collects, processes, and protects the personal data of users of the Genie platform.

This Privacy Policy applies to all users of the Genie platform from the first moment of accessing the website, regardless of whether a paid plan is subscribed. By using Genie, all users accept that the service is governed by this policy.

For any questions regarding this policy, contact us at hello@genie.dev.

1. Data Controller

Health Zone-e, Unipessoal, Lda
Rua do Cepo, n.º 53, 2415-366 Leiria, Portugal
NIPC: PT516569929
Email: hello@genie.dev

2. Data We Collect

2.1 Account Data

When you register, we collect: name, email address, and authentication credentials. If you register via OAuth (GitHub, GitLab, or Bitbucket), we receive your public profile information and repository access tokens from those providers.

2.2 Project and Code Data (ZIPs)

When you connect a repository or upload a ZIP, we access your codebase solely to provide the service (AI analysis, preview, pull request creation). Project files are sent to isolated preview environments (Fly.io) and to our AI models. We do not use your code to train AI models or share it with third parties beyond the subprocessors listed below.

2.3 Chat History

Prompts and interactions are stored in our relational database (PostgreSQL via Railway) to provide the chat interface, context, and the Time Travel / Rollback functionality. A sliding window of the last 20 messages is sent to Anthropic's API per request. Full history is retained until account deletion.

2.4 Images and Chat Uploads

Images and files uploaded in the chat are stored in Cloudflare R2 exclusively for multimodal analysis by the AI. They have a 30-day TTL (time-to-live), after which they are automatically deleted.

2.5 Billing Data

Payment information (card number, billing address) is processed exclusively by Stripe. We never store your full card details on our servers.

2.6 Analytics Data

We use Google Analytics 4 (GA4) to collect anonymised usage data (page views, session duration, geographic region). GA4 data is collected only with your consent via our cookie banner. You may opt out at any time.

2.7 Voice Data

The speech-to-text functionality, when available, is processed entirely in your browser. Audio is never transmitted to or stored on our servers.

3. Legal Basis for Processing

Contractual necessity (Art. 6(1)(b) GDPR): Account data, code data, chat history, billing — necessary to provide the service you subscribed to.
Consent (Art. 6(1)(a) GDPR): Analytics cookies (GA4) — only collected after explicit consent via our cookie banner.
Legitimate interest (Art. 6(1)(f) GDPR): Security logging and abuse prevention.
Legal obligation (Art. 6(1)(c) GDPR): Billing records retained by Stripe as required by financial law.

4. Data Sharing with Third Parties (Subprocessors)

To operate Genie, we rely on infrastructure providers acting as our data processors under strict confidentiality agreements and Data Processing Agreements (DPAs). We use the following subprocessors:

Provider	Purpose	Location
Anthropic	AI model processing (code and chat content). Your data is not used by Anthropic to train their models, in accordance with their B2B zero-retention / no-training policy.	USA
Supabase	Authentication (JWT, OAuth)	EU
Railway	Backend (Django) and database (PostgreSQL)	USA/EU
Fly.io	Preview containers (ephemeral, your code in RAM)	EU/USA
Cloudflare R2	Storage of project ZIPs and chat images (30-day TTL)	EU
Stripe	Payment processing and billing records	USA/EU
Brevo	Transactional and marketing emails	EU
Google Analytics (GA4)	Anonymised usage analytics (consent-based)	USA
GitHub / GitLab / Bitbucket	OAuth authentication and repository access	USA

Transfers to the USA are made under Standard Contractual Clauses (SCCs) or adequacy decisions approved by the European Commission.

5. Data Retention & Privacy by Design

Project ZIPs and chat images: Auto-deleted after 30 days (Cloudflare R2 TTL), or immediately upon account deletion.
Preview containers (Fly.io): Auto-destroyed after 15 minutes of inactivity. Your code runs in RAM only and is never persisted to disk in the preview environment.
Chat history: Retained until account deletion, then deleted within 30 days.
Account data: Maintained while you have an active Genie account, then deleted within 30 days of cancellation.
Billing records: Retained by Stripe as required by Portuguese and EU financial law (typically 10 years).
Analytics (GA4): Retained for 14 months in Google's systems (industry default), anonymised.

6. Cookies

Genie uses the following types of cookies:

Strictly necessary: Authentication session cookies (Supabase). These cannot be disabled as they are essential for the service.
Analytics (optional): Google Analytics 4 cookies to measure usage. These are only set after you provide explicit consent via our cookie banner.

You may withdraw your analytics consent at any time by clicking “Manage Cookies” in the footer or by clearing your browser cookies. Withdrawing consent does not affect the lawfulness of processing based on consent before its withdrawal.

7. Your Rights (GDPR)

Under the GDPR, you have the following rights regarding your personal data:

Right of access (Art. 15): Request a copy of the data we hold about you.
Right to rectification (Art. 16): Request correction of inaccurate data.
Right to erasure (Art. 17): Request deletion of your data (“right to be forgotten”).
Right to restriction (Art. 18): Request that we limit how we process your data.
Right to data portability (Art. 20): Receive your data in a structured, machine-readable format. Note: this right only applies when processing is based on your consent or on the performance of a contract, and is carried out by automated means.
Right to object (Art. 21): Object to processing based on legitimate interest.
Right to withdraw consent: For analytics cookies, at any time without affecting prior processing.

To exercise any of these rights, contact us at hello@genie.dev. We will respond within 30 days. You also have the right to lodge a complaint with the Portuguese data protection authority:

CNPD — Comissão Nacional de Proteção de Dados
Av. D. Carlos I, 134, 1.º, 1200-651 Lisboa
T: +351 213 928 400 · F: +351 213 976 832
geral@cnpd.pt · www.cnpd.pt

8. Security

We implement appropriate technical and organisational measures to protect your data, including: HTTPS for all data in transit; access controls and authentication; ephemeral preview containers that are auto-destroyed after 15 minutes of inactivity; and strict file size limits to prevent abuse.

In the event of a data breach that poses a risk to your rights and freedoms, we will notify the CNPD within 72 hours and affected users without undue delay, as required by Art. 33–34 GDPR.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or via an in-platform notice at least 14 days before the changes take effect. Continued use of Genie after that date constitutes acceptance of the updated policy.

Health Zone-e, Unipessoal, Lda
Rua do Cepo, n.º 53, 2415-366 Leiria, Portugal
NIPC: PT516569929
hello@genie.dev