Legal
Privacy Policy
Last updated: June 11, 2026 · Effective: June 11, 2026
This Privacy Policy explains how Genlytic collects, uses, stores, and protects personal data when you use our platform. It applies to all users of genlytic.app and is compliant with the Swiss Federal Act on Data Protection (revDSG, in force 1 September 2023) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Controller
The data controller responsible for processing your personal data is:
Lionel Murbach
Operating as Genlytic
Switzerland
Email: hello@genlytic.app
No Data Protection Officer (DPO) is formally designated at this stage. All data protection inquiries are handled directly by the controller at the address above.
2. Data We Collect
We collect the following categories of personal data:
| Category | Data Points | Source |
|---|---|---|
| Account data | Name, email address, profile picture | You / Clerk |
| Authentication data | Encrypted passwords, session tokens, 2FA state | Clerk |
| Billing data | Subscription plan, billing cycle, invoice history (no raw card data) | Stripe |
| Organization data | Organization name, domain, member roles, usage counters | You |
| GEO scan data | Brand names, keywords, competitor names, target URLs you enter | You |
| AI response data | Responses from AI engines we query on your behalf | AI providers |
| Usage & log data | Page views, feature interactions, error logs, IP address, browser/OS | Automatic |
| Communication data | Emails you send to hello@genlytic.app or via in-app forms | You |
We do not collect special categories of data (Art. 9 GDPR / Art. 5 DSG) and do not engage in automated decision-making that produces legal effects.
3. Legal Basis for Processing
We process your personal data on the following legal grounds:
- Contract performance (Art. 6(1)(b) GDPR / Art. 31(2)(a) DSG): Account management, scan execution, billing, and core platform features are necessary to provide the service you subscribed to.
- Legitimate interests (Art. 6(1)(f) GDPR / Art. 31(2)(b) DSG): Security monitoring, fraud prevention, service improvement, and product analytics, where these interests are not overridden by your rights.
- Legal obligation (Art. 6(1)(c) GDPR): Retaining billing and invoice records as required by Swiss tax law (10 years).
- Consent (Art. 6(1)(a) GDPR): Marketing emails and optional analytics tracking, where we ask for your consent separately.
4. How We Use Your Data
- Create and manage your account and organization
- Execute GEO scans and return results to your dashboard
- Process payments and manage your subscription via Stripe
- Send transactional emails (receipts, password reset, 2FA codes)
- Provide customer support when you contact us
- Monitor platform security and detect abuse
- Improve the platform through aggregated, anonymized usage analytics
- Send product updates and GEO intel digest (opt-in only)
We do not sell, rent, or trade your personal data to third parties. We do not use your data to train AI models without your explicit consent.
5. Sub-processors
We rely on the following third-party service providers (sub-processors) to operate the platform. All are bound by data processing agreements (DPAs) and provide appropriate safeguards for international data transfers.
| Provider | Purpose | Location |
|---|---|---|
| Clerk, Inc. | Authentication, user management, 2FA | US |
| MongoDB Atlas (MongoDB, Inc.) | Database storage | US / EU |
| Stripe, Inc. | Payment processing, billing, invoices | US |
| Vercel, Inc. | Hosting, CDN, serverless functions | US / Global |
| OpenAI, Inc. | AI-powered suggestions and brief generation | US |
| Anthropic, PBC | AI brief generation | US |
| Resend, Inc. | Transactional email delivery | US |
| Google LLC | Analytics (if enabled) | US |
6. International Data Transfers
Most of our sub-processors are based in the United States. Transfers of personal data from Switzerland or the EU to the US are governed by:
- Standard Contractual Clauses (SCCs) as approved by the EU Commission (2021/914) and recognized by the Swiss FDPIC for transfers from Switzerland.
- EU–US Data Privacy Framework for providers certified under the DPF (e.g. Google, Stripe, Vercel).
By using Genlytic, you acknowledge that your data may be transferred to and processed in countries outside Switzerland and the EU/EEA. We take all reasonable steps to ensure such transfers are protected by appropriate safeguards.
7. Data Retention
| Data Category | Retention Period |
|---|---|
| Account & profile data | Until account deletion + 30 days for recovery |
| GEO scan & analytics data | Duration of subscription + 90 days after cancellation |
| Billing & invoice records | 10 years (Swiss OR / tax law obligation) |
| Server & access logs | 90 days rolling |
| Support correspondence | 3 years from last interaction |
| Newsletter subscribers | Until unsubscribe |
8. Your Rights
Under the Swiss DSG and/or the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 25 DSG / Art. 15 GDPR): Request a copy of the personal data we hold about you.
- Right to rectification (Art. 32 DSG / Art. 16 GDPR): Correct inaccurate or incomplete data.
- Right to erasure (Art. 32 DSG / Art. 17 GDPR): Request deletion of your data, subject to legal retention obligations.
- Right to data portability (Art. 28 DSG / Art. 20 GDPR): Receive your data in a structured, machine-readable format.
- Right to restriction (Art. 18 GDPR): Restrict processing in certain circumstances.
- Right to object (Art. 21 GDPR): Object to processing based on legitimate interests, including direct marketing.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior processing.
- Right to lodge a complaint: You may lodge a complaint with the Swiss Federal Data Protection and Information Commissioner (FDPIC) at edoeb.admin.ch, or with your local EU supervisory authority.
To exercise any of these rights, contact us at hello@genlytic.app. We will respond within 30 days. We may request proof of identity before processing sensitive requests.
10. Security
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. These include:
- TLS encryption for all data in transit
- Bcrypt password hashing (factor 12)
- JWT tokens with 7-day expiry and post-password-change invalidation
- Redis-based brute-force lockout on login and password reset
- Organization-scoped database access with mandatory tenant isolation
- Token blacklisting on logout
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and, where required, inform affected users without undue delay.
11. Children
Genlytic is not directed at persons under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us at hello@genlytic.app and we will delete the information promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email or a prominent notice on the platform at least 14 days before taking effect. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of Genlytic after the effective date constitutes acceptance of the updated policy.
13. Contact
For any questions, concerns, or requests regarding this Privacy Policy or our data processing practices, please contact:
Lionel Murbach / Genlytic
Switzerland
hello@genlytic.app
We will acknowledge your request within 5 business days and respond substantively within 30 days.