
GenForge Privacy Policy

Version 2.1 · in force as of 27 April 2026

This Policy describes the processing of personal data of Consumers (Art. 2(1) Directive 2011/83/EU; Art. 22¹ Polish Civil Code), Traders (Art. 43¹ Polish Civil Code) and Individual-Entrepreneurs-Consumers (Art. 385⁵ Polish Civil Code). It complements the Terms of Service, in particular § 14 (DPA).

§ 1. Data Controller

The data controller is Usługi IT Patryk Łuba, ul. Kwiatowa 6, 07-705 Troszyn, Poland, Tax ID (NIP) 758-237-97-73 (hereinafter: the "Controller").

Contact: contact@genforge.tech

The Controller has not appointed a Data Protection Officer (DPO) — based on the assessment under Article 37 GDPR, the activity does not require it (no large-scale data processing, no systematic large-scale monitoring of individuals, no large-scale processing of special categories of data). Please contact the Controller directly for data protection matters.

§ 2. Legal Bases for Processing

  • Art. 6(1)(a) GDPR — consent of the data subject (e.g. consent to marketing, consent to analytical cookies).
  • Art. 6(1)(b) GDPR — performance of a contract (Service provision, Account management, payment processing, AI Content generation).
  • Art. 6(1)(c) GDPR — compliance with legal obligations (issuing invoices and receipts, tax bookkeeping, DSA obligations, handling complaints, AI Act obligations).
  • Art. 6(1)(f) GDPR — legitimate interests of the Controller (security monitoring, abuse prevention, claim enforcement and defence, marketing of the Controller's own services to existing customers).

§ 3. Scope of Data Collected

3.1. Data provided by the User

  • E-mail address (registration, login, communication).
  • First and last name (optional, for Consumers — for invoicing; for businesses — representative).
  • Company data: name, Tax ID, EU VAT number, address (B2B invoicing).
  • Receipt / personal invoice data for Consumers.
  • Country of residence and currency (pricing personalisation, VAT OSS settlement).
  • Language and marketing preferences (consent and timestamps of grant/withdrawal — accountability under Art. 7 GDPR).
  • Age declaration (≥ 16 — § 3 par. 5 of the Terms).
  • Consumer statements: status as Consumer / Individual-Entrepreneur-Consumer; statement requesting commencement of performance and the resulting loss of the right of withdrawal (§ 3b of the Terms) — together with timestamps.
  • Password (stored hashed using a modern industry-standard algorithm; the Controller has no access to the password in plain text).
  • Referral programme data (§ 4a of the Terms): an automatically generated individual referral code; the identity of the referrer where registration took place via a referral link or by entering a code; the history of credits granted and used.

3.2. Data collected automatically

  • IP address, browser and device information (User-Agent) — used for enforcing Plan limits, abuse prevention and statistics. IP addresses are treated as Personal Data in line with CJEU case-law (Breyer, C-582/14).
  • Cookies (details in § 8).
  • Server logs (access dates and times, requested resources, response codes).
  • Usage data (number of AI generations, processed model units, pageviews of the User's Portals) — internal Controller analytics.
  • Portal visit telemetry: aggregated daily statistics of pageviews and referring host names, presented to the User in their Portal dashboard. The Controller does not store full IP addresses of Portal readers nor identifiers of specific visitors.
  • Subscription and churn metadata: dates of conclusion, expiry, current status, the date of the last Plan change — necessary for subscription handling, payment dunning and reactivation campaigns.

3.3. Portal content and AI prompts (separate category)

  • Portal description (AI prompt), titles of published articles, categories, tags, authors (defined by the User).
  • Content of generated and published articles.
  • Portal configuration: selected theme, hero settings, footer, SEO, Google Analytics key (if configured).
  • Webhook URL (Enterprise) — the external endpoint to which generation notifications are sent; the Controller does not read or log webhook responses.

3.4. Data processed by third parties (details in § 5)

  • Stripe — payment data (the Controller does not store full card data).
  • Anthropic (Claude AI) — prompts, titles, categories and niche descriptions transmitted for article generation.
  • Google (GA4, Search Console) — if integration has been enabled by the User.
  • Pexels — queries for stock photos (no Personal Data of the User).
  • Sentry — error events (IP address, e-mail, stack trace).
  • Hetzner (hosting and Object Storage) — database and media storage.
  • Internal in-memory cache and task queue server — within the Controller's infrastructure (EEA).

§ 4. Purposes of Processing

| Purpose | Legal basis | Retention |
|---|---|---|
| Service provision (Account, Portals, AI Content generation) | Art. 6(1)(b) | Duration of contract + 30 days retention before deletion |
| Invoicing and tax settlement | Art. 6(1)(c) | 5 years from the end of the tax year |
| Complaint handling | Art. 6(1)(c) | 3 years from settlement (B2B limitation period) or 6 years (Consumer) |
| Consumer consents (waiver of right of withdrawal, marketing consent) | Art. 6(1)(a) + Art. 7 GDPR (accountability) | 3 years from withdrawal of consent or contract termination |
| Marketing of the Controller's own services to customers | Art. 6(1)(f) / Art. 6(1)(a) — consent for e-mail marketing | Until consent is withdrawn / objection raised |
| Referral programme — attribution, credit accrual, payout on the next invoice (§ 4a of the Terms) | Art. 6(1)(b) — performance of the referral-programme contract | Term of the referrer/referee Account + 6 years for accounting |
| Detection of abuse in the referral programme (self-referrals, multi-account chains) | Art. 6(1)(f) — legitimate interest in protecting programme integrity | 3 years from the end of the campaign |
| Reactivation campaigns (winback) — § 11a par. 7 of the Terms | Art. 6(1)(a) — marketing consent of an existing customer + Art. 13 ePrivacy Directive 2002/58/EC | Up to 60 days from churn or until consent is withdrawn / objection raised |
| Notifying search engines about new/modified articles (§ 7 par. 8 of the Terms) | Art. 6(1)(b) — performance of contract (provision of SEO features) | No retention by the Controller beyond server logs |
| Analysis of Service usage, security | Art. 6(1)(f) | 90 days (logs), 24 months (aggregated statistics) |
| Abuse prevention (rate limit, anti-fraud) | Art. 6(1)(f) | 90 days |
| Claim enforcement and defence | Art. 6(1)(f) | Until claims are time-barred (3 years B2B, 6 years Consumer) |
| Handling DSA notices (notice & action, appeals) | Art. 6(1)(c) — DSA obligations | 5 years from settlement (Art. 16(5) DSA) |
| Error monitoring (Sentry) | Art. 6(1)(f) | 90 days |

§ 5. Data Recipients (current sub-processor list)

| Provider | Scope | Location | Transfer basis |
|---|---|---|---|
| Stripe, Inc. | Payments and subscriptions | USA / Ireland (Stripe Payments Europe Ltd) | SCC (2021/914) + EU-US DPF |
| Anthropic, PBC | AI Content generation (Claude API) | USA | SCC (2021/914) |
| Hetzner Online GmbH | Application and database server hosting | Germany (EEA) | |
| Hetzner Object Storage | Media storage (photos, logos, invoice PDFs) | Germany / Finland (EEA) | |
| Functional Software, Inc. (Sentry) | Error and performance monitoring. Scope: error trace, sequence of actions preceding the error, request metadata (URL, method, parameters), the identifier of the logged-in User and IP address. Sensitive authentication headers and request bodies are filtered before transmission. | USA | SCC (2021/914) + EU-US DPF |
| Google Ireland Ltd. | Google Analytics (GA4) only after explicit consent; Google Search Console (Pro+ integration only) | Ireland / USA | SCC + EU-US DPF |
| Pexels GmbH (Canva group) | Stock photos (text queries only, no User Personal Data) | Germany (EEA) | |
| Microsoft Corporation (notification of search engines about content changes — IndexNow) | Notifying participating search engines about new or modified URLs. Only public URLs and the Portal hostname are transmitted — no User Personal Data. | USA | SCC (2021/914) + EU-US DPF |
| Public authorities | Solely under applicable law | Poland / EU | |

The list of sub-processors is updated as changes occur. Notice of changes is given pursuant to § 14 of the Terms of Service (30 days' prior notice).

§ 6. Transfers Outside the European Economic Area

Data may be transferred to the USA (Stripe, Anthropic, Sentry, Google, Microsoft IndexNow) on the basis of:

  • Standard Contractual Clauses (SCC) approved by Commission Implementing Decision (EU) 2021/914,
  • EU-US Data Privacy Framework (DPF), where the recipient is certified,
  • Binding Corporate Rules (BCR), where applicable.

Other sub-processors (Hetzner Online GmbH, Hetzner Object Storage, Pexels GmbH) operate within the EEA — no transfer outside the EEA takes place.

§ 7. Rights of the Data Subject

  • Right of access (Art. 15 GDPR) — to obtain a copy of the data.
  • Right to rectification (Art. 16 GDPR) — to correct inaccurate data.
  • Right to erasure ("right to be forgotten") (Art. 17 GDPR).
  • Right to restriction of processing (Art. 18 GDPR).
  • Right to data portability (Art. 20 GDPR) — in a structured format (JSON/CSV).
  • Right to object (Art. 21 GDPR) — to processing based on legitimate interest, and to direct marketing.
  • Right to withdraw consent (Art. 7(3) GDPR) — at any time, without affecting the lawfulness of processing before withdrawal.
  • Right not to be subject to automated decision-making (Art. 22 GDPR) — see § 10a.

Exercise of rights: contact@genforge.tech or via the contact form at genforge.tech/contact. We respond within 30 days; in justified cases, the period may be extended by 2 months with appropriate reasoning.

Note — distinction of timeframes: the 30-day timeframe applies to data-subject requests under GDPR (DSAR — Art. 12(3) GDPR). The 14-day timeframe in § 12 of the Terms of Service concerns commercial complaints under the Polish Consumer Rights Act and does not displace GDPR obligations.

Disconnecting the Google Search Console integration. A User who has connected their Account to Google Search Console (Pro+ Plan) may disconnect the integration at any time from the dashboard (SEO → Google Search Console → Disconnect). Upon disconnection the Controller immediately deletes the stored Google access credentials from its database and ceases issuing further requests on the User's behalf. Independently, the User may revoke authorisation directly in the Google account settings: myaccount.google.com/permissions.

Self-service account deletion. The User may initiate account deletion at any time from the dashboard (Account settings → Danger zone). The flow is two-step: after the User confirms with their password we send an email containing a single-use link valid for 24 hours. Once confirmed, the account is immediately deactivated, Portals stop being available to readers, any active subscription is cancelled, and all personal data is permanently erased after a 30-day grace period during which the User can still restore the account by logging back in. After the grace period the data is automatically anonymised or removed in line with the retention periods listed in § 4. Exception: VAT invoices are retained for 5 years (Art. 112 of the Polish VAT Act) with buyer personal data anonymised (name replaced with "deleted user", address removed) — only the invoice number, amounts and VAT rate required for tax accounting remain.

Complaint to the supervisory authority. The data subject has the right to lodge a complaint with the President of the Personal Data Protection Office (PUODO), ul. Stawki 2, 00-193 Warsaw, Poland, or with the supervisory authority of the EU Member State in which they are habitually resident, in which they work or in which the alleged infringement took place.

§ 8. Cookies

The Service uses cookies in accordance with Article 5(3) of Directive 2002/58/EC (ePrivacy) and Article 173(1) of the Polish Telecommunications Act of 16 July 2004.

| Cookie | Purpose | Lifetime | Type / basis |
|---|---|---|---|
| sessionid | Session of a logged-in User | 14 days | Essential (Art. 173(3)(2) Polish Telecommunications Act) |
| csrftoken | CSRF protection | 1 year | Essential |
| django_language | Language preference (PL/EN) | 1 year | Functional |
| cookie_consent | Stores the user's cookie consent decision | 1 year | Essential |
| referral programme cookie | Referral programme attribution (§ 4a of the Terms) — remembers the referral code between clicking the referral link and Account registration | 30 days | Functional — required for the operation of the referral programme (Art. 6(1)(b) GDPR) |
| _ga, _ga_*, _gid | Google Analytics — anonymous visit statistics | up to 2 years | Analytical — requires consent (Art. 6(1)(a) GDPR) |

The Service does not use third-party marketing (advertising) cookies. Google Analytics analytical cookies are loaded only after obtaining the user's explicit consent via the cookie banner (Google Consent Mode v2). The user can change their preferences by clicking the "Cookie settings" link in the site footer — withdrawal of consent immediately blocks GA loading.

§ 9. Data Security

The Controller applies appropriate technical and organisational measures (Art. 32 GDPR), including:

  • TLS encryption of transport (certificates from a public certification authority),
  • password hashing using a modern, industry-standard algorithm (passwords are not stored in plain text),
  • encryption of database backups,
  • encryption of sensitive credentials stored in the database (including passwords for outbound mail relays configured by the Controller and credentials for the Google Search Console integration),
  • data access limited on a least-privilege basis; rate limiting on authentication and registration endpoints,
  • browser security headers (HTTPS enforcement, frame restrictions, CSRF protection, content-source policy),
  • verification of cryptographic signatures of incoming payment notifications and outgoing Enterprise notifications,
  • event logging (access logs, application logs, error monitoring),
  • regular technology-stack updates and vulnerability monitoring,
  • reviews of employee and sub-processor permissions at least annually.

§ 9a. Personal Data Breach

  1. The Controller has implemented a procedure for detecting and responding to personal data breaches.
  2. Upon becoming aware of a breach, the Controller — without undue delay and no later than within 72 hours — notifies the President of the Personal Data Protection Office, unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons (Art. 33 GDPR).
  3. Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the Controller shall without undue delay inform the data subjects in plain and intelligible language (Art. 34 GDPR). The notification shall include at least: a description of the nature of the breach, contact details, likely consequences and measures taken.
  4. The Controller maintains an internal register of all breaches (Art. 33(5) GDPR), irrespective of whether they required notification.
  5. As Processor for Users (§ 14 of the Terms), the Controller notifies the User acting as Controller of a breach within 48 hours of becoming aware of it.

§ 10. AI Data Processing (Anthropic)

  1. In the course of AI Content generation, the following are transmitted to the Anthropic (Claude) API:
    • portal configuration prompt (niche description, audience, tone),
    • existing article titles in the portal (to avoid duplicates),
    • list of portal categories,
    • basic portal information (name, domain — where published publicly),
    • list of "sister portals" (name and domain only, no prompts — to prevent cross-portal injection),
    • optionally: keywords from Google Search Console (where the integration is active, Pro+).
  2. Anthropic processes the transmitted data solely to execute the API request. Anthropic does not use API data to train its models — consistent with the Anthropic API Terms of Service in force as of the effective date of this Policy.
  3. Scope of the Google Search Console integration. Following authorisation, the Controller obtains from Google a credential allowing only the read-only retrieval of the User's Search Console data. No data is fetched from Gmail, Drive, Calendar, Contacts or any other Google service. Credentials are stored by the Controller in encrypted form (§ 9). Search Console data is synchronised once a day. The User may disconnect the integration at any time (§ 7) or revoke the authorisation in their Google account.
  4. Generated content is stored on the Controller's servers (Hetzner, Germany — EEA) and made available to the User.
  5. The User may delete generated content at any time from the dashboard; generation logs (without content) are retained for 90 days for performance-analysis and security purposes.

§ 10a. Automated Decision-Making (Art. 22 GDPR)

  1. The Controller does not take decisions concerning the User based solely on automated processing, including profiling, which produce legal effects concerning the User or similarly significantly affect them.
  2. AI Content generation by the artificial-intelligence system:
    • takes place upon the User's express request (manual or through a User-defined schedule),
    • does not constitute an automated decision within the meaning of Art. 22 GDPR — it is a content service performed on instruction,
    • generated content can at any time be reviewed, modified, rejected or deleted,
    • under the Enterprise Plan, a manual-approval mode allows publication of the generated content to be held until the User approves it.
  3. Notwithstanding the foregoing, the User has the right to human intervention, to express their own position and to contest any decision — at contact@genforge.tech.

§ 11. Roles of Controller and Processor towards Third-Party Data

  1. The Controller processes Personal Data of Service Users as an independent controller (Art. 4(7) GDPR).
  2. To the extent the User collects Personal Data of third parties through their Portal (e.g. newsletter subscribers' e-mail addresses, reader comments, contact form submissions), the legal relationship is as follows:
    • the User is the Controller of such data (they determine the purposes and means of processing),
    • the Controller (GenForge) is the Processor — processing data on behalf of and on the User's instructions pursuant to § 14 of the Terms (DPA).
  3. A Consumer who uses the Portal solely to publish their own content and does not collect data of third parties does not become a Controller in the above sense. If they activate data-collecting features (e.g. contact form, newsletter, comments), they assume the obligations of a Controller.
  4. The Controller provides the User with tools enabling them to comply with GDPR obligations towards their readers (export, deletion on request, list of sub-processors). This does not replace the User's obligation to prepare their own Portal privacy policy where required.

§ 12. Changes to the Privacy Policy

The Controller reserves the right to amend this Policy. Material changes are communicated by e-mail and in-dashboard with at least 14 days' advance notice. Continued use of the Service after the changes take effect constitutes acceptance; a User who does not accept the changes may terminate the contract in accordance with the Terms (§ 10).

Version history is available on request: contact@genforge.tech.

§ 13. Contact

  • E-mail: contact@genforge.tech
  • Postal address: Usługi IT Patryk Łuba, ul. Kwiatowa 6, 07-705 Troszyn, Poland
  • Personal data breach reports: contact@genforge.tech (subject: "Breach — GDPR")
  • Reports of illegal content (DSA Art. 16): abuse@genforge.tech

GenForge Privacy Policy version 2.1 — © 2026 Usługi IT Patryk Łuba. Main changes in version 2.1: description of the referral programme and its attribution cookie, description of reactivation campaigns, addition of a sub-processor responsible for notifying search engines about content changes (USA, on the basis of SCC + EU-US DPF), correction of the location of the stock-photo provider (EEA / Germany), clarification of the scope of error monitoring and the Google Search Console integration, introduction of the 16+ age requirement, refined rules on Portal-visit telemetry (no retention of readers' IP addresses). Contact: contact@genforge.tech · Terms of Service