1. Commitment to GDPR
GenieX Software OÜ is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 (GDPR). We collect, process, and store personal data responsibly, lawfully, and transparently.
As the data controller for ListsGenie.com, we are based in Estonia, an EU member state, and operate in accordance with EU data protection laws.
2. Lawful Basis for Data Processing
We process personal data only where a valid legal basis under Article 6 of the GDPR applies:
- Contractual necessity — to deliver the ListsGenie service
- Legitimate interests — service improvement, fraud prevention
- Consent — for non-essential cookies and marketing communications
- Legal obligations — e.g., accounting, tax compliance
3. Data Subjects' Rights
Under the GDPR, you have the right to:
- Access your personal data
- Rectify inaccurate data
- Delete your data ("right to be forgotten")
- Restrict or object to processing
- Withdraw consent at any time
- Data portability — receive your data in a structured format
To exercise these rights, contact:
📧 support@listsgenie.com or use the Support section in your dashboard to open a ticket.
We respond to all GDPR requests within 30 days.
4. Data Collection & Storage
We collect and store the following categories of personal data:
- Name, email address, and hashed password
- Subscription details and payment data (via Stripe)
- AI usage activity (non-personal)
- IP address and browser metadata
Data is stored on secure servers located in the United States, operated by GDPR-compliant infrastructure providers. We ensure that appropriate safeguards (such as encryption and limited access) are in place for transatlantic data storage.
5. Third-Party Processors
We work only with GDPR-compliant subprocessors including:
- Stripe (payments)
- OpenAI (AI generation; no personal data is sent in prompts)
- Cloud & support platforms (for hosting and customer service)
All subprocessors are bound by Data Processing Agreements (DPAs) and Standard Contractual Clauses where applicable.
6. International Data Transfers
As our primary infrastructure is located in the United States, personal data may be transferred outside the European Economic Area (EEA).
We ensure lawful international data transfers under:
- Standard Contractual Clauses (SCCs) adopted by the European Commission
- Supplementary safeguards, including data encryption, limited access, and secure transit
- Due diligence and audits of subprocessors to verify compliance
We do not transfer sensitive or special-category data under Article 9 of GDPR.
7. Data Security Measures
- SSL encryption (HTTPS)
- Encrypted storage and backups
- Limited internal access to personal data
- Role-based access control
- Regular security reviews
8. Data Retention
We retain data:
- As long as your account remains active
- Up to 6 months after account closure (for legal compliance)
- Transactional records may be kept longer for audit and taxation
9. Supervisory Authority
If you believe your rights under GDPR have been violated, you have the right to file a complaint with your national data protection authority.
As our company is based in Estonia, our lead supervisory authority is: