gentic

Privacy Policy

Last updated: April 18, 2026

1. Introduction

This policy describes how Gentic ("we", "us") collects, uses, stores, and protects information when you use gentic.co, the Gentic MCP servers (mcp.gentic.co), Gentic Computer (computer.gentic.co), and related services (together, the "Service"). It applies to individual users, organization members, and visitors.

2. What we collect

When you use Gentic, we collect:

  • Account info: name, email address, and password (hashed with bcrypt)
  • Organization data: organization name, slug, logo, and member roles
  • Usage data: tool calls, credit transactions, API key metadata, and session logs
  • Content you provide: brand profiles, campaign context, uploaded files, and any data you enter into tools
  • Integration data: OAuth tokens and API credentials for connected third-party services (Google Ads, Slack, Meta, PostHog, Telegram, etc.). Tokens are encrypted at rest with AES-256-GCM using keys managed outside the database
  • Google user data: when you connect Google Ads, we access campaign, ad group, keyword, and performance data on your behalf via the Google Ads API — see section 6 for details
  • Billing data: payment processing is handled by Stripe — we don't store your card details or bank information
  • Analytics: product usage analytics and event data to improve the service
  • Communications: support requests, newsletter subscriptions, and account emails

3. How we use it

  • Provide and operate the Gentic platform and agent-facing tools
  • Execute the specific actions you (or your agent) request — e.g. running a campaign analysis, generating a brand identity, or sending a Slack message
  • Process payments and manage your credit balance
  • Send transactional emails (account verification, password resets, billing receipts)
  • Detect, prevent, and investigate abuse, fraud, and security incidents
  • Improve the product based on aggregated, anonymized usage patterns
  • Communicate product updates and changes
  • Comply with legal obligations

We do not sell your personal data, use it to serve advertising to you, or share it with data brokers. We do not use Google user data, or user content processed through the Service, to train generalized AI or machine learning models.

4. AI and large language model providers

Gentic does not operate its own foundation models. AI-powered features are delivered by two third-party providers:

  • Anthropic — Claude models (Opus, Sonnet, Haiku) accessed via the Anthropic API
  • Google — Gemini models accessed via the Google Generative Language API

When you or your agent invoke an AI-powered tool, the inputs you provide (your prompt, business description, brand context, uploaded content, and any relevant third-party data you have authorized us to use) are sent over TLS to the selected provider so the model can generate a response. We operate under the paid API terms of both providers:

  • Anthropic and Google have contractually committed that API inputs and outputs are not used to train their generalized models.
  • Providers may retain API traffic briefly for abuse monitoring per their published policies.
  • We do not send your Google user data (Google Ads campaign data, etc.) to AI providers for training purposes; it may be included in a prompt only when necessary to fulfill a specific action you have requested (e.g. asking the agent to analyze a campaign you own).

AI output is probabilistic and may be inaccurate. Do not rely on AI-generated analyses, verdicts, names, or recommendations as legal, financial, trademark, or professional advice without independent verification.

5. Google API Services User Data Policy

When you connect Google Ads to your Gentic organization, Gentic's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, with respect to data obtained from Google APIs:

  • We access Google Ads data (campaigns, ad groups, keywords, search terms, and performance metrics) only with your authorization, via the OAuth consent flow, and only for scopes you explicitly approve.
  • We use this data solely to provide the features you request — for example, reporting performance, analyzing campaigns, generating keyword ideas, or making changes to campaigns you own through the Gentic MCP server or Gentic Computer agent.
  • We do not sell Google user data.
  • We do not use Google user data for advertising, including retargeting, personalized advertising, or interest-based advertising.
  • We do not use Google user data to train, fine-tune, or improve generalized AI/ML models (our own or any third party's).
  • We do not transfer Google user data to third parties except as necessary to provide the Service (e.g. storing data in our database infrastructure), to comply with applicable law, or as part of a merger or acquisition with continued protection of the data.
  • Human access to Google user data is restricted to (a) the account owner and organization members they authorize, (b) Gentic engineers troubleshooting a specific support ticket with your permission, and (c) where required by law.
  • You may revoke our access at any time by disconnecting the Google Ads integration from your Gentic dashboard or by visiting myaccount.google.com/permissions.

6. Data storage and security

We take data protection seriously and apply layered safeguards to protect sensitive information:

  • Encryption in transit: all traffic to gentic.co, mcp.gentic.co, computer.gentic.co, and every third-party API we use is served over TLS 1.2 or higher.
  • Encryption at rest: our primary database (Supabase PostgreSQL) encrypts storage at rest. Third-party OAuth tokens and API keys (Google Ads refresh tokens, Slack bot tokens, Meta access tokens, PostHog keys, Telegram bot tokens) are additionally encrypted with AES-256-GCM using a key stored outside the database and rotated on a scheduled cadence.
  • Password hashing: account passwords are hashed with bcrypt — we never store or log plaintext passwords.
  • Access controls: data is isolated per organization at the application and database layer. Role-based access controls restrict production access to a small number of authorized engineers, authenticated with SSO and hardware-backed MFA.
  • Least-privilege OAuth scopes: we request only the scopes strictly needed for the features you use.
  • Secret management: API keys and service credentials are stored in Fly.io secret storage and are not checked into source control.
  • Audit logging: authentication events, integration connect/disconnect events, and admin actions are logged for security monitoring.
  • Network isolation: the application, database, and internal service APIs communicate using authenticated service-to-service tokens.
  • Regular updates: we monitor security advisories and apply updates to runtime dependencies on an ongoing basis.

7. Data retention

  • Active accounts: we retain account data for as long as your account is active.
  • Account deletion: when you delete your account, we delete personal data from our primary systems within 30 days.
  • Backups: encrypted database backups may retain deleted data for up to 35 days before being rotated out.
  • Integration tokens: OAuth tokens and API keys are deleted immediately when the integration is disconnected.
  • Billing and tax records: retained for up to 7 years to comply with legal and accounting requirements.
  • Anonymized / aggregated analytics: may be retained indefinitely in a form that does not identify you.

8. International data transfers

Gentic is operated from the United States, and our primary infrastructure (Supabase, Fly.io, MotherDuck) is hosted in the United States. If you access the Service from outside the US, your data will be transferred to and processed in the US. Where required, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) with our sub-processors for transfers of EU/UK personal data.

9. Security incident response

If we become aware of a security incident that affects your personal data, we will notify affected users without undue delay — and, where required, within the timeframes set by applicable law (e.g. 72 hours under GDPR). Notifications will describe the nature of the incident, the data affected, and the steps we are taking. You can also report a suspected security issue to support [at] gentic.co.

10. Your rights

Depending on where you live, you may have the following rights regarding your personal data:

  • Access: request a copy of the personal data we hold about you.
  • Correction: ask us to correct inaccurate or incomplete data.
  • Deletion: request deletion of your account and associated personal data.
  • Portability: request an export of your data in a machine-readable format.
  • Objection / restriction: object to or restrict certain processing (applicable under GDPR/UK GDPR).
  • Opt-out of sale/sharing: California residents may opt out of any sale or sharing of personal information — we do not sell personal information.
  • Withdraw consent: where processing is based on consent, you may withdraw it at any time.
  • Complaint: you may lodge a complaint with your local data protection authority.

To exercise any of these rights, email support [at] gentic.co. We will respond within the timeframes required by applicable law.

11. Children's privacy

Gentic is not directed to, and we do not knowingly collect personal data from, children under 16. If you believe a child has provided personal data to us, please contact support [at] gentic.co and we will take steps to delete it.

12. Cookies and analytics

We use first-party cookies for authentication and session management, and analytics tools (PostHog) to understand how people use Gentic and improve the experience. These tools may set cookies. We do not run third-party advertising trackers.

13. Changes

We may update this privacy policy from time to time. When we do, we'll update the "Last updated" date at the top. For material changes, we'll notify you by email or an in-app notice.

14. Contact

Privacy, security, or general questions: support [at] gentic.co.