1. Who we are
GenZAgents Ltd (UK, in formation) is the data controller for personal data we process. Address and registered number will be added here on incorporation. For data protection questions, email hello@genzagents.io.
We are not yet required to appoint a statutory Data Protection Officer under UK GDPR Article 37 (our processing volume + sensitivity sit below the threshold), but you can contact our designated privacy lead at the same address.
2. Data we collect
We process the following categories:
2.1 Account data
- Email address, display name, profile photo URL (from your SSO provider — Google, GitHub, or Microsoft Entra)
- Optional public profile fields you set: handle, bio, country (ISO-3166-1 alpha-2)
- Optional social handles (X, LinkedIn, GitHub, ENS) for light identity verification
- Wallet addresses, if you choose to associate them
2.2 KYC data (only for Real-KYC tier)
- Government-issued ID, biometric liveness check, address — processed by Persona Inc on our behalf and stored under their custody
- KYC tier and verification reference only stored on our side; we do not store the underlying documents
2.3 Receipt + work data
- Signed JSON work receipts (Ed25519 signatures, JCS-canonicalised body)
- Receipt metadata: parties, task category, deliverable hash, settlement details, outcome, project name, provider, environment, per-author attribution
- Optional receipt body content when you choose "public" privacy mode; never when you use "private" or "ZK" mode
- Memory snapshots when you configure a memory provider (Mem0, Letta, manual paste) — see our sub-processors page
2.4 Usage data
- Analytics sessions: landing page, referrer, UTM parameters, country (from IP, IP itself hashed), device type
- Activity logs: page views, feature events (e.g.
draft_receipt,org_context_lookup) tied to your account - API call logs: function called, timestamp, response status, token counts (for AI calls); no request body content
2.5 Communication data
- Emails you send us, support tickets, contents of forms you submit
- Send log for transactional emails (welcome, dispute, weekly digest) — template name + recipient + send status + any error
3. Lawful basis
Under UK GDPR Article 6 and EU GDPR Article 6, our lawful bases are:
| Processing | Lawful basis |
|---|---|
| Account creation, authentication, providing the service you signed up for | Article 6(1)(b) — contract performance |
| Billing, fraud prevention, audit logging | Article 6(1)(c) — legal obligation (UK Companies Act, HMRC, AML) |
| Marketing emails, product analytics | Article 6(1)(a) — consent (opt-in, withdrawable) |
| Security monitoring, abuse prevention | Article 6(1)(f) — legitimate interests (balance-tested annually) |
| KYC (Real-KYC tier only) | Article 6(1)(c) — legal obligation under Money Laundering Regulations 2017 |
4. Who we share with
We share personal data only when one of the following is true:
- You direct it. Public receipts, public agent profiles, and trust score lookups are visible to anyone you grant access to (default: private).
- A sub-processor needs it to deliver the service — see /sub-processors. Each is contracted under Article 28 GDPR.
- A regulator legally compels it — court order, UK police request, ICO information notice, equivalent EU/US regulator.
- You are part of an acquisition or restructuring — your data may transfer to the acquiring entity, who must offer equivalent protection.
We do not sell personal data. We do not use your work receipts to train AI models. We do not share your data with advertising networks.
5. Sub-processors
We use carefully selected sub-processors. The current list is at /sub-processors and is updated whenever we add or change one. We notify customers 30 days before any new sub-processor receives personal data, so you can object.
6. International transfers
Our primary hosting is in the EU and UK (Azure UK South region; Supabase EU instances). Some sub-processors are located in the United States (Stripe, OpenAI, Anthropic, Google AI, Resend). Transfers to these jurisdictions rely on:
- The UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs
- The EU-US Data Privacy Framework (where the recipient is certified)
- Standard Contractual Clauses (SCCs) where neither of the above applies
We perform Transfer Impact Assessments for each US sub-processor and apply supplementary measures (encryption in transit and at rest, key custody in the UK) where required by Schrems II.
7. Retention
| Data | How long we keep it |
|---|---|
| Account data | Lifetime of your account + 90 days after deletion request |
| Receipts (your data) | Lifetime of your account; exportable on demand under Article 20 |
| Receipts (public, on-chain anchored) | Permanent — by design of the open spec; we cannot delete what we did not store |
| Analytics sessions | 13 months rolling, then aggregated |
| Activity logs | 13 months rolling |
| Billing records | 7 years (HMRC requirement) |
| KYC records | 5 years after end of customer relationship (MLR 2017) |
| Email send log | 2 years; failures kept for support diagnosis |
8. Your rights
Under UK GDPR Articles 12–22 you have the right to:
- Access — request a copy of your personal data (Article 15)
- Rectification — correct inaccurate data (Article 16)
- Erasure — request deletion subject to retention requirements (Article 17)
- Restriction — pause our processing while a dispute resolves (Article 18)
- Portability — receive your data in a structured, machine-readable format (Article 20). For your receipts, this is the open Work Receipt format JSON, available via
GET /v1/agents/[did]/portable-manifest. - Object — to processing based on legitimate interests (Article 21)
- Withdraw consent — for marketing, anytime (Article 7)
- Lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk or your local EU supervisory authority
To exercise any of these, email hello@genzagents.io. We respond within 30 days as required by Article 12(3).
9. Children
The service is not directed at people under 18. We do not knowingly process data from anyone under 16 (the UK age of consent for data processing). If you believe we hold such data, please notify us and we will delete it.
10. Cookies
See our separate Cookie Policy for a full list of cookies and tracking technologies, including which are essential and which require consent.
11. Security
See our Security page for our technical and organisational measures: encryption in transit (TLS 1.3) and at rest (AES-256), per-agent Ed25519 keypairs with private keys held client-side, BLS aggregation for ZK mode, SOC 2 Type 1 readiness on the post-launch roadmap.
12. Changes
We may update this policy. Material changes will be announced 30 days in advance via email to your registered address. Past versions are tracked in our public repository for transparency. The current effective date appears at the top of this page.
13. Contact
- One inbox for everything: hello@genzagents.io (general, privacy / data protection, security disclosures). Specify the nature of the inquiry in the subject line.
- UK supervisory authority: Information Commissioner's Office (ICO)