At a Glance: Privacy Policy
- What we collect: Account info, usage data, and content you upload or create
- AI processing: Content sent to Anthropic/Google for processing; according to their published API data handling policies, neither provider uses your data for model training
- We do not sell your data: Ever
- Breach notification: Without unreasonable delay after confirmation of a security incident
- Data deletion: Deleted within 90 days after account termination
- Geographic scope: US-based organizations only; EU/UK/Swiss use requires a separate DPA addendum
- Your rights: California residents have CCPA/CPRA rights (access, deletion, opt-out)
1. Introduction
1.1 Scope
This Privacy Policy ("Policy") describes how LW Group, LLC dba LW Technologies ("we," "us," "our," or "Genso") collects, uses, stores, shares, and protects personal information when you use the Genso platform and related services (collectively, the "Service").
1.2 Our Role
Our role depends on the context of the data being processed:
- As a Data Controller: We are the controller for account registration data, billing information, and Service usage data that we collect and process for our own business purposes.
- As a Data Processor/Service Provider: When your organization ("Customer") uses the Service to store and manage procedures, policies, and other content, we act as a processor (or "service provider" under CCPA/CPRA) on Customer's behalf. Our Data Processing Agreement governs this processing relationship.
If you are a Customer employee or user, your organization is the controller of the content data stored in the Service. Please refer to your organization's privacy practices for information about how they handle your data within the Service.
1.3 Geographic Scope
The Service is intended for organizations based in the United States. By creating an account, you certify that your organization is located in the United States. If your organization is in the European Economic Area, United Kingdom, or Switzerland, this Service is not authorized for your use without a separately negotiated GDPR data processing addendum. Accounts found to be operated from restricted jurisdictions may be suspended.
2. Information We Collect
2.1 Account Information
When your account is created or you register for the Service, we collect:
- Email address
- Full name
- Phone number (optional)
- Job title (optional)
- Employee ID (optional)
- Profile information you choose to provide
2.2 Organizational Information
When your organization uses the Service, we collect:
- Company name and details
- Industry classification
- Department structures
- Location information
- Organizational hierarchy data
2.3 Content Data
Through your use of the Service, we process:
- Procedures and policies you create, upload, or manage
- Document attachments and files
- Comments, annotations, and revision history
- AI processing inputs and outputs (see Section 5 for details)
2.4 Usage Data
We automatically collect information about how you interact with the Service:
- Login timestamps and session duration
- Features accessed and actions taken
- AI processing request metadata (timestamps, token counts, provider used, processing type)
- Search queries within the platform
- Navigation patterns and page views
- Custom analytics data (page views, feature usage, form interactions) collected via our in-house analytics system; no third-party analytics providers are used
2.5 Device and Technical Data
We automatically collect:
- IP address
- Browser type and version
- Operating system
- Device type and screen resolution
- Referral URLs
- Language preferences
- Device metadata used to remember trusted MFA devices (user-agent string, accept-language, accept-encoding headers); used for "remember this device" MFA trust (30-day duration)
2.6 Payment Data
When your organization subscribes to a paid plan:
- Payment processing is handled entirely by Stripe, Inc.
- We do NOT store credit card numbers, CVVs, or full payment card details
- We receive and store: billing email, subscription status, plan type, and transaction history
- Stripe processes payments in accordance with PCI DSS standards
2.7 Password Security Data
When you create or change your password, a partial cryptographic hash (first 5 characters of the SHA-1 hash) is checked against the Have I Been Pwned breach database using a k-anonymity model. Your full password and full hash are never transmitted. This check can be disabled by your administrator.
3. How We Use Your Information
We use the information we collect for the following purposes:
3.1 Service Operation
- Providing, maintaining, and improving the Service
- Processing and managing your account
- Enabling document management and collaboration features
3.2 AI Processing
- Transmitting document content to AI providers for parsing and extraction
- Transmitting prompts and context to AI providers for content generation
- Storing AI processing job records (including document text and parsed results) for job management and quality assurance (see Section 5 for details)
- Logging AI usage metadata for quota management
3.3 Authentication and Security
- Verifying your identity and authenticating access
- Managing multi-factor authentication (MFA)
- Detecting, investigating, and preventing fraudulent or unauthorized access
- Maintaining session security with appropriate timeouts
- Enforcing rate limits and security policies
- Checking passwords against known data breaches using privacy-preserving methods (k-anonymity)
- Verifying human users via CAPTCHA challenges (Cloudflare Turnstile)
3.4 Billing and Subscription Management
- Processing subscription changes and renewals
- Managing feature access based on subscription tier
- Communicating about billing events
3.5 Communications
- Sending transactional emails (account creation, password resets, security alerts)
- Delivering service announcements and updates
- Responding to support requests
3.6 Analytics and Improvement
- Understanding how the Service is used to improve features
- Monitoring Service performance and reliability
- Identifying and fixing technical issues
- Analytics are collected in-house with no third-party analytics providers
- We attempt to respect Do Not Track (DNT) browser signals where technically feasible
- Users can also disable analytics via an in-app opt-out mechanism
3.7 Legal Compliance
- Complying with applicable laws and regulations
- Responding to legal requests and preventing harm
- Enforcing our Terms of Service
- Maintaining audit trails
4. Sensitive Data
4.1 Prohibited Sensitive Data
The Service is not designed to store or process the following categories of sensitive information. You agree not to upload or submit:
- Protected Health Information (PHI): Medical records, health conditions, treatment information, or other data covered by HIPAA. LW Technologies is not HIPAA-compliant by default. Customers handling Protected Health Information must not use the Service unless a Business Associate Agreement has been separately executed in writing by both parties.
- Government-Issued Identifiers: Social Security numbers, passport numbers, driver's license numbers, or national identification numbers
- Financial Account Data: Credit card numbers, bank account numbers, or other financial instrument details
- Biometric Data: Fingerprints, facial recognition data, retinal scans, or other biometric identifiers
- Children's Data: Information relating to individuals under 13 (see Section 12)
- Classified Information: Government-classified or restricted information of any level
4.2 Content Responsibility
If your organization uploads content to the Service that incidentally contains personal information of third parties (e.g., employee names referenced in procedures), your organization is responsible for ensuring it has the appropriate legal basis and consent to process that information.
4.3 Special Category Data
We do not intentionally process special categories of personal data (as defined by data protection laws, including data revealing racial or ethnic origin, political opinions, religious beliefs, genetic data, or sexual orientation). If such data is incidentally included in content you upload, your organization bears responsibility for its lawful processing.
5. AI Data Processing
5.1 Document Parsing: What We Store
When you use AI document parsing features:
- Input: The content of uploaded documents (text and images) is stored in our database as part of the processing job record
- Output: Parsed results (extracted procedures, structured data) are stored in our database as part of the processing job record
- Metadata: Timestamps, token counts, provider used, confidence scores, processing status, and file references are logged
- File Storage: Uploaded files may be temporarily stored in our cloud storage with configurable retention periods
Document parsing job records (including input text and output results) are retained as part of Customer's data and are subject to the data retention policies described in Section 8.
5.2 Content Generation: What We Store
When you use AI content generation features:
- Input: Your prompts and context are transmitted to the AI provider but are not logged or stored by us; only metadata is recorded
- Output: Generated content is returned to your browser but is not stored by us unless you save it as part of a document
- Metadata: Timestamps, token counts, provider used, document type, and success/failure status are logged (no content)
5.3 AI Service Providers
We use the following AI providers:
- Anthropic (Claude): Document parsing and analysis
- Google (Gemini): Content generation assistance
- Ollama (self-hosted): Emergency fallback processing
All AI providers we use (Anthropic, Google) publish API data handling terms that prohibit the use of API inputs for model training or improvement. We rely on these published commitments when processing customer content through AI features. If a provider's policy changes materially, we will notify customers and evaluate alternative providers.
5.4 Data Minimization in AI Processing
We transmit only the content necessary for the requested AI processing task. We do not transmit account credentials, payment information, or unrelated Customer Data to AI providers. We review AI provider data handling practices when onboarding new providers and when providers update their terms.
5.5 User Control
- You choose when to use AI features; they are never applied automatically without your initiation
- You can use the Service without utilizing AI features
- AI processing quotas and availability vary by subscription tier
6. Automated Decision-Making
6.1 AI-Assisted Features
The Service uses AI to assist with document parsing and content generation. These features are tools that provide suggestions and draft content for your review. No automated decisions are made that produce legal effects or similarly significant effects on individuals.
6.2 Human Review Required
All AI-generated content requires human review and approval before it is used or published within the Service. The Service does not make automated decisions about user access, employment, credit, or any other matter affecting individual rights.
6.3 Rate Limiting
The Service uses automated rate limiting and progressive account lockout for security purposes (e.g., after repeated failed login attempts). These automated security measures are designed to protect your account and do not constitute profiling.
7. Information Sharing
We do not sell your personal information. We share your information only in the following circumstances:
7.1 Service Providers (Sub-processors)
We engage trusted third-party service providers who process data on our behalf:
| Provider | Purpose | Data Processed |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, file storage | Account data, content, authentication data |
| Stripe, Inc. | Payment processing | Billing information, subscription data |
| Anthropic, PBC | AI document parsing | Document content submitted for processing |
| Google LLC | AI content generation | Prompts and context submitted for generation |
| Mailjet SAS | Transactional email delivery | Email addresses, notification content |
| Functional Software, Inc. (Sentry) | Error monitoring, performance tracking | Error data, technical metadata |
| Amazon Web Services, Inc. | Cloud infrastructure | Hosted data as part of infrastructure |
| Cloudflare, Inc. | Bot protection (Turnstile CAPTCHA) | IP address, browser fingerprint, interaction data |
| Twilio, Inc. | SMS-based multi-factor authentication (optional) | Phone number, verification codes |
7.2 Sub-processor Changes
We will update the sub-processor list when we add or replace providers. If you would like to be notified of sub-processor changes, contact support@gensoapp.com to be added to our notification list. Details about sub-processor obligations and change procedures are described in our Data Processing Agreement.
7.3 Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that such action is necessary to:
- Comply with a legal obligation, subpoena, or court order
- Protect and defend our rights or property
- Prevent or investigate possible wrongdoing
- Protect the safety of users or the public
Legal Process and Government Requests
If LW Technologies receives a subpoena, court order, or government request for Customer data, we will: (a) notify the affected Customer via email within 5 business days unless legally prohibited from doing so; (b) cooperate with Customer's reasonable efforts to quash or modify overbroad requests; and (c) produce only the minimum data required by the legal obligation.
7.4 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or prominent notice within the Service of any change in ownership.
7.5 With Your Consent
We may share your information with third parties when you have given us explicit consent to do so.
7.6 Within Your Organization
Your information may be visible to administrators and authorized users within your organization as part of the Service's role-based access control system.
8. Data Retention
8.1 Account Data
- Active accounts: Retained for the duration of your account and your organization's active subscription
- Trial accounts (not converted): Retained for 30 days after trial expiration, then permanently deleted from active systems. Email notification is sent prior to deletion.
- Cancelled paid accounts: Retained for ninety (90) days following the end of your subscription. During this period, your organization's administrator may log in to reactivate the account or export data. After the retention period, data is permanently deleted from active systems. You may request earlier deletion at any time (see Section 11).
8.2 Content Data (Including AI Processing Records)
- Active use: Retained until deleted by you or your organization's administrator
- AI processing jobs: Document parsing records (including input text and parsed results) are retained as part of your organization's content data until deleted or until account termination
- Post-termination: Available for export for 30 days, then permanently deleted from active systems
8.3 AI Usage Metadata
AI usage logs (timestamps, token counts, provider, processing type; no content) are retained for up to 2 years for analytics and quota management, then deleted.
8.4 Audit Logs
Platform audit logs are retained for 2 years for security and compliance purposes, then deleted.
8.5 Payment Records
Transaction records are retained as required by applicable tax and financial regulations (typically 7 years).
8.6 Technical Logs
Server logs and error tracking data are retained for up to 90 days, then deleted.
8.7 Backup Retention
Automated backups may contain copies of the data described above. Backups are encrypted and are purged in accordance with our regular backup rotation schedule, no later than 90 days following deletion from active systems.
8.8 Data Export on Termination
Upon termination, Customer has 90 days to export all organizational data via the dashboard export feature. Exports are provided in standard JSON and CSV formats. LW Technologies will provide export assistance upon request at no charge during the 90-day window.
9. Data Security
We implement administrative, technical, and physical safeguards designed to protect your information. These measures are described in detail in our Terms of Service (Section 10: Security and Data Protection).
Key measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-Level Security (RLS) for multi-tenant data isolation
- Multi-factor authentication support
- Progressive rate limiting on authentication
- Configurable session management with idle timeouts (24-hour maximum session duration with 30-minute idle timeout)
- Audit logging of administrative and data access events
- Role-based access controls
No system is 100% secure. While we strive to protect your information using commercially reasonable measures, we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials and for reporting suspected security incidents to support@gensoapp.com.
Security Certifications
LW Technologies maintains security practices aligned with SOC 2 Trust Service Criteria. Customers may request our most recent security documentation by contacting support@gensoapp.com.
10. Data Breach Notification
10.1 Notification Commitment
In the event of a data breach that affects your personal information, we will:
- Notify affected Customers without unreasonable delay after confirmation of a security incident (defined as: credible evidence that personal data was accessed, exfiltrated, or destroyed without authorization)
- Provide a description of the nature of the breach, the categories and approximate number of individuals affected, and the likely consequences
- Describe the measures taken or proposed to address the breach
10.2 Notification Method
Notifications will be sent via email to the primary contact and billing contact associated with the affected Customer account. For breaches affecting a significant number of users, we may also post a notice within the Service.
10.3 Law Enforcement Delay
Notification may be delayed if law enforcement determines that notification would impede a criminal investigation, in which case notification will be made as soon as law enforcement determines it is appropriate.
10.4 Your Obligations
If you become aware of any unauthorized access to your account or Customer Data, you should notify us immediately at support@gensoapp.com.
11. Your Rights (CCPA/CPRA)
If you are a California resident, you have the following rights:
11.1 Right to Know
You have the right to request information about the categories and specific pieces of personal information we have collected, the sources of collection, the business purposes for collection, and the categories of third parties with whom we share your information.
11.2 Right to Delete
You have the right to request deletion of your personal information, subject to certain exceptions (such as legal retention obligations and data needed to complete a transaction).
11.3 Right to Opt-Out of Sale/Sharing
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising purposes.
11.4 Right to Non-Discrimination
We will not discriminate against you for exercising any of your CCPA/CPRA rights.
11.5 Categories of Personal Information Collected
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, phone number, IP address, employee ID
- Professional/Employment Information: Job title, department, organizational role
- Internet/Electronic Activity: Usage data, feature interaction within the Service, search queries, analytics session identifiers, marketing attribution data (UTM parameters)
- Commercial Information: Subscription and billing records
How to Exercise Your Rights
To exercise any of these rights, contact us at support@gensoapp.com. We will verify your identity before processing your request. You may also designate an authorized agent to submit requests on your behalf.
12. Children's Privacy
12.1 Age Restriction
The Service is not intended for individuals under the age of 16. We do not knowingly collect personal information from children under 13 as defined by the Children's Online Privacy Protection Act (COPPA).
12.2 FERPA
The Service is not designed for use in K-12 educational settings. We do not knowingly collect information subject to FERPA (Family Educational Rights and Privacy Act). If your organization operates in an education context, you are responsible for ensuring compliance with these regulations before uploading any student data.
12.3 Remediation
If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly. If you believe we have collected information from a child under 16, please contact us at support@gensoapp.com.
13. Cookies and Tracking Technologies
Our use of cookies and similar tracking technologies is described in our Cookie and Tracking Technologies Policy. Please refer to that document for detailed information about the specific technologies we use, their purposes, and how to manage them.
14. International Users
14.1 US-Based Processing
The Service is hosted and operated in the United States. All data is stored and processed in the United States.
14.2 Not Targeted at International Users
As stated in Section 1.3, the Service is intended for organizations based in the United States. We do not intentionally market to or provide the Service to individuals in the European Economic Area, United Kingdom, Switzerland, or other jurisdictions with comprehensive data protection legislation.
14.3 Acknowledgment
If you choose to access the Service from outside the United States, you acknowledge that your information will be transferred to and processed in the United States, where data protection laws may differ from those in your jurisdiction. Your use of the Service constitutes your acknowledgment of this transfer.
15. Changes to This Policy
15.1 Notification
We may update this Privacy Policy from time to time. When we make material changes, we will:
- Update the "Effective Date" at the top of this Policy
- Update the version number
- Make reasonable efforts to notify you of material changes before they take effect via email and/or in-app notification
- Summarize the material changes in the notification
15.2 Review
We encourage you to review this Policy periodically to stay informed about our data practices.
16. Contact Information
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: support@gensoapp.com
17. Governing Law and Jurisdiction
This Privacy Policy is governed by and construed in accordance with the laws of the State of Delaware, without regard to its conflict of law principles. Any dispute arising under this Privacy Policy shall be resolved pursuant to the dispute resolution and arbitration provisions in our Terms of Service.
This Privacy Policy was last updated on March 10, 2026.
For questions about our legal documents, please contact us at support@gensoapp.com
