Privacy Policy

1. Who We Are

GEN-MAX is a web application operated in the United Kingdom, accessible at www.genmax.co.uk. For any privacy enquiries, see the contact section at the bottom of this page.

2. What Data We Collect

• Account data: Your email address (account identifier), name, phone number, and LinkedIn URL - optional fields used only to personalise your outreach templates.
• CV / Portfolio file: Stored securely if uploaded; can be attached to emails you send. Deletable at any time from Settings.
• Search history: The types of companies you have searched for and your search count.
• Sent email log: Recipient name, address, and date - to prevent duplicate outreach.
• Gmail credentials: Either a Gmail App Password (encrypted) or OAuth tokens (access + refresh token), used solely to send emails on your behalf and to check for replies from recipients you have contacted.
• API keys (optional): Stored encrypted; used only to make API calls on your behalf.
• Session data: A temporary session cookie to keep you logged in.
• Login IP address: Retained for security purposes.

3. How We Use Your Data

• To provide the GEN-MAX service: finding companies, generating personalised emails, and sending from your Gmail.
• To personalise email templates with your name, phone, and LinkedIn URL.
• To track which companies you have contacted so you are never shown duplicates.
• To enforce fair usage limits and prevent platform abuse.
• To contact you about the service where strictly necessary - no marketing emails.

4. Gmail API Access - Limited Use

When you connect Gmail via OAuth, GEN-MAX requests one scope:

• gmail.send - to send emails you have reviewed and approved inside GEN-MAX.

Specifically:

• What we do: Send only the emails you explicitly approve from inside the app. Each send is initiated by an in-app action you take.
• What we never do: Read any email in your inbox (sent or received), access your contacts, store email content after sending, or use Gmail data for any purpose beyond sending the emails you have approved.
• No AI training on your data: We do not use your Gmail data, email content, contact lists, search history, or any user interaction with GEN-MAX to train, fine-tune, or otherwise improve any artificial intelligence or machine learning models - ours or any third party's. The AI features in GEN-MAX (Anthropic Claude) operate on prompts only and do not retain or learn from your data.
• No advertising or sale: We do not sell, transfer, or use your Gmail data for advertising purposes of any kind.
• Revoking access: Disconnect at any time via Settings → Gmail & Sending → Disconnect. Disconnecting immediately deletes your stored OAuth access and refresh tokens from our database, and GEN-MAX can no longer access your Gmail account. To additionally revoke at the Google level, visit myaccount.google.com/permissions.

Our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Data Storage, Security & Retention

• All data is stored on Railway's cloud infrastructure.
• Gmail App Passwords and API keys are stored using server-side encryption.
• OAuth tokens are stored encrypted and never logged or exposed in plaintext.
• Email body content is not stored after sending - only recipient name, address, and timestamp.
• Data persists on a dedicated volume that survives application redeployments.

How long we keep your data:

• Account & profile (email, name, phone, LinkedIn, sign-in IPs): kept while your account is active; deleted within 30 days of account closure unless we are required to retain it for legal or accounting reasons.
• OAuth tokens: kept while Gmail is connected; deleted immediately when you disconnect Gmail or close the account.
• Sent-email log (name, address, date): kept while your account is active so we can prevent duplicate outreach; deleted within 30 days of account closure.
• CV / portfolio files: kept until you remove them or close your account; deleted within 30 days of removal.
• Public business data we have cached (company name, website, public email): kept up to 90 days, then deleted on a rolling schedule. This contains no personal data about you.
• Backups: residual data may persist in encrypted backups for up to 30 additional days before secure deletion.

6. Data Sharing

We do not sell, rent, or share your personal data for advertising or marketing. Data is shared only with these sub-processors to deliver the service:

• Google Maps / Places API - to search for companies. No personal data is transmitted.
• Anthropic Claude API - to generate AI responses. No personal user data is shared.
• Railway - cloud hosting. Governed by the Railway Privacy Policy.

7. Your Rights

GEN-MAX is operated from the United Kingdom and follows UK GDPR. If you are in the EU/EEA, the UK GDPR mirrors the EU GDPR and you have the same rights; if you are elsewhere (including the United States and other countries), we extend these same rights to you as a matter of policy. You have the right to access, rectify, erase, port, restrict, and object to processing of your personal data. Get in touch using the contact details below to exercise any right. We respond within 30 days.

Two specific things worth flagging:

• Right to complain (UK / EU): If you believe we have mishandled your data, you have the right to lodge a complaint with a supervisory authority. In the UK that is the Information Commissioner's Office (ico.org.uk); in the EU it is the data-protection authority of your country of residence. We would ask you to contact us first so we can try to resolve it directly.
• California residents (CCPA / CPRA): If you are a California resident you have additional rights: to know what personal information we have collected, to delete it, to correct it, to opt out of any "sale" or "sharing" of personal information (we do not sell or share your personal information in the meanings used by the CCPA / CPRA), and to non-discrimination for exercising these rights. To exercise any of these rights, contact us using the address below.
• One-click in-app deletion: You can also delete your account and all associated data immediately from Settings → Account → Delete my account. This action is irreversible.

8. International Users & Data Transfers

GEN-MAX is available to users in multiple countries, including across Europe and the Americas. Regardless of where you are based:

• Where your data is processed: Your data is stored and processed on cloud infrastructure provided by Railway, and on the systems of the sub-processors listed in section 6 (Google, Anthropic). These may be located outside your home country, including in the United Kingdom, the European Union, and the United States.
• Cross-border transfers: Where personal data is transferred internationally, we rely on appropriate safeguards (such as the UK International Data Transfer Agreement, EU Standard Contractual Clauses, or equivalent mechanisms used by our sub-processors) to protect it.
• Your local law: By using GEN-MAX you acknowledge that your data may be processed in the locations described above. You remain responsible for ensuring your own outreach complies with the laws of your country and your recipients' countries (see our Terms of Service).

9. Cookies

GEN-MAX uses a single session cookie to keep you logged in. It contains only a session identifier - no personal data. It is deleted when you log out or your session expires. We do not use advertising or tracking cookies.

10. Children

GEN-MAX is not directed at children under 13 (or the minimum age in your jurisdiction, whichever is higher). We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this policy from time to time. The date at the top always reflects the latest version. Continued use of GEN-MAX after an update constitutes acceptance of the revised policy.

12. Get in Touch

If you have any questions about this privacy policy or how your data is handled, reach out to us: