Data Processing Addendum (DPA)

Effective: March 11, 2026 | Last reviewed: March 11, 2026

This DPA forms part of the agreement between GenLP LLC and the customer entity using the service. It applies when we process customer end-user data on the customer's behalf.

Scope and roles

  • Customers act as controllers for customer end-user data they collect through published pages.
  • GenLP LLC acts as processor or service provider for that data.
  • For our own account, billing, support, analytics-consent, and security data, we act as controller as described in the Privacy Policy.

Instructions, purpose, and categories

We process customer end-user data only on documented customer instructions, including the product configuration the customer enables and the support requests the customer submits.

  • Purpose: host pages, route submissions, secure the service, and provide support.
  • Data subjects: visitors and end users of customer-published pages.
  • Data categories: contact details, form submissions, IP address, device metadata, operational logs, and related support records.
  • Special-category data is not intended for this workflow unless separately agreed in writing.

Security and confidentiality

We apply technical and organizational measures appropriate to the risks of the processing, including access controls, encryption in transit, vendor security controls, logging, and restricted personnel access.

Subprocessors

Customers authorize the subprocessors listed at /subprocessors. We require those vendors to protect data through written terms appropriate to the services they provide.

Provider:Google Cloud (Firestore, Cloud Run, Cloud Storage)
Role:Infrastructure and storage
Data:Account data, generated content, public assets, logs
Purpose:Host and secure the service
Location:United States and regional locations as configured
Transfers / Notes:
Contractual safeguards and regional hosting controls as applicable
Hosts public-by-default assets for customer pages.
Provider:Cloudflare
Role:DNS, CDN, and custom-domain delivery
Data:IP addresses, request metadata, TLS and routing data
Purpose:Deliver published pages and protect availability
Location:Global network
Transfers / Notes:
Contractual safeguards and regional controls as applicable
Used for custom hostname and edge delivery flows.
Provider:Google Analytics
Role:Optional analytics
Data:Cookie and usage data when analytics is enabled
Purpose:Measure site usage and performance
Location:United States and other Google-operated regions
Transfers / Notes:
Google contractual safeguards as applicable
Analytics events are blocked until consent is granted on this surface.
Provider:Stripe
Role:Payment processor
Data:Payment details, billing metadata, transaction status
Purpose:Process subscriptions, refunds, and fraud checks
Location:United States, EU, and other Stripe-operated regions
Transfers / Notes:
Stripe contractual safeguards as applicable
Card details are provided directly to Stripe at checkout.
Provider:Resend
Role:Transactional email delivery
Data:Email address and message-delivery metadata
Purpose:Send service notices and operational messages
Location:United States
Transfers / Notes:
Contractual safeguards as applicable
Transactional email tracking pixels are not enabled by default.
Provider:Sentry
Role:Error monitoring
Data:Error reports and limited runtime metadata
Purpose:Monitor reliability and investigate incidents
Location:United States and EU regions
Transfers / Notes:
Contractual safeguards as applicable
Captures technical diagnostics, not payment content.

Changes and objections

We publish subprocessor updates at /subprocessors/changes. Requests for notice copies or objections are currently handled manually through privacy@genlp.ai.

International transfers

When customer end-user data is transferred internationally and the law requires a transfer mechanism, the parties will rely on the applicable standard contractual clauses, UK transfer addendum, or equivalent contractual safeguards, together with supplementary measures as appropriate to the processing at issue.

Data subject requests, incidents, and deletion

  • We will reasonably assist customers with data subject requests relating to customer end-user data.
  • We will notify customers without undue delay after confirming a breach affecting customer end-user data.
  • At termination or on request, we will delete or return customer end-user data unless law requires retention or short-term backup retention remains necessary for resilience.