Privacy Policy

Last updated: April 12, 2026

At genui.sh, we take your privacy seriously. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our API service for creating shareable UI artifacts. It also describes your rights under the EU General Data Protection Regulation ("GDPR"), the UK GDPR, and the California Consumer Privacy Act as amended by the CPRA ("CCPA/CPRA").

The data controller for personal data processed through genui.sh is Eduard Maghakyan, operating as genui.sh as a sole proprietor. You can reach us at support@genui.sh.

1. Information We Collect

Account Information

When you create an account, we collect your email address for authentication purposes. We use magic link authentication, which means we do not store passwords.

Usage & Product Analytics Data

We automatically collect information about how you interact with our Service, including:

  • API request logs and timestamps
  • Artifact creation, share, and view counts
  • IP addresses and device information
  • Browser type and operating system
  • Product analytics events (e.g. sign-in, artifact creation, template switches, upgrade checkout, subscription changes) collected via PostHog

Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card numbers or banking information on our servers. We only retain your Stripe customer ID to manage your subscription.

Content Data

We store the artifacts you create through our Service, including markdown content, chart data, tables, and PDF configurations. This data is necessary to provide the core functionality of our Service.

2. How We Use Your Information & Legal Bases

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Process your transactions and manage your subscription
  • Send you technical notices and support messages
  • Respond to your comments and questions
  • Monitor and analyze usage patterns to improve user experience
  • Detect, prevent, and address technical issues or fraud
  • Enforce our Terms of Service and rate limits
  • Comply with legal obligations

Under the GDPR and UK GDPR, we rely on the following legal bases: (a) performance of a contract for account, billing, and core Service functionality; (b) legitimate interests for product analytics, security, fraud prevention, and service improvement; (c) legal obligation for tax, accounting, and regulatory compliance; and (d) consent where required by law (which you may withdraw at any time).

3. Product Analytics (PostHog)

We use PostHog to understand how users interact with genui.sh so we can improve the product. PostHog is configured to capture a limited set of product events, such as sign-ins, artifact creation, template selection, subscription upgrades, and cancellations. Events are proxied through our own /ingest endpoint and stored on PostHog's US cloud infrastructure.

PostHog may receive the following information:

  • A pseudonymous distinct user ID that we associate with your account after you sign in
  • Event names and metadata (e.g. artifact template type, plan name, content size in bytes)
  • IP address, browser, operating system, and page path
  • Cookies and similar local storage set by PostHog to maintain the distinct ID across sessions

We do not send the content of your artifacts, API keys, or email body content to PostHog. Session replay is not enabled. You can opt out of PostHog product analytics at any time by contacting support@genui.sh. PostHog acts as our data processor under a Data Processing Agreement; their privacy policy is available at posthog.com/privacy.

4. Data Storage & Security

Your data is stored securely using industry-standard practices:

  • Database: We use Neon (PostgreSQL) for primary data storage with encryption at rest
  • Caching: Upstash (Redis) is used for rate limiting and performance optimization
  • Hosting: Our application is hosted on Vercel with enterprise-grade security
  • API Keys: All API keys are hashed using SHA-256 before storage
  • Transport: All traffic is encrypted in transit using TLS

We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction. No method of transmission or storage is 100% secure, and we cannot guarantee absolute security.

5. Third-Party Services (Sub-processors)

We use the following sub-processors to operate our platform. Each operates under its own privacy policy and, where applicable, a Data Processing Agreement with us:

  • Stripe — Payment processing and subscription management
  • Vercel — Application hosting and edge network
  • Neon — PostgreSQL database hosting
  • Upstash — Redis caching and rate limiting
  • Resend — Transactional email delivery
  • PostHog — Product analytics

6. International Data Transfers

Our Service and most of our sub-processors are hosted in the United States. If you access genui.sh from the European Economic Area, the United Kingdom, Switzerland, or other regions with data protection laws, your personal data may be transferred to, stored, and processed in the United States. Where required, such transfers are protected by Standard Contractual Clauses or equivalent safeguards approved by the European Commission.

7. Data Retention

We retain your account information for as long as your account is active. Artifacts may have configurable expiration times set by you. Upon account deletion, we will remove your personal data within 30 days, except where we are required to retain it for legal, tax, accounting, or regulatory purposes. Product analytics events are retained by PostHog for up to 7 years, subject to their data retention policies. Aggregated, anonymized data may be retained indefinitely.

8. Your Rights (GDPR / UK GDPR)

If you are in the EEA, UK, or Switzerland, you have the following rights:

  • Access: Request a copy of the personal data we hold about you
  • Rectification: Request correction of inaccurate or incomplete personal data
  • Erasure: Request deletion of your account and associated data ("right to be forgotten")
  • Portability: Request a portable copy of your data in a machine-readable format
  • Restriction: Request that we restrict processing of your data
  • Objection: Object to processing based on our legitimate interests
  • Withdraw consent: Where processing is based on consent, withdraw it at any time
  • Lodge a complaint: File a complaint with your local supervisory authority

To exercise any of these rights, please contact us at support@genui.sh. We will respond within 30 days.

9. Your Rights (California — CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect and how we use it
  • Request deletion of your personal information
  • Correct inaccurate personal information
  • Opt out of the "sale" or "sharing" of personal information
  • Limit use and disclosure of sensitive personal information
  • Be free from retaliation for exercising your privacy rights

We do not sell personal information and do not share it for cross-context behavioral advertising. To exercise CCPA/CPRA rights, contact support@genui.sh. We may verify your request using the email associated with your account.

10. Cookies & Similar Technologies

We use essential cookies to maintain your session and authentication state. These cookies are strictly necessary for the operation of our Service. Our session cookies are httpOnly and secure, with a 30-day expiration period. We also use first-party analytics cookies/local storage set by PostHog to maintain a pseudonymous distinct ID so we can measure product usage. We do not use advertising or cross-site tracking cookies.

11. Children's Privacy

Our Service is not directed to children under the age of 16 and we do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.

12. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and, where required, the relevant supervisory authority within 72 hours of becoming aware of the breach, in accordance with applicable law.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any significant changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically for any changes.

14. Contact Information

If you have any questions about this Privacy Policy or our data practices, please contact us at support@genui.sh.