Privacy Policy

Last updated: May 14, 2026

Summary in plain language

We collect only what we need to give you a working checklist tool: account email, the lists you save, and basic technical data. We don't sell your data. EU and California residents have specific rights you can use any time.

1. Who we are

This Privacy Policy describes how GeneChecklist ("we", "us", the "Service") collects, uses, and shares personal information when you use genechecklist.com and related services.

For any privacy question or to exercise your rights, contact us at privacy@genechecklist.com.

2. Information we collect

2.1 Information you give us

  • Account data — email address and password (the password is hashed; we never see it in plain text). If you sign in with Google, we receive your verified email and basic profile info from Google.
  • Checklist content — titles, descriptions, items, notes, categories, and any logo image you upload.
  • Subscription data — when you upgrade to Pro, billing details are handled by Stripe; we receive only your customer ID and subscription status.
  • Communications — emails you send to our support address.

2.2 Information we collect automatically

  • Usage data — pages visited, features used, time on site, and approximate location derived from your IP address.
  • Device data — browser type, operating system, screen size, referrer URL.
  • Cookies and similar technologies — see our Cookie Policy for the full list and your choices.

2.3 AI feature inputs

When you use AI suggestions, your prompt and existing checklist items are sent to Anthropic (our AI provider) for processing. Anthropic does not use this data to train its models per its standard API terms. We do not store the AI prompt beyond the immediate request.

3. How we use your information

  • Provide the checklist building, saving, sharing, and PDF download features you request.
  • Authenticate you and keep your account secure.
  • Process Pro subscription payments via Stripe.
  • Send transactional emails (account confirmation, password reset, receipt, welcome).
  • Monitor and improve the Service, measure aggregate traffic, debug errors.
  • Show advertising on free template pages to support the free tier (Pro accounts see no ads).
  • Comply with legal obligations and enforce our Terms.

4. Legal bases (for EU/UK users)

Under the GDPR / UK GDPR, we process your personal data on the following bases:

  • Contract — to provide the Service you signed up for.
  • Legitimate interest — to keep the Service secure, and to debug and improve it.
  • Consent — for non-essential cookies, analytics, advertising, and marketing emails.
  • Legal obligation — to keep tax/billing records.

5. Sharing with third parties

We do not sell your personal data. We share data only with the processors that operate the Service:

  • Supabase (database + authentication hosting)
  • Vercel (web hosting and CDN)
  • Anthropic (AI suggestions)
  • Stripe (subscription payments)
  • Resend (transactional email delivery)
  • Google (Google Sign-In, and Google AdSense for advertising on free pages)

Each is bound by a data processing agreement (DPA) or equivalent contractual safeguards. International transfers (e.g. EU to US) rely on Standard Contractual Clauses where applicable.

We may disclose information when required by law, court order, or to protect rights, property, or safety.

6. Cookies and advertising

We use strictly necessary cookies (for sign-in and security) without consent. Analytics and advertising cookies are set only with your consent (EU/UK) or with the option to opt out (US/other regions). See our Cookie Policy for details and to change your preferences.

Google AdSense may use cookies to serve ads. Google's advertising practices and your controls are described at policies.google.com/technologies/ads. Pro subscribers do not see ads.

7. Data retention

  • Account data — kept while your account is active; deleted within 30 days of an account deletion request.
  • Saved checklists — kept while your account is active; you can delete individual lists any time.
  • Billing records — kept 7 years for tax/audit obligations (regardless of account deletion).
  • Server logs — anonymised after 30 days.
  • Email delivery logs — kept 90 days by our email provider.

8. Your rights

8.1 All users

You can:

  • Access and download a copy of your data from your dashboard.
  • Update or correct your data.
  • Delete your account and associated data.
  • Withdraw consent for any optional processing.

8.2 EU / UK residents (GDPR)

You additionally have the right to:

  • Object to processing based on legitimate interest.
  • Restrict processing in certain circumstances.
  • Receive your data in a portable, machine-readable format.
  • Lodge a complaint with your local supervisory authority.

8.3 California residents (CCPA / CPRA)

You additionally have the right to:

  • Know what personal information we collect, use, and disclose.
  • Delete personal information we hold about you.
  • Correct inaccurate personal information.
  • Limit the use of sensitive personal information.
  • Opt out of "sale" or "sharing" — you can do this any time via the Do Not Sell or Share My Personal Information link in our footer or by emailing us. We do not sell personal data in the traditional sense, but Google AdSense's use of cookies may constitute "sharing" under CPRA.
  • Non-discrimination for exercising these rights.

To exercise any right, email privacy@genechecklist.com. We respond within 30 days (or 45 days for CCPA requests, extendable to 90 with notice).

9. Children

GeneChecklist is not directed at children under 13 (under 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us data, contact us and we will delete it.

10. Security

We protect your data with industry-standard measures: HTTPS for every connection, passwords hashed with bcrypt, row-level access controls on the database, security headers (CSP, HSTS), and access logging. No system is perfectly secure; if you discover a vulnerability, please email security@genechecklist.com.

11. Changes to this policy

We may update this policy. If we make material changes we'll notify you by email and via a banner on the site. The "Last updated" date at the top reflects the most recent revision.

12. Contact

Questions about your data, this policy, or your rights:
Email: privacy@genechecklist.com