Overview
The data controller for personal data processed through GenieOS is Mail Genius Ltd (registered in England & Wales, company number 17183230, registered office 71-75 Shelton Street, Covent Garden, London WC2H 9JQ, United Kingdom). GenieOS is a trading name of Mail Genius Ltd.
A "sub-processor" is any third party who processes personal data on our behalf to help us deliver GenieOS. This includes the cloud we run on, the AI models that power Genie, the payment processor that handles billing, and the email service that sends our own service notifications.
We don't currently use sub-processors for advertising, retargeting, or any kind of data brokerage. The list below is exhaustive for what's live today. If we ever add an advertising-related vendor (e.g. for marketing-site performance measurement), it'll appear here under the same 30-day notice rule described below and inside an opt-in cookie category.
Separately, when you connect a third-party platform yourself — a social network such as X, or your own email-sending provider — you direct us to share content with it on your instruction. Those platforms act as independent third parties (not our sub-processors), and their own terms and privacy policies govern what they do with the content you publish or send.
We commit to giving 30 days' notice before adding a new sub-processor. You can subscribe to changes at the bottom of this page.
Infrastructure
| Sub-processor | Purpose & data | Location | Transfer |
|---|---|---|---|
| Google Cloud Platform (Firebase) DPA / terms ↗ | Primary cloud infrastructure: Firestore (database), Cloud Functions (compute), Cloud Storage (assets), Firebase Auth (identity), Firebase Hosting (CDN/edge), Cloud Logging. All workspace content, contacts, send-event logs, account & authentication data, service logs. | United Kingdom (europe-west2, London) + EU multi-region for backups | Adequacy (UK ↔ EU); SCCs + UK IDTA for any US transfers |
Billing
| Sub-processor | Purpose & data | Location | Transfer |
|---|---|---|---|
| Stripe Payments Europe Ltd DPA / terms ↗ | Subscription billing, payment processing, invoicing, tax calculation. Billing contact, business name, billing address, VAT number, payment method (tokenised — we never see card numbers). | Ireland (EU) with global processing footprint | SCCs + UK IDTA |
AI features
| Sub-processor | Purpose & data | Location | Transfer |
|---|---|---|---|
| Anthropic, PBC DPA / terms ↗ | Powers the "Genie" assistant, content generation, copy suggestions, and the support agent. The prompts you submit to AI features (which may include content, brand notes, or contact metadata you reference) and the resulting model output. We do not permit training on your data. | United States | SCCs + UK IDTA; zero-data-retention enterprise endpoint where available |
| Google LLC (Gemini / Vertex AI) DPA / terms ↗ | Text and image generation behind selected Genie features (e.g. fast drafting, image models). The prompts you submit to those features and the resulting model output. Configured so your data is not used to train Google’s foundation models. | European Union; United States | SCCs + UK IDTA |
| OpenAI, L.L.C. DPA / terms ↗ | Selected text and image generation features (e.g. GPT image generation and prompt advisory). The prompts you submit to those features and the resulting model output. We use the API (not consumer) endpoints, which are not used to train OpenAI’s models by default. | United States | SCCs + UK IDTA |
| Recraft, Inc. DPA / terms ↗ | Vector and raster image generation behind the design / imagery surfaces. The prompts and reference imagery you submit to those features and the resulting output. | United States | SCCs + UK IDTA |
See the AI features clause in the Terms of Service for how we contractually constrain training, retention, and reuse.
Service communications
| Sub-processor | Purpose & data | Location | Transfer |
|---|---|---|---|
| MailerSend DPA / terms ↗ | Transactional email delivery for our own service emails (login codes, billing receipts, product updates). Recipient email address, message subject, message body, send-event metadata (delivered / bounced / complained). | United States; EU data residency available | SCCs + UK IDTA |
Product analytics
| Sub-processor | Purpose & data | Location | Transfer |
|---|---|---|---|
| Google Analytics 4 (Firebase Analytics) DPA / terms ↗ | Aggregate, privacy-respecting product analytics: which features are used, where errors occur, conversion funnels. Loaded only with consent in jurisdictions that require it. Pseudonymous device identifiers, page views, click events, IP-derived region (not stored). | European Union; United States | SCCs + UK IDTA; IP anonymisation enabled |
| PostHog Inc. DPA / terms ↗ | Two roles. (1) Product analytics for the GenieOS application itself — how features are used, conversion funnels, where errors occur — captured server-side (the SPA does not load the PostHog browser SDK). (2) Visitor analytics on customer-shipped landing pages (pages.genieos.pro/{ws}/{slug}), powering the per-page Performance tab and the Genie chat-driven drill-down. Customer-page visitor events are received via our own first-party reverse-proxy at pages.genieos.pro/_a/ev (ad-block resilient, scrubbed at the edge) and forwarded to PostHog. Customers never see PostHog's UI; we surface curated cards from our own backend. For the app: pseudonymous product-usage events linked to workspace / user identifiers. For customer pages: workspace-peppered cookie id (post-consent only — pre-consent visitors are counted cookieless with no identifier), page slug, parent campaign id, audience id, referrer host, UTM parameters, IP-derived country (raw IP discarded at the edge), coarse device class. Form-field values never enter the analytics stream. | European Union (Frankfurt) | Hosted in EU; IP discarded at the edge before forwarding. |
Optional sending providers
| Sub-processor | Purpose & data | Location | Transfer |
|---|---|---|---|
| Postmark, Amazon SES, Sendgrid, Mailgun (or your own SMTP) | If you connect your own sending provider, GenieOS hands the message to it for final delivery. We never become the controller of that relationship — your DPA with the provider applies directly. The full email payload (To/From/Subject/HTML/text), variables you reference, and send-event callbacks the provider sends back. | Varies by provider | Per the provider's own terms |
These appear only if you connect them in Settings → Domains. If you stick with our managed sending, none of these apply.
Notification of changes
We'll publish material changes to this list at least 30 days before they take effect, and email a notice to workspace owners. To get those notices direct to a security or procurement inbox of your choice, email [email protected] with the address you want subscribed.
You may object to a new sub-processor on reasonable grounds. If we can't accommodate the objection, you may terminate the affected portion of your subscription with a pro-rata refund.
Contact
Questions about this page, requests for DPAs, or copies of safeguards in place: [email protected].