Privacy Policy

This policy explains how Geri Labs collects, uses, and protects your personal data. It applies to all Geri Labs products, including OpEx and Wallet Buddy.

Effective: 20 June 2026

UK GDPR · US CCPA

1. About Geri Labs

Geri Labs operates gerilabs.app and all associated software products, including OpEx and Wallet Buddy. We are committed to protecting your personal data under the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA).

This Privacy Policy explains what personal data we collect, how we process it, why we process it, and what rights you have. By using our products or website, you acknowledge this policy. Please read it carefully.

2. Data We Collect

We may collect the following categories of personal data:

Identity and Contact Data: Full name, email address, and username.

Usage Data: Pages visited, features used, timestamps, session duration, and error reports.

Financial Data (Wallet Buddy): Account balances, transaction records, bill amounts, and card details processed via secure third-party integrations. We do not store raw card numbers.

Operational Data (OpEx): Business spend categories, vendor names, invoice amounts, renewal dates, and workflow data you submit.

AI Interaction Data: Prompts, queries, and outputs generated through our AI-powered features.

Device and Technical Data: IP address, browser type, device identifiers, and operating system.

Communications Data: Emails, support messages, and feedback you send us.

3. How We Use Your Data

We use your personal data to:

— Provide, operate, and improve our software products (OpEx, Wallet Buddy).
— Power AI-assisted features including spend intelligence, financial summaries, and decision support.
— Send transactional communications such as account confirmations, security alerts, and product updates.
— Respond to support requests and feedback.
— Comply with legal obligations.
— Prevent fraud and ensure platform security.
— Conduct internal analytics to improve product performance.

We do not use your personal data for unsolicited marketing without your explicit consent.

4. Legal Bases for Processing (UK GDPR)

We rely on the following legal bases under Article 6 UK GDPR:

Contract (Art. 6(1)(b)): Processing is necessary to deliver the services you have signed up for.

Legitimate interests (Art. 6(1)(f)): To improve our products, prevent fraud, and maintain platform security, provided these interests are not overridden by your rights.

Legal obligation (Art. 6(1)(c)): To comply with applicable legislation.

Consent (Art. 6(1)(a)): Where we ask for your explicit consent, such as for marketing communications. You may withdraw consent at any time without affecting prior processing.

Where we process special category data, we rely on explicit consent under Article 9(2)(a) or another applicable condition under Schedule 1 of the Data Protection Act 2018.

5. AI Data Processing

Our products OpEx and Wallet Buddy use artificial intelligence and machine learning to surface insights from data you provide. The following commitments apply to all AI processing:

— Your data is processed securely and is never used to train third-party AI foundation models without your explicit prior consent.
— AI-generated outputs (spending summaries, vendor risk signals, bill predictions) are decision-support tools, not autonomous decisions. You remain fully in control.
— We use zero-data retention API agreements with AI infrastructure providers where technically feasible.
— Sub-processors used for AI inference are contractually bound to equivalent data protection standards.
— You have the right to request a human review of any AI-assisted outcome that materially affects you, consistent with Article 22 of UK GDPR.

AI interaction logs are anonymised after 30 days unless retention is legally required.

6. Sharing Your Data

We do not sell, rent, or trade your personal data to third parties. We may share data in limited circumstances:

Service providers: Cloud infrastructure, analytics, customer support tools, and payment processors. All are bound by written data processing agreements and may only process data under our documented instructions.

AI sub-processors: Third-party model providers used to power AI features, governed by strict contractual data handling requirements.

Legal authorities: Where required by applicable law, a court order, or to protect the rights, property, or safety of our users or the public.

Business transfers: In the event of a merger, acquisition, or asset sale, your data may be transferred as part of that transaction. We will provide notice and ensure equivalent protections are maintained.

7. International Data Transfers

Your data may be transferred to and processed in countries outside the United Kingdom. Where such transfers occur, we ensure appropriate safeguards are in place, which may include:

— UK adequacy regulations for countries deemed to provide an adequate level of protection.
— International Data Transfer Agreements (IDTAs) approved by the Information Commissioner’s Office.
— Standard Contractual Clauses or equivalent mechanisms ensuring your data receives the same level of protection as inside the UK.

You may contact us to obtain a copy of the relevant transfer mechanism.

8. Your Rights Under UK GDPR

If you are based in the United Kingdom, you have the following rights:

— Right of access: Request a copy of the personal data we hold about you.
— Right to rectification: Ask us to correct inaccurate or incomplete data.
— Right to erasure: Ask us to delete your data where there is no compelling reason for continued processing.
— Right to restriction: Ask us to restrict processing in certain circumstances.
— Right to data portability: Receive your data in a structured, machine-readable format.
— Right to object: Object to processing based on legitimate interests.
— Rights related to automated decision-making: Request human review of decisions made solely by automated means, including AI systems.

To exercise any of these rights, contact us at privacy@gerilabs.app. We will respond within 30 days. If you are unsatisfied with our response, you have the right to lodge a complaint with the Information Commissioner’s Office (ICO) at ico.org.uk.

9. Your Rights Under US CCPA / CPRA

If you are a California resident, you have the following rights under the California Consumer Privacy Act and California Privacy Rights Act:

— Right to know: What personal information we collect, the purposes of collection, and how it is used or disclosed.
— Right to delete: Request deletion of personal information we hold about you, subject to certain exceptions.
— Right to correct: Request correction of inaccurate personal information.
— Right to opt out of sale or sharing: We do not sell your personal information or share it for cross-context behavioural advertising.
— Right to limit use of sensitive personal information: To restrict how we use sensitive data categories beyond necessary service delivery.
— Right to non-discrimination: We will not penalise you for exercising your privacy rights.

To submit a verifiable consumer request, email privacy@gerilabs.app. We will respond within 45 calendar days, with a possible 45-day extension where reasonably necessary.

10. Data Retention

We retain your personal data for as long as your account is active or as necessary to provide our services. Where you close your account, we will delete or irreversibly anonymise your personal data within 90 days, unless we are required to retain it longer to comply with a legal obligation or for legitimate business purposes such as fraud prevention or dispute resolution.

Financial data processed through Wallet Buddy is retained only for as long as required to deliver the service or meet applicable regulatory obligations. AI interaction logs are anonymised within 30 days.

11. Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, disclosure, alteration, or destruction. These measures include:

— Encryption in transit (TLS 1.2+) and at rest (AES-256).
— Strict access controls and least-privilege principles for internal systems.
— Regular internal security assessments and monitoring.
— Documented incident response procedures.

No method of transmission over the internet is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority within 72 hours where required by law.

12. Cookies and Tracking Technologies

Our website and products use cookies and similar technologies to support functionality, remember your preferences, and analyse performance. Types of cookies we use include: essential cookies (required for the service to function), functional cookies (to remember your settings), and analytics cookies (to understand usage patterns).

You can manage your cookie preferences through your browser settings at any time. Please note that disabling certain cookies may affect the functionality of our products.

13. Children’s Privacy

Our products and website are not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child under 16, please contact us at privacy@gerilabs.app and we will promptly delete that information.

14. Changes to This Policy

We may update this Privacy Policy periodically to reflect changes in our practices, legal requirements, or product features. Material changes will be communicated by email or via a prominent notice on our website at least 14 days before taking effect. The effective date at the top of this document will always reflect the most recent revision.

Continued use of our products after any update constitutes your acceptance of the revised policy.

15. Contact and Data Controller

Geri Labs is the data controller for personal data processed under this policy.