Legal
Privacy policy
How GeFi collects, uses, and protects personal data.
This document has not yet been reviewed by legal counsel. Final version to be published before public launch. Do not rely on it for legal compliance today.
Who we are
GeFi (the “Service”) is operated by GeFi Ltd. (“we”, “us”). We are the
controller of personal data processed via the marketing site
(gefi.io) and the application (app.gefi.io). When we process
personal data on behalf of a customer (for example, end-user data
submitted to a model), we do so as a processor under our
Data Processing Agreement.
What we collect
- Account data. Name, email, company, role.
- Identity verification. When required, name, address, ID document, and liveness checks via our KYC subprocessor (Sumsub).
- Usage data. Inference calls, model subscriptions, audit log entries.
- Billing data. Card / wallet data is held by Stripe; we hold the last four digits and the billing address.
- Telemetry. Anonymised aggregate metrics for product analytics.
What we don’t collect
- We do not sell personal data.
- We do not use behavioural advertising trackers on the marketing site.
- We do not embed third-party scripts on dashboard surfaces beyond what is strictly required to operate the Service.
Lawful basis for processing
We rely on the following lawful bases under GDPR / UK GDPR Article 6:
| Processing activity | Lawful basis |
|---|---|
| Creating and operating your account; delivering the Service; taking payment. | Performance of a contract (Art. 6(1)(b)). |
| Authentication, MFA, fraud prevention, abuse detection, and platform security. | Legitimate interest (Art. 6(1)(f)) — securing the Service for all customers. |
| Aggregate product analytics and service improvement. | Legitimate interest (Art. 6(1)(f)). |
| KYC / KYB identity verification. | Legal obligation (Art. 6(1)(c)) under applicable AML rules. |
| Hash-chained, Merkle-anchored audit logs and regulatory record-keeping. | Legal obligation (Art. 6(1)(c)) and legitimate interest of customers and regulators. |
| Marketing emails and the newsletter. | Consent (Art. 6(1)(a)); withdrawable at any time. |
Retention schedule
| Data category | Retention period |
|---|---|
| Account data (profile, preferences). | Deleted within 30 days of account closure. |
| Authentication and session data. | Session lifetime; security logs retained for 12 months. |
| Inference audit logs (hash-chained, Merkle-anchored). | 5–7 years, per the jurisdictional rules of each model. |
| Billing records and invoices. | 7 years (tax / accounting requirements). |
| KYC / KYB records. | 5 years after the end of the customer relationship, per applicable AML rules. |
| Marketing list entries. | Until you unsubscribe; suppression record kept indefinitely. |
Subprocessors
We use a small, intentional set of subprocessors. The current list is on the Compliance & Trust page, and the contractual terms under which they process personal data are set out in our Data Processing Agreement.
Your rights
You can access, export, correct, and erase your personal data from inside the dashboard, or by emailing privacy@gefi.io.
- EU / UK (GDPR, UK GDPR). You have the right to access, rectification, erasure, restriction of processing, portability, and to object to processing carried out under legitimate interest. You may withdraw consent at any time without affecting the lawfulness of prior processing. You can lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, the CNIL in France).
- California (CCPA / CPRA). You have the right to know what personal information we collect, to delete it, to correct it, to opt out of any sale or sharing (we do neither), and to limit use of sensitive personal information. You will not be discriminated against for exercising these rights.
- Other jurisdictions. We honour comparable rights under other applicable data-protection laws (LGPD, POPIA, PIPL, etc.). Contact privacy@gefi.io with the specifics of your request.
We aim to respond within 30 days (GDPR / UK GDPR) or 45 days (CCPA), extendable by a further period where the request is complex.
Cookies
See our Cookie policy for the full inventory of
cookies set on gefi.io and app.gefi.io.
Contact
Email privacy@gefi.io for privacy-related questions or requests. We aim to respond within five business days.