Last Updated: July 8, 2025
1. Introduction
Welcome to Genmi, a chatbot service provided by OAO Limited (“OAO”, “we”, “us” or “our”). We respect your privacy and are committed to protecting your personal data. This Privacy Policy (“Policy”) describes how we collect, use, disclose, and protect personal information when you use the Genmi chatbot and related services (collectively, the “Service”). It also explains your rights with respect to your personal data. We pledge to comply with applicable data protection laws, including Hong Kong’s Personal Data (Privacy) Ordinance and similar laws in other jurisdictions, and to handle your personal data lawfully and responsibly.
By using Genmi, you agree that your personal data will be collected, used, and disclosed as described in this Policy. If you do not agree with these practices, please do not use the Service. If you have any questions, you can contact us at privacy@genmi.app.
2. Personal Data We Collect
We collect or obtain several types of information about you:
Information from Google Sign-In: Genmi uses Google OAuth for authentication. When you log in with your Google account, we receive certain information from Google such as your name, email address, and potentially your profile photo or other basic profile info (depending on what you agree to share on the Google consent screen). We only collect the Google profile data necessary to create and identify your account on Genmi (typically your Google ID, name, and email). This occurs with your explicit consent when you authorize our app via Google. We do not receive your Google password or any data beyond the scope we request and you approve.
User-Provided Content and Data: We collect the content you input into the chatbot, which may include text queries, messages, images, videos or other media you submit for generation or editing, or files you choose to upload (“User Content”). This information may contain personal data if you include such details in your chat with Genmi. For example, if you ask Genmi a question about your life or upload a document, any personal information contained therein is collected by our Service in order to respond to your query. Please avoid submitting sensitive personal data (such as information about your health, finances, identification numbers, passwords, or biometric information) unless it is necessary to use the Service. If you do provide sensitive data, you are consenting to our processing of that data for the purposes described in this Policy.
E-mail Data: If you connect an e-mail account (such as Gmail or another supported e-mail service), we may process e-mail metadata (sender, recipients, subject, timestamps) and message bodies that you explicitly authorise us to access in order to draft, read, send or summarise e-mails on your behalf.
Usage Data: We automatically collect certain technical information when you use Genmi. This includes log data like your IP address, device type, browser type, operating system, referring URLs, pages or features of the Service used and the time spent, timestamps of interactions (e.g. when you initiate a chat), and diagnostic data in case of errors. We may also collect analytics data about your usage patterns (for example, how often you use the chatbot, aggregate usage statistics, etc.). This information helps us understand and improve the Service and ensure it is working properly.
Cookies and Similar Technologies: Our website may use cookies or similar tracking technologies (such as local storage or session storage) to provide and optimize the Service. For instance, cookies might be used to keep you logged in via your browser or to remember your preferences. We do not use cookies for advertising, but we do use them for essential functionality and analytics. You can control cookies through your browser settings. Note that if you disable certain cookies, parts of the Service (like maintaining your session login) might not function properly.
3. How We Use Your Information
We use the collected information for the following purposes:
Providing and Operating the Service: We process your Google profile information to authenticate you and create your user account. We use your chat content and queries to generate responses from the Genmi chatbot (which involves sending your query to our language model backend, see Section 4 below). Essentially, your data is used to fulfill your requests – e.g., to answer your questions, perform searches via the chatbot, or upload and retrieve files as you direct.
E-mail Features: For connected e-mail accounts (such as Gmail or other supported services), we use your authorisation solely to draft, send, read or summarise messages as you request, and never for analytics, advertising or model training.
Service Improvement and Analytics: Usage data and analytics help us understand how users interact with Genmi so we can improve features and performance. For example, we may analyze which topics users ask about most or how long sessions last to optimize the chatbot’s capabilities. We may also use error logs and diagnostics (which could include excerpts of chat content if an error occurs during a conversation) to troubleshoot and fix bugs or issues with the Service. We use third-party analytics (such as PostHog) to assist with this – see Section 4 for details on third-party services.
Personalization: In the future, we may use your data to personalize your experience. For instance, Genmi might learn from your prior conversations to provide more relevant answers, or use your preferred language and context. (If implemented, such personalization would still comply with this Policy, and we would clarify the scope of any profiling or personalization).
Communications: If you provide us contact information (like your email via Google login), we may send you service-related communications. These include transactional emails (for example, account notices, changes to terms or policy, security alerts) or customer support responses if you contacted us. We will not send you marketing emails unless you have expressly opted in to such communications. (At launch, Genmi does not plan email marketing; if that changes, we will update this Policy and ensure compliance with opt-in requirements.)
Payments and Transactions: If you purchase a subscription or paid feature, we (and our payment processor Stripe) will use your payment information to process the transaction. We do not see your full credit card number or banking details; Stripe handles that. We do keep records of your transactions (amount, date, product purchased) linked to your account for billing history, customer support, and financial record-keeping.
Legal Compliance and Protection: We may use or disclose your information as necessary to comply with applicable laws, regulations, legal processes, or enforceable governmental requests. For example, we may process personal data to respond to a subpoena or to exercise legal rights or defend legal claims. We also use data to enforce our Terms of Service and to detect or prevent fraud, security issues, and misuse of our Service. If needed, we might use data (such as IP addresses or account information) to block malicious users and keep Genmi safe for all.
We will only use your personal data for the purposes described above or as otherwise disclosed to you. If we want to use it for a new purpose that is incompatible with the original purpose, we will obtain your consent before doing so (or do so in accordance with applicable law). We do not use your personal data for any direct marketing without your consent, and at present, we do not conduct any direct marketing via the Service.
4. Disclosure of Your Information (Third-Party Service Providers)
We value your privacy and do not sell your personal data to third parties. However, we do share certain information with third parties in the following circumstances, all in line with providing or improving Genmi, or as required by law:
Service Providers: We employ trusted third-party companies and services to support our operations. These third parties act as “data processors” on our behalf, processing data only under our instructions and for the purposes we outline in this Policy. The key service providers and partners we use include:
Amazon Web Services (AWS) – We use AWS S3 for file storage (to store any files or attachments you might upload through Genmi) and AWS CloudFront as a Content Delivery Network to efficiently deliver content to you. Personal data (like your files, and potentially backup copies of databases) may be stored on AWS servers. AWS may process basic telemetry (like IP addresses in server logs) as part of providing its infrastructure service to us.
Google Cloud / Google Gemini AI – Genmi’s chatbot intelligence is powered by Google’s Gemini API (a large language model). This means that when you input a question or message, the content of your query (and relevant context) is sent to Google’s servers to generate a response. Google processes that data to return an answer. We do not send your personal account info (like your name or email) to the Gemini API; however, any personal information you include in a chat query will inherently be transmitted to Google’s AI service to get an answer. Google is contractually bound to use that data only to provide the service to us (not for their own purposes), and Google is a company with high security standards. Nonetheless, please be aware of this external processing. (For Google login, as described, Google also provides us your basic profile data during authentication).
Replicate, Inc. – We call Replicate’s hosted image‑ and video‑generation APIs when you ask Genmi to create or edit media. Your prompt, any uploaded seed image/video and the generated media are processed on Replicate’s servers and cached for up to 30 days for abuse monitoring, consistent with Replicate’s Privacy Policy.
Google Gmail API and Similar Services – If you connect an e-mail account (such as Gmail or another supported e-mail service), Genmi processes message data only transiently (≤ 24 hours) to fulfil your request and does not use it for advertising or training. For Gmail specifically, this is in line with Google’s Limited-Use policy.
PostHog (Analytics) – We use PostHog, an analytics platform, to gather usage statistics about Genmi. PostHog helps us analyze user interactions (for example, which features are used most, or what the typical user journey is) without relying on external analytics like Google Analytics. Data such as event logs, user agent, and general location (city/region based on IP) may be collected by PostHog. We have configured PostHog to self-hosted mode (if applicable) or to not retain full IP addresses if possible, to respect privacy. Analytics data is used internally to improve the Service.
Sentry (Error Tracking) – We utilize Sentry to monitor and debug technical errors in Genmi’s application. When the app encounters an error, Sentry captures information about the error and the state of the application, which may include snippets of user identifiers or data in memory at the time of the error. This is used solely to diagnose and fix issues. We try to avoid sending any personally identifiable information in error logs. However, if any personal data is incidentally captured (for example, part of a chat message in a crash log), it will be treated as confidential and only used for troubleshooting.
Neon (Database Hosting) – Our primary user database is hosted on Neon, a cloud database service. This stores user account data (like your Google ID, name, email) and potentially your conversation history or other app data. Neon, as a host, could have access to the stored data as a processor, but they will only access it as needed to maintain the database service. We rely on Neon’s security measures (encryption at rest, etc.) to protect the database.
Upstash (Redis) – We use Upstash to host a Redis in-memory data store, which we use for caching and quick data retrieval (for example, caching recent conversation context or session information to speed up the chatbot responses). Data stored in Redis may include your session tokens or recent messages, but typically not long-term personal data. Upstash, as a provider, ensures the data is stored in memory/on disk and accessible quickly to our app; they will not use your data for any other purpose.
Vercel (Hosting Platform) – Genmi’s web interface and API are hosted on Vercel. When you interact with Genmi’s website or app, your requests go through Vercel’s servers. Vercel will process network information (IP addresses, requests, responses) as part of routing and serving the application. They may also keep logs of requests for a short period for debugging or performance (which could include IP and timestamp). Vercel acts as a processor to deliver our service to you.
Exa (Web Search Integration) – Genmi may integrate a web search feature (via a service we refer to as “Exa”) to find information on the internet when answering your queries. If you ask Genmi something that requires up-to-date web information, the Service might use Exa to perform a search. This entails sending your query (or a portion of it) to a search API, which then returns relevant results that Genmi can use to formulate an answer. In doing so, the query and your IP (and possibly a generic user agent) are disclosed to that search API. We do not give it any info identifying you personally (like your name or account info). The search results we receive may include snippets from third-party websites. We only use them transiently to provide you an answer and do not share your personal data with those websites (unless of course the query itself contains personal data).
We have entered into appropriate agreements with the above service providers to ensure your personal data is handled in compliance with applicable privacy laws and only for our Service purposes. These providers are obligated to protect your information to a standard comparable to our own safeguards. We do not allow them to use your data for their own marketing or other unrelated purposes. Moreover, we take steps (such as data encryption, access controls, and audits) to ensure any personal data sent to or stored with these providers is secure.
Payment Processor: If you make payments on Genmi (such as subscribing to a premium plan), payments will be processed by Stripe. Stripe will collect and process your payment information (e.g., credit card number, billing address) on our behalf. Stripe’s handling of your data is governed by Stripe’s own Privacy Policy and Terms of Service. We do not receive or store your sensitive payment card details from Stripe; we only receive confirmation of payment and basic details like the last four digits of your card, card type, and a payment token or ID, which we use for record-keeping and to handle billing issues. We may share your name, email, and order amount with Stripe to facilitate the transaction and receipt issuance. Stripe is PCI-DSS compliant and is a widely used secure payment provider.
Legal and Safety Disclosures: We may disclose personal information to third parties (such as courts, law enforcement or government agencies, or opposing counsel) if we believe disclosure is reasonably necessary: (i) to comply with any applicable law, regulation, legal process, or governmental request; (ii) to enforce our Terms of Service, investigate and defend ourselves against any third-party claims or allegations; (iii) to protect the rights, property, and safety of OAO Limited, our users, or the public (for example, to report suspected illegal activity or security breaches).
Business Transfers: If OAO Limited is involved in a merger, acquisition, sale of assets, or corporate reorganization, your personal data may be transferred to the successor or affiliate as part of that transaction. We will ensure the new owner will continue to honor the commitments we have made in this Privacy Policy, and we will notify you (for example, via a prominent notice on our site or an email) of any such change in ownership or control of your personal information.
Aside from the situations above, we will not share your personal data with third parties unless we have your consent to do so. Importantly, we do not share users’ personal information with advertisers or social media companies, and we have no third-party advertising integrations at this time.
5. International Data Transfers
We are based in Hong Kong and many of our systems and third-party providers are located in countries around the world. This means your personal data may be transferred to and stored on servers in countries different from your own, including the United States, Europe, or other regions. For example, AWS and Stripe are U.S.-based companies; if you are in Hong Kong or Singapore, some of your data will be transmitted to and stored in the U.S. or EU. We understand that different countries have different data protection laws. When we transfer personal data out of the origin country, we take steps to ensure compliance with applicable cross-border data transfer rules.
If you are in a jurisdiction like Singapore or the European Economic Area (EEA) that regulates cross-border data transfers, we will ensure that appropriate safeguards are in place. This may include using Standard Contractual Clauses or similar legal mechanisms, or ensuring the transfer is otherwise permitted by law. By using Genmi, you understand that your information may be transferred to our servers and facilities (and those of our service providers) in multiple countries.
Regardless of where your data is processed, we will apply the protections described in this Policy and comply with any applicable legal requirements providing adequate protection for the transfer of personal data.
6. Data Retention
We keep your personal data only for as long as necessary to fulfill the purposes for which it was collected, as outlined in this Policy, and to comply with our legal and business obligations. This section explains our general retention practices:
Account Information (Google Profile Data): We retain the basic account information you provided (name, email, Google ID) for as long as your Genmi account exists. If you delete your account or stop using Genmi, we may remove or anonymize this information upon request (see Section 7 on your rights), or after a period of inactivity (for example, we might purge accounts that have been inactive for a few years, after attempting to reach out to you). We may keep a hashed identifier (a coded version of your Google ID/email) solely to prevent duplicate accounts or abuse (e.g., if banned).
Chat Conversations and User Content: The messages you send to the chatbot and the answers you receive may be stored to enable features like conversation history, context for follow-up questions, or for us to review and improve the AI’s performance. By default, we aim to retain chat logs for 90 days on our servers. This allows you to revisit recent conversations and helps us troubleshoot issues. After this period, chat logs may be automatically deleted or anonymized in our production systems, unless they have been flagged for review due to a policy violation or error (in which case we keep them until the issue is resolved). We may retain aggregated or anonymized information (which no longer can identify you) indefinitely for analysis. If you wish for your conversation history to be deleted sooner, you have the right to request deletion – see below.
E-mail Content via Gmail or similar integration: Stored alongside your chat history for up to 90 days to maintain conversation context, then automatically deleted or anonymised, unless you:
E‑mail Content via Gmail API: Automatically deleted from our servers within 24 hours after completion of the requested action, unless you choose to save it in your Genmi workspace.
Uploaded Files: Any files you upload to Genmi (if this feature is available) will be stored on AWS S3. If you delete a file through the interface (or your account is deleted), we will remove the file from active storage. However, it may persist in backup archives for a short period before those backups expire. We generally rotate backups regularly and do not keep them beyond 90 days. We do not actively use files in backup except for disaster recovery.
Analytics and Logs: Analytics data in PostHog and logs (including Sentry error logs and Vercel server logs) are generally kept for shorter periods. For instance, our application logs and error logs may be retained for around 90 days for troubleshooting and then overwritten or deleted. Aggregated analytics may be kept longer (to observe usage trends over time), but those do not contain personally identifiable info beyond possibly high-level usage tied to an anonymous user ID.
Payment Records: Transaction records are kept as long as required for financial reporting and tax compliance. Typically, we must retain those for at least 7 years (under HK tax law) or as required by accounting standards. However, this data is limited to what is necessary (e.g., payment amounts, date, and related user identity) and not sensitive card details.
Legal Holds: If we are under a legal obligation to preserve data (for example, in response to a legal dispute or law enforcement request), or if the data is needed to investigate a violation of our Terms, we will retain the specific data as required (isolated from routine deletion) until that obligation is fulfilled.
After the applicable retention periods, we will securely delete or anonymize your personal data. “Deletion” means we will remove it from our active databases, though it may persist in securely stored backups for a limited time until those are also deleted or overwritten in the normal course of business. Anonymization means we alter the data so it can no longer be associated with you (for example, by removing identifiers and aggregating data). Anonymized data is no longer personal data and we may retain it for analytical purposes without further notice to you.
7. Your Rights and Choices
We strive to give you control over your personal data. Subject to applicable law, you have the following rights regarding the personal data we hold about you:
Access and Correction: You have the right to request a copy of the personal data we hold about you and to correct or update any inaccuracies. For example, you can ask us to confirm whether we are processing your personal data, and you can request access to your profile info or chat history that we have stored. If any of that information is incorrect or has changed (such as you want to update your display name), you can request that we correct it. Some of this can be self-served (if we provide a profile editing feature); otherwise, contact us and we will assist.
Deletion (Right to Erasure): You have the right to request deletion of your personal data. If you wish to delete your Genmi account entirely, you can contact us to do so. Upon verification of your identity and request, we will delete or anonymize your personal data from our active databases. This includes removing your profile information and chat logs associated with your account. Note that there are certain exceptions to deletion – we might retain data if required for legal obligations or as noted in our retention section (e.g., transaction records or if data is needed to resolve disputes). If we cannot delete certain data, we will explain why (for example, if it is retained for legal compliance). Also, please understand that deletion is irreversible – if your account is deleted, your conversation history and any saved content will be permanently removed and cannot be recovered.
Withdrawal of Consent: Where we rely on your consent to process data (for instance, if you gave consent for a specific optional feature or for receiving marketing emails), you have the right to withdraw that consent at any time. For example, if we ever request your consent for something, you can later opt out. Withdrawing consent will not affect the lawfulness of any processing we already performed, but will stop the future processing of the data for which consent was given. (Note: If you withdraw consent for a fundamental data use – like the processing of your queries by the AI – we may not be able to provide the Service to you unless there’s an alternative legal basis to continue.)
Object or Restrict Processing: In certain jurisdictions (such as under the GDPR), you have the right to object to our processing of your data or ask us to restrict processing. For example, you can request that we stop using your data for analytics profiling, or you could object to processing that is based on our legitimate interests. We will honor such requests as required by applicable law. In practical terms, if you have concerns about any specific processing, please let us know and we’ll review if we can accommodate your request (by stopping or limiting that processing) without affecting the service provision.
Data Portability: Again under laws like GDPR, you may request a copy of certain data in a machine-readable format to transfer to another provider (this typically applies to data you provided directly, like your account info and messages). If applicable, we can provide an export of your chat history or profile information in a commonly used format upon request.
Children’s Data: As noted, our Service is not intended for children under the age of 18 without parental consent. If you are a parent or guardian and believe we have collected personal data about a minor without proper consent, please contact us. We will take steps to delete such information as soon as possible. We do not knowingly process personal data of children under 13 at all; if such data is identified, we will remove it.
To exercise any of your rights, please contact us at privacy@genmi.app. We may need to verify your identity (for example, by asking you to email us from the address associated with your account or to provide some identifying information) before fulfilling your request, to ensure that we do not disclose data to the wrong person or delete the wrong account. We will respond to your request within a reasonable timeframe as required by law (typically within 30 days for access or correction requests in Hong Kong, and within one month under GDPR, etc., with extensions if necessary which we will communicate to you).
There may be limitations to these rights: for instance, if your request is manifestly unfounded or excessive, we might charge a reasonable fee or refuse to act on it (as allowed by law). We will explain any such decisions to you.
Additionally, you have the right to lodge a complaint with a data protection authority if you believe we have infringed your privacy rights. In Hong Kong, that would be the Office of the Privacy Commissioner for Personal Data (PCPD). In Singapore, the PDPC. In the EU, your local supervisory authority. We encourage you to contact us first, so we have the opportunity to address your concerns directly.
8. Data Security
We take the security of your personal data seriously. We have implemented administrative, technical, and physical safeguards to protect your information against unauthorized access, disclosure, alteration, or destruction. These measures include:
Encryption of data in transit and at rest where feasible. For example, our databases are encrypted, and communications between your browser and our servers (and between our servers and third-party APIs like Google) are protected via TLS/HTTPS encryption.
Access controls to personal data. Only authorized OAO personnel or contractors who need to process your data (for example, to provide support or maintain the system) have access to identifying personal data, and they are bound by strict confidentiality obligations. Access to production databases and sensitive systems is logged and restricted on a need-to-know basis.
Regular security assessments and monitoring. We keep our software and infrastructure up to date with security patches. We utilize security tools and practices (such as firewalls, intrusion detection, and monitoring of our applications) to guard against vulnerabilities or unauthorized access attempts.
Employee and contractor training on data privacy and security practices. Our team is trained to handle personal data properly and to respond to potential security issues.
Data processor diligence: We choose reputable third-party service providers (like Google, AWS, Stripe) with strong security track records and we ensure via contracts that they also implement appropriate security measures. For instance, Stripe is PCI compliant for payment data; AWS has robust physical and network security at its data centers; etc.
Despite our efforts, please note that no system can be 100% secure. The transmission of information via the internet is not completely risk-free, so we cannot guarantee absolute security of data. However, we continuously review and enhance our security measures to keep your data safe. In the unlikely event of a data breach that poses significant risk to your rights (for example, a leak of personal information), we will notify you and the relevant authorities as required by law.
9. Third-Party Links and Services
Genmi’s interface or communications may occasionally contain links to third-party websites or services that are not operated by OAO (for example, if Genmi provides a reference or link to a source on the web in an answer, or if our website has a link to our social media page). This Privacy Policy does not cover those third-party sites. If you click on a link to a third-party website, you will be subject to that third party’s own privacy practices. We encourage you to review the privacy policies of any external sites or services you visit. We are not responsible for the content, privacy, or security of any third-party websites.
Additionally, if you access Genmi through any third-party platforms (for instance, a messaging app integration), any information collected by that platform is subject to its own policy. This Policy only covers data we collect and process.
10. Children’s Privacy
Our Service is not directed to children under 18 years of age. We do not knowingly collect personal data from anyone under 13, and we do not permit use of Genmi by anyone under 18 without parental consent. If you are under 18, you should only use Genmi with the involvement and permission of a parent or guardian.
If we become aware that personal information of a child under 13 (or a minor under 18 using the Service without guardian consent) has been provided to us, we will take steps to delete such information as soon as possible. Parents or guardians who discover that their child has used our Service and provided personal data without consent should contact us immediately at privacy@genmi.app, and we will promptly remove the data and terminate the child’s account if applicable.
We recognize the importance of protecting children’s privacy and will follow all applicable laws and guidelines regarding youth privacy online.
11. Changes to this Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other operational reasons. When we make changes, we will post the updated Policy with a new “Last Updated” date at the top. If the changes are material, we will provide a more prominent notice (such as by email notification to our users or a notice on our website or within the Genmi interface).
We encourage you to review this Policy periodically to stay informed about how we are protecting your information. Your continued use of Genmi after any changes to this Policy will signify your acceptance of the updated terms, to the extent permitted by law.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
We will do our best to address any issue or query promptly. Your trust is important to us, and we are committed to resolving any concerns about your privacy.