Genestack Privacy Notice

Effective from: 8 May 2026

  1. About this Notice

    Genestack Limited ("Genestack", "we", "us", "our") respects your privacy and is committed to processing personal data lawfully, fairly and transparently. This Privacy Notice explains how we collect, use, disclose and protect personal data when you visit our website, interact with us, request information, or use our services.

    Cookies and similar tracking technologies used on our website are addressed in a separate document, our Cookie Notice, which is linked from the footer of every page on the Genestack website.

    This Notice is issued under the UK General Data Protection Regulation (UK GDPR), the UK Data Protection Act 2018 and the Data (Use and Access) Act 2025 (DUAA). Where we process personal data of individuals in the European Economic Area, we apply equivalent standards under the EU GDPR.

  2. Who We Are

    Genestack Limited is the data controller for the personal data described in this Notice. Our details are:

    • Company name: Genestack Limited
    • Registered in: England and Wales (Company number 7778793)
    • Registered office: Salisbury House, Station Road, Cambridge, CB1 2LA, United Kingdom
    • ICO data protection registration: ZA344149
    • Website: https://genestack.com
    • Data Protection Officer (DPO): privacy@genestack.com

  3. Personal Data We Collect

    We collect personal data in the following categories:

    1. Information you provide directly: Name, email address, telephone number, employer, job title, country, and any other information you provide when you complete a website form, request a demo, attend a meeting, subscribe to communications, apply for a position, or otherwise contact us.
    2. Communications data: The content of email, telephone, video conference and live-chat exchanges with us, together with associated metadata such as date, time, sender, recipient and subject.
    3. Technical and usage data: IP address, browser type and version, operating system, device type, time-zone setting, pages visited, referring URL, and interactions with our website. Some of this data is collected through cookies and similar technologies. The detail of our cookie use is set out in our Cookie Notice.
    4. Recruitment data: If you apply for a position with us, additional information including CV / résumé, employment history, qualifications, references, and right-to-work documentation.
    5. Customer and commercial relationship data: For customers and prospective customers, business contact data, contract terms, billing details, and records of services we have delivered.

  4. Purposes and Legal Bases for Processing

    We process personal data for specific purposes, each supported by a lawful basis under UK GDPR Article 6:

    Purpose | Lawful basis
    --------|-------------
    Operating, securing and improving our website and online presence | Legitimate interests — UK GDPR Art. 6(1)(f)
    Responding to enquiries, demo requests and support requests | Legitimate interests / Steps prior to entering a contract — Art. 6(1)(b) and 6(1)(f)
    Delivering our products and services to customers | Performance of a contract — Art. 6(1)(b)
    Sending marketing communications by email | Consent — Art. 6(1)(a). You may withdraw consent at any time.
    Lead-tracking and CRM activity beyond initial enquiry handling | Legitimate interests, balanced against your rights and interests — Art. 6(1)(f), or consent where required.
    Recruitment and assessment of candidates | Legitimate interests / Steps prior to entering a contract / Legal obligation — Art. 6(1)(b), 6(1)(c), 6(1)(f)
    Compliance with legal, regulatory and tax obligations | Legal obligation — Art. 6(1)(c)
    Establishing, exercising or defending legal claims | Legitimate interests — Art. 6(1)(f)

    We do not engage in solely-automated decision-making, including profiling, that produces legal or similarly significant effects in respect of any of the above processing within the meaning of UK GDPR Article 22.

  5. Recipients of Personal Data

    We share personal data with the following categories of recipient. All third parties are subject to written contractual arrangements that require them to safeguard personal data and to act only on our documented instructions, except where they act as independent controllers.

    • Genestack group companies — including our affiliate based in the Republic of Serbia, for the purposes of operating group services. This intra-group sharing is governed by an internal Data Sharing Agreement and Transfer Risk Assessment.
    • Cloud and infrastructure providers — Amazon Web Services (AWS), used to host our products and certain operational systems.
    • Customer relationship and consent management platforms — Salesforce (CRM and form tracking) and Enzuzo (cookie consent management).
    • Analytics providers — Google (Google Analytics 4) and Hotjar, used to understand website performance and user experience. These are activated only where you have given analytics consent.
    • Advertising and audience providers — LinkedIn (Insight Tag), used for advertising measurement and audience building. Activated only where you have given marketing consent.
    • Professional advisers — legal, financial, audit, insurance, security and other professional advisers, where required.
    • Public authorities and regulators — where compelled or permitted by law (for example, the Information Commissioner's Office, HMRC, courts).
    • Successors and acquirers — in any business sale, merger or restructuring, the personal data we hold may be transferred to the successor entity.

    We do not sell your personal data to any third party.

  6. International Data Transfers

    Where personal data is transferred outside the United Kingdom, we ensure that an appropriate transfer mechanism is in place. Specifically:

    • Transfers to our group company in Serbia are governed by the UK International Data Transfer Agreement (IDTA), supplemented by a Transfer Risk Assessment under section 17A of the Data Protection Act 2018 (as amended by the DUAA).
    • Transfers to providers in the United States (including Salesforce, Google, LinkedIn, Hotjar and AWS US regions where applicable) rely on the UK Extension to the EU–US Data Privacy Framework where the receiving organisation is certified, and otherwise on the IDTA or the UK Addendum to the EU Standard Contractual Clauses.
    • Transfers to other countries rely on adequacy regulations in force from time to time under section 17A of the Data Protection Act 2018, or on the IDTA / UK Addendum.

    You may request a copy of the relevant transfer mechanism by contacting our DPO at the address in Section 14.

  7. Data Retention

    We retain personal data only for as long as necessary for the purposes set out in Section 4. Indicative retention periods are:

    Category | Retention period
    ---------|-----------------
    Website enquiries and unconverted leads | 24 months from last contact
    Marketing consent and communications history | Until consent is withdrawn, then 12 months for audit
    Customer contractual data | Term of contract plus 7 years (UK statutory limitation)
    Recruitment data — unsuccessful candidates | 12 months from decision
    Recruitment data — successful candidates | Per employee record retention policy
    Cookie consent records | 12 months
    Records required to evidence compliance with this Notice | 6 years

    Where retention is required for a longer period by applicable law (for example, tax records, statutory reporting), we retain personal data for the period required by that law.

  8. Your Rights

    Under UK GDPR Articles 15–22 you have the following rights in relation to your personal data:

    • Right of access — to obtain a copy of the personal data we hold about you (Art. 15).
    • Right to rectification — to request correction of inaccurate or incomplete data (Art. 16).
    • Right to erasure — to request deletion of your data, subject to applicable exemptions (Art. 17).
    • Right to restrict processing — in defined circumstances (Art. 18).
    • Right to data portability — for data you have provided to us, where processing is based on consent or contract and is carried out by automated means (Art. 20).
    • Right to object — to processing based on legitimate interests, including direct marketing (Art. 21).
    • Right to withdraw consent — at any time, where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal (Art. 7(3)).

    To exercise any of these rights, please contact privacy@genestack.com. We will respond within one calendar month, extendable by up to two further months for complex or numerous requests in line with UK GDPR Article 12(3) and the Data (Use and Access) Act 2025.

    If you are not satisfied with how we have handled your request, please refer to Section 9 below for our complaint-handling process.

  9. How to Complain

    We take any complaint about our handling of personal data seriously. If you have a concern, please contact our Data Protection Officer in the first instance:

    • Email: privacy@genestack.com
    • Postal address: Data Protection Officer, Genestack Limited, Salisbury House, Station Road, Cambridge, CB1 2LA, United Kingdom

    When we receive a complaint about our handling of your personal data, we will:

    • acknowledge receipt of your complaint without undue delay, and in any event within 30 days;
    • investigate your complaint and respond substantively without undue delay; and
    • inform you of your right to escalate the complaint to the Information Commissioner's Office if you remain dissatisfied with our response.

    This complaint-handling process reflects our duty under Article 77A of the UK GDPR (as inserted by the Data (Use and Access) Act 2025).

    You retain a separate right to lodge a complaint directly with the Information Commissioner's Office at any time without first contacting us, at https://ico.org.uk/make-a-complaint/. We would, however, appreciate the opportunity to address your concerns first.

  10. Cookies and Similar Technologies

    Our use of cookies and similar tracking technologies on the Genestack website is addressed in our Cookie Notice. The Cookie Notice sets out the categories of cookies in use, the specific cookies set, their purposes and lifetimes, and how to manage your preferences via our consent management tool. The Cookie Notice is linked from the footer of every page on the Genestack website.

  11. Security

    We implement appropriate technical and organisational measures to safeguard personal data against unauthorised access, accidental loss, alteration, disclosure or destruction. These measures include access controls, encryption in transit and at rest, network segmentation, monitoring and logging, supplier due diligence, employee training, and a formal information security management system. Genestack is independently certified to ISO/IEC 27001:2022.

  12. Children

    Our website and services are directed to professional and business users. We do not knowingly collect personal data from children under the age of 13. If you believe we hold personal data of a child, please contact privacy@genestack.com so we can investigate and, where appropriate, delete it.

  13. Changes to This Notice

    We may update this Privacy Notice from time to time. The version and effective date at the top of this Notice show when it was last updated. Material changes will be communicated via the website and, where you have provided an email address and consented to such communications, by email. We encourage you to review this Notice periodically.

  14. Contact

    For privacy queries, including any request to exercise the rights set out in Section 8 or to make a complaint under Section 9, please contact our Data Protection Officer:

    • Email: privacy@genestack.com
    • Postal address: Data Protection Officer, Genestack Limited, Salisbury House, Station Road, Cambridge, CB1 2LA, United Kingdom

    For all other enquiries: info@genestack.com.
