Lenzo Privacy Policy
Effective Date: January 1, 2024
Last Updated: December 20, 2025
1. INTRODUCTION AND SCOPE
1.1 Policy Overview
This Privacy Policy ("Policy") describes how Genio Group, Inc., a Delaware corporation ("Company," "we," "us," or "our"), operating under the trade name and mark "Lenzo" ("Lenzo," "Platform," or "Services"), collects, uses, discloses, and protects personal information obtained through our trade compliance monitoring platform accessible at lenzo.ai and associated applications.
This Policy applies to all users of the Lenzo Platform, including authorized business representatives who register for corporate accounts, utilize our Services, or otherwise interact with our website, applications, or communications. By accessing or using the Services, you acknowledge that you have read, understood, and agree to be bound by this Policy and consent to the collection, use, and disclosure practices described herein.
Genio Group, Inc. acts as the data controller (or "business" under California law) for personal information collected through the Services, determining the purposes and means of processing personal data as described herein.
Business-to-Business Service: The Services are designed exclusively for business use and are not directed to consumers acting in their individual capacity. Users represent and warrant that they are authorized representatives of business entities and are accessing the Services for legitimate business purposes.
1.2 Quick Summary
The Lenzo Platform provides automated trade compliance monitoring, sanctions screening, and regulatory compliance services for business organizations. To deliver these Services, we collect and process:
- Account Information: Name, business email address, company details, and authentication credentials of authorized business users
- Compliance Data: Business partner information, transaction records, and entity data obtained through secure third-party integrations for sanctions screening and compliance analysis
- Integration Data: Information from business systems and single sign-on providers (Google Workspace, Microsoft 365, Okta, OneLogin) and social authentication providers (LinkedIn) to manage user access and organizational workflows
- Usage Data: Technical and behavioral information regarding authorized users' interaction with the Platform
We use this information to provide compliance monitoring services, conduct sanctions screening, generate compliance reports, improve Platform functionality, and fulfill our contractual obligations to your organization.
We implement commercially reasonable security measures including encryption, access controls, and regular security assessments to protect your information. We do not sell personal information to third parties for monetary consideration. Data is shared only with essential service providers necessary for Platform operation, as required by applicable law, or with your organization's explicit authorization.
For detailed information regarding our data practices, please review the complete sections below.
1.3 IMPORTANT DISCLAIMER AND ASSUMPTION OF RISK
USER ACKNOWLEDGMENT AND ASSUMPTION OF ALL RISKS: BY ACCESSING OR USING THE LENZO PLATFORM, YOU EXPRESSLY ACKNOWLEDGE, UNDERSTAND, AND AGREE TO THE FOLLOWING:
NO LEGAL OR COMPLIANCE ADVICE: THE LENZO PLATFORM PROVIDES INFORMATIONAL TOOLS AND AUTOMATED SCREENING SERVICES ONLY. THE PLATFORM DOES NOT PROVIDE LEGAL, REGULATORY, OR PROFESSIONAL COMPLIANCE ADVICE. ALL INFORMATION, SCREENING RESULTS, ALERTS, REPORTS, AND RECOMMENDATIONS PROVIDED THROUGH THE PLATFORM ARE FOR INFORMATIONAL PURPOSES ONLY AND DO NOT CONSTITUTE LEGAL ADVICE, REGULATORY GUIDANCE, OR PROFESSIONAL COMPLIANCE CONSULTING.
NO GUARANTEE OF ACCURACY OR COMPLETENESS: GENIO GROUP, INC. DOES NOT WARRANT, REPRESENT, OR GUARANTEE THE ACCURACY, COMPLETENESS, TIMELINESS, RELIABILITY, OR CORRECTNESS OF ANY SANCTIONS SCREENING RESULTS, COMPLIANCE ALERTS, REGULATORY INFORMATION, OR ANY OTHER DATA PROVIDED THROUGH THE PLATFORM. SANCTIONS LISTS, REGULATORY REQUIREMENTS, AND COMPLIANCE OBLIGATIONS CHANGE FREQUENTLY AND WITHOUT NOTICE. THE PLATFORM MAY CONTAIN ERRORS, OMISSIONS, INACCURACIES, OR OUTDATED INFORMATION.
USER SOLE RESPONSIBILITY: YOU AND YOUR ORGANIZATION BEAR SOLE AND EXCLUSIVE RESPONSIBILITY FOR:
- ALL COMPLIANCE DECISIONS, ACTIONS, AND OMISSIONS
- INDEPENDENT VERIFICATION OF ALL SCREENING RESULTS AND COMPLIANCE INFORMATION
- ENGAGING QUALIFIED LEGAL COUNSEL AND COMPLIANCE PROFESSIONALS
- ENSURING COMPLIANCE WITH ALL APPLICABLE EXPORT CONTROL, IMPORT CONTROL, SANCTIONS, AND OTHER REGULATORY REQUIREMENTS
- ANY AND ALL CONSEQUENCES ARISING FROM RELIANCE ON THE PLATFORM
ASSUMPTION OF ALL RISKS: YOU EXPRESSLY ASSUME ALL RISKS ASSOCIATED WITH USE OF THE PLATFORM, INCLUDING BUT NOT LIMITED TO:
- REGULATORY PENALTIES, FINES, OR ENFORCEMENT ACTIONS
- CIVIL OR CRIMINAL LIABILITY
- LICENSE REVOCATIONS OR DEBARMENT
- REPUTATIONAL HARM
- FINANCIAL LOSSES
- ANY OTHER DAMAGES OR ADVERSE CONSEQUENCES
NO LIABILITY: GENIO GROUP, INC. SHALL HAVE NO LIABILITY WHATSOEVER FOR ANY COMPLIANCE FAILURES, REGULATORY VIOLATIONS, PENALTIES, FINES, OR ANY OTHER CONSEQUENCES ARISING FROM YOUR USE OF OR RELIANCE ON THE PLATFORM, REGARDLESS OF WHETHER SUCH CONSEQUENCES RESULT FROM PLATFORM ERRORS, OMISSIONS, INACCURACIES, OR OUTDATED INFORMATION.
INDEPENDENT VERIFICATION REQUIRED: YOU MUST INDEPENDENTLY VERIFY ALL INFORMATION PROVIDED BY THE PLATFORM BEFORE MAKING ANY COMPLIANCE DECISIONS OR TAKING ANY ACTIONS. THE PLATFORM IS A SUPPLEMENTARY TOOL ONLY AND DOES NOT REPLACE PROFESSIONAL COMPLIANCE PROGRAMS, LEGAL COUNSEL, OR HUMAN JUDGMENT.
2. DEFINITIONS
For purposes of this Policy, the following terms have the meanings set forth below:
"Personal Data" or "Personal Information" means any information relating to an identified or identifiable natural person, including but not limited to name, email address, identification numbers, location data, online identifiers, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person. This term is synonymous with "personal information" as defined under the California Consumer Privacy Act (CCPA) and "personal data" as defined under the General Data Protection Regulation (GDPR).
"Processing" means any operation or set of operations performed on Personal Data, whether by automated means or otherwise, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Data Controller" means the entity that determines the purposes and means of Processing Personal Data. Genio Group, Inc. serves as the Data Controller (or "business" under CCPA terminology) for Personal Data collected through the Services.
"Data Processor" means an entity that Processes Personal Data on behalf of the Data Controller pursuant to documented instructions (or "service provider" or "contractor" under CCPA terminology).
"Data Subject" means an identified or identifiable natural person whose Personal Data is Processed (or "consumer" under CCPA terminology).
"User," "Customer," "Authorized User," or "you" means any individual who accesses or uses the Services as an authorized representative of a business entity subscribing to the Platform. All references to "you" in this Policy refer to business users acting in their professional capacity.
"Services" means the Lenzo trade compliance monitoring platform, including the website located at lenzo.ai, web-based application interface, mobile applications (if available), integrations, application programming interfaces (APIs), and all associated features and functionality provided by Genio Group, Inc. under the Lenzo brand.
"Third-Party Service Providers," "Subprocessors," or "Service Providers" means entities engaged by us to perform functions on our behalf, including but not limited to cloud hosting, data analytics, payment processing, customer support services, and communications infrastructure.
"Sensitive Personal Information" means Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for unique identification purposes, health data, data concerning sex life or sexual orientation, Social Security numbers, driver's license numbers, passport numbers, financial account credentials, or precise geolocation data, as defined under applicable privacy laws including the California Privacy Rights Act (CPRA) and GDPR special categories of personal data.
"Compliance Data" means information related to trade compliance, including but not limited to sanctions screening results, denied party screening outcomes, export control classifications, regulatory alerts, and related compliance monitoring information.
3. DATA COLLECTION
3.1 Categories of Data Collected
We collect and Process the following categories of Personal Information in connection with providing the Services to business customers:
3.1.1 Account and Registration Data
When an authorized representative of your organization creates an account or registers to use the Services, we collect:
- Full legal name
- Business email address (corporate domain)
- Company or organization legal name
- Job title and functional role within the organization
- Account password (cryptographically hashed using industry-standard algorithms; plaintext passwords are never stored)
- Account preferences and configuration settings
- Subscription plan selection (Starter, Professional, or Premium)
- Billing contact information
3.1.2 Business Partner and Entity Data
Through your organization's use of the Platform for compliance screening, we receive and process:
- Business partner names, aliases, and alternative spellings
- Company registration numbers and identifiers
- Physical addresses and registered locations
- Country of incorporation and operation
- Beneficial ownership information (where provided)
- Transaction counterparty details
- Product and service descriptions for classification purposes
- End-use and end-user information
- Any other entity information submitted for screening purposes
Critical Notice: All business partner and entity data is provided by you or your organization. We do not independently verify the accuracy or completeness of information you submit for screening. You bear sole responsibility for the accuracy of all submitted data.
3.1.3 Compliance Screening Data
Based on data collected from your submissions and third-party regulatory sources, we derive, aggregate, and store the following compliance-related information:
- Sanctions screening results and match determinations
- Denied party list screening outcomes
- Export control classification suggestions
- Regulatory alert history and status changes
- Screening timestamps and audit trails
- Match confidence scores and analysis
- Historical screening records for audit purposes
- User decisions and override documentation
DISCLAIMER: All screening results are provided for informational purposes only. Screening results may contain false positives, false negatives, or inaccuracies. You must independently verify all screening results before making compliance decisions.
3.1.4 Single Sign-On (SSO) Integration Data
Through authorized integrations with enterprise SSO identity providers (Google Workspace, Microsoft 365 / Entra ID, Okta, OneLogin) and social authentication providers (LinkedIn), we collect organizational authentication and identity data including:
- User authentication event logs (login date and timestamp, application or service accessed, session initiation and termination times)
- Organizational directory information (employee names, business email addresses, department or team assignments, manager relationships)
- Login frequency patterns and usage metrics
- Authentication device metadata (device type, operating system, approximate geographic location derived from IP address)
- Group memberships, role assignments, and permission attributes
- Account status (active, suspended, terminated)
- LinkedIn profile information (when using LinkedIn authentication): name, email address, profile picture, LinkedIn profile URL, company information, job title, and other profile data you authorize us to access through LinkedIn's OAuth consent flow
- Magic link authentication data: email addresses used for authentication requests, authentication request timestamps, link generation and usage events, device information, and IP addresses associated with magic link access
3.1.5 Usage and Technical Data
We automatically collect certain technical information when authorized users access or use the Services through standard web server logging and application telemetry:
- Internet Protocol (IP) addresses (used for approximate geographic location, security analysis, and fraud prevention)
- Browser type, version, and language preference settings
- Device identifiers and technical characteristics (device type, manufacturer, model, operating system type and version, screen resolution, hardware specifications)
- Referral sources and URLs (websites or services from which users navigate to the Platform)
- Clickstream data and navigation paths (pages viewed, features accessed, sequence of interactions within the Platform)
- Timestamps of Platform interactions (date and time of login, feature usage, session duration)
- Session identifiers and authentication tokens
- Feature utilization metrics (which Platform features are accessed, frequency of use, interaction patterns)
- Error logs, exception reports, and diagnostic data generated during Platform operation
- Performance metrics (page load times, API response times, system resource utilization)
- Geographic location derived from IP address (limited to country, state/region, and city level; no precise GPS coordinates)
3.1.6 Communication and Support Data
When your organization's authorized users communicate with Genio Group, Inc., we collect and retain:
- Customer support ticket contents, including issue descriptions, troubleshooting steps, and resolution notes
- Email correspondence sent to or received from Company email addresses (support@lenzo.ai or other designated addresses)
- In-Platform chat transcripts and messaging history
- User feedback, product satisfaction surveys, and feature requests
- Documentation, screenshots, log files, and diagnostic information voluntarily submitted in connection with support requests
- Webinar registrations and attendance records
- Event participation and interaction data
3.2 Methods of Collection
Personal Information is collected through the following technical and operational methods:
Direct Provision by Users: Information that authorized users voluntarily and actively provide when creating accounts, completing registration forms, configuring Platform settings, submitting entities for screening, submitting support requests, or otherwise communicating with us through available channels.
Automated Collection via Authorized Integrations: Information obtained through OAuth 2.0 or similar secure authorization protocols connecting the Platform to third-party business services, including:
- Google Workspace Admin SDK and Reports API for SSO authentication logs
- Microsoft Graph API for Microsoft 365 / Entra ID SSO authentication logs
- Okta API for SSO authentication logs
- OneLogin API for SSO authentication logs
- LinkedIn OAuth API for social authentication and profile data
Magic Link Authentication: We provide passwordless authentication through email-based magic links. When you request a magic link, we send a time-limited, single-use authentication link to your registered email address. Magic links contain cryptographic tokens that expire after a short period (typically 15 minutes) and can only be used once. We collect email addresses, authentication request timestamps, link usage events, and device information associated with magic link authentication.
Third-Party Regulatory Data Sources: Compliance information obtained from government sanctions lists, denied party lists, export control databases, and other regulatory sources, which is used to conduct screening against user-submitted entities.
Cookies and Similar Tracking Technologies: Information collected through first-party and third-party cookies, web beacons, pixel tags, local storage, and similar tracking technologies embedded in our website and application interfaces. Detailed information regarding our use of cookies is provided in Section 11 and our separate Cookie Policy.
Third-Party Analytics and Monitoring Services: Information collected through analytics platforms such as Google Analytics, Mixpanel, PostHog, Meta/Facebook Ads, LinkedIn Ads, LinkedIn Sales Navigator, OpenAI/ChatGPT, xAI/Grok, X (Twitter), or similar services, which employ cookies and JavaScript-based tracking to analyze Platform usage patterns, user behavior, performance metrics, and advertising effectiveness.
Inference and Derivation: Certain information is derived or inferred from other data sources, including screening match analysis, risk assessments, and recommendations generated through algorithmic analysis and machine learning models.
3.3 Data We Explicitly Do Not Collect
To provide transparency and clarity regarding the scope and limitations of our data collection practices, we explicitly do not collect, store, process, or maintain access to the following categories of information:
- Banking, financial institution, or payment card login credentials, passwords, PINs, or security questions
- Complete credit card numbers, CVV/CVC security codes, or magnetic stripe data (payment processing is conducted exclusively by Stripe, Inc., a PCI DSS Level 1 certified payment processor)
- Social Security Numbers, Taxpayer Identification Numbers, national identification numbers, or government-issued identification credentials (except as voluntarily submitted for entity screening purposes)
- Health information, medical records, insurance information, or protected health information (PHI) as defined under HIPAA
- Biometric identifiers including fingerprints, facial recognition data, retinal scans, voiceprints, or DNA profiles
- Precise real-time geolocation data, GPS coordinates, or continuous location tracking (only approximate location derived from IP address)
- Audio or video recordings unless expressly requested and authorized for specific support purposes
- Contents of files, documents, or data stored in connected cloud storage services (Dropbox, Google Drive, OneDrive, etc.)
- Information regarding individuals under 18 years of age (Services are not directed to minors)
4. LEGAL BASIS FOR PROCESSING
4.1 GDPR Legal Bases (EEA, UK, and Swiss Users)
For users and organizations located in the European Economic Area (EEA), United Kingdom, or Switzerland, we Process Personal Data only where we have established a lawful basis under the General Data Protection Regulation (GDPR), UK GDPR, or Swiss Federal Act on Data Protection (FADP). Our legal bases for Processing include:
4.1.1 Performance of Contract (GDPR Article 6(1)(b))
Processing is necessary for the performance of our contractual obligations to your organization under the Terms of Service, or to take steps at your organization's request prior to entering into a contract. This legal basis covers:
- Creating and maintaining user accounts for authorized representatives
- Providing access to Platform features, functionality, and integrations
- Processing billing transactions and managing subscription payments
- Conducting sanctions screening and compliance monitoring as contracted services
- Generating compliance reports, screening results, and regulatory alerts
- Delivering customer support, technical assistance, and troubleshooting services
- Communicating service-related information, system status updates, and notifications essential for Platform operation
- Enforcing our Terms of Service and usage policies
4.1.2 Legitimate Interests (GDPR Article 6(1)(f))
Processing is necessary for our legitimate business interests or those of your organization, except where such interests are overridden by your fundamental rights and freedoms requiring protection of Personal Data. Our legitimate interests include:
- Preventing fraud, unauthorized access, security breaches, and cyber threats to protect Platform integrity
- Ensuring network and information security through monitoring, logging, and threat detection systems
- Improving Platform functionality, performance, user experience, and feature development through analysis of aggregated usage patterns
- Conducting internal business analytics, product development research, and market analysis to inform strategic decisions
- Optimizing Platform performance, reliability, and scalability
- Enforcing our Terms of Service, Acceptable Use Policy, and other legal agreements
- Exercising or defending against legal claims, litigation, or disputes
- Facilitating efficient business operations, administration, and corporate governance
- Communicating with users regarding Platform updates, new features, or service enhancements that may benefit their organizations
We have conducted legitimate interest assessments (balancing tests) to ensure that our Processing activities do not disproportionately impact your fundamental rights and freedoms. Where Processing relies on legitimate interests, you have the right to object as described in Section 10.
4.1.3 Consent (GDPR Article 6(1)(a))
Where required by applicable law or where we do not rely on another legal basis, Processing is based on your explicit, informed, freely given, and specific consent. This includes:
- Marketing communications, promotional materials, and newsletters (where not covered by legitimate interest provisions)
- Non-essential cookies and tracking technologies used for analytics, advertising, or personalization purposes beyond Platform functionality
- Optional data sharing with third-party service providers beyond those strictly necessary for Service delivery
- Processing of special categories of Personal Data (GDPR Article 9) or criminal conviction data (GDPR Article 10), should such Processing ever become relevant to our Services
You have the absolute right to withdraw consent at any time without affecting the lawfulness of Processing conducted prior to withdrawal. Withdrawal of consent does not affect our ability to Process Personal Data based on alternative lawful grounds such as contract performance or legitimate interests. To withdraw consent, contact us at support@lenzo.ai.
4.1.4 Legal Obligations (GDPR Article 6(1)(c))
Processing is necessary to comply with legal obligations to which Genio Group, Inc. is subject under applicable laws and regulations, including:
- Tax reporting, record-keeping, and documentation obligations under the Internal Revenue Code and state revenue laws
- Responding to lawful requests, legal process, court orders, subpoenas, or warrants from law enforcement agencies, regulatory authorities, or judicial bodies
- Compliance with data protection laws, including GDPR data subject access request obligations
- Regulatory examination, audit, and reporting requirements imposed by competent authorities
- Preservation of data pursuant to litigation holds or regulatory investigations
4.2 CCPA/CPRA Legal Framework (California Residents)
For California residents whose Personal Information we Process, we comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA). Under this framework:
Business Purpose: We collect and Process Personal Information for legitimate business purposes including providing Services, detecting security incidents, debugging, short-term transient use, performing services on behalf of the business, undertaking internal research, and verifying service quality.
Commercial Purpose: We may use Personal Information for our commercial purposes such as auditing interactions, detecting fraud, improving Services, and undertaking activities to maintain and improve service quality.
No Sale of Personal Information: Genio Group, Inc. does not sell Personal Information as defined under CCPA/CPRA. We do not exchange Personal Information for monetary or other valuable consideration.
Service Provider Relationships: Third parties that receive Personal Information from us are engaged as service providers or contractors under written agreements restricting their use of such information to providing specified services.
5. PURPOSES OF DATA PROCESSING
We Process Personal Information collected through the Services for the following business purposes necessary to deliver compliance monitoring functionality and maintain Platform operations:
5.1 Core Service Delivery
Sanctions Screening and Denied Party Screening:
- Automated screening of business partners, counterparties, and entities against global sanctions lists, denied party lists, and restricted entity databases
- Real-time and batch screening capabilities for compliance workflow integration
- Generation of screening results, match reports, and risk assessments
- Maintenance of screening audit trails for compliance documentation
DISCLAIMER: All screening results are provided as informational tools only. You must independently verify all results and are solely responsible for all compliance decisions.
Regulatory Monitoring and Alerts:
- Monitoring of sanctions list updates, regulatory changes, and compliance requirement modifications
- Automated alerts when monitored entities appear on updated sanctions or restricted party lists
- Notification of regulatory changes affecting your compliance obligations
- Tracking of regulatory publication dates and effective dates
DISCLAIMER: Regulatory monitoring may not capture all changes or updates. You must independently monitor regulatory developments and cannot rely solely on Platform alerts.
Product Classification and Export Control Support:
- AI-assisted suggestions for export control classification of products and technologies
- Reference tools for harmonized tariff schedule and export control classification determination
- Classification workflow management and documentation
DISCLAIMER: All classification suggestions are for informational reference only and do not constitute official classifications. You are solely responsible for accurate product classification and must obtain official rulings where required.
Reporting, Dashboards, and Data Visualization:
- Generation and display of compliance dashboards presenting screening activity, alert status, and compliance metrics
- Production of scheduled reports detailing screening volumes, match rates, and compliance activities
- Creation of audit reports documenting screening history and user decisions
- Data export functionality providing information in machine-readable formats (CSV, JSON, Excel, PDF) for external analysis or integration
5.2 Platform Operations and User Account Management
Authentication, Authorization, and Access Control:
- Verification and validation of user identity through email-based authentication mechanisms, cryptographic password validation, and passwordless magic link authentication
- Social authentication via LinkedIn OAuth, allowing users to sign in using their LinkedIn credentials and share basic profile information (name, email address, profile picture) with the Platform
- Creation, maintenance, and termination of authenticated user sessions with appropriate security controls and timeout policies
- Implementation and enforcement of role-based access control (RBAC) policies restricting data visibility and functionality based on assigned user permissions and organizational roles
- Support for multi-factor authentication (MFA) mechanisms enhancing account security beyond password-only authentication
- Integration with enterprise single sign-on (SSO) systems and social authentication providers enabling centralized authentication for business customers
Subscription Billing and Payment Administration:
- Processing of recurring subscription payments through designated third-party payment processors in accordance with selected subscription plans
- Generation, delivery, and archival of invoices, payment receipts, and billing statements documenting all financial transactions
- Administration of subscription plan modifications including upgrades, downgrades, seat adjustments, and plan migrations
- Processing of refund requests in accordance with the terms specified in our Billing & Refund Policy
- Maintenance of comprehensive billing history and payment records satisfying accounting, audit, and tax compliance requirements
Technical Support and Customer Assistance:
- Receipt, triage, and resolution of customer support inquiries submitted through email, in-Platform messaging, or designated support channels
- Diagnosis and remediation of technical issues, software defects, data synchronization problems, or functionality impairments affecting Platform operation
- Provision of configuration assistance for integration setup, data source connectivity, and Platform customization
- Investigation and resolution of data discrepancies, reporting inconsistencies, or calculation errors identified by customers
- Delivery of onboarding support, training materials, and guidance regarding effective Platform utilization
DISCLAIMER: Technical support does not include compliance advice, legal guidance, or regulatory interpretation. All compliance decisions remain your sole responsibility.
5.3 Security, Fraud Prevention, and Legal Compliance
Security Monitoring and Threat Detection:
- Continuous automated monitoring of authentication attempts, access patterns, and Platform interactions to detect anomalous behavior indicative of unauthorized access attempts or account compromise
- Implementation of security controls designed to prevent, detect, and respond to brute force attacks, credential stuffing attacks, account takeover attempts, and other malicious activity
- Investigation of reported or detected security incidents and implementation of appropriate containment, remediation, and corrective measures
- Maintenance of comprehensive audit logs recording access to sensitive data, administrative actions, and security-relevant events for forensic analysis and compliance verification
- Operation of intrusion detection and prevention systems monitoring network traffic and application behavior for security threats
Regulatory Compliance and Legal Obligations:
- Retention of transaction records and business documents as required under applicable laws
- Maintenance of records for periods required by federal and state tax laws (typically seven years from transaction date)
- Processing of data subject rights requests including access requests, deletion requests, correction requests, and objection requests under GDPR, CCPA/CPRA, and other applicable privacy laws
- Cooperation with lawful requests for information from law enforcement agencies, regulatory authorities, or judicial bodies when accompanied by appropriate legal process
- Creation and maintenance of documentation, records, and evidence necessary to demonstrate compliance with data protection obligations
5.4 Business Analytics and Product Development
Product Innovation and Feature Development:
- Analysis of aggregated, anonymized usage patterns to identify unmet customer needs, workflow inefficiencies, and opportunities for new Platform capabilities
- Market research regarding compliance monitoring practices, organizational challenges, and competitive alternatives to inform strategic product decisions
- Evaluation of feature adoption rates, usage patterns, and customer feedback to prioritize product development efforts and resource allocation
- Development and training of machine learning models designed to improve accuracy of entity matching, classification suggestions, and screening algorithms
- Experimentation with new algorithms, data processing techniques, and analytical methodologies to enhance Platform intelligence and recommendation quality
Important Limitation: All business analytics and research activities involving customer data are conducted using either (i) anonymized data from which individual or organizational identification is not reasonably possible, or (ii) aggregated data presented at sufficient scale to prevent reverse identification of specific customers.
5.5 Communications and Customer Engagement
Transactional and Service-Essential Communications:
- Account creation confirmations, password reset communications, and authentication-related notifications required for Platform access and security
- Billing statements, payment confirmations, failed payment notifications, and subscription renewal notices related to customer financial obligations
- Service availability notifications including planned maintenance windows, unplanned outages, and service restoration updates
- Integration status communications regarding successful data synchronization, connection failures, authorization expirations, or required reconnection actions
- Security notifications regarding suspicious account activity, required security actions, policy violations, or threat intelligence relevant to customer accounts
Regulatory Update Communications:
- Notifications regarding significant sanctions list updates, regulatory changes, or compliance requirement modifications
- Alerts regarding entities previously screened that have been added to restricted lists
Opt-Out Rights: Customers may opt out of non-essential business communications at any time by clicking unsubscribe links provided in email communications or contacting support@lenzo.ai. Opting out does not affect delivery of transactional, service-essential, or legally required communications necessary for Platform operation and contractual obligations.
6. DATA SHARING AND DISCLOSURE
We disclose Personal Information to third parties only in the limited circumstances described in this section. Genio Group, Inc. does not sell Personal Information as defined under applicable privacy laws including the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA).
6.1 Service Providers and Subprocessors
We engage third-party service providers to perform specific functions supporting Platform operations and Service delivery. These entities act as data processors (GDPR terminology), service providers or contractors (CCPA/CPRA terminology), or subprocessors, and are contractually bound to:
- Process Personal Information only pursuant to our documented instructions and for specified purposes
- Implement and maintain appropriate technical and organizational security measures
- Maintain confidentiality of all Personal Information received
- Not use or disclose Personal Information for purposes other than performing contracted services
- Comply with applicable data protection laws and cooperate with regulatory authorities
- Upon termination of services, return or securely delete Personal Information as directed
6.1.1 Cloud Infrastructure and Computing Services
Provider: Amazon Web Services, Inc. (AWS) and/or Google Cloud Platform (Google LLC)
Services: Cloud computing infrastructure, data storage, database hosting, content delivery, network infrastructure, and related technical services
Data Disclosed: All categories of Personal Information described in Section 3 may be stored within cloud infrastructure operated by these providers
Data Location: Primary storage in United States data center regions. For business customers with specific data residency requirements, alternative regional deployments may be available subject to technical feasibility and additional contractual terms
Security: Data encrypted at rest using AES-256 encryption, encrypted in transit using TLS 1.3, isolated multi-tenant architecture, regular third-party security assessments
6.1.2 Payment Processing Services
Provider: Stripe, Inc.
Services: Payment processing, subscription billing management, fraud detection, payment method storage and tokenization, invoicing, and related financial services
Data Disclosed: Billing contact information, payment method details (credit/debit card numbers are collected directly by Stripe and never transmitted to or stored by Genio Group, Inc.), subscription plan selections, billing history, and invoice records
PCI Compliance: Stripe is certified as a PCI DSS Level 1 Service Provider, the highest level of payment security certification. Genio Group, Inc. does not receive, transmit, or store complete payment card numbers, reducing PCI scope and protecting cardholder data
Privacy Policy: https://stripe.com/privacy
6.1.3 Analytics and Monitoring Services
Providers:
- Google Analytics (Google LLC): Website and application analytics, user behavior analysis, performance monitoring, feature utilization tracking, and conversion optimization
- Mixpanel (Mixpanel, Inc.): Event tracking, user behavior analysis, and product analytics
- PostHog (PostHog, Inc.): Product analytics, feature flags, session replay, and user behavior tracking
- Meta/Facebook Ads (Meta Platforms, Inc.): Advertising on Facebook, Instagram, Messenger, and Audience Network, conversion tracking, and retargeting
- LinkedIn Ads (LinkedIn Corporation): Professional B2B advertising, sponsored content, and conversion tracking
- LinkedIn Sales Navigator (LinkedIn Corporation): B2B sales prospecting, lead tracking, and account-based marketing
- OpenAI/ChatGPT (OpenAI, L.L.C.): AI platform advertising, conversational marketing, and integration tracking
- xAI/Grok (xAI Corp.): AI platform advertising and integration tracking
- X (Twitter) (X Corp.): Social media advertising, conversion tracking, and engagement analytics
Data Disclosed: Usage data, technical information, pseudonymous identifiers, aggregated behavioral patterns, performance metrics, conversion events, and advertising interaction data
Anonymization Measures: We implement IP address anonymization, pseudonymous user identifiers, and data retention limits to minimize personal data exposure through analytics platforms. For advertising platforms, we use hashed identifiers and aggregated data where possible.
6.2 Legal Disclosures and Law Enforcement
We may disclose Personal Information where we reasonably believe disclosure is necessary to:
Legal Process Compliance:
- Respond to subpoenas, court orders, search warrants, national security letters, or other lawful requests issued by courts, government agencies, or law enforcement authorities with appropriate jurisdiction
- Comply with legal obligations to which Genio Group, Inc. is subject, including regulatory reporting requirements, tax obligations, and statutory mandates
Protection of Rights and Safety:
- Protect the rights, property, safety, or security of Genio Group, Inc., our customers, employees, or the public
- Investigate, prevent, or take action regarding suspected or actual illegal activities, fraud, security threats, or violations of Terms of Service
- Establish, exercise, or defend legal claims in litigation, arbitration, or regulatory proceedings
Notice Where Permitted: Where legally permissible and operationally practicable, we attempt to provide affected customers with notice prior to disclosure of their Personal Information in response to legal process. However, we may be prohibited from providing such notice where:
- Court order or legal process explicitly prohibits notification
- Notification would obstruct investigation, threaten safety, or be impractical under the circumstances
- Emergency circumstances exist requiring immediate action
6.3 Business Transfers
In connection with significant business transactions, Personal Information may be disclosed to or acquired by third parties:
Transaction Types:
- Merger with or acquisition by another company
- Sale of all or substantially all Company assets
- Corporate restructuring, reorganization, or consolidation
- Financing, investment, or similar corporate transactions
- Bankruptcy, receivership, or insolvency proceedings
Due Diligence: Personal Information may be shared with prospective acquirers, investors, or transaction parties during due diligence phases, subject to confidentiality agreements restricting use of such information to transaction evaluation purposes.
Successor Obligations: Personal Information transferred in connection with business transactions remains subject to this Privacy Policy until you receive notice of changed practices from the successor entity. We contractually require successor entities to honor existing privacy commitments, though such requirements may be limited or modified by bankruptcy court orders or governing transaction agreements.
6.4 Anonymized and Aggregate Data
We may create statistical, aggregate, or anonymized data derived from Personal Information by removing or modifying identifying elements such that the resulting data cannot reasonably be used to identify specific individuals or organizations. Properly anonymized data is not considered Personal Information under applicable privacy laws.
Permitted Uses: We may use and disclose anonymized or aggregate data for any lawful business purpose without restriction, including:
- Industry benchmark reports and market analysis
- Academic or commercial research regarding compliance monitoring practices
- Marketing materials demonstrating Platform value and typical customer outcomes
- Product development and machine learning model training
Anonymization Standards: We employ technical measures designed to ensure anonymization is irreversible and that re-identification is not reasonably possible using available means. These measures include data aggregation, generalization, suppression of outliers, and removal of unique identifiers.
No Re-identification: We do not attempt to re-identify anonymized data and contractually prohibit third parties receiving anonymized data from attempting re-identification.
6.5 Customer-Authorized Disclosures
We may disclose Personal Information to third parties when customers explicitly authorize or direct such disclosure, including:
- Additional Integrations: Sharing data necessary to enable customer-authorized third-party integrations beyond those identified in Section 6.1
- Data Exports: Providing data in response to customer-initiated export requests or data portability exercises
- Collaborative Access: Sharing data with additional users, team members, or external parties at customer direction
- API Access: Disclosing data to customer-authorized applications via API connections (if applicable)
Authorization may be withdrawn at any time by disconnecting integrations, revoking API access, or contacting support@lenzo.ai.
6.6 No Sale of Personal Information
CCPA/CPRA Compliance Statement: Genio Group, Inc. does not and will not sell Personal Information as the term "sell" or "sale" is defined under the California Consumer Privacy Act (Cal. Civ. Code § 1798.140) and California Privacy Rights Act.
No Monetary Exchange: We do not exchange, rent, lease, or otherwise provide Personal Information to third parties for monetary consideration or other valuable consideration.
No Data Brokerage: We do not engage in data brokerage activities, do not provide Personal Information to marketing list compilers, and do not participate in data sharing arrangements characteristic of advertising technology ecosystems.
Disclosure for Business Purposes: All third-party disclosures of Personal Information described in this Section 6 constitute disclosures for business purposes (CCPA terminology) or necessary service provider engagements, not sales of Personal Information.
7. INTERNATIONAL DATA TRANSFERS
7.1 Cross-Border Data Processing
Genio Group, Inc. is headquartered in the United States, and our primary data processing operations are conducted within the United States. Personal Information collected through the Services is transferred to, stored in, and processed in the United States and potentially other jurisdictions where our service providers maintain operations.
Primary Processing Location: Personal Information is primarily stored and processed in data center facilities located within the United States operated by third-party cloud infrastructure providers engaged by us.
Global Service Provider Infrastructure: Certain service providers identified in Section 6 operate multi-jurisdictional infrastructure and may process Personal Information across various geographic locations as part of their ordinary service delivery operations.
Jurisdictional Differences: The United States and other jurisdictions where Personal Information may be processed may not provide the same level of data protection as the laws of your country or region of residence. In particular, United States government authorities may have broader surveillance and data access powers than authorities in other jurisdictions.
7.2 European Economic Area, United Kingdom, and Switzerland
For individuals and organizations located in the European Economic Area (EEA), United Kingdom, or Switzerland, we implement legally recognized transfer mechanisms and appropriate safeguards for Personal Information transferred from these regions to the United States or other third countries.
7.2.1 Legal Transfer Mechanisms
Standard Contractual Clauses (Primary Mechanism): We rely on Standard Contractual Clauses (SCCs) as our primary legal mechanism for transferring Personal Information from the EEA, UK, or Switzerland to jurisdictions not subject to adequacy decisions under GDPR Article 45.
European Commission SCCs: For transfers from the EEA, we implement the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 (European Commission Implementing Decision (EU) 2021/914 of 4 June 2021).
UK International Data Transfer Agreement: For transfers from the United Kingdom, we implement either (i) the UK International Data Transfer Agreement (IDTA) issued by the UK Information Commissioner's Office, or (ii) the UK Addendum to the EU Standard Contractual Clauses, as appropriate to the specific transfer arrangement.
Swiss Data Transfer Provisions: For transfers from Switzerland, we implement the European Commission SCCs as modified and approved by the Swiss Federal Data Protection and Information Commissioner (FDPIC) for compliance with the Swiss Federal Act on Data Protection (FADP).
Data Processing Agreements: Business customers located in the EEA, UK, or Switzerland may execute our Data Processing Agreement (DPA), which incorporates applicable Standard Contractual Clauses and establishes the respective data protection obligations of the parties. The DPA is available upon request to support@lenzo.ai.
7.2.2 Supplementary Security Measures
In addition to implementing Standard Contractual Clauses, we apply supplementary technical and organizational measures to ensure appropriate protection for Personal Information transferred internationally, in accordance with recommendations from the European Data Protection Board (EDPB):
Strong Encryption: Personal Information is encrypted both during transmission (using TLS encryption with strong cipher suites) and at rest (using encryption algorithms meeting industry standards). Encryption keys are managed through secure key management systems with restricted access controls.
Access Restrictions: Access to Personal Information is restricted to authorized personnel who require such access to perform their designated job functions. Access is governed by role-based access control policies implementing the principle of least privilege.
Contractual Protections: Service providers processing Personal Information on our behalf are contractually obligated to implement appropriate security measures, limit processing to documented instructions, maintain confidentiality, and comply with applicable data protection requirements.
Data Minimization in Transfer: We transfer only the categories and volumes of Personal Information necessary to accomplish specified legitimate purposes, avoiding transfer of excessive or unnecessary data.
7.3 International Transfer Risk Acknowledgment
Explicit Acknowledgment Required: By creating an account and using the Services, you explicitly acknowledge that:
- Personal Information will be transferred to and processed in the United States
- The United States may not provide equivalent data protection to your jurisdiction of residence
- United States government authorities may have legal powers to access Personal Information under circumstances that may not exist in other jurisdictions
- Despite implementation of Standard Contractual Clauses and supplementary safeguards, cross-border transfers inherently carry risks that differ from purely domestic processing
Not Consent for GDPR Purposes: This acknowledgment constitutes your informed understanding of cross-border transfer risks. For EEA, UK, and Swiss individuals, this acknowledgment does not constitute "consent" under GDPR Article 49(1)(a) as our legal basis for transfers. We rely on Standard Contractual Clauses described in Section 7.2.1 as our transfer mechanism for such individuals.
Right to Object: Individuals may object to international transfers of their Personal Information. However, because our Platform infrastructure is deployed exclusively in the United States, objection to international transfers may result in our inability to provide Services to you. Contact support@lenzo.ai to discuss concerns regarding international transfers.
8. DATA SECURITY
Genio Group, Inc. implements technical, administrative, and physical security measures designed to protect Personal Information from unauthorized access, use, disclosure, alteration, or destruction. While we employ security practices appropriate to the sensitivity of information processed and consistent with industry standards, no security system is impenetrable, and we cannot guarantee absolute security of Personal Information.
8.1 Technical Security Measures
8.1.1 Encryption and Cryptography
Encryption at Rest: Personal Information stored in production databases, file storage systems, and backup infrastructure is encrypted using industry-standard encryption algorithms. Encryption protects data confidentiality in the event of unauthorized physical access to storage media or improper data disposal.
Encryption in Transit: All transmission of Personal Information between end-user devices and our Platform, between Platform components, and between our Platform and integrated third-party services is protected using Transport Layer Security (TLS) encryption or equivalent cryptographic protocols. We do not support outdated or deprecated protocols known to have security vulnerabilities.
Cryptographic Key Management: Encryption keys are managed using dedicated key management services provided by our cloud infrastructure providers, with access restricted to authorized systems and personnel. Key management practices include logical separation of keys from encrypted data, regular key rotation where operationally feasible, and comprehensive audit logging of key access and usage.
Password Hashing: User passwords are never stored in recoverable plaintext form. Passwords are processed using cryptographic hash functions with computational complexity designed to resist brute-force attacks, rainbow table attacks, and other password recovery techniques. Each password is hashed with a unique cryptographic salt preventing identical passwords from producing identical hash values.
8.1.2 Network and Infrastructure Security
Network Access Controls: Platform infrastructure is protected by network firewalls and access control lists restricting inbound and outbound network traffic to authorized protocols, ports, and source addresses. Default-deny policies block unauthorized network communications.
Network Monitoring: We employ monitoring systems that analyze network traffic patterns, system logs, and authentication events to identify anomalous behavior potentially indicating security incidents, unauthorized access attempts, or system compromises.
DDoS Protection: Our cloud infrastructure providers implement Distributed Denial of Service (DDoS) protection mechanisms designed to detect and mitigate volumetric attacks, protocol attacks, and application-layer attacks targeting service availability.
Vulnerability Management: We conduct periodic vulnerability assessments of infrastructure and application code to identify known security vulnerabilities. Identified vulnerabilities are prioritized for remediation based on severity, exploitability, and potential impact.
8.2 Security Disclaimer
NO GUARANTEE OF SECURITY: DESPITE IMPLEMENTATION OF SECURITY MEASURES DESCRIBED IN THIS SECTION, GENIO GROUP, INC. CANNOT AND DOES NOT GUARANTEE THAT PERSONAL INFORMATION WILL BE COMPLETELY SECURE FROM UNAUTHORIZED ACCESS, INTERCEPTION, ALTERATION, OR DESTRUCTION. NO METHOD OF TRANSMISSION OVER THE INTERNET OR METHOD OF ELECTRONIC STORAGE IS COMPLETELY SECURE.
USER ACKNOWLEDGMENT: BY USING THE SERVICES, YOU ACKNOWLEDGE AND ACCEPT THE INHERENT RISKS ASSOCIATED WITH ELECTRONIC DATA TRANSMISSION AND STORAGE. YOU AGREE THAT GENIO GROUP, INC. SHALL NOT BE LIABLE FOR ANY UNAUTHORIZED ACCESS TO, INTERCEPTION OF, OR ALTERATION OF PERSONAL INFORMATION, EXCEPT TO THE EXTENT SUCH LIABILITY CANNOT BE EXCLUDED UNDER APPLICABLE LAW.
9. DATA RETENTION
9.1 Retention Principles
We retain Personal Information only for as long as necessary to fulfill the purposes for which it was collected, satisfy legal and regulatory retention requirements, and support legitimate business operations. Retention periods vary based on data category, applicable legal requirements, and ongoing business necessity.
9.2 Retention Periods by Data Category
9.2.1 Account and Registration Data
Active Accounts: Account data is retained for the duration of the business relationship while accounts remain active and subscriptions are maintained.
Closed Accounts: Following account closure or subscription termination, account data is retained for twenty-four (24) months to support potential account reactivation, resolve post-termination disputes, and satisfy audit requirements.
Post-Retention Deletion: Following expiration of retention periods, account data is deleted in accordance with procedures described in Section 9.3, subject to exceptions in Section 9.4.
9.2.2 Billing and Financial Records
Transaction Records: Records of subscription payments, invoices, billing statements, and payment history are retained for seven (7) years from transaction date to satisfy tax documentation requirements, support financial audits, and enable dispute resolution.
Payment Methods: Tokenized payment method references are retained for the duration of the business relationship plus twelve (12) months following termination. Actual payment card numbers are never stored by Genio Group, Inc.
9.2.3 Security and Audit Logs
Security and Audit Logs: Access logs recording authentication to sensitive systems, administrative actions, security events, data access patterns, and compliance-relevant activities are retained for a minimum of twelve (12) months and a maximum of twenty-four (24) months unless longer retention is required for security investigations, legal proceedings, or regulatory examinations.
9.2.4 Compliance and Screening Data
Screening Records: Records of sanctions screening, denied party screening, and compliance checks are retained for seven (7) years to support audit requirements and regulatory compliance.
Alert History: Regulatory alert history and status changes are retained for seven (7) years following generation.
Classification Records: Product classification records and export control documentation are retained for seven (7) years or longer as required by applicable export control regulations.
9.2.5 Technical and Usage Data
Application Logs: Technical logs recording system operations, user interactions, feature usage, error conditions, and performance metrics are retained for ninety (90) days unless extended retention is necessary for debugging critical issues, security investigations, or performance optimization initiatives.
Anonymized Analytics: Usage statistics, feature adoption metrics, and behavioral patterns that have been properly anonymized such that re-identification is not reasonably possible may be retained indefinitely for product development, business intelligence, and industry research purposes.
9.3 Data Deletion Methods and Procedures
9.3.1 Automated Deletion Systems
Scheduled Deletion Processes: Automated deletion jobs execute on regular schedules (typically daily) to identify Personal Information exceeding defined retention periods and queue such information for secure deletion.
Deletion Verification: Deletion operations are logged with sufficient detail to verify successful completion, including record counts, categories of data deleted, deletion timestamps, and confirmation of completion status.
9.3.2 Manual Deletion Requests
Submission Methods: Users may request deletion of their Personal Information through:
- Account settings interface (where self-service deletion is technically implemented)
- Email request to support@lenzo.ai with subject line "Data Deletion Request"
- Completed Data Subject Request Form (available at lenzo.ai/privacy-request if implemented)
- Written request to Genio Group, Inc. referencing this Privacy Policy
Processing Timeline: Deletion requests are processed within the following timeframes:
- GDPR Requests (EEA/UK/Swiss residents): Thirty (30) days from receipt and successful identity verification, extendable to sixty (60) days for complex requests with notice of extension
- CCPA Requests (California residents): Forty-five (45) days from receipt and successful identity verification, extendable by an additional forty-five (45) days for complex requests with notice of extension
- Other Jurisdictions: Sixty (60) days from receipt and successful identity verification unless a shorter timeframe is required by applicable law
9.4 Exceptions to Deletion and Extended Retention
Notwithstanding the retention periods in Section 9.2 and user deletion requests under Section 9.3.2, we may retain Personal Information for longer periods or decline deletion where:
- Applicable statutes, regulations, or rules require retention
- Information is subject to pending litigation, arbitration, government investigations, or regulatory examinations
- Retention is necessary to detect, prevent, or investigate fraud, abuse of Services, or violations of Terms of Service
- Information is necessary to establish, exercise, or defend legal claims during applicable statute of limitations periods
10. USER RIGHTS
Depending on your jurisdiction of residence, you may have legal rights regarding Personal Information we Process about you. This Section describes rights available under major data protection frameworks. The specific rights available to you depend on applicable law in your jurisdiction.
10.1 Rights Under the General Data Protection Regulation (GDPR)
Individuals located in the European Economic Area (EEA), United Kingdom, or Switzerland have the following rights under GDPR, UK GDPR, or Swiss Federal Act on Data Protection:
10.1.1 Right of Access
You have the right to obtain confirmation whether we Process your Personal Data and, where we do, to access such Personal Data along with supplementary information including processing purposes, data categories, recipients, retention periods, and information source.
10.1.2 Right to Rectification
You have the right to obtain correction of inaccurate Personal Data and completion of incomplete Personal Data concerning you.
10.1.3 Right to Erasure
Subject to certain exceptions, you have the right to obtain erasure of Personal Data where processing is no longer necessary, you withdraw consent, you object to processing, processing is unlawful, or erasure is required for legal compliance.
10.1.4 Right to Restriction
You have the right to obtain restriction of processing where you contest accuracy, processing is unlawful but you oppose erasure, we no longer need the data but you require it for legal claims, or you have objected pending verification.
10.1.5 Right to Data Portability
You have the right to receive Personal Data you provided to us in structured, commonly used, machine-readable format, and to transmit such data to another controller where processing is based on consent or contract and carried out by automated means.
10.1.6 Right to Object
You have the right to object to processing based on legitimate interests, including profiling, on grounds relating to your particular situation. We must cease processing unless we demonstrate compelling legitimate grounds overriding your interests, rights, and freedoms, or processing is necessary for legal claims.
10.2 Rights Under California Consumer Privacy Act (CCPA/CPRA)
California residents have the following rights under CCPA as amended by CPRA:
10.2.1 Right to Know
You have the right to request disclosure of categories and specific pieces of Personal Information collected, sources, business purposes, and third parties with whom information is shared.
10.2.2 Right to Delete
You have the right to request deletion of Personal Information we collected from you, subject to exceptions including legal obligations, security purposes, and completion of transactions.
10.2.3 Right to Correct
You may request correction of inaccurate Personal Information we maintain about you.
10.2.4 Right to Non-Discrimination
We do not discriminate against individuals for exercising CCPA rights.
10.3 Exercising Your Rights
Email: support@lenzo.ai (subject: "Privacy Rights Request")
Required Information in Request:
- Full name
- Email address associated with account
- Specific right you wish to exercise
- Sufficient detail to locate your information
- Preferred response delivery method
11. COOKIES AND TRACKING TECHNOLOGIES
Genio Group, Inc. uses cookies, web beacons, local storage, and similar tracking technologies on the Lenzo Platform to enable functionality, analyze usage patterns, and support legitimate business operations.
11.1 Categories of Tracking Technologies We Use
11.1.1 Strictly Necessary Technologies
These technologies are essential for Platform operation and cannot be disabled without rendering the Services inoperable or severely impairing functionality.
Purpose and Use:
- Authentication: Maintaining logged-in sessions, verifying user identity, managing authentication state across Platform navigation
- Security: Preventing cross-site request forgery (CSRF) attacks, detecting suspicious activity patterns, protecting against unauthorized access
- Session Management: Preserving application state during multi-step processes
11.1.2 Analytics and Performance Technologies
These technologies collect information about Platform usage patterns, performance metrics, and user interactions to support product improvement, issue identification, and performance optimization.
Third-Party Analytics Services:
We use third-party analytics platforms that collect information pursuant to their own privacy policies:
- Google Analytics (Google LLC): https://policies.google.com/privacy
- Mixpanel (Mixpanel, Inc.): https://mixpanel.com/legal/privacy-policy/
- PostHog (PostHog, Inc.): https://posthog.com/privacy
- Meta/Facebook Ads (Meta Platforms, Inc.): https://www.facebook.com/privacy/explanation
- LinkedIn Ads (LinkedIn Corporation): https://www.linkedin.com/legal/privacy-policy
- LinkedIn Sales Navigator (LinkedIn Corporation): https://www.linkedin.com/legal/privacy-policy
- OpenAI/ChatGPT (OpenAI, L.L.C.): https://openai.com/privacy
- xAI/Grok (xAI Corp.): https://x.ai/privacy
- X (Twitter) (X Corp.): https://twitter.com/privacy
11.2 Managing Cookie Preferences
Browser Controls: Most web browsers allow you to manage cookies through browser settings. You can typically:
- View cookies stored on your device
- Delete all or specific cookies
- Block third-party cookies
- Block all cookies from specific sites
12. THIRD-PARTY LINKS AND SERVICES
The Lenzo Platform interacts with third-party services through integrations, may contain links to external websites, and relies on third-party service providers for certain functionality.
12.1 Third-Party Data Sources
Regulatory Data Sources: The Platform accesses sanctions lists, denied party lists, and regulatory information from government and third-party sources. We do not control the accuracy, completeness, or timeliness of these sources.
DISCLAIMER: GENIO GROUP, INC. DOES NOT WARRANT THE ACCURACY, COMPLETENESS, OR TIMELINESS OF ANY THIRD-PARTY DATA SOURCES. YOU MUST INDEPENDENTLY VERIFY ALL INFORMATION AND ARE SOLELY RESPONSIBLE FOR ALL COMPLIANCE DECISIONS.
12.2 External Website Links
No Endorsement Implied: Inclusion of links does not constitute endorsement, recommendation, approval, or representation regarding:
- Accuracy, completeness, or reliability of third-party content
- Quality, safety, or legality of third-party products or services
- Privacy practices or data security of third-party websites
No Control or Responsibility: We do not control, operate, monitor, or assume responsibility for content published on third-party websites, products or services offered by third parties, or privacy practices or data collection by third-party websites.
User Responsibility and Due Diligence: You access third-party websites at your own risk.
13. CHILDREN'S PRIVACY
Age Restriction: The Lenzo Platform is designed exclusively for business use by adults acting in their professional capacities. The Services are not directed to individuals under the age of 18.
No Collection from Minors: We do not knowingly collect Personal Information from individuals under 18 years of age.
14. AUTOMATED DECISION-MAKING
Automated Processing: We use automated systems, including machine learning algorithms, to analyze entity data, conduct screening, and generate compliance-related suggestions.
Human Decision Authority: We do not make decisions producing legal effects or similarly significantly affecting you based solely on automated processing. Material compliance decisions are made by authorized representatives of customer organizations.
DISCLAIMER: Automated systems are imperfect and may produce errors including false positives and false negatives. Users must validate all automated determinations before making compliance decisions. ALL COMPLIANCE DECISIONS REMAIN THE SOLE RESPONSIBILITY OF THE USER.
15. SECURITY INCIDENT NOTIFICATION
Incident Response: We maintain procedures for detecting, investigating, and responding to security incidents affecting Personal Information.
Regulatory Notification: Where incidents constitute personal data breaches, we notify relevant supervisory authorities and affected individuals as required by applicable law.
No Guarantee: Despite security measures, we cannot guarantee that incidents will never occur. No security system is impenetrable.
16. BUSINESS TRANSFERS
Corporate Transactions: In the event of merger, acquisition, asset sale, bankruptcy, or similar corporate transaction, Personal Information may be transferred to successor entities as a business asset.
Successor Obligations: This Privacy Policy continues to apply to previously collected Personal Information after transfer until users receive notice of changed practices.
17. CHANGES TO PRIVACY POLICY
Modification Rights: We may modify this Privacy Policy at any time to reflect changes in practices, legal requirements, or business operations.
Material Changes: For material changes significantly affecting privacy rights or expanding data collection, use, or disclosure, we provide:
- Email notice to registered addresses at least thirty (30) days before the effective date where feasible
- Conspicuous Platform notice
- Updated Privacy Policy with revised effective date
Acceptance: Continued use of Services after the effective date of changes constitutes acceptance, except where applicable law requires affirmative consent.
18. LIMITATION OF LIABILITY AND INDEMNIFICATION
18.1 Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW:
NO LIABILITY FOR COMPLIANCE DECISIONS: GENIO GROUP, INC. SHALL HAVE NO LIABILITY WHATSOEVER FOR ANY COMPLIANCE DECISIONS MADE BY YOU OR YOUR ORGANIZATION, WHETHER BASED ON INFORMATION PROVIDED BY THE PLATFORM OR OTHERWISE. ALL COMPLIANCE DECISIONS ARE YOUR SOLE RESPONSIBILITY.
NO LIABILITY FOR REGULATORY CONSEQUENCES: GENIO GROUP, INC. SHALL NOT BE LIABLE FOR ANY REGULATORY PENALTIES, FINES, ENFORCEMENT ACTIONS, LICENSE REVOCATIONS, DEBARMENT, CRIMINAL CHARGES, CIVIL LIABILITY, OR ANY OTHER REGULATORY CONSEQUENCES ARISING FROM YOUR USE OF THE SERVICES.
NO LIABILITY FOR DATA ACCURACY: GENIO GROUP, INC. SHALL NOT BE LIABLE FOR ANY INACCURACIES, ERRORS, OMISSIONS, OR OUTDATED INFORMATION IN SCREENING RESULTS, REGULATORY DATA, OR ANY OTHER INFORMATION PROVIDED THROUGH THE PLATFORM.
NO LIABILITY FOR THIRD-PARTY DATA: GENIO GROUP, INC. SHALL NOT BE LIABLE FOR THE ACCURACY, COMPLETENESS, OR TIMELINESS OF ANY THIRD-PARTY DATA SOURCES INCLUDING GOVERNMENT SANCTIONS LISTS, DENIED PARTY LISTS, AND REGULATORY DATABASES.
EXCLUSION OF DAMAGES: IN NO EVENT SHALL GENIO GROUP, INC., ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, OR LICENSORS BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, PUNITIVE, OR EXEMPLARY DAMAGES, INCLUDING BUT NOT LIMITED TO DAMAGES FOR LOSS OF PROFITS, GOODWILL, USE, DATA, OR OTHER INTANGIBLE LOSSES, ARISING OUT OF OR RELATING TO YOUR USE OF OR INABILITY TO USE THE SERVICES, REGARDLESS OF WHETHER SUCH DAMAGES ARE BASED ON WARRANTY, CONTRACT, TORT (INCLUDING NEGLIGENCE), STATUTE, OR ANY OTHER LEGAL THEORY, AND WHETHER OR NOT WE HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
MAXIMUM LIABILITY: TO THE EXTENT LIABILITY CANNOT BE COMPLETELY EXCLUDED UNDER APPLICABLE LAW, GENIO GROUP, INC.'S TOTAL CUMULATIVE LIABILITY FOR ALL CLAIMS ARISING OUT OF OR RELATING TO THIS PRIVACY POLICY OR THE SERVICES SHALL NOT EXCEED THE GREATER OF (A) THE AMOUNTS PAID BY YOU TO GENIO GROUP, INC. FOR THE SERVICES DURING THE TWELVE (12) MONTHS IMMEDIATELY PRECEDING THE EVENT GIVING RISE TO THE CLAIM, OR (B) ONE HUNDRED UNITED STATES DOLLARS ($100.00).
18.2 User Indemnification
INDEMNIFICATION OBLIGATION: YOU AGREE TO INDEMNIFY, DEFEND, AND HOLD HARMLESS GENIO GROUP, INC., ITS AFFILIATES, OFFICERS, DIRECTORS, EMPLOYEES, AGENTS, AND LICENSORS FROM AND AGAINST ANY AND ALL CLAIMS, DAMAGES, LOSSES, LIABILITIES, COSTS, AND EXPENSES (INCLUDING REASONABLE ATTORNEYS' FEES AND COSTS) ARISING OUT OF OR RELATING TO:
- YOUR USE OF OR RELIANCE ON THE SERVICES
- YOUR COMPLIANCE DECISIONS OR ACTIONS
- YOUR VIOLATION OF APPLICABLE LAWS OR REGULATIONS
- YOUR VIOLATION OF THIS PRIVACY POLICY OR THE TERMS OF SERVICE
- YOUR VIOLATION OF ANY RIGHTS OF THIRD PARTIES
- ANY CLAIMS BY REGULATORY AUTHORITIES, GOVERNMENT AGENCIES, OR THIRD PARTIES RELATING TO YOUR COMPLIANCE ACTIVITIES
18.3 Acknowledgment of Risk
YOU EXPRESSLY ACKNOWLEDGE AND AGREE THAT:
- THE PLATFORM IS PROVIDED AS A SUPPLEMENTARY INFORMATIONAL TOOL ONLY
- YOU BEAR SOLE RESPONSIBILITY FOR ALL COMPLIANCE DECISIONS AND ACTIONS
- GENIO GROUP, INC. DOES NOT PROVIDE LEGAL, REGULATORY, OR PROFESSIONAL COMPLIANCE ADVICE
- YOU MUST ENGAGE QUALIFIED LEGAL AND COMPLIANCE PROFESSIONALS FOR YOUR COMPLIANCE PROGRAM
- YOU MUST INDEPENDENTLY VERIFY ALL INFORMATION PROVIDED BY THE PLATFORM
- YOU ASSUME ALL RISKS ASSOCIATED WITH USE OF THE PLATFORM
19. DISPUTE RESOLUTION AND SUPERVISORY AUTHORITIES
Data Protection Authorities:
EEA Supervisory Authorities: EEA residents may lodge complaints with data protection authorities in their country of residence. Contact information: https://edpb.europa.eu/about-edpb/board/members_en
UK Information Commissioner's Office:
Website: https://ico.org.uk
Telephone: +44 (0) 303 123 1113
Swiss Federal Data Protection Commissioner:
Website: https://www.edoeb.admin.ch
Email: info@edoeb.admin.ch
U.S. Regulatory Authorities:
Federal Trade Commission:
Website: https://www.ftc.gov
Complaint Portal: https://reportfraud.ftc.gov
California Privacy Protection Agency:
Website: https://cppa.ca.gov
Direct Contact Encouraged: Before lodging regulatory complaints, we encourage contacting us directly at support@lenzo.ai to attempt informal resolution.
20. CONTACT INFORMATION
Privacy Inquiries:
Email: support@lenzo.ai
Subject Line Guidance: Include "Privacy Inquiry," "Data Subject Request," or specific request type for efficient routing
Response Time: We acknowledge inquiries within ten (10) business days and provide substantive responses within thirty (30) days, or within timeframes specified by applicable law for specific request types.
Company Information:
Legal Name: Genio Group, Inc.
Trade Name: Lenzo
Incorporation: Delaware, United States
Website: https://www.lenzo.ai/
21. EFFECTIVE DATE AND ACCEPTANCE
Effective Date: January 1, 2024
Last Updated: December 20, 2025
Acceptance: By accessing or using the Lenzo Platform, creating an account, or engaging with our Services on or after the Effective Date, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy, including all disclaimers, limitations of liability, and assumption of risk provisions contained herein.
Superseding Effect: This Privacy Policy supersedes all prior privacy policies, notices, or statements related to the Lenzo Platform, except to the extent that prior versions govern Personal Information collected under such versions per Section 17 (no retroactive application unless legally required or consented to).
Complete Agreement: This Privacy Policy, together with our Terms of Service, constitutes the complete agreement regarding privacy practices and data protection obligations.
Severability: If any provision is found invalid, illegal, or unenforceable, it will be modified to the minimum extent necessary to make it valid and enforceable, or if modification is not possible, severed. All other provisions remain in full force and effect.
Survival: Provisions that by their nature should survive termination of Services or account closure will survive, including data retention obligations, limitation of liability, indemnification, dispute resolution, and governing law provisions.
