Privacy Policy — GeraReach
Last updated: 2026-06-12 · Version 2026.05.09
This privacy policy explains how GeraReach (reach.gera.services), operated by Gera Systems Ltd (registered in England and Wales), collects, uses, and protects your personal data. It is written to satisfy UK GDPR and the Data Protection Act 2018 as a baseline, with additional callouts for EU/EEA visitors (GDPR), California residents (CCPA/CPRA), Brazil (LGPD), Canada (PIPEDA), Singapore/Thailand/Malaysia (PDPA), and Gulf-region data localisation requirements.
1. Who we are
The data controller is Gera Systems Ltd. The data protection contact is privacy@gera.services. Postal correspondence may be sent to our registered office in England.
2. What this product does
GeraReach is the customer acquisition operating layer for Gera operations and B2B subscribers.
3. Personal data we collect
| Category | What we collect | Lawful basis | Default retention |
|---|---|---|---|
| identity | Name, date of birth, gender (where you choose to provide it). | contract, consent | 24 months |
| contact | Email address, phone number, postal/billing address. | contract, consent | 24 months |
| authentication | Password hashes, MFA seeds, session tokens, login history. | contract, legitimate_interests | 12 months |
| payment | Payment metadata (last four digits of your card, billing country, Stripe customer reference). We do NOT store full card numbers — Stripe handles that on their PCI-DSS-compliant systems. | contract, legal_obligation | 85 months |
| usage | Device type, browser, IP address, page views, click events. | legitimate_interests, consent | 12 months |
| communications | Support tickets, in-product chat, transactional emails. Recordings of voice/video calls only with both-party consent where applicable law requires. | contract, legitimate_interests | 24 months |
4. Why we use your data (purposes)
- To provide the GeraReach service to you (Art 6(1)(b) — contract).
- To keep the service safe, fraud-free, and reliable (Art 6(1)(f) — legitimate interests).
- To comply with applicable laws (Art 6(1)(c) — legal obligation), including AML/KYC where applicable.
- For analytics and improvement (Art 6(1)(f) — legitimate interests / Art 6(1)(a) — consent for non-essential analytics where required by law).
- To operate AI features. We do not train foundation models on your data without explicit consent.
5. Who we share your data with
- Sub-processors that help operate the service (hosting, payments, email, analytics). A current list is published at /legal/sub-processors.
- Counterparties to a transaction you initiate (e.g. the doctor you book, the restaurant you order from).
- Authorities where legally required.
We do not sell your personal data. We do not share data with insurers, employers, or third-party advertisers without your explicit opt-in.
6. International transfers
Your data may be processed in jurisdictions outside your country of residence. Where data leaves the UK or EEA, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses (SCCs). Suppliers in the UK adequacy list, and US suppliers participating in the EU-US Data Privacy Framework, are used where possible.
7. Your rights
You can:
- Access the data we hold about you (Art 15)
- Correct inaccurate data (Art 16)
- Erase your account (Art 17) — see /account/delete
- Export your data in a machine-readable format (Art 20) — see /account/export
- Object to processing or restrict processing (Art 18, 21)
- Withdraw consent at any time without affecting prior processing (Art 7(3))
- Lodge a complaint with a supervisory authority (UK: Information Commissioner's Office, ico.org.uk)
California residents have additional rights under CCPA/CPRA including the right to know what we have collected in the past 12 months, the right to delete, and the right to opt out of "selling" or "sharing" — although we do not sell or share for cross-context behavioural advertising.
Brazilian residents have rights under LGPD; Canadians under PIPEDA; Singapore/Thailand/Malaysia under PDPA. The substance is materially similar; contact privacy@gera.services to exercise any right.
8. Children
GeraReach is not intended for children under 13 (under 16 in some EU jurisdictions). Where the product offers gameplay (Gera games portfolio) we apply the UK Children's Code: age gates, no behavioural advertising, and minimum data collection.
9. Security
We use TLS in transit, encryption at rest for sensitive data, role-based access controls, audit logs, and regular vulnerability scanning. Despite reasonable precautions, no system is perfectly secure; we maintain a breach-notification procedure aligned to GDPR Article 33/34.
10. AI disclosures
This product includes AI-driven features. Where you interact with an AI agent, that fact is disclosed in the UI. We classify our AI systems under the EU AI Act as "limited risk" — see /legal/ai-act.
We do not use your inputs to train foundation models without your explicit, granular consent. Inference data is processed transiently and not retained beyond what is necessary to deliver the response and audit the interaction.
11. Cookies
For a full list of cookies we set and how to manage them, see our cookie policy. You can change your preferences at any time at /cookie-settings.
12. Changes to this policy
We update this policy when our practices change or when required by law. Material changes are notified by email or in-product. Older versions are kept in our git history at the public Gera repository.
13. Contact
Privacy questions: privacy@gera.services. General support: support@gera.services.
Country-localised versions of this policy are available at /legal/privacy/<CC> for select markets. In the event of a conflict between this English baseline and a localised version, the localised version applies for residents of that country.