Geb AI
/
Start chatting

Data Handling Policy

Last updated: April 21, 2026

This Data Handling Policy explains where and how Geb AI (operated by Green Union Capital Inc.) stores and processes your data, complementing our Privacy Policy.

1. Infrastructure

  • Hosting: Google Cloud Platform, primary region europe-west4 (Netherlands).
  • Application runtime: Google Cloud Run (stateless containers, auto-scaled).
  • Database: Google Cloud SQL for PostgreSQL, private connectivity only.
  • AI models: Karnak (self-hosted on Vertex AI) for primary chat; Google Gemini (managed API) for complementary capabilities such as long-document understanding.
  • File uploads (Pro plan and above): Google Cloud Storage with lifecycle-based auto-expiry.
  • Authentication: Google Firebase Authentication.
  • Payments: Stripe (PCI-DSS Level 1 certified).

2. Data flow

  1. Your browser sends a request to api.gebai.ca (Cloud Run backend).
  2. The backend verifies your Firebase ID token.
  3. The backend persists your message to PostgreSQL and forwards it to the AI model.
  4. The AI model returns a response, which is persisted to PostgreSQL and returned to your browser.
  5. Usage telemetry is recorded for billing and operational purposes.

Message content is transmitted over TLS 1.2+ and stored encrypted at rest.

3. Retention

  • Chat messages and folders: retained until you delete them.
  • Uploaded files: automatically purged 30 days after last access unless saved to a chat.
  • Usage telemetry: retained up to 24 months for analytics, fraud detection, and service improvement.
  • Account records: retained while active and for a limited period after closure to comply with tax and legal obligations.

4. Training data

We do not use your conversations to train our AI models without your explicit opt-in consent. Karnak is a third-party model developed by the Applied Innovation Center; we host it but do not fine-tune it on customer data. Our complementary models (including Google Gemini) are used under terms that prohibit training on customer content.

5. Access controls

  • Production database access is restricted to authorized personnel for operational purposes only.
  • All production access is logged and audited.
  • Secrets (API keys, database credentials) are stored in Google Secret Manager with least-privilege IAM policies.
  • Two-factor authentication is required for all operator accounts.

6. Data breach notification

In the unlikely event of a data breach that compromises personal information, we will notify affected users and applicable data protection authorities within the timelines required by law (including 72 hours under the EU GDPR and as soon as feasible under Canada's PIPEDA).

7. Data export and deletion

You can export your chat history and delete individual conversations through the Service. For full account deletion or complete data export, email privacy@gebai.ca. We respond within 30 days.

8. Enterprise data sovereignty

Customers with specific regulatory requirements (MENA data residency, sector-specific compliance) can discuss dedicated deployment options. Contact enterprise@gebai.ca.

9. Sub-processors

Current third-party sub-processors:

  • Google LLC (Cloud infrastructure, Firebase Authentication, Gemini API)
  • Applied Innovation Center (Karnak model provider)
  • Stripe, Inc. (payments)

We will update this list when sub-processors change and will notify affected users where legally required.

10. Contact

Green Union Capital Inc.
Privacy inquiries: privacy@gebai.ca
Enterprise: enterprise@gebai.ca