Privacy Policy

The short version: We collect only what we need to run GrantAI, we never sell your data, we don't use your grant content to train AI models without your consent, and you can delete your account and data at any time. Read on for the full details.

Who We Are
Data We Collect
How We Use Your Data
Legal Basis for Processing
Data Sharing & Third Parties
Data Retention
Cookies & Tracking
Data Security
Your Rights
Children's Privacy
International Transfers
California Privacy (CCPA)
Changes to This Policy
Contact & Data Requests

1 Who We Are

[COMPANY LEGAL NAME], operating as GrantAI, is the data controller responsible for your personal information. We are registered in [STATE/COUNTRY].

This Privacy Policy explains how we collect, use, share, and protect information about you when you use the GrantAI website, platform, and related services (collectively, the "Service"). It applies to all users including visitors, free tier users, and paid subscribers.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree, please discontinue use of the Service.

2 Data We Collect

We collect the following categories of information:

Category	What We Collect	Source
Account Data	Name, email address, password (hashed), account creation date	You provide directly on signup
Organization Profile	Organization name, type, EIN (optional), state, staff size, mission statement, focus areas, populations served, geography, funding goals	You provide via the Org Profile wizard
Usage Data	Pages visited, features used, grant searches performed, tabs clicked, session duration, browser type, device type, IP address	Automatically collected via our platform
Grant Pipeline Data	Grants you save, pipeline stage, application notes, deadlines you track	You create through use of the Service
AI Writing Content	Grant application drafts generated using our AI tools, sections you edit and save	Generated by you using our AI tools
Payment Data	Billing name, address, last 4 digits of card, transaction history. Full card numbers are never stored by us.	Processed by our payment provider (Stripe)
Communications	Emails you send to support, feedback submissions, survey responses	You provide directly
Cookies & Technical Data	Session tokens, preference cookies, analytics identifiers	Automatically set by our platform

Data we do NOT collect: We do not collect Social Security numbers, full financial account numbers, health records, biometric data, or any sensitive personal information beyond what is listed above.

3 How We Use Your Data

We use your information for the following purposes:

Providing the Service — to operate, maintain, and improve the GrantAI platform, including processing your searches, generating AI content, and managing your pipeline
Personalization — to tailor grant match scores, search results, and AI-generated content to your organization's profile and mission
Account management — to manage your account, authenticate your identity, and process subscription billing
Communications — to send transactional emails (account confirmations, password resets, billing receipts), product updates, and — with your consent — marketing emails about new features or relevant grant opportunities
Customer support — to respond to your questions, troubleshoot issues, and improve our help resources
Security & fraud prevention — to detect and prevent unauthorized access, abuse, or fraudulent use of the Service
Analytics & improvement — to understand how users interact with the platform and to improve features, performance, and user experience. We use aggregated, anonymized data for this purpose
Legal compliance — to comply with applicable laws, regulations, and legal processes

We do not use your organization's mission statements, grant drafts, or application content to train our AI models without your explicit opt-in consent. Aggregate, anonymized usage patterns may be used to improve matching algorithms.

4 Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA) or United Kingdom, we process your personal data under the following legal bases:

Processing Activity	Legal Basis
Providing the Service (account, platform features, billing)	Contract Performance
Sending transactional emails (receipts, alerts, password resets)	Contract Performance
Security monitoring and fraud prevention	Legitimate Interests
Platform analytics and improvement	Legitimate Interests
Marketing and promotional communications	Consent
Compliance with legal obligations	Legal Obligation

Where we rely on legitimate interests, we have assessed that our interests are not overridden by your rights and freedoms. You may object to processing based on legitimate interests at any time.

5 Data Sharing & Third Parties

We do not sell your personal data. We share data only in the following limited circumstances:

Service providers: We work with trusted third-party vendors who process data on our behalf under strict data processing agreements. These include:
- Stripe — payment processing
- Vercel / hosting provider — infrastructure and deployment
- OpenAI or equivalent — AI writing feature processing (inputs processed but not stored for training)
- Analytics provider (e.g. Plausible or similar privacy-first tool) — anonymized usage analytics
- Email delivery provider — transactional and marketing emails
Legal requirements: We may disclose your information if required by law, court order, or government authority, or where we believe disclosure is necessary to protect our rights, prevent fraud, or ensure user safety
Business transfers: If GrantAI is acquired, merged, or undergoes a change of ownership, your data may be transferred as part of that transaction. We will notify you via email and/or prominent notice on the Service prior to your data becoming subject to a different privacy policy
With your consent: We may share data with third parties when you have given us explicit permission to do so

All third-party service providers are contractually required to handle your data securely, use it only for the purposes we specify, and comply with applicable privacy laws.

6 Data Retention

We retain your personal data for as long as your account is active or as needed to provide the Service. Specifically:

Active accounts: Data is retained for the duration of your account plus a 30-day grace period after cancellation, during which you may re-activate and recover your data
After deletion: Upon account deletion request, we will permanently delete your personal data within 30 days, except where retention is required by law (e.g. billing records required for tax purposes, which we retain for up to 7 years)
Anonymized data: Aggregate, anonymized analytics data may be retained indefinitely as it cannot be used to identify you
Backups: Deleted data may persist in encrypted backup systems for up to 90 days before being permanently purged
Support communications: Emails and support tickets are retained for up to 3 years to help resolve disputes and improve our support quality

7 Cookies & Tracking

We use cookies and similar tracking technologies to operate and improve the Service. Here is what we use:

Cookie Type	Purpose	Duration
Essential	Authentication tokens, session management, security. Required for the Service to function.	Session / up to 30 days
Functional	Remembering your preferences (e.g. billing toggle state, last tab viewed)	Up to 1 year
Analytics	Understanding how users navigate the platform. We use privacy-first analytics that do not track individuals across sites.	Up to 1 year
Marketing	Used only with your consent to measure effectiveness of campaigns	Up to 2 years

Managing cookies: You can control and delete cookies through your browser settings. Disabling essential cookies may prevent the Service from functioning properly. You can also opt out of analytics tracking via the cookie consent banner on first visit.

We do not use cookies to track you across third-party websites.

8 Data Security

We take the security of your data seriously and implement industry-standard measures including:

Encryption in transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
Encryption at rest: Stored data is encrypted using AES-256
Access controls: Access to production systems and customer data is restricted to authorized personnel only, using multi-factor authentication
Password security: User passwords are hashed using bcrypt and are never stored in plain text
Regular audits: We conduct regular security reviews and vulnerability assessments
Incident response: We maintain a data breach response plan. In the event of a breach affecting your data, we will notify you within 72 hours as required by GDPR, and as soon as practicable under other applicable laws

While we implement strong security measures, no system is 100% secure. We encourage you to use a strong, unique password and to contact us immediately at [SECURITY EMAIL] if you suspect unauthorized access to your account.

9 Your Rights

Depending on your location, you have some or all of the following rights regarding your personal data:

👁️

Right to Access

Request a copy of all personal data we hold about you, in a portable format.

✏️

Right to Rectification

Request correction of any inaccurate or incomplete data we hold about you.

🗑️

Right to Erasure

Request deletion of your personal data ("right to be forgotten"), subject to legal retention requirements.

⏸️

Right to Restriction

Request that we limit how we process your data in certain circumstances.

📦

Right to Portability

Receive your data in a structured, machine-readable format to transfer to another service.

🚫

Right to Object

Object to processing based on legitimate interests or for direct marketing purposes.

↩️

Withdraw Consent

Where processing is based on consent, withdraw it at any time without affecting prior processing.

🤖

Automated Decisions

Request human review of any automated decisions that significantly affect you.

To exercise any of these rights, contact us at [PRIVACY EMAIL]. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request. There is no charge for most requests; however, we may charge a reasonable fee for manifestly unfounded or repetitive requests.

If you are in the EEA, you also have the right to lodge a complaint with your local data protection authority (DPA).

10 Children's Privacy

The Service is not directed to individuals under the age of 18. We do not knowingly collect personal information from children. If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [PRIVACY EMAIL] and we will promptly delete such information from our systems.

If we discover that we have inadvertently collected information from a child under 18, we will delete it immediately.

11 International Data Transfers

GrantAI is operated from the United States. If you are accessing the Service from outside the US — including from the European Economic Area, United Kingdom, or Switzerland — your information may be transferred to and processed in the United States.

For transfers from the EEA or UK, we rely on appropriate safeguards including:

Standard Contractual Clauses (SCCs) approved by the European Commission
The UK International Data Transfer Agreement (IDTA) where applicable
Adequacy decisions where they exist

By using the Service, you acknowledge that your data may be transferred to and processed in jurisdictions that may have different privacy laws than your own. We will always ensure appropriate protections are in place.

12 California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

Right to Know: Request disclosure of the categories and specific pieces of personal information we have collected about you, the sources, the purposes, and the third parties with whom we share it
Right to Delete: Request deletion of personal information we have collected, subject to certain exceptions
Right to Correct: Request correction of inaccurate personal information
Right to Opt-Out of Sale/Sharing: We do not sell or share personal information for cross-context behavioral advertising. You do not need to opt out.
Right to Limit Use of Sensitive Personal Information: We do not use sensitive personal information beyond what is necessary to provide the Service
Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights

To submit a CCPA request, contact us at [PRIVACY EMAIL] or use the subject line "California Privacy Request." We will respond within 45 days. You may designate an authorized agent to make requests on your behalf.

Categories of personal information collected in the past 12 months: Identifiers, professional/employment information, internet or other network activity, inferences drawn from the above. See Section 2 for full details.

13 Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will:

Update the "Last updated" date at the top of this page
Notify registered users by email at least 14 days before the changes take effect
Display a prominent notice on the Service for active users
Where required by law, seek your consent before applying material changes

We encourage you to review this Policy periodically. Your continued use of the Service after the effective date of any changes constitutes your acceptance of the updated Policy. If you do not agree to the updated Policy, you should stop using the Service and may request deletion of your account.

14 Contact & Data Requests

For any privacy-related questions, data requests, or to exercise your rights, please contact our Privacy team:

GrantAI Privacy
[COMPANY LEGAL NAME]
[STREET ADDRESS]
[CITY, STATE, ZIP]
Email: [PRIVACY EMAIL]
Subject line for data requests: "Privacy Request — [Your Name]"

We aim to respond to all privacy inquiries within 5 business days and to complete data requests within 30 days (45 days for California residents).

This Privacy Policy was written in plain language to be as transparent and understandable as possible. It does not constitute legal advice. For legal concerns specific to your organization, we recommend consulting a qualified attorney.

Table of Contents