GritFlow
Back to LegalLegal

Privacy Policy

Last updated: June 4, 2026

GritFlow AI, LLC (“GritFlow,” “we,” “us,” or “our”) respects your privacy. This Privacy Policy explains how we collect, use, share, and protect information when you visit our websites, use our Services, or otherwise interact with us. This Policy provides notice of our privacy practices; it is not a contract, and where we need your consent to a particular processing activity, we ask for it separately.

1. Scope and Roles

This Policy applies to personal information we handle as a business. To make our role clear, it helps to understand that GritFlow's world has two layers of personal data, and this Policy governs only the first of them.

The two layers

Layer 1 — Data GritFlow handles for its own purposes (this Policy). This Privacy Policy governs GritFlow's own handling of:

  • information about website visitors and prospective customers;
  • account and billing data for our customers and account administrators;
  • support communications you send to us;
  • product telemetry and Usage Data we generate to operate, secure, and improve the Services;
  • marketing data; and
  • limited account, support, telemetry, billing, security, and usage information that GritFlow handles for its own business purposes. Customer Data — including prompts, content, files, and personal data submitted by a customer or processed inside a Customer Application — is handled under the customer's agreement, the Terms, and, where it contains personal data, the Data Processing Addendum.

For this layer, GritFlow generally acts as the controller of the data it collects about visitors, prospects, and administrators, and as a processor or service provider for the prompts, content, and files a customer submits (as described below).

Layer 2 — Personal data inside a Customer Application or Deployed Application (the customer's data, not governed by this Policy). Personal data that is processed inside a Customer Application or Deployed Application — including the data of the customer's own end users — is the customer's data. The customer (not GritFlow) is the controller of that data and is responsible for its own privacy notices to those end users, for establishing a lawful basis for the processing, and for responding to their requests. Where GritFlow processes that data on the customer's behalf, it does so as a processor under the Data Processing Addendum. GritFlow's processing of such data is governed by the customer's instructions and the DPA, not by this consumer-facing Policy.

Our role by data type

Within Layer 1, our role still depends on the data in question:

  • Customer Data. When we provide the Services to a customer organization, that customer decides what data is submitted to the Services and for what purpose. The customer acts as the controller (and, under the EU AI Act, the deployer) of any personal information contained in its Customer Data, and GritFlow acts as a processor or service provider that handles such data on the customer's behalf and documented instructions. Each customer is provisioned a dedicated, isolated environment, and its Customer Data is kept separate from that of other customers.
  • Our own data. For information we collect about website visitors, prospective customers, and account administrators, and for Usage Data we generate to operate and improve the Services, GritFlow is the controller.

Customer responsibilities. Because the customer determines the purposes and means of processing its Customer Data — and, in Layer 2, the personal data of its own end users — the customer is responsible for:

  • providing any required privacy notices to its own personnel, clients, end users, and other individuals whose data it submits or processes;
  • establishing a lawful basis for the processing and obtaining any consents the law requires;
  • responding to, and routing, the data-subject (consumer) requests of those individuals; and
  • determining whether its particular use of the Services involves profiling, automated decision-making, or sensitive personal data, and meeting any obligations that result.

GritFlow assists the customer with these obligations as described in our Data Processing Addendum (see Section 17).

2. Information We Collect

Account and contact information

When you create an account, request a demo or profit audit, or contact us, we collect information such as your name, business email, company name, role, and phone number.

Billing information

For paid Subscriptions, we collect billing contact details and payment particulars needed to process ACH and wire payments. We do not store full bank credentials beyond what is necessary to administer your account, and payment processing may be handled by third-party financial providers.

Usage and device data (“Usage Data”)

We automatically collect information about how the Services are accessed and used, such as log data, device and browser information, IP address, feature usage, and performance and error metrics. We refer to this as Usage Data.

Customer Data

When you use the Services, you and your authorized users submit Customer Data, which we process to provide the Services and generate AI Output. For purposes of this Policy, Customer Data is the data, content, and materials you or your authorized users submit to the Services; it does not include AI Output or Usage Data, which we describe separately. We handle Customer Data in accordance with your agreement with us, your instructions, and the Data Processing Addendum (see Section 17).

AI-generated inferences

Where our AI generates inferences, predictions, scores, or profiles about you from the information described above, we treat those AI-derived outputs as personal information that is subject to this Policy and to the rights described in Section 12 (Your Privacy Rights).

3. How We Use Information

  • To provide, operate, secure, and support the Services;
  • To process Subscriptions, billing, and payments;
  • To generate AI Output and deliver the analytics and insights you request;
  • To communicate with you about your account, support, and service updates;
  • To improve and develop our products, including aggregated and de-identified analysis;
  • To detect, prevent, and respond to fraud, abuse, and security incidents; and
  • To comply with legal obligations and enforce our agreements.

5. How We Share Information

We do not sell your personal information. We share information only as needed to run our business and provide the Services:

  • Subprocessors and service providers — vendors that host infrastructure, process payments, provide AI model capabilities, send communications, or support analytics, in each case under contracts that limit their use of the information to providing services to us;
  • AI model providers — to generate AI Output, subject to terms that restrict their use of the data;
  • Legal and safety — when required by law or to protect the rights, property, or safety of GritFlow, our customers, or others; and
  • Business transfers — in connection with a merger, acquisition, financing, or sale of assets, subject to this Policy.

Each subprocessor we engage, including every AI model provider, is bound by written contractual restrictions that limit its use of personal information to providing services to us and prohibit using that information for its own independent purposes. We maintain a current list of the subprocessors we use to deliver the Services at /legal/subprocessors. Where you have a contract with us, you may receive notice of, and object to, new subprocessors through the process described in our Data Processing Addendum (see Section 17). The categories of personal information disclosed to each category of recipient correspond to the categories in the table in Section 12.

6. AI Processing

The Services use artificial intelligence to analyze Customer Data and produce AI Output. We do not use your Customer Data to train publicly available foundation models. This commitment covers your Customer Data, the prompts and inputs you submit to our AI features, the AI Output generated from them, any Customer-specific embeddings derived from your data, and the processing logs tied to your environment. Each AI model provider we use to power the Services is contractually bound to the same restriction and is prohibited from using your data to train its own models or for any independent purpose.

Where we use aggregated or de-identified data to improve and develop the Services, such data is not used to identify you or your organization, and you may opt out of any such service-improvement use by contacting us at privacy@gritflowai.io. AI Output is informational only; see our Disclaimer and the AI Output section of our Terms of Service.

7. Data Retention

We retain personal information for as long as needed to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. When you close your account, we delete or de-identify Customer Data in the ordinary course following the export window described in our Terms of Service, subject to backups and legal-retention requirements.

We retain the inputs you submit to our AI features, the AI Output generated from them, and the associated processing logs only for as long as needed to provide, secure, and improve the Services and to meet our legal obligations, after which we delete or de-identify them in the ordinary course.

The following sets out our retention periods by category of data.

  • Account/contact data — Life of the account, plus 90 days after closure.
  • Billing records — 7 years, for tax and accounting purposes.
  • Support records — 2 years after the matter is closed.
  • Customer Data — The term of the agreement plus the 30-day export window, after which it is deleted, subject to backups and legal holds.
  • AI inputs/outputs/logs tied to the customer environment — The term of the subscription plus 30 days, unless a longer period is required to provide or secure the service, to meet a legal hold, or as the customer configures.
  • Security logs — 12 months.
  • Marketing data — Until you opt out, then 24 months of inactivity.

8. Data Security

We implement administrative, technical, and physical safeguards designed to protect personal information, including encryption in transit and at rest, access controls, and monitoring. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, and you are responsible for safeguarding your account credentials.

9. De-identified and Aggregated Data

Where we de-identify or aggregate personal information, we maintain the data in de-identified form and will not attempt to re-identify it, except as permitted by law to test that our de-identification is effective. We apply reasonable technical and organizational controls to prevent re-identification and contractually prohibit any recipient of de-identified or aggregated data from re-identifying it. We do not use de-identified or aggregated data to identify you or your organization.

10. International Data Transfers

We are based in the United States and process personal information in the United States. We do not currently transfer personal information internationally or rely on cross-border transfer mechanisms. If we begin serving customers or data subjects in the EEA or the UK, we will use an appropriate safeguard — such as the European Commission's standard contractual clauses or the UK International Data Transfer Addendum — and update this Policy. You can ask how your information is handled by contacting us at privacy@gritflowai.io.

11. Automated Decision-Making and Profiling

The Services use AI to generate analyses, recommendations, scores, and decisions that support your business intelligence. Each GritFlow application runs as a dedicated, self-contained environment provisioned for a single customer. The AI's outputs and any automated decisions are confined to that environment and are not shared with other customers or other GritFlow applications, unless you configure a Deployed Application, integration, connected account, Cross-Brain feature, or approved workflow to make them available to external systems or your own end users.

Roles. For Customer Data, the customer is the controller and deployer and decides whether the Services are used in a way that involves profiling or automated decision-making and whether any consequential decisions about individuals are made. GritFlow does not make automated decisions that produce legal or similarly significant effects about individuals for its own purposes. Where the customer configures such use, the customer remains responsible for it and for maintaining meaningful human oversight, and GritFlow assists the customer in meeting the related obligations as described in our Data Processing Addendum (see Section 17).

Cross-Brain (optional enterprise feature). Our enterprise “Cross-Brain” capability is off by default. If you explicitly opt in, you may connect two of your GritFlow applications so that insights and automated decisions can flow between them. This feature is available only to enterprise customers and is controlled and authorized entirely by you; enabling it expands the contained scope described above to the applications you connect.

Your rights. Where automated decision-making that produces legal or similarly significant effects does occur, and to the extent the law affords you these rights, you may request human review of the decision, express your point of view, and receive a meaningful explanation of the logic involved and the consequences of the processing. If your data was submitted to the Services by a customer organization, that organization controls the relevant processing, and we will route your request to it and assist as described in our Data Processing Addendum. To make such a request, contact us at privacy@gritflowai.io.

These protections reflect, as applicable, the rights regarding automated individual decision-making under Article 22 of the GDPR and UK GDPR, the CPRA's regulations governing automated decision-making technology (ADMT) for California residents as those obligations take effect, and Colorado's automated-decision-making technology law for Colorado residents.

12. Your Privacy Rights

Depending on where you live, you may have rights to access, correct, delete, or port your personal information, to object to or restrict certain processing, and to withdraw consent. You may also opt out of marketing communications at any time.

California residents have rights under the CCPA/CPRA, including to know, delete, correct, and opt out of the “sale” or “sharing” of personal information and certain targeted advertising. We do not sell personal information and do not knowingly share it for cross-context behavioral advertising.

The following summarizes the categories of personal information we collect and how we handle them for the preceding 12 months. We do not sell or share personal information for cross-context behavioral advertising.

  • Identifiers / contact information — Examples: Name, email, business contact details, account identifiers; Sources: Directly from you, automatically from your use; Purpose: Provide & support the Services, authentication, billing, communications; Recipients: Hosting, database/authentication, AI, and email subprocessors; Sold/shared: No; Retention: Account life + 90 days; Sensitive: No.
  • Commercial / billing information — Examples: Subscription plan, transaction and billing records; Sources: From you, bank/payment records; Purpose: Billing, account administration, accounting; Recipients: Bank/payment and accounting providers; Sold/shared: No; Retention: 7 years; Sensitive: No.
  • Internet / usage activity — Examples: Log data, device and usage information; Sources: Automatically from your use; Purpose: Security, performance, support, product analytics; Recipients: Hosting and infrastructure subprocessors; Sold/shared: No; Retention: 12 months (security logs); Sensitive: No.
  • Geolocation data — Examples: Approximate location inferred from IP; Sources: Automatically from your use; Purpose: Security and fraud prevention; Recipients: Hosting and infrastructure subprocessors; Sold/shared: No; Retention: 12 months; Sensitive: No.
  • Professional / employment information — Examples: Job title, employer, business role; Sources: From you; Purpose: Account relationship and support; Recipients: Hosting, database/authentication subprocessors; Sold/shared: No; Retention: Account life + 90 days; Sensitive: No.
  • Inferences — Examples: Limited product-usage inferences; Sources: Derived from your use; Purpose: Product improvement (aggregated/de-identified); Recipients: None external; Sold/shared: No; Retention: De-identified; Sensitive: No.

To exercise your rights, contact us at privacy@gritflowai.io. If your information was provided to the Services by a customer organization, we will refer your request to that organization. We will not discriminate against you for exercising your rights.

13. Cookies and Tracking

We use cookies and similar technologies for authentication, preferences, and analytics. You can control non-essential cookies through your browser or our cookie controls. For details, see our Cookie Policy.

14. Children's Privacy

The Services are intended for businesses and are not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us personal information, please contact us and we will take appropriate steps to delete it.

16. Changes to This Policy

We may update this Policy from time to time. We will post the updated Policy with a new “Last updated” date and, for material changes, provide additional notice where appropriate.

17. Data Processing Addendum

Where we process personal information on a customer's behalf as a processor or service provider — including the personal data of a customer's own end users processed inside a Customer Application or Deployed Application (Layer 2 above) — that processing is governed by our Data Processing Addendum (DPA), available at /legal/dpa, which is incorporated into the customer's agreement with us. The DPA sets out the processing instructions, the parties' respective responsibilities, the subprocessor notice and objection process, international-transfer safeguards, security measures, breach notification, and return or deletion of personal information. If there is a conflict between this Policy and the DPA with respect to such processing, the DPA controls.

18. Contact Us

For privacy questions or to exercise your rights, contact:

GritFlow AI, LLC — Attn: GritFlow AI, LLC · 41 Peabody St, Nashville, TN 37210, United States

Email: privacy@gritflowai.io · Web: gritflowai.io

Privacy Policy | GritFlow