Privacy Policy

At Grant-AI, your privacy matters. This policy explains what data we collect, why, and how we protect it. We follow the EU General Data Protection Regulation (GDPR) and applicable data protection laws.

1. Data We Collect

1.1 Account Data

When you sign up, we collect:

• Name and email address (from OAuth provider)
• Profile picture (from Google/GitHub)
• GitHub username and public repository data (if connected)

1.2 Startup Profile Data

When you complete onboarding, we store:

• Company name and description
• Industry, stage, team size
• Location and remote status
• Funding preferences and equity tolerance
• Any documents you upload (pitch decks, etc.)

1.3 Application Data

When you apply to programs through Grant-AI:

• AI-generated application content
• Application status and history
• Your edits and customizations

1.4 Usage Data

We automatically collect:

• Pages visited and features used
• Search queries within the platform
• Device type, browser, and IP address
• Timestamps of actions

2. How We Use Your Data

We use your data exclusively to:

• Provide the Service — matching you with programs, generating applications, tracking status
• Improve matching quality — your feedback helps our AI provide better recommendations
• Send notifications — deadline reminders, application updates, new matches
• Prevent fraud — detecting and preventing misuse
• Legal compliance — fulfilling legal obligations

3. What We Never Do

4. Data Sharing

We share data only with:

• Funding programs — only the application data you explicitly approve for submission
• Infrastructure providers — cloud hosting (Vercel, Railway), database (PostgreSQL), authentication (NextAuth)
• AI providers — OpenAI for application generation (your data is not used for model training per their API terms)
• Payment processors — Stripe for subscription billing

5. Data Security

We protect your data with:

• Encryption in transit (TLS 1.3) and at rest (AES-256)
• OAuth-based authentication (no passwords stored)
• Role-based access controls
• Regular security audits
• EU-based data processing where possible

6. Your Rights (GDPR)

Under the GDPR, you have the right to:

• Access — request a copy of all data we hold about you
• Rectification — correct inaccurate data
• Erasure — request deletion of your data ("right to be forgotten")
• Portability — receive your data in a machine-readable format
• Objection — object to certain processing
• Restriction — request limited processing

To exercise any of these rights, email us at privacy@grantai.dev. We respond within 30 days.

7. Cookies

We use minimal cookies:

• Essential cookies — authentication session, CSRF protection (required)
• Preference cookies — theme, language settings (optional)

We do not use third-party tracking cookies, advertising pixels, or analytics cookies that track you across websites.

8. Data Retention

• Active accounts — data retained while your account is active
• Deleted accounts — data permanently deleted within 30 days
• Application data — retained for 2 years after last activity for your records
• Server logs — automatically purged after 90 days

9. International Transfers

Your data may be processed in the EU and US. For transfers outside the EU, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission.

10. Children's Privacy

Grant-AI is not intended for users under 16. We do not knowingly collect data from children.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via email. The "Last updated" date at the top reflects the most recent revision.

12. Contact

For any privacy-related questions or requests:

• Email: privacy@grantai.dev
• Data Protection Officer: privacy@grantai.dev
• Address: Grant-AI, Berlin, Germany