Privacy Policy
Effective date: November 9, 2025
Website: grantcue.com (the "Site")
Product: GrantCue (the "Service")
Who we are: GrantCue ("GrantCue," "we," "us," or "our").
This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use our Site and Service, and describes the choices and rights you may have.
This policy is drafted to align with common global standards (GDPR/UK GDPR transparency requirements and U.S. state privacy laws, including California's CPRA/CCPA) and Google OAuth/Calendar disclosures. It does not constitute legal advice.
1. Scope
This Policy applies to: (a) visitors to our Site; (b) individuals who create a GrantCue account or are added by a customer organization as team members; (c) people who contact us (support/sales); and (d) users who connect third‑party accounts (e.g., Google) to the Service.
For organizational customers, GrantCue generally acts as a processor/service providerand processes personal information on the customer's instructions. The customer is the controllerresponsible for its own privacy notices and choices. Where we collect information for our own purposes (e.g., account, billing, security, Site analytics, marketing), we act as a controller.
2. Information We Collect
Information you provide
- Account details (name, email, password), profile, organization/team affiliation.
- Business contact and billing information.
- Content you upload or create in the Service (e.g., grant records, tasks, notes, files).
- Messages and support communications.
Information collected automatically
- Usage, device, and log data (browser type, pages viewed, timestamps, IP address, identifiers).
- Cookies and similar technologies for essential operations, analytics, and (if enabled) marketing.
- Approximate location derived from IP address (for security and regional settings).
Information from third parties
- If you connect Google or another provider, we receive the minimum data needed to provide the requested feature (see Section 10).
- From service providers, partners, and your organization (e.g., your admin adding you to a workspace).
You may decline to provide information; however, some features may not work without it (e.g., authentication).
3. How We Use Personal Information
We use information to:
- Provide, secure, and maintain the Service (authentication, troubleshooting, quality).
- Set up organizations, projects, and collaboration features; manage permissions.
- Fulfill integrations you choose (e.g., Google Calendar).
- Analyze aggregate usage to improve features and performance.
- Communicate service updates, security alerts, and administrative messages.
- Comply with law and enforce terms; prevent fraud, abuse, or security incidents.
Legal bases (EEA/UK): contract, legitimate interests, consent (where required), and legal obligations.
4. Our Role: Controller vs. Processor
- Processor/service provider: For content you or your organization submit to workspaces, we process it under your organization's instructions and our data processing terms. Individuals should direct requests (access, deletion, etc.) to the organization where applicable.
- Controller: For our own operations (account, billing, support, product analytics, marketing), we are the controller and respond directly to requests.
5. Cookies & Online Signals
We use cookies and similar technologies for:
- Essential operations (login, security, load balancing);
- Preferences (remembering settings);
- Analytics (to understand feature usage);
- Advertising/retargeting (only if we enable these features—opt‑out options provided).
Opt‑out preference signals (Global Privacy Control). Where applicable, we honor recognized browser/device‑level opt‑out preference signals (e.g., GPC) as valid requests to opt out of sale/sharing for cross‑context behavioral advertising under California law. See Section 9 for your rights.
You can manage cookie preferences in your browser or via our in‑product controls (where available). Blocking certain cookies may limit functionality.
6. How We Share Information
We do not sell personal information. We may disclose information to:
- Service providers/contractors (hosting, analytics, email, payments) bound by confidentiality and data protection terms;
- Your organization and its admins (for workspace oversight and user management);
- Legal/compliance recipients when required by law or to protect rights;
- Business transfers (e.g., merger, acquisition, or asset sale).
We may share de‑identified or aggregated information that cannot reasonably be used to identify you.
7. Data Retention
We keep personal information only as long as necessary for the purposes described here and as required by law. Illustrative defaults (subject to your organization's settings and our backups):
- Account data: retained while the account is active, then deleted or de‑identified within 30–90 days.
- Workspace content (tasks/files/notes): retained until you or your organization delete it or terminate the workspace.
- Audit/security logs: 12–24 months.
- Backups: rolling 30–45 days (disaster recovery only).
8. International Data Transfers
If we transfer personal data internationally (e.g., from the EEA/UK to the U.S.), we use appropriate safeguards such as the EU Standard Contractual Clauses (SCCs) and, in the UK, theIDTA/Addendum, plus supplementary measures where appropriate.
9. Your Privacy Rights
(A) California & other U.S. state rights
Depending on where you live, you may have rights to access/know, correct,delete, port, opt out of sale/sharing andtargeted advertising, and to non‑discrimination. We provide required notices at or before collection and offer opt‑out mechanisms as applicable—including honoring GPC.
(B) EEA/UK rights under GDPR
You may have rights to access, rectify, erase,restrict, object, data portability, and towithdraw consent at any time. If we process your information on behalf of a customer, we will refer your request to that customer when required.
How to exercise your rights
- Submit a request via: [email protected]
- We'll verify your identity and respond within the applicable timeframe.
10. Google OAuth & Calendar Integration
If you choose to connect your Google account (e.g., Calendar), we access only the data necessaryto provide the integration you ask for. Examples include:
- Listing calendars you select, reading free/busy or event metadata you choose to sync, and creating/updating events that you explicitly request.
- Storing OAuth tokens securely to maintain the connection.
- We do not use Google data for advertising, and we do not sell it. Transfers are limited to service providers needed to deliver the integration or to comply with law.
Our use of Google data complies with the Google API Services User Data Policy, including the Limited Use requirements. You can disconnect Google at any time in your account or through your Google account permissions page. After disconnecting, we will remove or de‑identify tokens and any cached Google data not needed for audit, security, or legal obligations.
Requested scopes (illustrative; shown on Google's consent screen):
openid,email,profile(auth)https://www.googleapis.com/auth/calendar.events(create/edit events you choose)https://www.googleapis.com/auth/calendar.readonly(read only, if you enable sync)
We request the minimum scopes necessary and only when you enable the related feature. If we add new Google features or scopes, we will update this Policy.
11. Security
We implement administrative, technical, and physical safeguards designed to protect personal information (including encryption in transit, role‑based access, logging, and routine backups). No method of transmission or storage is 100% secure. You are responsible for maintaining the confidentiality of your password and for any activity in your account.
12. Children's Privacy
The Service is not directed to children under 13. We do not knowingly collect personal information from children under 13. If we learn that a child under 13 has provided personal information, we will take steps to delete it. Parents who believe their child has provided personal information may contact us at [email protected].
13. How to Contact Us
- Email: [email protected]
- Postal: GrantCue (address to be provided)
- You also have the right to lodge a complaint with your local supervisory authority (EEA/UK).
14. Changes to This Policy
We may update this Policy to reflect changes to our practices, technologies, or legal requirements. We will post the updated Policy with a new "Effective date" and, where required, provide additional notice.
15. State‑Specific Disclosures
Residents of California (CPRA), Colorado, Connecticut, Utah, Virginia, and other states with comprehensive privacy laws may have state‑specific rights and definitions (e.g., "sale," "sharing," "targeted advertising"). We provide required notices at or before collection and honor recognized opt‑out preference signals(e.g., GPC) where applicable.
Quick Reference
At‑Collection Notice
Privacy at a glance: We process your name and email to create your account and provide the Service. We use essential cookies for authentication and analytics to improve the Service. If you connect Google, we access only the data needed for the selected feature and never use it for ads. See our Privacy Policy for details and your rights. To make requests, email [email protected].
OAuth Consent Screen Summary
GrantCue will use your Google information to authenticate your account and (if enabled) read or create calendar events you select. Data is used only to provide these user‑facing features and isn't sold or used for advertising. You can disconnect anytime in your GrantCue account or your Google permissions page.
Appendix A: Data Sub‑processors
- Hosting/Infrastructure: Vercel, Supabase
- Email/Support: (to be configured)
- Analytics: (to be configured)
- Payments: Stripe (when billing is enabled)
This list is maintained and updated regularly to reflect our current service providers.