Privacy Policy

Last updated: April 29, 2026

What we collect

  • Email + display name (NextAuth, Google OAuth, or magic link).
  • Workspace content: pursuit titles, conversations, artifacts, past-performance entries, optional UEI/CAGE.
  • Usage telemetry: agent runs per period, tool-call counts, error rates. Not tied to message content.
  • Server logs: IP (hashed with rotating salt), user agent, request paths. Retention 30 days.

What we do NOT collect

  • We do not train AI models on your workspace content.
  • We do not sell or share data with third parties for advertising.
  • We do not use third-party tracking cookies. The only analytics are Vercel Web Analytics (privacy-first, no fingerprinting) and our own server-side analytics_events table.
  • We do not load PostHog, Mixpanel, Hotjar, or any session replay product. Decision: open-source analytics only (Umami self-hosted in Phase 2).

Where data lives

Supabase Postgres (US-east-1) with row-level security per workspace. SAM.gov API keys are encrypted at rest with workspace-scoped keys. Stripe handles all payment data; we never see card numbers.

Subprocessors

  • Vercel — hosting + Web Analytics
  • Supabase — database + auth + storage
  • Resend — transactional email (magic link, receipts)
  • Stripe — payments + invoicing + tax
  • OpenRouter (default LLM provider) / Anthropic / OpenAI — model inference. Per-vendor zero-retention enabled where supported.
  • Cloudflare — DNS only (no CDN cache for /api or /auth).

Your rights

Export, correct, or delete your data at any time via Workspace Settings → Data export, or by emailing privacy@grindworks.ai. Requests are honored within 30 days (CCPA/GDPR aligned).

Contact

privacy@grindworks.ai