Privacy Policy

Last updated: 14 March 2026

1. What this statement covers

This privacy policy applies to the use of GRITT and to our related websites, accounts, subscriptions, support contacts, payment relationships and usage-based features such as credits, uploads, speech and web retrieval. In this policy we explain which personal data we process, why we do so, with whom we share data, how long we retain data and which rights you have.

2. Which data we process and why

• Account and authentication data: such as email address, hashed password, account status and preferences such as language or theme. Legal basis: performance of the agreement.
• Subscription and payment data: such as the selected plan, credits, invoice status, transaction references, Stripe customer and subscription IDs, promo or coupon references and administrative payment metadata. As a rule, we do not receive full card or bank account numbers. Legal basis: performance of the agreement and statutory record-keeping obligations.
• Usage, security and support data: such as IP address, timestamps, browser or device data, error messages, abuse signals, order and webhook logs and correspondence with customer service. Legal basis: performance of the agreement and our legitimate interest in security, fraud prevention, stability, troubleshooting, support and cost control.
• Content that you actively enter or upload: such as prompts, chat messages, documents, notes, transcripts and other input needed to provide the functionality you request. Legal basis: performance of the agreement.
• Vector and retrieval data: embeddings, metadata and, where needed for retrieval, text fragments of uploaded or processed content. Legal basis: performance of the agreement.
• Internal product improvement and user research: we may use usage data, error patterns and, where reasonably possible, aggregated or anonymised data for internal quality improvement, statistics, security and user research. Legal basis: our legitimate interest in improving and securing our service.
• Cookies and similar technologies: strictly necessary cookies for basic functionality and, only after consent where required, analytical or comparable non-essential cookies. Legal basis: consent for non-essential cookies; performance of the agreement or legitimate interest for strictly necessary cookies.

3. What we do not do

We do not provide your user data to AI or model providers for the training of their generic models. Where we offer AI functionality through an external processor, this is done solely to perform the function requested by you.

4. From whom we receive data

We mainly receive personal data directly from you, for example when you create an account, take out a subscription, purchase credits, use the service, upload documents or contact us. In addition, we may receive limited data from payment service providers, such as status or reference information needed for payment, invoicing, customer service and fraud prevention.

5. Recipients, processors and changes of service providers

We share personal data only where this is necessary for the delivery, security, administration, support or improvement of GRITT. For this purpose, we may use categories of service providers such as hosting and infrastructure providers, payment processors, AI and speech providers, search or retrieval providers, vector or database providers, analytics providers and email or support providers.

Where reasonably available and suitable for the relevant function, we prefer suppliers that offer processing within the EEA and have a privacy-responsible profile. This is a best-efforts preference and not an absolute guarantee that every supplier used is established within the EEA or entirely free from any third-country nexus.

Over time, we may replace, supplement or discontinue service providers with comparable suppliers, for example for reasons of continuity, security, compliance, availability, functionality, performance or cost control. If such a change is materially relevant to the processing of personal data, we will update this privacy policy and, where appropriate, also an up-to-date supplier list or documentation page.

Service providers may themselves use subprocessors or supporting infrastructure where permitted under the applicable contractual and legal framework. Any documentation or supplier page mentioning current provider names is in principle informative and intended for transparency; such an overview is not an independent promise that exactly the same parties or subprocessors will continue to be used permanently.

• Hosting and infrastructure providers: for hosting, DNS, email hosting, server management, storage and related infrastructure functions.
• Payment processors and billing providers: for payments, subscriptions, credits or top-ups, invoicing, coupons or promotional codes, customer portals and related webhook or administrative functions.
• AI and language-processing providers: for language models, embeddings, speech-to-text and similar AI functionality, depending on the configuration used at the relevant time.
• Speech providers: for text-to-speech and related audio functionality, depending on the configuration used at the relevant time.
• Vector and database providers: for embeddings, metadata and text fragments needed for retrieval functionality.
• Search or retrieval providers: for web retrieval, search results and similar search functionality.
• Analytics providers: for analytics within our own or contracted infrastructure. To the extent analytics or cookies require consent, we activate them only after valid consent.
• Email or support providers: for customer communications, support handling and operational messages, where applicable.

Where a party processes personal data on our behalf, we conclude appropriate contractual arrangements where required, such as a data processing agreement.

6. Transfers outside the EEA

Personal data may be processed within the EEA, the United Kingdom and, depending on the service provider, subprocessor or functionality used, also in other countries outside the EEA. This may include suppliers established outside the EEA while the processing region chosen by us lies within the EEA, and conversely in some cases access or transfer outside the EEA cannot be fully excluded.

Where personal data are transferred outside the EEA, we rely on an appropriate transfer mechanism, such as an adequacy decision or Standard Contractual Clauses approved by the European Commission, supplemented where necessary with appropriate additional measures. Where data are transferred to the United Kingdom, we will in principle rely on the adequacy regime or other transfer mechanism applicable at that time.

7. Retention periods

We do not retain personal data longer than necessary for the purpose for which they were collected, unless a statutory retention obligation or a stronger legitimate interest requires otherwise. In practice, we generally apply the following periods:

• Account and profile data: for as long as your account remains active. After termination, we generally delete or anonymise these data within 6 months, unless longer retention is necessary for security, dispute handling or a legal obligation.
• Documents, chat content and other content stored by you: for as long as they form part of your account or project environment. After deletion by you or termination of the account, we generally delete or anonymise these data within 90 days, with an additional limited retention period for backups where technically necessary.
• Invoices and tax administration: 7 years, or longer if required by law.
• Support correspondence: in principle up to 24 months after handling the request, unless a dispute, security incident or legal duty justifies a longer retention period.
• Security, access and error logs: in principle 90 days; in the event of incidents or abuse signals, relevant logging may be kept longer for as long as necessary for investigation, security or legal protection.
• Cookie and consent preferences: for as long as needed to remember your preferences and demonstrate our compliance.
• Aggregated or truly anonymised research and statistical data: may be retained longer because they are not, or no longer, traceable to a person.

8. Your rights

You have the right of access, rectification, erasure, restriction of processing, data portability and objection, insofar as the GDPR grants you those rights. Where processing is based on consent, you may withdraw that consent at any time. You may submit a request via service@mindyouraxis.com. We respond without undue delay and in principle within one month. To prevent misuse, we may request additional verification of your identity.

9. Cookies and analytics

We use strictly necessary cookies for basic functionality, security and session management. For analytics we use a self-hosted Matomo setup or a comparable privacy-friendly solution. To the extent analytics or similar non-essential technologies require consent under cookie rules, we place or activate them only after you have given that consent.

10. Security

We take appropriate technical and organisational measures to protect personal data, including transport encryption, access restriction, logging and security monitoring. No system is entirely risk-free; please report security issues via service@mindyouraxis.com.

11. Automated decision-making and profiling

We do not take decisions based solely on automated processing that produce legal effects concerning you or otherwise significantly affect you. We do not use personal data for marketing profiling without an appropriate legal basis.

12. 18+

GRITT is intended for persons aged 18 and over.

13. Complaints

You can send questions, privacy requests or complaints to service@mindyouraxis.com. You also have the right to lodge a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens).

14. Changes

We may amend this privacy policy, for example due to changes in GRITT, our service providers, processing purposes, security measures or applicable law. We publish the most recent version on the site. In the event of material changes, we will inform you in advance where appropriate via the website, in your account or by email.