Effective May 16, 2026 · GrantFlow Inc.
1. What we collect
- Account data: email, hashed password, name, organization, role.
- Optional contact data: phone number (for SMS alerts; opt-in).
- Usage data: proposals you create, saved searches, comments, template purchases.
- Payment metadata: Stripe customer ID, subscription state, last-4 of card. We do NOT store full credit-card numbers.
- Operational logs: IP address, browser type, timestamps, error traces (retained 90 days).
2. How we use it
- To operate the Service — authentication, billing, AI proposal generation, alerts.
- To send transactional email (receipts, grant alerts, password resets).
- To improve the Service (aggregated, anonymized analytics only).
- To detect fraud or violations of the Terms.
We do not sell your data. We do not share your data with advertisers. We do not use your proposal content to train our AI models.
3. Third-party processors
4. SMS messaging consent
SMS alerts are opt-in only. By providing your phone number in Settings, you consent to receive grant-alert messages from GrantFlow Inc.. Standard message and data rates may apply.
- Reply STOP to any message to unsubscribe immediately and clear your phone number.
- Reply HELP for help.
- Frequency: depends on your saved-search frequency (immediate, daily, or weekly).
- We never share phone numbers with third parties.
5. Cookies
We use a single HTTP-only authentication cookie. No third-party tracking cookies, no advertising pixels, no Facebook/Google Analytics by default.
6. Your rights (GDPR / CCPA)
- Access: request a copy of all data we hold about you.
- Correction: update inaccurate data via /settings.
- Deletion: request full account + data deletion via support@grantflow.it.com; we process within 30 days.
- Portability: request your data in JSON format.
- Withdraw consent: opt out of SMS at any time via STOP.
7. Data retention
- Account data: retained until you request deletion.
- Proposals: retained until you delete them or your account.
- Financial records (receipts, transactions): retained 7 years per US tax law.
- Operational logs: 90 days.
8. Security
Passwords are bcrypt-hashed. Database connections use TLS. Payments are routed through Stripe (PCI DSS Level 1). We monitor for breaches and will notify affected users within 72 hours of any confirmed incident.
9. Children's privacy
The Service is not directed to anyone under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, please contact support@grantflow.it.com.
10. International users
Data is processed and stored in the United States. By using the Service, you consent to the transfer of your data to the US, which may have different data-protection laws than your country.
11. Changes
We will email all users at least 30 days before any material change to this Privacy Policy takes effect.
12. Contact
Privacy requests: support@grantflow.it.com. General support: support@grantflow.it.com.