1. Who we are
GRID (“we”, “us”) is an Agentic Work OS. This policy explains what personal data we collect, why we collect it, how we use it, who we share it with, and the rights you have over it. If anything here is unclear, email us at privacy@grid.app.
2. Data we collect
- Account data: name, email, hashed password (bcrypt, 12 rounds), avatar URL if you sign in with Google or GitHub.
- Authentication data: session tokens (cookie named grid_session, HTTP-only, Secure in production) and short-lived OAuth state cookies.
- Usage data: the workspace state you create — systems, goals, signals, workflows, and audit events — all scoped to your tenant.
- AI interaction data: the prompts you send to Atrium and the responses Atrium returns. These are stored as “kernel traces” so you can audit what the AI did on your behalf.
- Learned memory: Atrium may derive short text notes (“memories”) from your interactions so future runs are more useful. Memories are scoped to your tenant only.
- Technical data: IP address, user agent, and timestamps for security logging and rate limiting.
3. Why we collect it (lawful basis)
- Contract (GDPR Art. 6(1)(b)): to deliver the service you signed up for — authentication, workspace state, AI runs.
- Legitimate interests (Art. 6(1)(f)): to operate security logging, rate limiting, and abuse prevention.
- Consent (Art. 6(1)(a)): for optional analytics cookies (you can decline these via the cookie banner).
4. Sub-processors (who sees your data)
We share personal data only with the sub-processors below, and only as needed to deliver the service.
- Anthropic — processes the prompts and responses in your Atrium chat and workflow runs. Data is sent to Anthropic’s API (“Claude”) and governed by Anthropic’s commercial terms and DPA. Anthropic does not train its public models on our API traffic.
- Vercel — application hosting and edge delivery.
- Postgres provider (Neon / Supabase) — encrypted database storage.
- Resend — transactional email (sign-up confirmation, password reset).
- Sentry — error monitoring. We scrub user identifiers from stack traces.
5. AI disclosure
GRID uses AI models from Anthropic (Claude family) to power Atrium chat, workflow execution, and memory. When you interact with Atrium you are interacting with an AI system. Atrium’s outputs can contain errors and should not be relied on for medical, legal, or financial decisions. You retain ownership of the inputs you send and the outputs Atrium produces for you.
6. Your rights
Under GDPR (and equivalent laws like CCPA), you have the right to:
- Access the personal data we hold about you.
- Correct any inaccurate data.
- Delete your account and all associated data (Settings → Account or email privacy@grid.app).
- Export your data in a portable format.
- Object to processing based on legitimate interests.
- Withdraw consent for analytics cookies at any time.
We respond to verified requests within 30 days.
7. Data retention
- Account data: kept for the life of your account.
- Kernel traces (prompts and AI responses): auto-deleted after 30 days by default. You can reduce this in Settings.
- Audit log: 12 months.
- Backups: 7-day point-in-time recovery window.
- On account deletion, all personal data is removed within 30 days except where retention is legally required.
8. Security
Passwords are hashed with bcrypt. Data is encrypted in transit (TLS 1.2+) and at rest (provider-level encryption). Access to production data is restricted to named personnel, logged, and reviewed. We run rate limiting on authentication endpoints and lock accounts after 10 failed attempts. No system is perfectly secure — if we become aware of a breach affecting your data, we will notify you within 72 hours as required by GDPR Art. 33.
9. Cookies
We set the following cookies:
- grid_session — strictly necessary, identifies your signed-in session.
- grid_oauth_state_* — strictly necessary, short-lived CSRF protection for OAuth sign-in flows.
- grid_consent — records your cookie preferences so the banner doesn’t reappear.
10. International transfers
Our sub-processors may process data outside the EU/UK, including in the United States. Transfers rely on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses as applicable.
11. Changes
We will post any changes to this policy at this URL and update the “Last updated” date. Material changes will also be emailed to active users.