Privacy Policy

Grantable generates revenue exclusively through paid subscriptions to our platform. We offer Free, Starter, and Pro tiers — each designed for different stages of a grant team's needs.

We do not sell your data. We do not monetize your data through advertising. We do not license your content to third parties. Our business model is simple: you pay for the product, and we build the best grant workspace we can.

We collect the following categories of personal data:

Account Information

Name, email address, password (hashed), and organization details you provide when creating an account. If you sign up using Google, we receive your name and email address from Google's authentication service.

Payment Information

We use Stripe to process payments. Grantable does not directly store your credit card numbers, bank account details, or other payment credentials. Stripe's handling of your payment data is governed by Stripe's Privacy Policy.

User Content

Documents, grant applications, organizational profiles, strategic plans, funder research, and other materials you upload or create within the platform.

Usage Data

Information about how you interact with the Services, including features used, actions taken, pages visited, and time spent. This helps us understand what's working and what needs improvement.

Device and Log Data

IP address, browser type and version, operating system, time zone settings, and referring URLs. This data is collected automatically when you access the Services.

Cookies and Similar Technologies

We use essential cookies to keep you logged in and maintain your session. We use Google Fonts to serve typography. We may use analytics cookies to understand usage patterns — you can manage your cookie preferences through our cookie consent controls. See Section 9 for details.

Communications

Information from your interactions with our support team, survey responses, and feedback you choose to provide.

We use your personal data for the following purposes:

• Providing the Services — Operating the platform, processing your requests, and delivering features like funder matching, grant writing assistance, and project management.
• Personalization — Tailoring the AI to your organization's context, writing style, and grant history to provide more relevant suggestions and outputs.
• Customer support — Responding to your questions, troubleshooting issues, and providing technical assistance.
• Payment processing — Managing subscriptions, processing payments, and handling billing inquiries through our payment processor, Stripe.
• Product improvement — Analyzing aggregated, anonymized usage patterns to understand how people use the Services and identify areas for improvement. You are never personally identified in this analysis.
• Communications — Sending transactional messages (billing receipts, security alerts, account updates) and, with your consent, marketing communications about new features and relevant content. You can opt out of marketing emails at any time.
• Legal compliance — Meeting our legal obligations, resolving disputes, and enforcing our Terms of Service.
• Security — Detecting and preventing fraud, abuse, and security incidents.

We do not use your data to train AI models. This is a core commitment, not a footnote.

Our AI features are powered by third-party providers, including Anthropic (Claude) and OpenAI (GPT). When you use AI features, we transmit only the minimum necessary contextual information to these providers to fulfill your request. This may include relevant portions of your documents, organizational context, and funder information needed to generate useful output.

Both Anthropic and OpenAI operate under enterprise agreements that contractually prohibit them from using customer data to train their models. For more details on their data practices:

• Anthropic's Commercial Privacy Policy
• OpenAI's Enterprise Privacy

You may configure "AI Rules" within your account to set custom style guides and preferences that shape AI output. All content generated through AI features remains your property.

We implement technical, physical, and organizational safeguards to protect your personal data, including:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls limiting employee access to personal data
• Regular security assessments and monitoring
• Secure infrastructure hosted by trusted cloud providers
• Incident response procedures for potential security events

We are pursuing SOC 2 Type II compliance with continuous third-party auditing to independently verify our security controls. You can view our current security posture and compliance status on our Trust Portal.

Your documents are stored securely and are never shared outside your organization's workspace without your explicit consent.

We retain your personal data for as long as your account is active or as needed to provide the Services. Specifically:

• Account data is retained for the life of your account and deleted upon account closure, subject to legal retention requirements.
• User Content is typically retained for one year after account closure unless you request earlier deletion.
• Usage and log data may be retained in aggregated, anonymized form for analytics purposes after your account is closed.
• Payment records are retained as required by tax and accounting laws.

You can request deletion of your data at any time by contacting us at hello@grantable.co.

We may share your personal data with the following categories of recipients:

• Service providers — Third parties that help us operate the Services, including Supabase (database infrastructure), Stripe (payment processing), and AI providers (Anthropic, OpenAI). These providers are contractually obligated to use your data only for the services they perform on our behalf.
• Team members — If you use the Services within an organization, other members of your workspace may have access to shared content as part of normal collaboration features.
• Organization administrators — If you access the Services through an Enterprise account, your organization's administrator may have access to your account information and workspace content.
• Legal compliance — We may disclose personal data if required by law, regulation, legal process, or governmental request.
• Business transfers — In connection with a merger, acquisition, reorganization, or sale of assets, your personal data may be transferred as part of the transaction. We will notify you of any such transfer.
• With your consent — We may share data with third parties when you have given us explicit permission to do so.

We do not sell personal data to third parties. We do not share personal data with third parties for their own marketing purposes.

Grantable is a collaborative platform. When you share documents, grant applications, or other content within a workspace, other members of that workspace may be able to view, edit, or interact with that content depending on their role and permissions.

You are responsible for managing access to your workspace and ensuring that sensitive information is shared only with appropriate team members. We provide role-based access controls to help you manage these permissions.

We use the following categories of cookies and similar technologies:

• Essential cookies — Required for the Services to function. These keep you logged in, maintain your session, and enable core features. These cannot be disabled.
• Analytics cookies — Help us understand how the Services are used so we can improve them. These are optional and can be declined through our cookie consent controls.

We use Google Fonts to serve typography on our marketing website. Google may collect limited data (such as IP addresses) in connection with font delivery. For more information, see Google's Privacy Policy.

You can manage your cookie preferences at any time using the cookie settings accessible from the bottom of any page on our website.

Depending on your location, you may have the following rights regarding your personal data:

• Access — Request a copy of the personal data we hold about you.
• Correction — Request correction of inaccurate or incomplete personal data.
• Deletion — Request deletion of your personal data, subject to legal retention requirements.
• Export — Request a portable copy of your data in a machine-readable format.
• Opt-out — Unsubscribe from marketing communications through account settings or email unsubscribe links.
• Restriction — Request that we limit processing of your personal data in certain circumstances.
• Objection — Object to processing of your personal data based on legitimate interests.

To exercise any of these rights, contact us at hello@grantable.co. We will respond to all valid requests within 30 days, or as otherwise required by applicable law.

If you access the Services through an organization's Enterprise account, your organization's administrator may be able to:

• View and manage your account within the organization's workspace
• Access workspace content and activity logs
• Apply organization-wide policies and restrictions
• Remove your access to the organization's workspace

Grantable is not responsible for your organization's privacy practices. If you have questions about how your organization handles your data, please contact your organization's administrator directly.

We maintain a public Trust Portal where you can review our security certifications, compliance status, and data handling practices in detail. Visit our Trust Portal for the most current information about our security posture.

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or applicable law. If we make material changes, we will notify you via email or a prominent notice within the Services at least 30 days before the changes take effect.

We encourage you to review this Privacy Policy periodically. The "Last updated" date at the top indicates when this policy was most recently revised.