Privacy Policy

Effective April 22, 2026

This policy describes how Friedman Global LLC ("GrantAQ," "we," "us") collects, uses, shares, and protects personal information when you use grantaq.com.

Submit a privacy rights request

Email privacy@grantaq.com with your request (access, delete, correct, opt-out, or appeal). We respond within 45 days and may extend once by another 45 days for complex requests. Identity verification required.

1. Who We Are

GrantAQ is operated by Friedman Global LLC, a Georgia limited liability company. For the purposes of state privacy laws (CCPA, VCDPA, CPA, CTDPA, UCPA, TDPSA, OCPA, MCDPA), we are the "business" or "controller" of the personal data described below.

Questions, requests, or complaints: privacy@grantaq.com.

2. Data We Collect

Account & Organization

  • Name, email address, phone number
  • Organization name, type, EIN, mission, state of operation
  • Financial data (annual revenue, budget, prior grant history)
  • Board member names and contact information
  • Uploaded documents (audits, 990s, bylaws, letters of support)

Usage & technical

  • Pages visited, features used, time spent in the platform
  • IP address, browser type, device type, operating system
  • Referral source (UTM parameters, referral codes)
  • Session tokens and authentication data

AI interaction data

  • Prompts and messages sent to Grantie (our AI chat assistant)
  • Grant drafts generated or edited on the platform
  • AI-generated scores, strategy recommendations, readiness assessments

Payment data

Payment card data is handled directly by Stripe, our PCI-compliant processor. We receive tokenized payment identifiers and billing metadata, but never raw card numbers.

3. How We Use Your Data

  • Service delivery: match grants to your profile, generate AI drafts, score readiness, track pipeline stages
  • Account administration: authentication, billing, support, fraud prevention
  • Product improvement: aggregated, de-identified analytics and model improvement (not individual profiling)
  • Communications: service announcements, billing notices, grant deadline reminders, and opt-in marketing
  • Legal compliance: responding to lawful subpoenas, preserving evidence in disputes, enforcing our Terms

We do not sell your personal information in exchange for money. See "Sharing" below for the limited non-monetary disclosures we make.

4. How We Share Your Data

We disclose data only to:

  • Service providers under contract (see sub-processor list in §5)
  • Successor entities in connection with a merger, acquisition, or asset sale
  • Law enforcement or courts when required by valid legal process
  • Other parties with your consent (e.g., if you invite a collaborator to your org)

5. Sub-processors

The following vendors process your data on our behalf, under a written data-processing agreement:

Vendor | Purpose | Data
Supabase | Primary database + auth | All app data
Vercel | Hosting + serverless functions | Request metadata
Stripe | Payment processing | Billing + payment info
Anthropic | LLM for AI drafting | Prompts + context
OpenAI | LLM + embeddings | Prompts + context
Resend | Transactional email | Email addresses
PostHog | Product analytics | Usage events

A current list of sub-processors with specific third-party recipients is available to Oregon residents on request, as required by ORS 646A.578.

6. Cookies and Tracking

We use essential cookies for authentication and a minimal set of first-party analytics cookies (PostHog) to understand product usage. We do not use third-party advertising cookies.

Global Privacy Control (GPC): If your browser sends a GPC signal, we treat it as a valid opt-out request from sale or sharing of your personal information, as required by the Colorado Privacy Act and California Privacy Rights Act.

7. Your Rights — Universal

Regardless of your state of residence, you have the right to:

  • Request access to the personal information we hold about you
  • Request deletion of your personal information
  • Request correction of inaccurate personal information
  • Receive a copy of your personal information in a portable format
  • Opt out of marketing emails at any time

To exercise any right, email privacy@grantaq.com. We will verify your identity and respond within 45 days. We may extend once by an additional 45 days for complex requests, and will notify you of the extension within the first 45 days.

8. State-Specific Rights

The following rights apply based on your state of residence. If your state is not listed, the Universal rights in §7 still apply.

California (CCPA / CPRA)

  • Right to know, access, delete, correct, and port your data
  • Right to opt out of the sale or sharing of personal information. Do Not Sell or Share My Personal Information
  • Right to limit the use of sensitive personal information
  • Right to non-discrimination for exercising CCPA rights
  • Right to opt out of automated decision-making (when applicable)
  • 12-month lookback: on request, we will disclose categories of personal information collected, sold, shared, or disclosed in the preceding 12 months

Virginia (VCDPA), Connecticut (CTDPA), Montana (MCDPA)

  • Right to access, correct, delete, and obtain a portable copy of your data
  • Right to opt out of sale, targeted advertising, and profiling
  • Appeal right: If we deny a rights request, you may appeal by emailing privacy@grantaq.com with "Privacy Rights Appeal" in the subject. We will respond within 60 days. If the appeal is denied, you may file a complaint with your state Attorney General.

Colorado (CPA)

  • Same rights as Virginia, plus:
  • Universal opt-out honoring: We honor Global Privacy Control (GPC) signals as opt-out requests for sale and targeted advertising, as required by Colo. Rev. Stat. §6-1-1306
  • Appeal process as described above (60-day response)

Utah (UCPA)

  • Right to access, delete, and port your data
  • Right to opt out of sale and targeted advertising

Texas (TDPSA)

  • Right to access, correct, delete, and port your data
  • Right to opt out of sale, targeted advertising, and profiling
  • Sensitive data notice: GrantAQ does not sell sensitive personal data or biometric data. If this changes, we will provide the notice required by Tex. Bus. & Com. Code §541.102.

Oregon (OCPA)

  • All rights under VCDPA-style regimes
  • Specific third-party disclosure: On request, we will provide a list of the specific third parties to whom we have disclosed your personal information (not just categories), as required by ORS 646A.578

Other states

If a new state privacy law takes effect and provides additional rights beyond those listed above, we will honor those rights as of the effective date, even if this policy has not yet been updated.

9. How to Exercise Your Rights

  1. Email privacy@grantaq.com
  2. Tell us: your name, email of record on GrantAQ, the state you reside in, and which right you wish to exercise (access, delete, correct, opt out, appeal)
  3. We will verify your identity (typically by confirming ownership of the email address on your account) before acting on the request
  4. We respond within 45 days (60 for appeals). If we need to extend, we will notify you within the first 45 days.
  5. We do not charge a fee for reasonable requests. For repeated or manifestly unfounded requests, we may charge a reasonable fee or refuse, as permitted by law.

10. Authorized Agents

If you authorize an agent to make a privacy request on your behalf, the agent must provide signed written authorization. We may still contact you to verify identity.

11. Data Retention

  • Active accounts: while your account is active and as long as needed to provide the service
  • After account termination: 30-day grace period for data export, then deletion of personal data
  • Legal hold exceptions: we may retain data longer to comply with legal obligations, resolve disputes, or enforce our Terms
  • Aggregated/de-identified data: may be retained indefinitely for product improvement
  • Billing and tax records: 7 years (US tax law)

12. Data Security

We implement industry-standard security practices including encryption at rest (AES-256), encryption in transit (TLS 1.3), principle-of-least-privilege access controls, audit logging, and routine third-party security assessments.

No system is perfectly secure. If we discover a data breach that affects your personal information, we will notify you as required by applicable state data-breach-notification laws (typically 30–90 days depending on state).

13. Children

GrantAQ is not intended for users under 13 years of age. We do not knowingly collect personal information from children under 13. If you believe a child has provided information to us, contact privacy@grantaq.com and we will delete it.

14. International Users

GrantAQ is a US service. Our data processing occurs in the United States. If you access the service from outside the United States, your data will be transferred to and processed in the US.

We do not actively market to or knowingly serve EU, UK, or Canadian residents, and do not hold ourselves out as compliant with GDPR or PIPEDA. If you are an EU / UK / Canadian resident, please do not use GrantAQ.

15. Changes to This Policy

We may update this Privacy Policy. For material changes, we will provide at least 30 days' advance notice by email and a prominent banner in the platform. Continued use after the effective date constitutes acceptance.

Version history is maintained in our public commit history.

16. Contact

Friedman Global LLC

Privacy: privacy@grantaq.com

Security: security@grantaq.com

Mailing address published in our Terms.