Privacy Policy

Grail Computer Labs Pte. Ltd.
Effective Date: 15 July 2025

1. Introduction

Grail Computer ("Grail," "we," "our," or "us") is a Singapore‑based software company that provides a browser‑based AI workspace for building, deploying, and operating software agents, applications, and analytics ("Services"). Your privacy is important to us. This Privacy Policy explains how we collect, use, disclose, and secure information about you when you use any of our websites, dashboards, mobile or desktop applications, APIs, browser extensions, or any other product or service that links to this Policy (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read and understood this Policy and agree to our Terms of Service. If you do not agree, please do not use the Service.

2. Scope

This Policy applies to personal information that we process as a controller. It does not apply to:

  • Data that you upload to private Grail workspaces when Grail acts as a processor on your behalf (e.g., source code, proprietary datasets).
  • Third‑party services you choose to connect to in your Grail workspace (any APIs you add to your workspace). Those services have their own privacy policies.

3. Information We Collect

3.1 Information you provide directly

  • Account Data – name, email address, password (hashed), profile photo, two‑factor authentication secrets, and organization affiliation.
  • Billing & Payment Data – if you purchase a paid plan, our payment processor (Stripe) collects your payment‑card details. Grail only stores limited billing metadata (card type, last four digits, expiry month/year, billing country) and invoices.
  • Workspace & Project Content – source code, run‑time logs, prompts, uploaded files, database schemas, environment variables, and other artefacts you choose to store in your Grail workspace.
  • Support & Communication Data – information contained in emails, chat messages, or tickets you send to us.

3.2 Information we collect automatically

  • Usage & Device Data – IP address, device type, OS and browser version, language, screen resolution, referring URLs, click‑stream data, and the features you use.
  • Analytics Data – anonymised event and session data collected via PostHog to understand feature adoption and product performance. Full keystrokes and sensitive payloads are never logged.
  • Cookies & Similar Technologies – we use first‑party cookies for authentication and preference persistence and third‑party cookies only where strictly necessary (e.g., Stripe checkout).

3.3 Data from third parties

  • Public profile data from OAuth providers (Google, X/Twitter) when you authorise Grail.

4. How We Use Information

We use your information to:

  1. Provide and maintain the Service – create accounts, authenticate users, spin up workspaces, compile and deploy code, and fulfil orders.
  2. Improve and research – diagnose crashes, benchmark agent performance, and develop new features.
  3. Communicate – send administrative messages, security alerts, and product updates. Marketing emails are sent only with your consent.
  4. Security & Abuse Prevention – detect fraud, suspicious log‑ins, or malicious code execution; enforce our Acceptable Use Policy.
  5. Legal compliance – comply with financial, tax, export‑control, and anti‑money‑laundering obligations.

5. How We Share Information

We never sell your personal information. We share it only as follows:

  • Service Providers – cloud hosting (Railway, AWS, Hetzner), storage (Supabase, S3‑compatible), analytics (PostHog), payments (Stripe), communications (Resend), and AI inference (OpenRouter, AWS Bedrock, Google AI).
  • Public Content – if you set a project to "public," its code, prompts, and documentation become visible to anyone with the link. Private workspaces remain private by default.
  • Corporate Transactions – information may be transferred in connection with a merger, acquisition, or asset sale.
  • Legal & Safety – where required to comply with law, enforce our terms, or protect the rights, property, or safety of Grail, our users, or others.

6. Legal Bases for Processing (EEA/UK)

We process personal data on the following bases: (i) contract necessity; (ii) legitimate interests (product security, R&D); (iii) consent (marketing, certain cookies); and (iv) compliance with legal obligations.

7. International Data Transfers

We store the majority of user data in the US, but may transfer data to other jurisdictions where our subprocessors operate. Where we do, we rely on Standard Contractual Clauses or other lawful transfer mechanisms.

8. Data Retention

We retain personal information for as long as it is needed to: (a) deliver the Service; (b) comply with legal obligations; or (c) resolve disputes. Deleted workspaces enter a 30‑day grace period before permanent erasure from backups.

9. Your Rights and Choices

Subject to local law, you may have the right to access, correct, delete, or port your personal data, object to or restrict processing, and withdraw consent. You can exercise most rights from the Grail dashboard or by emailing privacy@grail.computer.

10. Security

Grail implements ISO 27001‑aligned administrative, technical, and physical safeguards, including encryption in transit and at rest, multi‑factor authentication, network segmentation, and regular independent penetration testing. We are working toward SOC 2 Type II certification.

11. Children's Privacy

The Service is not directed to children under 16. If we learn that we have collected personal information from a child without verified parental consent, we will delete it.

12. Cookies & Tracking Technologies

You can manage cookie preferences in your browser. Disabling essential cookies may break core functionality. For more details, see our separate Cookie Notice.

13. Changes to This Policy

We may update this Policy periodically. We will notify you of material changes via email or an in‑app banner and post the revised Policy with a new effective date.

14. Contact Us

If you have questions about privacy or would like to exercise your rights, please contact:

Grail Computer Labs Pte. Ltd.

Attn: Data Protection Officer

68 Circular Road, #02‑01, 049422, Singapore

privacy@grail.computer

You may also lodge a complaint with your local supervisory authority.