Skip to main content
GrantPilot Back

Privacy Policy

Last updated: April 16, 2026

1. Information We Collect

Account Data: Name, email address, password (hashed), and authentication tokens when you create an account or sign in via Google/GitHub OAuth.

Organization Data: Organization name, mission, EIN, address, team size, annual budget, and other profile details you provide.

Documents & Content: Files you upload, Content Library entries, grant application drafts, and any text you enter into the platform.

Usage Data: Pages visited, features used, application outcomes you report, timestamps, browser type, IP address, and device information.

2. How We Use Your Information

We use your data to: (a) match you with relevant grant opportunities, (b) generate and optimize grant applications using AI, (c) populate your Content Library for reuse across applications, (d) send grant alerts and deadline reminders, (e) process payments and manage your subscription, (f) improve our algorithms and platform features, and (g) communicate product updates and support responses.

We never sell your personal data to third parties.

3. AI Processing

Your Content Library data, uploaded documents, and organization profile are processed by Anthropic's Claude API to generate and optimize grant applications. This data is sent to Anthropic's servers for processing. Per Anthropic's data policy, API inputs are not used to train AI models. Data is retained by Anthropic for up to 30 days for safety monitoring, then deleted. See Anthropic's privacy policy for details.

4. Cookies & Tracking

Essential Cookies: Session authentication tokens and CSRF protection. Required for the platform to function.

Preference Cookies: UI settings such as sidebar state and notification preferences.

Analytics: We use privacy-respecting analytics to understand feature usage and improve the platform. We do not use third-party advertising trackers.

5. Data Sharing & Third Parties

We share data only with the following service providers, solely for the purposes described:

  • Anthropic — AI processing for grant application generation
  • Stripe — Payment processing and subscription management
  • Vercel — Application hosting and edge delivery
  • Supabase/PostgreSQL — Database hosting

We may disclose data if required by law, subpoena, or court order, or to protect the rights and safety of our users.

6. Data Security

We use industry-standard encryption: TLS 1.3 for data in transit and AES-256 for data at rest. Passwords are hashed with bcrypt (12 rounds). Payment information is processed by Stripe and never stored on our servers. We conduct regular security reviews and maintain access controls that limit employee access to user data on a need-to-know basis.

7. Data Retention

Active accounts: We retain your data for as long as your account is active.

Account deletion: When you delete your account, we permanently remove your personal data, documents, and Content Library within 30 days. Anonymized usage analytics may be retained.

Legal obligations: We may retain certain records as required by law (e.g., payment records for tax compliance, typically 7 years).

8. Your Rights

Depending on your jurisdiction, you may have the following rights:

GDPR (EU/EEA residents): Right to access, rectify, erase, restrict processing, data portability, and object to processing. You may also lodge a complaint with your local data protection authority.

CCPA (California residents): Right to know what data we collect, right to delete, right to opt out of sale (we do not sell data), and right to non-discrimination for exercising your rights.

All users: You can export your data, update your profile, or delete your account from your dashboard settings at any time.

9. How to Exercise Your Rights

Email privacy@grantpilot.dev with your request. We will respond within 30 days. We may ask you to verify your identity before processing requests.

10. International Data Transfers

GrantPilot is based in the United States. If you access our platform from outside the US, your data will be transferred to and processed in the US. We rely on Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms to ensure adequate protection of your data.

11. Children's Privacy

GrantPilot is not intended for individuals under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

12. Changes to This Policy

We may update this policy from time to time. For material changes, we will notify you by email or through the platform at least 30 days before the changes take effect. Continued use after changes constitutes acceptance.

13. Contact Us

For privacy questions or data requests, contact us at privacy@grantpilot.dev.