1. Introduction
Welcome to AgentGRAI ("we," "our," or "us"). We are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered automation platform.
This policy applies to all users of AgentGRAI, including our website, applications, APIs, and related services (collectively, the "Service").
By using our Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use our Service.
2. Data Controller
AgentGRAI is the data controller responsible for your personal data. For any questions or concerns about this policy or our data practices, please contact us using the information provided in the Contact section below.
If you are located in the European Economic Area (EEA), you have the right to lodge a complaint with your local data protection authority if you believe we have not complied with applicable data protection laws.
3. Data We Collect
We collect the following categories of personal data:
3.1 Information You Provide Directly
- Account registration information (email address, name, password)
- Documents you upload for processing (resumes, PDFs, etc.)
- Lead and contact information you import or create
- Communication preferences and custom settings
- Support requests and correspondence
3.2 Information Collected Automatically
- Device and browser information
- IP address and approximate location
- Usage patterns and feature interactions
- Error logs and performance data
3.3 Information from Third-Party Sources
- OAuth-connected services (Google, Calendly) provide profile and calendar data
- Lead enrichment services (Hunter.io, Apollo.io) provide business contact data
- Payment processor (Stripe) provides transaction and billing information
4. How We Use Your Data
We process your personal data for the following purposes:
- Service Delivery: To provide, maintain, and improve our AI-powered automation features
- Account Management: To create and manage your user account, authenticate access, and process payments
- Communication: To send service-related notifications and updates, and to respond to your inquiries
- AI Processing: To transform documents, analyze business data, and provide intelligent automation
- Lead Enrichment: To enhance lead data with publicly available business information
- Security: To detect, prevent, and respond to fraud, abuse, or security incidents
- Legal Compliance: To comply with legal obligations and protect our legal rights
5. Legal Basis for Processing
We process your personal data based on the following legal grounds under GDPR:
- Contract Performance: Processing necessary to provide the services you have requested
- Consent: When you have given explicit consent, such as connecting OAuth services or enabling voice features
- Legitimate Interest: For service improvement, security, and fraud prevention, balanced against your privacy rights
- Legal Obligation: When required by law, such as tax record retention
Data Processing Summary
| Data Type | Purpose | Legal Basis | Retention Period |
|---|---|---|---|
| Account Information (email, name, password hash) | User authentication and account management | Contract performance | Until account deletion + 30 days |
| Payment Information (via Stripe) | Subscription billing and invoicing | Contract performance | 7 years (legal requirement) |
| Resume/Document Content | AI-powered document transformation | Contract performance | 30 days after processing |
| Lead/Contact Data | Lead enrichment and CRM functionality | Legitimate interest / Consent | Until deletion requested |
| Voice Recordings (via ElevenLabs) | Voice agent functionality | Consent | 90 days after call completion |
| SMS/Message Content (via Twilio) | Communication and notifications | Contract performance | 12 months |
| Calendar Data (via Calendly) | Meeting scheduling | Consent (OAuth) | While connected + 30 days |
| Email Data (via Gmail OAuth) | Email outreach campaigns | Consent (OAuth) | While connected + 30 days |
| Usage Analytics | Service improvement and debugging | Legitimate interest | 24 months |
| AI Processing Logs | Quality assurance and abuse prevention | Legitimate interest | 90 days |
6. Data Sharing and Third Parties
We share your data with third-party service providers who help us operate our platform. Each provider is contractually bound to protect your data and use it only for the specified purposes.
Third-Party Service Providers
| Service | Provider | Purpose | Data Location |
|---|---|---|---|
| Authentication & Database | Supabase | User authentication, data storage, and real-time subscriptions | USA (AWS) |
| Payment Processing | Stripe | Subscription billing, payment processing, and invoicing | USA/EU |
| AI Processing | Anthropic (Claude) | Document transformation, business analysis, and conversational AI | USA |
| AI Embeddings & Transcription | OpenAI | Text embeddings for semantic search and Whisper audio transcription | USA |
| Lead Enrichment - Email | Hunter.io | Email discovery and verification for lead enrichment | France (EU) |
| Lead Enrichment - Phone | Apollo.io | Phone number discovery and contact enrichment | USA |
| Voice Agents | ElevenLabs | AI voice synthesis and outbound voice agent calls | USA/EU |
| SMS & Messaging | Twilio | SMS notifications and messaging functionality | USA |
| Email Authentication | Google (Gmail OAuth) | Gmail integration for email outreach campaigns | USA |
| Scheduling | Calendly | Meeting scheduling and calendar integration | USA |
Other Disclosures
We may also disclose your information:
- To comply with legal process or government requests
- To protect our rights, privacy, safety, or property
- In connection with a merger, acquisition, or sale of assets
- With your consent or at your direction
7. AI and Automated Processing
Our Service uses artificial intelligence and machine learning to provide automated features. Here is how AI processes your data:
7.1 How AI Processes Your Data
- Document Transformation: AI analyzes uploaded documents to extract content, restructure formatting, and optimize them for specific purposes
- Business Analysis: AI evaluates company information to identify opportunities and generate insights
- Voice Agents: AI synthesizes speech and conducts conversations based on configured scripts and intents
- Semantic Search: AI creates embeddings to enable natural language search across your data
7.2 Your Data Is Not Used for Training
Important: We do not use your personal data or uploaded content to train or improve AI models. Your data is processed solely to provide you with the requested service features. AI providers (Anthropic, OpenAI) process your data under our data processing agreements and do not retain or train on your inputs.
7.3 Automated Decision-Making
Some features involve automated processing that may affect you, such as lead scoring or priority classification. You have the right to request human review of automated decisions that significantly affect you. Contact us to exercise this right.
8. Data Retention
We retain your personal data only as long as necessary for the purposes described in this policy, or as required by law. Specific retention periods are outlined in the Data Processing Summary table above.
When data is no longer needed, we securely delete or anonymize it. You may request deletion of your data at any time, subject to legal retention requirements.
9. Your Rights
Under GDPR and other applicable data protection laws, you have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you
- Right to Rectification: Request correction of inaccurate or incomplete data
- Right to Erasure: Request deletion of your personal data ("right to be forgotten")
- Right to Restrict Processing: Request limitation of how we use your data
- Right to Data Portability: Receive your data in a structured, machine-readable format
- Right to Object: Object to processing based on legitimate interest or direct marketing
- Right to Withdraw Consent: Withdraw previously given consent at any time
To exercise any of these rights, please contact us at privacy@graisol.com. We will respond within 30 days, or inform you if an extension is needed.
10. International Data Transfers
Your data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. When we transfer data internationally, we ensure appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Data Processing Agreements with all service providers
- Privacy Shield certification where applicable
- Adequacy decisions for countries with equivalent data protection laws
12. Security Measures
We implement appropriate technical and organizational measures to protect your personal data against unauthorized access, alteration, disclosure, or destruction:
- Encryption of data in transit (TLS 1.3) and at rest (AES-256)
- Secure authentication with password hashing and session management
- Regular security audits and vulnerability assessments
- Access controls limiting data access to authorized personnel
- Incident response procedures for potential data breaches
- Employee security training and confidentiality agreements
While we strive to protect your data, no method of transmission over the Internet is 100% secure. We encourage you to use strong passwords and protect your account credentials.
13. Children's Privacy
Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us immediately. If we discover that we have collected data from a child under 16, we will promptly delete that information.
14. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. When we make significant changes:
- We will update the "Last updated" date at the top of this page
- We will notify you via email or in-app notification for material changes
- We may request renewed consent where required by law
We encourage you to review this policy periodically. Continued use of our Service after changes constitutes acceptance of the updated policy.
15. Contact Information
For questions, concerns, or requests related to this Privacy Policy or your personal data, please contact us:
We aim to respond to all privacy-related inquiries within 30 days.