Privacy Policy
Last updated: 2025-01-20
Introduction
Gryffin ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our GDPR-compliant AI chat service.
Data Controller
Gryffin is the data controller responsible for your personal data. We are committed to complying with the General Data Protection Regulation (GDPR) and applicable Swedish data protection laws.
What Data We Collect
We collect the following categories of personal data:
- Account Information: Name, email address, and password (hashed) when you create an account.
- Organization Data: Organization name, website URL, and team member information.
- Usage Data: Information about how you use the service, including access times and feature usage for service improvement.
- Conversation Data: Messages you send through our service. Note: We automatically detect and protect personally identifiable information (PII) before it reaches AI providers.
How We Use Your Data
We use your personal data for the following purposes:
- To provide and maintain our service, including processing your AI chat requests
- To protect your data through encryption and PII detection
- To communicate with you about your account, service updates, and support requests
- To comply with legal obligations and maintain audit trails
Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Contract Performance: Processing necessary to provide the service you signed up for.
- Legitimate Interests: For security, fraud prevention, and service improvement, where those interests are not overridden by your interests, rights, and freedoms.
- Consent: Where you have given explicit consent for specific processing activities.
- Legal Obligation: Where processing is required to comply with laws we are subject to.
Data Storage & EU Data Centers
All data is stored in EU-based data centers. We use Railway (hosting) and other GDPR-compliant providers that maintain data residency within the European Union. Your data never leaves the EU except where you explicitly choose to use AI providers based outside the EU, in which case only anonymized data (with PII removed) is transmitted.
Data Retention
We retain your personal data only as long as necessary to provide our services and fulfill the purposes described in this policy. Account data is retained while your account is active. Conversation data may be retained for audit trail purposes as required by your organization. Upon account deletion, personal data is deleted within 30 days, except where retention is required by law.
Third-Party Services
We use the following third-party services:
- AI Providers (OpenAI, Anthropic): We send anonymized messages (with PII removed) to AI providers. Your personal information is never shared with these providers.
- Stripe: Payment processing. Stripe is PCI-DSS compliant and handles payment data according to their privacy policy.
- Brevo: Transactional email service for account-related communications.
Your Rights Under GDPR
You have the following rights regarding your personal data:
- Right of Access: Request a copy of the personal data we hold about you.
- Right to Rectification: Request correction of inaccurate personal data.
- Right to Erasure: Request deletion of your personal data ("right to be forgotten").
- Right to Restriction: Request restriction of processing in certain circumstances.
- Right to Data Portability: Receive your personal data in a structured, machine-readable format.
- Right to Object: Object to processing based on legitimate interests.
To exercise any of these rights, please contact us at privacy@gryffin.eu. We will respond within 30 days.
Security Measures
We implement appropriate technical and organizational measures to protect your personal data, including: encryption of data in transit (TLS) and at rest, automatic PII detection and protection, access controls and authentication, regular security assessments, and audit logging.
Contact Information
For questions about this Privacy Policy or to exercise your data protection rights, please contact us:
Email: privacy@gryffin.eu
Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We recommend reviewing this policy periodically.