Privacy Policy

Effective date: 2026-05-11 · Last updated: 2026-05-11

This Privacy Policy explains how Grounded (the “Service”, “we”, “us”) collects, uses, shares and protects personal data. Grounded is operated by Łukasz Zapolski, a sole proprietor (jednoosobowa działalność gospodarcza) registered in the Polish Central Register of Business Activity (CEIDG), trading under the business name Łukasz Zapolski, with principal place of business at Karola Łoniewskiego 9, 05-830 Kajetany, Poland, NIP 5342588163 (“Grounded”).

We are the controller of personal data of our customers (people who sign up for and administer the Service). When customers use the Service to operate chatbots that interact with their own end users, we act as a processor on the customer’s behalf for that end-user data, under a Data Processing Agreement.

1. What data we collect

1.1 Data you provide as a customer

  • Account data: name, email address, password (hashed), profile settings.
  • Organization data: organization name, members, invitations, roles.
  • Billing data: billing email, billing address, VAT/tax ID, payment method (processed by Stripe—we never receive card numbers), invoice history.
  • Content you upload: documents (PDFs, text), URLs, sitemaps and other knowledge sources you choose to ingest.
  • Configuration: chatbot name, system prompt, appearance, allowed domains, API keys you generate.
  • Support communications: any messages you send us.

1.2 Data your end users provide (processed on your behalf)

When an end user interacts with a chatbot you operate via Grounded, we process on your behalf:

  • Chat messages the end user sends and the responses generated.
  • Session identifiers and a randomly generated, persistent visitor_id stored in the end user’s browser via localStorage to remember context across sessions.
  • Memory facts extracted from past conversations (per visitor_id), if you enable the memory feature.
  • Feedback (thumbs up/down, optional comments) on individual responses.
  • Handoff requests when the bot escalates to a human, including any contact information the end user provides.

You are responsible for informing your end users about this processing and for having a lawful basis for it (e.g. legitimate interest, consent).

1.3 Data we collect automatically

  • Technical data: IP address, browser type, operating system, device type, referrer URL, pages viewed, request timestamps.
  • Usage data: features used, message counts, API call patterns.
  • Cookies and similar technologies: see our Cookie Policy.

2. How we use your data

We process personal data for the following purposes and on the following legal bases:

  • Providing the Service — performance of contract (Art. 6(1)(b) GDPR): hosting your chatbots, processing chat messages, billing, customer support.
  • Security, fraud and abuse prevention — legitimate interest (Art. 6(1)(f) GDPR): rate limiting, intrusion detection, audit logs.
  • Service improvement and analytics — legitimate interest (Art. 6(1)(f) GDPR): aggregated metrics on Service usage. We do not train AI models on customer content.
  • Legal compliance — legal obligation (Art. 6(1)(c) GDPR): tax records, responses to lawful requests from authorities.
  • Marketing communications — consent (Art. 6(1)(a) GDPR) or legitimate interest where permitted: product updates to existing customers. You can opt out at any time.

3. AI processing — what we do and do not do

  • We use OpenAI and Cohere APIs to generate chat responses and rank documents. Per their API terms, these providers do not use API data to train their models.
  • We do not use customer content to train any AI model, ours or third-party.
  • We do not sell personal data.
  • Responses are generated in real time from your indexed documents. The Service is designed to refuse rather than hallucinate when confidence is low.

4. Sub-processors

We rely on the following sub-processors to operate the Service. We have a written data processing agreement with each, and where data is transferred outside the EEA we rely on Standard Contractual Clauses (SCCs) plus, where required, supplementary safeguards.

| Provider | Purpose | Data processed | Region |
| --- | --- | --- | --- |
| Supabase | Database, authentication, file storage | Account data, chatbot configuration, conversations, uploaded documents, embeddings | EU (Frankfurt) |
| Vercel | Application hosting, edge functions, CDN | Request metadata, IP addresses, application logs | Global (edge), primary EU |
| OpenAI | Large language model inference, embeddings | User chat messages, retrieved document chunks, system prompts. API data is not used to train OpenAI models (per OpenAI API terms). | USA |
| Cohere | Document reranking | Search queries, candidate document chunks. API data is not used to train Cohere models (per Cohere API terms). | USA / Canada |
| Stripe | Payment processing, subscription management | Billing name, email, payment method, billing address, transaction history | Global |
| Resend | Transactional email delivery | Recipient email address, email content | EU / USA |
| Langfuse | LLM observability and tracing | Chat queries, model responses, latency and cost metrics | EU |
| Firecrawl | Crawling customer-supplied URLs and sitemaps | Public web content from URLs the customer chooses to index | USA |
| Upstash | Rate limiting and caching (Redis) | IP-derived rate-limit counters, ephemeral cache entries | EU |
| Sentry | Error monitoring | Stack traces, request metadata, IP addresses (anonymised where possible) | EU |

We will notify customers in advance of any material changes to this list and provide an opportunity to object.

5. Data retention

  • Account data: for as long as your account is active, then deleted within 30 days of account closure (longer where required by law, e.g. tax records for 5 years).
  • Conversations and messages: 1 year by default. You may delete them earlier from the dashboard.
  • Memory facts: kept indefinitely per visitor_id unless deleted by the customer or the end user requests deletion through you.
  • Backups: rolling 30 days.
  • Logs: up to 90 days.

6. Your rights under the GDPR

If you are in the EEA, UK or Switzerland, you have the right to:

  • Access the personal data we hold about you.
  • Rectify inaccurate or incomplete data.
  • Erase your personal data (“right to be forgotten”).
  • Restrict or object to processing.
  • Receive your data in a portable format.
  • Withdraw consent at any time, where consent is the legal basis.
  • Lodge a complaint with a supervisory authority. In Poland, this is the Prezes Urzędu Ochrony Danych Osobowych (UODO), uodo.gov.pl.

To exercise any of these rights, email privacy@grounded.sh. We respond within 30 days.

7. International transfers

Some of our sub-processors are located outside the European Economic Area (notably OpenAI, Stripe, Cohere, Firecrawl). Where personal data is transferred outside the EEA, we rely on the European Commission’s Standard Contractual Clauses (2021/914) and assess supplementary measures as required by Schrems II.

8. Security

We protect personal data with industry-standard measures: TLS in transit, encryption at rest for databases and backups, scoped API keys, role-based access control, audit logging, prompt-injection sanitisation, and least-privilege access for staff. No system is perfectly secure; in the event of a personal data breach affecting your data, we will notify you and, where required, the supervisory authority within 72 hours.

9. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

10. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by a prominent notice in the Service before they take effect.

11. Contact

Questions, requests or complaints regarding this Privacy Policy: