Privacy Policy.

Grantboard is operated by the legal entity behind grantboard.co ("Grantboard", "we", "us"). For questions about this policy or to exercise the rights described below, contact privacy@grantboard.co.

We collect data in three categories: account data you provide (email, name, password hash, optional avatar, optional Ethereum wallet address), workspace data you create or contribute to inside an organization (grants, milestones, payments, documents, comments, activity rows), and technical data automatically logged in the ordinary course of running the service (IP address, user agent, authentication events, request timestamps).

We do not run third-party analytics or advertising trackers in the product. The only cookies we set are those strictly necessary for authentication and session management.

We process personal data to provide Grantboard, including: account creation, authentication, sending transactional email (confirmation, password reset, invitations, deadline reminders), enforcing access controls, billing, security and fraud prevention, and producing the audit trail required for regulated grant management. The legal bases under GDPR are contract performance (Article 6(1)(b)), our legitimate interest in running a secure service (Article 6(1)(f)), and your consent where applicable (Article 6(1)(a)).

We share personal data only with sub-processors strictly necessary to deliver the service:

• Supabase (database, authentication, file storage), EU region.
• Resend (transactional email).
• Vercel (application hosting).
• Stripe (subscription billing, when applicable to your plan).
• IPFS / Arweave pinning providers (only when a workspace explicitly opts in to publishing documents permanently on chain).

We never sell personal data. We do not share data with advertisers.

Production data is stored in the European Union. Backups are encrypted at rest and retained for the period set by our infrastructure provider. Where data needs to leave the EEA (for example, for transactional email delivery), we rely on the standard contractual clauses where applicable.

Account data is kept while your account is active. When you schedule deletion (Settings → Privacy), your account enters a 30-day grace window during which you can restore it; at the end of the grace window we permanently delete the account, the profile, and your workspace memberships. Workspace data (grants, milestones, payments, documents) is owned by the workspace and persists subject to that workspace's own retention; rows attributed to your name carry forward without your account identity. Audit logs are retained for the period required by the workspace operator's regulatory obligations.

Under GDPR you have the right to access, correct, delete, port, restrict, and object to the processing of your personal data, and to lodge a complaint with a supervisory authority. You can exercise the access and portability rights at any time by signing in and using Settings → Privacy → Download your data (returns a structured JSON bundle). You can exercise the right to erasure via Settings → Privacy → Delete your account. By default we honor the request after a 30-day grace; you can also request immediate deletion via the "Permanently delete now" escape in the same dialog. For other requests, write to privacy@grantboard.co.

Authentication uses Supabase Auth with bcrypt-hashed passwords. All traffic between your browser and our servers is encrypted in transit (TLS). Database storage is encrypted at rest. Row-level security policies enforce that workspace data is only readable by accepted members of that workspace, and the service-role key is isolated to the server runtime.

Grantboard is not intended for children under 16. We do not knowingly collect personal data from children.

We may update this policy. Material changes will be communicated by email to active account holders. The "Last updated" date at the top of this page indicates when the most recent change took effect.