Legal

Privacy Policy

Last updated: February 1, 2026

1. Introduction

This Privacy Policy describes how Grymoir ("we," "us," or "Provider") collects, uses, stores, and protects personal data and other information when you use our RAG-as-a-Service platform, APIs, embeddable widgets, and related services (the "Service"). We are committed to protecting your privacy and handling your data transparently and in compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).

2. Data Controller & Data Processor

Grymoir acts as a Data Processor with respect to any content, documents, or data that you (the "Client" or "Data Controller") submit to the Service for indexing, retrieval, or augmented generation. For account-level and usage data described below, Grymoir acts as the Data Controller.

For any data protection inquiries, contact us at contact@grymoir.com.

A Data Processing Agreement (DPA) governing the Provider's processing of personal data on behalf of the Client is available upon request and, when executed, forms an integral part of the Terms of Service.

3. Data We Collect

We collect the following categories of data:

3.1 Account & Identity Data

  • Email address (used for authentication, billing, and service communications)
  • Name and organization (if provided)
  • Billing and payment information (processed by Stripe; we do not store full card details)

3.2 Client-Submitted Content

  • Documents, URLs, and files uploaded or submitted for indexing and retrieval
  • Vector embeddings generated from your content
  • Configuration settings for your RAG pipelines and workflows

3.3 Prompts & Query Data

  • Prompts, queries, and API requests sent to the Service
  • LLM-generated responses associated with your queries
  • Prompt and query logs are retained for the duration configured in your account dashboard. You may adjust retention periods at any time from the user panel.

3.4 Usage & Operational Data

  • API call logs, request timestamps, and response metadata
  • Token consumption and rate-limiting metrics
  • Feature usage patterns and session data
  • Error logs, performance metrics, and diagnostic information
  • IP addresses and browser/device metadata (for iframe and dashboard access)

4. How We Use Your Data & Legal Basis

We process your data exclusively for the following purposes. For each purpose, we identify the legal basis under GDPR Article 6(1):

  • Service delivery: To provide, operate, and maintain the RAG platform, including document indexing, retrieval, generation, API access, and iframe embedding. Legal basis: performance of contract (Art. 6(1)(b)).
  • Authentication & account management: To verify your identity, manage subscriptions, and process payments. Legal basis: performance of contract (Art. 6(1)(b)).
  • Observability & debugging: To monitor system health, diagnose issues, and ensure service reliability. Operational logs (including prompt logs) may be reviewed by authorized personnel solely for troubleshooting purposes. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Service improvement: To analyze aggregated, anonymized usage patterns in order to improve performance, reliability, and user experience. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Security: To detect, prevent, and respond to fraud, abuse, or security incidents. Legal basis: legitimate interest (Art. 6(1)(f)).
  • Legal compliance: To comply with applicable legal obligations, including tax and accounting requirements. Legal basis: legal obligation (Art. 6(1)(c)).

5. Data We Do NOT Sell or Share

We do not sell, rent, trade, or otherwise share your personal data or client-submitted content with third parties for their own marketing or commercial purposes. Your data is never used to train third-party AI models. We do not share your data with advertisers, data brokers, or any unrelated third parties.

6. Third-Party Sub-Processors

We use a limited set of trusted sub-processors strictly necessary to operate the Service:

  • Cloud infrastructure providers (hosting, compute, and storage)
  • LLM providers (for generation capabilities — prompts are sent per your configuration)
  • Stripe (payment processing)
  • Email service providers (transactional communications)

All sub-processors are contractually bound to process data only as instructed and to maintain appropriate security measures. A detailed list of sub-processors is available upon request.

6A. LLM Provider Data Transfers

When you use the Service, prompts and queries may be transmitted to third-party Large Language Model (LLM) providers (e.g., providers based in the United States) as necessary to deliver the generation capabilities of the Service. These transfers are made solely to process your requests and are governed by data processing agreements with each provider. For transfers from the EU to the US, we rely on the EU-US Data Privacy Framework, Standard Contractual Clauses, or other applicable legal mechanisms as appropriate.

7. Data Storage & Processing Locations

Your data is processed and stored on servers located in the European Union (EU) and/or the United States (US), depending on your account configuration and the infrastructure required to deliver the Service. Where data is transferred outside the EU, we ensure appropriate safeguards are in place in accordance with GDPR (e.g., Standard Contractual Clauses).

8. Data Retention

  • Client-submitted content (documents, vectors): Retained for the duration of your subscription. Deleted upon account termination, unless a longer retention period is required by law.
  • Prompts & query logs: Retained for the period configured in your user panel. You control the retention duration.
  • Usage & operational data: Retained for up to 12 months for observability and debugging, then anonymized or deleted.
  • Account data: Retained for the duration of the account relationship plus any legally mandated retention period.

8A. Data Breach Notification

In the event of a personal data breach, the Provider will notify the relevant supervisory authority within seventy-two (72) hours of becoming aware of the breach, as required by GDPR Article 33. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the Provider will also notify affected data subjects without undue delay in accordance with GDPR Article 34. Clients acting as Data Controllers will be notified promptly so they may fulfill their own notification obligations.

9. Security Practices

We implement industry-standard technical and organizational measures to protect your data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Network isolation and firewall protections for all infrastructure
  • Role-based access controls with least-privilege principles
  • Regular security assessments and dependency audits
  • Secure API authentication via API keys and token-based access
  • Audit logging of administrative and data access operations
  • Incident response procedures with timely breach notification

10. Your Rights (GDPR & Applicable Law)

Where applicable under GDPR or other data protection regulations, you have the right to:

  • Access: Request a copy of the personal data we hold about you.
  • Rectification: Request correction of inaccurate data.
  • Erasure: Request deletion of your personal data ("right to be forgotten").
  • Restriction: Request restriction of processing in certain circumstances.
  • Portability: Receive your data in a structured, machine-readable format.
  • Objection: Object to processing based on legitimate interests.
  • Withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at contact@grymoir.com. We will respond within 30 days.

10A. Additional Rights for US Residents (CCPA/CPRA)

If you are a California resident or resident of another US state with applicable privacy legislation, you may have additional rights, including:

  • Right to Know: You may request disclosure of the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purpose for collection, and the categories of third parties with whom we share it.
  • Right to Delete: You may request deletion of personal information we have collected from you, subject to certain exceptions.
  • Right to Opt-Out of Sale/Sharing: We do not sell or share your personal information as defined under the CCPA/CPRA.
  • Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights.

To exercise these rights, contact us at contact@grymoir.com. We will verify your identity before processing your request and respond within 45 days.

11. Cookies & Tracking

The Service uses strictly necessary cookies for authentication and session management. We do not use third-party advertising or tracking cookies.

12. Children's Privacy

The Service is not directed at individuals under 16 years of age. We do not knowingly collect personal data from children.

13. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or a notice within the Service. Continued use of the Service after changes constitutes acceptance of the updated policy.

14. Contact

For questions, concerns, or data protection requests:

Email: contact@grymoir.com
Grymoir — registered in Poland