← Back to granvl

Privacy Policy

Last updated July 5, 2026

granvl is an early, experimental product. Features and data practices are evolving, and data provided during the alpha may be reset or deleted as the product changes.

1. Who we are and what this covers

This Privacy Policy explains how granvl collects, uses, discloses, and protects personal information when you visit our websites, request access to the platform, use our APIs and related services, or otherwise interact with us. granvl serves users internationally from British Columbia, Canada, and addresses privacy laws including the EU and UK GDPR, Quebec’s Law 25, and California’s CCPA/CPRA.

2. Personal information we collect

We collect the following categories of personal information:

  • Information you provide: name, email, company, role, access requests, demo requests, and support messages.
  • Account and access data: credentials, settings, and access records.
  • Content and configuration: pages, campaigns, prompts, and settings you create or generate.
  • Usage and device data: log data, IP address, browser and device information, pages viewed, referring URLs, and interactions (collected via cookies).
  • Billing data: limited details through our payment providers (we do not store full card numbers).

Please do not submit sensitive personal information (such as government identifiers, financial account details, health or biometric data, or precise geolocation) through the Service. We collect information directly from you, automatically, and from third parties including analytics and security providers.

3. How we use personal information

We use personal information to: provide and maintain the Service; review access requests; respond to your messages and provide support; understand how the Service is used for debugging and improvement; protect against fraud and security risks; comply with our legal obligations; and send product updates and marketing (with opt-out available).

4. Legal bases for processing (EEA, UK, and similar laws)

Where applicable, our processing relies on: performance of a contract to provide the Service; our legitimate interests in securing and improving the Service; your consent for non-essential cookies and marketing (which you may withdraw); and legal obligation to comply with applicable law.

5. Cookies and similar technologies

We use cookies and similar technologies to keep you signed in, remember preferences, secure the Service, and measure performance. Non-essential cookies require consent where required. You can control cookies through your browser settings and available opt-out methods. See our Cookie Policy for details.

6. How we disclose personal information

We disclose personal information to: service providers (hosting, infrastructure, analytics, security, email, and payments) under contracts that limit their use of it; professional advisors such as lawyers, auditors, and accountants; authorities when legally required; and successors in a merger, acquisition, or asset sale. We do not disclose your personal information for others to use for their own independent marketing. The current list of vendors that process data on our behalf — what each does, the data it touches, and its location — is published at granvl.com/subprocessors, and our Data Processing Agreement is at granvl.com/dpa.

7. “Sales” and “sharing” of personal information

We do not sell personal information for money, but we may use analytics and advertising technologies that in some U.S. states constitute a “sale” or “sharing.” You can opt out by emailing privacy@granvl.com or by enabling Global Privacy Control (GPC) signals. We do not knowingly sell or share the personal information of anyone under 16.

8. International data transfers

We operate internationally and may process and store information in Canada, the United States, and other countries. International transfers use appropriate safeguards, including European Commission Standard Contractual Clauses, adequacy decisions, or other lawful mechanisms.

9. How long we keep personal information

We retain personal information only as long as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements, after which it is deleted or anonymized. Alpha content and account data may be retained for shorter periods and reset or deleted as the product changes.

10. How we protect personal information

We use technical and organizational measures to protect information, including encryption in transit, access controls, and limiting access. No method of transmission or storage is completely secure, and — given the experimental nature of the alpha — we cannot guarantee absolute security.

11. Your privacy rights

Depending on your location, you may have rights to: access and know the personal information we hold; correct inaccurate information; request deletion or erasure; receive information in a portable format; restrict or object to processing; withdraw consent; opt out of sale, sharing, or targeted advertising; limit the use of sensitive information; object to certain automated decisions; be free from discrimination for exercising rights; and appeal decisions and lodge complaints with regulators.

12. How to exercise your rights

Email privacy@granvl.com to exercise your rights. We respond within required timeframes (generally one month under GDPR or 45 days under U.S. state laws, extendable where permitted). We may need to verify your identity. Exercising your rights is free unless requests are unfounded or excessive.

13. Automated decision-making

We do not make decisions that produce legal or similarly significant effects about you based solely on automated processing without a lawful basis and appropriate safeguards. We will update this policy if this changes.

14. Children’s privacy

The Service is intended for businesses and is not directed to children. We do not knowingly collect information from children under 13 (or the higher digital-consent age, up to 16 in the EEA). Please contact us if a child has provided personal information.

15. Third-party services

The Service may link to or integrate with third-party products we do not control, including form and email providers used to receive submissions from our website. Their privacy practices are governed by their own policies. Sections 16 and 17 describe our handling of data from advertising platforms in more detail.

16. Ad platform data (Meta and Google Ads)

If you connect an advertising account, you authorize granvl to access data from that platform on your behalf through its official APIs — the Meta Marketing API and the Google Ads API — using OAuth credentials that you grant. Depending on the permissions you approve, this data may include ad account identifiers, campaign, ad set, and ad structure, spend, delivery, and performance metrics (such as impressions, clicks, CTR, CPM, and conversions), and audience configuration.

We access, use, and store this data only to provide the Service to you: displaying your advertising performance in your workspace, joining platform metrics with conversions measured on your granvl pages, computing metrics such as cost per lead and return on ad spend, and taking actions in your connected accounts that you or the AI agents you authorize instruct us to take. We do not sell ad platform data, we do not use it to build advertising profiles of individuals, we do not use it to serve advertising, and we do not share it with other customers or unrelated third parties. It is disclosed only to the subprocessors that host and operate the Service, as described in Section 6.

granvl’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Data received from Meta platforms (“Platform Data”) is processed in accordance with the Meta Platform Terms and Developer Policies, used only as described above, retained only as long as needed for those purposes, and deleted on request or when no longer required.

You can disconnect a platform at any time from your granvl workspace settings, or by revoking granvl’s access directly — for Google, at myaccount.google.com under “Security → Third-party access”; for Meta, in Business Settings under “Integrations”. After disconnection we stop accessing the platform, and we delete the associated platform data upon request (see Section 17).

17. Data deletion

You can request deletion of your personal information and any data we hold about your connected accounts at any time, in any of these ways:

  • Submit the form at granvl.com/delete-my-data
  • Email privacy@granvl.com with the subject “Data deletion request”
  • Disconnect an ad platform (Section 16) and ask us to delete the associated platform data

We will verify the request, act on it within 30 days, and confirm when deletion is complete. Deletion covers your account, workspace content, connected-platform data, and form submissions we hold, except for records we are legally required to retain (which remain protected under this policy and are deleted when the obligation ends).

18. Region-specific disclosures

EEA, UK, and Switzerland: You have GDPR, UK GDPR, and Swiss FADP rights, including the right to complain to a supervisory authority. Legal bases are in Section 4 and transfer safeguards in Section 8.

California: The CCPA/CPRA grants residents rights to know, delete, correct, and opt out of sales or sharing without discrimination. Categories of collected information appear in Sections 2, 3, 6, and 7.

Other U.S. States: Residents of Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and other states with comprehensive privacy laws have similar rights to access, correct, delete, obtain copies, and opt out of sales and targeted advertising, and many provide appeal rights.

Canada: Under PIPEDA, BC’s PIPA, and Quebec’s Law 25, you may access and correct personal information and withdraw consent. Quebec residents have additional portability and de-indexing rights. Contact privacy@granvl.com or complain to the Office of the Privacy Commissioner of Canada, the OIPC for British Columbia, or the Commission d’accès à l’information du Québec.

Other regions: Users in Brazil (LGPD), Australia, and other jurisdictions have the rights granted under their laws. Contact us to exercise them or reach your relevant regulator.

19. Changes to this policy

We may update this policy, revising the “Last updated” date and providing notice of material changes. We review this policy at least annually.

20. Contact us and how to complain

For privacy questions or to exercise your rights, contact privacy@granvl.com. If you are unsatisfied, you have the right to complain to a data-protection regulator, including the Office of the Privacy Commissioner of Canada, the OIPC for British Columbia, the Commission d’accès à l’information du Québec, an EEA supervisory authority, the UK ICO, the California Privacy Protection Agency, or your state Attorney General.

granvl · British Columbia, Canada