Privacy Policy

1. Information We Collect

Account information

When you sign up, we collect your name, email address, and organization name. Authentication is handled by our identity provider (Clerk) — we never store your password.

Waitlist information

If you join our waitlist, we collect your email address, role, and team size. This information is used solely to communicate with you about Grimoire availability and is never shared with third parties.

Organizational knowledge

When you use Grimoire, your team creates and imports knowledge (pages, entries, and knowledge cards). This content belongs to your organization. We process it only to provide the service — generating entries, creating embeddings for search, and serving knowledge cards to authorized agents.

Connected integrations

If you connect tools like GitHub, Google Drive, Notion, Confluence, or Slack, we access content through those integrations only to extract knowledge as configured by your workspace administrators. We use OAuth tokens scoped to the minimum permissions required and never access content beyond what you explicitly authorize.

Usage data

We collect anonymized usage metrics (feature usage, page views, performance data) to improve the product. We do not track you across other websites. We do not use third-party advertising trackers.

Chat conversations

Conversations in Grimoire Chat are processed to provide AI responses enriched with your knowledge base. We do not use your conversations to train AI models. When you use BYOK (bring your own key), your prompts are sent directly to your chosen model provider under their terms.

2. How We Use Your Information

We use your information to:

• Provide, maintain, and improve the Grimoire platform
• Generate entries and knowledge cards from your pages
• Create vector embeddings for semantic search
• Serve knowledge cards to authorized agents via MCP
• Send you service communications (not marketing, unless you opt in)
• Detect and prevent security incidents
• Comply with legal obligations

That's it. We don't use your data for advertising. We don't sell it. We don't use your organizational knowledge to train models or improve products for other customers.

3. How We Protect Your Data

• Workspace isolation. Each workspace has database-level tenant isolation. No cross-workspace data access is possible, by design.
• Encryption. All data is encrypted in transit (TLS) and at rest. Embeddings are encrypted alongside your content.
• Access controls. Granular permissions scoped to workspace, division, team, and project. Agents respect every permission boundary.
• Audit logging. Full trail of access, modifications, and agent queries available to workspace administrators.
• SOC 2 controls. Built with compliance in mind from day one. Formal certification is in progress.
• No secrets in logs. Our logging infrastructure is designed to never capture API keys, tokens, passwords, or PII.

4. Data Sharing

We do not sell, rent, or trade your personal information or organizational knowledge. We share data only in these limited circumstances:

• Infrastructure providers. We use trusted cloud providers to host the service. They process data on our behalf under strict data processing agreements.
• AI model providers. When you use BYOK, your prompts are sent to your chosen provider. When using Grimoire-provided models, we use providers with data processing agreements that prohibit training on your content.
• Authentication. Clerk processes authentication data. They do not have access to your organizational knowledge.
• Legal requirements. We may disclose data if required by law, subpoena, or court order. We will notify you unless legally prohibited from doing so.

5. Data Retention & Deletion

Your organizational knowledge is retained for as long as your workspace is active. When you delete content, it is removed from our production systems within 30 days and from backups within 90 days.

If you cancel your account or request deletion of your workspace, we will delete all associated data within 30 days of the request. We will provide a data export before deletion upon request.

Waitlist data is retained until we contact you about availability, after which it is deleted unless you create an account.

6. Your Rights

Regardless of where you are located, we provide every user with:

• Access. Request a copy of the personal data we hold about you.
• Correction. Update or correct inaccurate personal data.
• Deletion. Request deletion of your personal data and organizational content.
• Export. Export your organizational knowledge in a standard format at any time.
• Objection. Object to processing of your personal data for specific purposes.

To exercise any of these rights, contact us at . We will respond within 30 days.

7. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising cookies, tracking pixels, or third-party analytics cookies. No cookie banner required — because we don't use cookies that need your consent.

8. Children's Privacy

Grimoire is a business product not directed at children under 16. We do not knowingly collect information from children. If you believe a child has provided us with personal data, contact us and we will delete it promptly.

9. International Data Transfers

Your data may be processed in the United States or other countries where our infrastructure providers operate. When we transfer data internationally, we use appropriate safeguards including standard contractual clauses and data processing agreements to protect your information.

10. Changes to This Policy

If we make material changes to this policy, we will notify you via email or an in-app notification at least 30 days before the changes take effect. We will never retroactively weaken the privacy protections that apply to your existing data.

Contact

Questions about this policy or how we handle your data? Reach us at .