This Privacy Policy explains how Cybentis Oy, doing business as Grain ("we," "us," or "our"), collects, uses, and protects your personal information when you use our analytics platform and related services at grainql.com (the "Services").
Grain is a Finnish company registered under Business ID 3593125-1. Our registered address is PL 157, 00101, Helsinki, Finland.
For privacy inquiries, contact us at privacy@grainql.com.
1. Our approach to privacy#
Grain is a privacy-first analytics platform. We designed our Services around the principle that you should get accurate, actionable analytics without compromising your users' privacy. This means:
- No cookies by default in cookieless mode. In Grain's default cookieless mode, the tracking script does not set tracking cookies and does not persist visitor identifiers across sessions. If you choose a consent-based or opt-out mode, Grain may use first-party cookies or local storage identifiers to remember consent choices or support cross-session measurement.
- Privacy-first collection by default. We do not fingerprint devices. We are designed to work with pseudonymous analytics data, although customers can choose to send additional identifiers or event properties through their own implementation.
- Primary analytics processing in the EU. Our primary analytics infrastructure is designed to run in the European Union. Some support, billing, communications, security, and AI-related processing may involve approved service providers in other jurisdictions as described below.
- Consent-aware Google measurement on our own site. On Grain's marketing properties, Google tags are initialized with denied consent defaults and are intended to remain in a restricted mode until consent is granted.
2. Information we collect#
2.1 Account information#
When you create a Grain account, we collect:
- Name and email address — to create and manage your account
- Company name and job title — to personalize your experience
- Billing information — processed securely by Stripe; we do not store payment card details
- Authentication data — managed by Auth0; if you sign in with Google or another social provider, we receive your name, email, and profile picture
2.2 Usage data (your account)#
We collect information about how you use the Grain dashboard:
- Pages visited within the dashboard
- Features used and actions taken
- Browser type, device type, and operating system
- IP address (used for security and access logging, not shared with third parties)
- Dashboard and product preferences stored in browser storage, such as UI state, model preferences, and configuration caches
2.3 Analytics data (your website visitors)#
When you install the Grain tracking script on your website, it collects the following about your visitors:
- Page views and navigation paths
- Custom events you define
- Referral sources
- Browser, device, operating system, language, and timezone information
- Geographic information derived from network and request metadata, which may include country, region, city, and timezone
- Session duration and scroll depth
- Click positions (for heatmaps)
- Session replay data, heatmap signals, DOM snapshots, and similar visual analytics data (if enabled by you)
- Pseudonymous identifiers such as SDK-generated rotating IDs, consent state, or customer-supplied user identifiers
Important: Grain is designed to work without directly identifying end users by default, but the exact data collected depends on your configuration and implementation. If you pass names, email addresses, user IDs, or other personal data through event properties, identify calls, or custom instrumentation, Grain will process that data on your instructions.
2.4 AI features#
If you use Grain's AI-powered analytics features (such as AI insights or the Kai assistant), prompts, messages, analytics context, and tool results may be processed by our AI service providers. We design these features to use scoped, aggregated analytics results where possible, but the exact data shared depends on the feature you use, the prompt content, the tools invoked, and whether you connect your own model provider credentials.
Conversation history: By default, your Kai conversations (messages, tool results, and AI responses) are automatically saved to enable conversation history, digest generation, and continuity across sessions. You can delete individual conversations or your full chat history from your dashboard at any time. If you prefer not to have conversations persisted, you can disable chat history in your account settings.
Bring Your Own Key (BYOK): If you configure your own API key for an AI provider (e.g., OpenAI, Google, Anthropic), your prompts and analytics context are routed to that provider under your own account. Grain acts as a pass-through and does not control how the third-party provider processes data sent via your key.
3. How we use your information#
We use your information for the following purposes:
| Purpose | Legal basis (GDPR) |
|---|---|
| Providing and operating the Services | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract |
| Sending service-related communications (e.g., outage notifications, billing updates) | Performance of contract |
| Improving our Services and developing new features | Legitimate interest (Art. 6(1)(f)) |
| Detecting and preventing fraud and abuse | Legitimate interest |
| Responding to support requests | Performance of contract |
| Processing data through AI features (Kai assistant, insights, digests) | Performance of contract (Art. 6(1)(b)) |
| Sending product updates and marketing (with consent) | Consent (Art. 6(1)(a)) |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
You can opt out of marketing emails at any time by clicking the unsubscribe link or contacting us.
4. Cookies and tracking#
4.1 Our tracking script (installed on your website)#
In cookieless mode, the Grain analytics script does not use tracking cookies and does not persist visitor identifiers in browser storage for cross-session tracking.
Depending on the consent mode and privacy settings you configure, Grain may also use first-party cookies or browser storage for:
- Consent preferences
- Persistent pseudonymous identifiers after consent is granted
- Cross-session analytics in opt-out configurations
You are responsible for choosing the consent mode and disclosures that match your legal obligations.
4.2 The Grain dashboard (grainql.com)#
On our own website and dashboard, we use a combination of essential cookies and browser storage for authentication, session management, dashboard preferences, configuration caches, and product settings.
Our marketing properties also load third-party services for analytics, advertising measurement, and support, including Google Tag Manager / Google Ads and Intercom. We initialize Google consent defaults in a denied state and use these services subject to our consent and configuration logic.
5. Data sharing and sub-processors#
We do not sell your personal information. We do not share your data with advertisers.
We share data only with the following categories of service providers, under data processing agreements that require them to protect your data:
Sub-processor list#
| Sub-processor / provider | Purpose | Typical location |
|---|---|---|
| Hetzner | Primary analytics infrastructure, event storage, and tenant database | Finland (Helsinki, HEL1) |
| Azure (Microsoft) | Secondary backup, replication, and workloads | Germany (Frankfurt) |
| Cloudflare | CDN, DDoS protection, SSL, backup storage, and request-level enrichment such as geo headers | Global (EU-preferred) |
| Vercel | Frontend hosting, serverless functions, and CDN | EU and other regions used by Vercel |
| Supabase | AI conversation history, digests, memories, reports, and operational data | EU |
| Auth0 (Okta) | Authentication and identity management | EU / US |
| Stripe | Payment processing and billing | EU / US |
| Customer.io | Product and transactional messaging | EU |
| Intercom | Customer support messaging | EU / US |
| Slack | Internal operational notifications and request handling | US / EU |
| Groq | Primary AI inference for analytics features (hosts OpenAI-compatible models) | US |
| Google Cloud AI | AI inference for advanced analytics features (Gemini models) | EU / US, depending on configuration |
| Straico | Optional AI model routing when used | Provider-dependent |
| Browserbase | Automated website analysis during onboarding (via Stagehand) | US |
We may update this list from time to time. Material changes will be communicated via email or an in-app notification.
AI service providers: When you use AI features, we may send prompts, chat messages, analytics context, and returned tool results to the selected AI provider. Groq is our primary inference provider and hosts OpenAI-compatible models — when Grain uses these models, your data is sent to Groq's infrastructure, not to OpenAI directly. If you configure your own model API key (BYOK), that provider processes the request under your chosen configuration and API key, and Grain acts as a pass-through. Customers should avoid sending personal data to AI features unless they have a lawful basis to do so.
Website analysis: During onboarding, Grain may use automated browser tools (Stagehand via Browserbase) to visit and analyze your website for analytics setup purposes. This involves loading your publicly accessible website pages in a cloud browser environment.
6. International data transfers#
Our primary analytics processing occurs within the European Union. Analytics data is stored on Hetzner infrastructure in Helsinki, Finland (HEL1), with backups on Azure in Frankfurt, Germany and Cloudflare EU storage. AI conversation data is stored in Supabase (EU region).
Some support, communications, billing, security, and AI inference processing may take place outside the EU or involve providers with global operations (e.g., Groq and Browserbase in the US).
Where data is transferred outside the EU, we ensure adequate protection through:
- EU Standard Contractual Clauses (SCCs) — Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Sub-processor) of the 2021 SCCs approved by the European Commission
- Supplementary technical measures including encryption in transit (TLS 1.3) and at rest (AES-256), pseudonymization, and access controls
- Data processing agreements that restrict processing to our documented instructions
- For AI inference providers: API-only access with no model training on customer data
7. Data retention#
| Data type | Retention approach |
|---|---|
| Account data | Retained for the duration of your account and then deleted or anonymized under our offboarding processes, except where longer retention is required by law |
| Billing records | Retained as required by applicable accounting and tax laws |
| Analytics data (your website visitors) | Retained according to the retention duration configured in your privacy settings and contractual plan terms, subject to normal deletion cycles and a limited operational grace period |
| Session replay, heatmap, and snapshot data | Retained according to your feature configuration and scheduled deletion jobs, subject to a limited operational grace period |
| AI conversations, digests, and memories | Retained for the duration of your account unless you delete them earlier via the dashboard. Deleted within 90 days of account closure, subject to backup rotation |
| Support tickets and communications | Retained for as long as reasonably necessary to support the relationship, resolve disputes, and maintain business records |
| Server and security logs | Retained according to our operational and security logging practices, then rotated or deleted |
When you delete your account, we begin our account closure and deletion workflow. Some data may remain for a limited period while queued deletions, backups, or legal retention obligations are completed.
8. Data security#
We implement technical and organizational measures intended to protect your data, including:
- Encryption in transit (TLS 1.3) and at rest (AES-256)
- Access controls and authentication safeguards
- Logging, monitoring, and operational alerting
- Role-based restrictions for internal access where applicable
- Incident handling procedures, including notification where required by law
9. Your rights#
Under the GDPR and Finnish data protection law, you have the following rights:
- Access — Request a copy of the personal data we hold about you
- Rectification — Ask us to correct inaccurate or incomplete data
- Erasure — Request deletion of your personal data ("right to be forgotten")
- Restriction — Ask us to restrict processing of your data
- Portability — Receive your data in a structured, machine-readable format
- Objection — Object to processing based on legitimate interest
- Withdraw consent — Where processing is based on consent, withdraw it at any time
To exercise your rights, contact us at privacy@grainql.com or use our Data Request form.
We will respond to your request within one month. If we need additional time (up to two additional months for complex requests), we will inform you within the initial month.
If you believe we are processing your data unlawfully, you have the right to lodge a complaint with the Finnish Data Protection Ombudsman (tietosuoja.fi) or your local supervisory authority.
10. US state privacy rights#
If you are a resident of California, Colorado, Connecticut, Virginia, or another US state with comprehensive privacy legislation:
- You have the right to know what personal information we collect and how we use it
- You have the right to request deletion of your personal information
- You have the right to opt out of the sale of personal information — we do not sell personal information
- You have the right to non-discrimination for exercising your privacy rights
To exercise these rights, contact us at privacy@grainql.com.
11. Children's privacy#
Our Services are not directed to individuals under 18. We do not knowingly collect personal information from children. If we discover that we have collected data from a child under 18, we will delete it promptly. Contact us at privacy@grainql.com if you believe a child has provided us with personal information.
12. Changes to this policy#
We may update this Privacy Policy to reflect changes in our practices or applicable law. We will notify you of material changes by email or through an in-app notification at least 30 days before the changes take effect.
The "Last updated" date at the top of this page indicates when this policy was last revised.
13. Contact#
For questions about this Privacy Policy or to exercise your privacy rights:
Cybentis Oy (doing business as Grain) Business ID: 3593125-1 PL 157, 00101, Helsinki, Finland Phone: +358 41 725 0110
- Email: privacy@grainql.com
- Data requests: grainql.com/privacy/data-request
- General inquiries: support@grainql.com