Privacy Policy
Gradd takes your privacy seriously — especially because many of our users are students, some of whom may be minors. This policy explains what personal data we collect, why we collect it, who we share it with, and your rights under the General Data Protection Regulation (GDPR) and Irish data protection law.
1. Data Controller
The data controller for personal data processed through Gradd is Gradd, a sole trader operating in Ireland.
Contact: hello@gradd.ie
2. Data We Collect
Account and Registration Data
- Email address
- Password (stored as a salted hash — we never see your plain-text password)
- Account creation date and last login timestamp
Subscription and Billing Data
- Stripe customer ID and subscription status
- Payment method type and last four digits (held by Stripe — we do not store full card details)
- Billing history and invoice records
Platform Usage Data
- Chat session content — the questions you ask Aoife (Gradd's AI tutor) and the responses generated
- Session timestamps and approximate usage frequency
Technical Data
- Authentication session tokens (stored in a secure HTTP-only cookie via Supabase SSR)
- Server-side request logs (IP address, browser type) — retained for up to 30 days for security purposes
Note for parents: if your child uses Gradd, the data collected is limited to the above. We do not collect information about school attendance, real grades, or sensitive personal data as defined under GDPR Article 9.
3. Why We Collect It — Legal Bases
- Contract performance (Art. 6(1)(b)): Account registration, subscription management, and delivering the platform service.
- Legal obligation (Art. 6(1)(c)): Retaining billing records for VAT and tax compliance purposes (Irish Revenue requirements — 6 years).
- Legitimate interests (Art. 6(1)(f)): Security logging, fraud prevention, and improving AI tutor response quality.
4. Data Retention
- Account data: Retained for as long as your account is active. Deleted within 30 days of account deletion request.
- Chat sessions: Retained for 12 months to support session continuity and product improvement. You may request earlier deletion.
- Billing records: Retained for 6 years as required by Irish Revenue and VAT legislation.
- Server logs: Retained for up to 30 days, then deleted automatically.
5. Data Processors (Third-Party Services)
We share your data only with the processors listed below, all of whom are bound by GDPR-compliant data processing agreements. We do not sell your data to any third party.
| Processor | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Anthropic (Claude API) | AI tutor response generation | USA | Standard Contractual Clauses (SCCs) |
| Supabase | Database, authentication, and user account management | EU (AWS eu-west-1) | Adequacy / SCCs |
| Stripe | Payment processing and subscription billing | USA / EU | SCCs |
| Resend | Transactional email (account confirmation, receipts) | USA | SCCs |
| Vercel | Application hosting and delivery | USA / global edge | SCCs |
Where processors are located outside the European Economic Area (EEA), transfers are protected by Standard Contractual Clauses approved by the European Commission.
6. Cookies
Gradd uses only essential functional cookies required to keep you logged in (Supabase authentication session). We do not use advertising cookies, tracking cookies, or analytics cookies. See our Cookie Policy for full details.
7. Your Rights Under GDPR
As a data subject under GDPR, you have the following rights:
- Right of access: Request a copy of the personal data we hold about you.
- Right to rectification: Ask us to correct inaccurate data.
- Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to our legal retention obligations.
- Right to restriction: Ask us to limit how we process your data in certain circumstances.
- Right to data portability: Receive your data in a structured, machine-readable format.
- Right to object: Object to processing based on legitimate interests.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
8. How to Request Data Deletion
To request deletion of your account and associated personal data, email us at hello@gradd.ie with the subject line "Data Deletion Request" and the email address associated with your account. We will process your request within 30 days and confirm by email when complete.
Note: billing records required for tax compliance (6 years) will be retained but fully anonymised where technically possible.
9. Supervisory Authority — Data Protection Commission
If you believe we have not handled your personal data in accordance with GDPR, you have the right to lodge a complaint with Ireland's supervisory authority:
Data Protection Commission (DPC)
21 Fitzwilliam Square South, Dublin 2, D02 RD28
Web: www.dataprotection.ie
Phone: +353 (0)76 110 4800
10. Security
We implement appropriate technical and organisational measures to protect your personal data, including:
- TLS encryption for all data in transit (HTTPS enforced)
- Passwords stored as bcrypt hashes — never in plaintext
- Row-Level Security (RLS) policies on our Supabase database ensuring users can only access their own data
- HTTP-only, secure session cookies, which keep session tokens out of reach of client-side scripts and so limit the impact of XSS
11. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by email at least 14 days before they take effect. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact
For any privacy-related enquiries or to exercise your rights, contact us at: hello@gradd.ie
© 2026 Gradd. All rights reserved.