1. Information We Collect
GreatGrants.ai, operated by Great Grants, Inc. ("Company," "we," "us," or "our"), collects information necessary to provide our AI-powered grant management Service. We collect the following categories of information:
Account Data
Name, email address, and password (hashed; we never store plaintext passwords).
Phone number (optional, for MFA enrollment).
Profile information such as role, title, and professional background.
Organization Data
Organization name, type, mission statement, and denomination or faith tradition (if provided).
Employer Identification Number (EIN), tax-exempt status documentation, and fiscal year information.
Annual budget, staff size, geographic service area, and program descriptions.
Grant Content
Grant application narratives, budgets, letters of support, and supplementary documents you create or upload.
Grant opportunity details, funder information, and application deadlines.
AI-generated drafts, readiness assessments, and compliance reports produced through the Service.
Usage Analytics
Device information (browser type, operating system, screen resolution).
IP address, approximate geographic location (city/region level), and referring URLs.
Feature usage patterns, session duration, and navigation paths within the Service.
Error logs and performance metrics to maintain service quality.
2. How We Use Your Information
We use the information we collect for the following purposes:
Service Delivery
To create and manage your account, authenticate your identity, and maintain your subscription.
To match your organization with relevant grant opportunities based on your profile, mission, and eligibility criteria.
To generate readiness assessments, compliance reports, and application recommendations.
AI Processing
To power AI-assisted grant writing features, including narrative drafting, budget recommendations, and content suggestions.
To improve the accuracy and relevance of our AI models using aggregated, anonymized usage patterns (never individual user data).
Analytics & Improvement
To analyze usage patterns and improve Service features, performance, and reliability.
To detect and prevent fraud, abuse, and security incidents.
Communication
To send transactional emails (account verification, password resets, billing receipts).
To send grant deadline reminders and application status updates.
To send product updates and educational content (with your opt-in consent).
3. AI Data Processing
Transparency about how your data interacts with our AI systems is a core commitment. Here is how data flows through our AI infrastructure:
AI Gateway Architecture
All data sent to AI models passes through our proprietary AI Gateway, a private Python service that enforces strict data protection measures before any data reaches a language model.
5-Layer PII Stripping Pipeline
Before your data is sent to any AI model for processing, it passes through a five-layer personally identifiable information (PII) stripping pipeline:
Pattern Recognition: Automated detection and redaction of structured PII such as Social Security numbers, EINs, bank account numbers, and credit card numbers.
Named Entity Recognition: AI-based identification and replacement of personal names, addresses, phone numbers, and email addresses with anonymized placeholders.
Contextual Scrubbing: Removal of contextual identifiers that could indirectly identify individuals even without explicit PII.
Organization De-identification: Replacement of organization-specific identifiers with generic labels during AI processing, with re-mapping upon response return.
Output Validation: Post-processing scan of AI responses to detect and remove any PII that may have been introduced or echoed by the model.
No Training on Your Data
Your data is never used to train third-party AI models. We maintain contractual agreements with our AI providers (including OpenAI and Anthropic) that explicitly prohibit the use of our API inputs for model training. All AI interactions use zero-retention API endpoints where available.
5-Layer Prompt Injection Defense
Our AI Gateway also employs a five-layer defense against prompt injection attacks, ensuring that malicious inputs cannot manipulate AI behavior or extract data from the system. These defenses include input validation, prompt sandboxing, output filtering, anomaly detection, and audit logging.
4. Data Sharing & Third Parties
We do not sell your personal information. We share data with third-party service providers only as necessary to operate and improve the Service. All third-party providers are bound by data processing agreements.
Infrastructure & Hosting
Supabase: Database hosting (PostgreSQL) and authentication services. Data stored in US-based data centers.
Amazon Web Services (AWS): Cloud infrastructure, container orchestration (EKS), object storage (S3), and content delivery.
Payment Processing
Stripe: Subscription billing and payment processing. We do not store your full credit card number; Stripe handles all payment card data in compliance with PCI DSS Level 1.
Communications
SendGrid: Transactional email delivery (account notifications, password resets, deadline reminders). Only your email address and message content are shared.
AI Providers
OpenAI / Anthropic: Language model processing for AI-assisted features. All data is PII-stripped before transmission (see Section 3). These providers process data under contractual agreements that prohibit data retention and model training on our inputs.
We may also disclose your information if required by law, court order, or governmental regulation, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others.
5. Data Security
We implement comprehensive security measures to protect your data:
Encryption
In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3. We enforce HTTPS on all endpoints and implement HTTP Strict Transport Security (HSTS).
At Rest: All stored data is encrypted using AES-256 encryption. Database backups are also encrypted.
Field-Level Encryption: Particularly sensitive data such as EINs, financial account information, and API keys receive an additional layer of field-level encryption beyond standard at-rest protections.
Access Controls
Row-Level Security (RLS) in our PostgreSQL database ensures that users can only access data belonging to their organization.
Role-based access control (RBAC) limits data access based on user roles within each organization.
All internal access to production systems is logged, audited, and restricted to authorized personnel.
Monitoring & Incident Response
Continuous monitoring with Prometheus, Grafana, and OpenTelemetry for anomaly detection.
Automated alerting for suspicious activity, failed authentication attempts, and unusual data access patterns.
Documented incident response procedures with defined escalation paths and notification timelines.
6. Faith-Based Data Sensitivity
We recognize that faith-based organizations handle data that may carry unique sensitivities. Religious affiliation, denominational membership, and faith-related activities may be considered sensitive personal data under certain jurisdictions.
Denominational Information: When you provide your organization's faith tradition or denominational affiliation, this information is used solely for grant matching and impact scoring purposes. It is not shared with third parties for marketing or profiling.
Congregant Data: If your grant applications reference community members, beneficiaries, or congregants, we apply enhanced protections to this data. We recommend anonymizing individual information in grant narratives wherever possible.
Mission-Related Content: Faith-specific language, theological frameworks, and ministry descriptions in your grant content are treated with the same confidentiality as all other user data.
No Faith-Based Profiling: We do not profile users based on their organization's faith tradition. All organizations receive equal treatment on the platform regardless of denomination or belief system.
7. Data Retention
We retain your data only as long as necessary to provide the Service and fulfill the purposes described in this Privacy Policy.
Active Accounts
While your account is active, we retain all account data, organization data, and grant content necessary to provide the Service.
Account Deletion
Upon account deletion, we implement a soft delete that retains your data for 30 days. During this period, you may contact us to restore your account.
After the 30-day grace period, all personal data and user-generated content are permanently and irreversibly deleted from our primary systems.
Encrypted backups may retain deleted data for up to 90 days as part of our disaster recovery procedures. This data is inaccessible for any purpose other than disaster recovery and is permanently removed after 90 days.
Usage & Analytics Data
Aggregated, anonymized analytics data may be retained indefinitely to improve the Service. This data cannot be used to identify individual users or organizations.
Legal Obligations
We may retain certain information beyond the standard retention period if required by law, regulatory obligation, or to resolve disputes and enforce our agreements.
8. Your Rights
Depending on your jurisdiction, you may have the following rights regarding your personal data. We honor these rights for all users regardless of location, consistent with CCPA and emerging state privacy regulations:
Right to Access: You may request a copy of all personal data we hold about you and your organization. We will provide this information in a portable, machine-readable format within 30 days.
Right to Correction: You may request that we correct any inaccurate or incomplete personal data. Most data can be corrected directly through your account settings.
Right to Deletion: You may request that we delete your personal data and account. Deletion requests are processed within 30 days, subject to our data retention policy and any applicable legal obligations.
Right to Data Portability: You may export your organization data, grant content, and application history in standard formats (CSV, JSON) through the Service or by request.
Right to Opt Out: You may opt out of non-essential data processing, marketing communications, and analytics tracking at any time through your account privacy settings.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your privacy rights. Your subscription features and pricing will not be affected.
To exercise any of these rights, contact us at privacy@greatgrants.ai. We may need to verify your identity before processing certain requests.
9. Cookies & Tracking
We use cookies and similar technologies to provide and improve the Service.
Essential Cookies
These cookies are strictly necessary for the Service to function. They include authentication tokens, session identifiers, and CSRF protection tokens. You cannot opt out of essential cookies while using the Service.
Analytics Cookies (Opt-In)
We may use analytics cookies to understand how users interact with the Service. These cookies are only set after you provide explicit consent through our cookie preferences panel. You can change your analytics preferences at any time through the privacy settings in your account.
No Third-Party Advertising
We do not use advertising cookies or trackers. We do not serve third-party advertisements on the Service, and we do not share your data with advertising networks.
Do Not Track
We honor Do Not Track (DNT) browser signals. When we detect a DNT signal, non-essential analytics tracking is disabled for your session.
10. Children's Privacy
The Service is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided personal information to us, please contact us at privacy@greatgrants.ai and we will promptly delete such information.
Users must be at least 18 years old or the age of majority in their jurisdiction to create an account and use the Service. Organizations are responsible for ensuring that only authorized adult representatives access the platform on their behalf.
11. International Data Transfers
GreatGrants.ai is based in the United States, and all data processing occurs within the United States. If you access the Service from outside the United States, your information will be transferred to, stored, and processed in the United States.
By using the Service, you consent to the transfer of your information to the United States, which may have different data protection laws than your country of residence. We take steps to ensure that your data receives adequate protection consistent with applicable privacy frameworks.
For organizations based in the European Economic Area (EEA) or the United Kingdom, we rely on standard contractual clauses and other approved transfer mechanisms to ensure lawful data transfers.
12. Changes to Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will:
Update the "Last Updated" date at the top of this page.
Notify you via email to the address associated with your account at least 30 days before the changes take effect.
Provide a summary of the changes in the notification.
Your continued use of the Service after the effective date of the revised Privacy Policy constitutes your acknowledgment and acceptance of the changes.
13. Contact Information
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:
Privacy Inquiries: privacy@greatgrants.ai
General Support: support@greatgrants.ai
Data Protection Officer: dpo@greatgrants.ai
Mailing Address: Great Grants, Inc., Attn: Privacy Team, Austin, TX 78701, United States
We aim to respond to all privacy-related inquiries within 10 business days. For data access, correction, or deletion requests, we will respond within 30 calendar days as required by applicable law.