Privacy Policy

1. Who We Are

Grantverse OÜ is a company registered in Estonia that operates the Grantverse platform. We are the data controller responsible for your personal data as described in this Privacy Policy.

As an EU-based company, we are subject to the General Data Protection Regulation (GDPR) and are committed to full compliance with all applicable data protection laws.

If you have any questions about how we handle your data, you can reach us at privacy@grantverse.io.

2. What Data We Collect

We collect different categories of data depending on how you interact with our platform. The table below provides a clear overview:

3. How We Use Your Data

We use the data we collect to power the core features of the Grantverse platform:

• Readiness Scores: Generating Readiness Scores based on your financial and company data to help you understand your fundraising position.
• Optimized Capital Stacks: Building personalized capital stack recommendations that combine grants, non-dilutive funding, and equity financing.
• Startup-Investor Matching: Matching startups with relevant investors based on mutual criteria, preferences, and compatibility signals.
• Opportunity Matching: Identifying Opportunities and non-dilutive funding you may be eligible for based on your company profile.
• Dilution Scenario Calculations: Running dilution modeling based on your cap table data to help you make informed funding decisions.
• Opportunity Deadline Notifications: Sending email notifications about upcoming Opportunity deadlines relevant to your profile. You can opt out of these notifications at any time via your account settings.
• Aggregate Analytics: Using anonymized, aggregated data to understand platform trends, improve our services, and publish industry insights. Individual users are never identifiable in aggregate data.

We do NOT sell your data. We do NOT use your financial data for advertising.

4. Who We Share Data With

We are selective and transparent about who has access to your data:

4.1 Matched Investors

When a match occurs, investors see your startup profile only: company name, sector, stage, and readiness score. Investors do NOT see your raw financial data such as revenue, burn rate, or cash on hand.

4.2 Matched Startups

When a match occurs, startups see investor profiles only: firm name, investment criteria, and thesis.

4.3 Service Providers

We work with the following trusted third-party providers who process data on our behalf:

• Stripe: Payment processing. Stripe is PCI-compliant and handles all card data directly.
• Resend: Transactional emails (account confirmations, notifications, password resets).
• Sentry: Anonymized error reporting to help us identify and fix bugs. No financial data is sent to Sentry.
• Vercel: Application hosting and edge network delivery.
• Railway: Database hosting and infrastructure.
• Anthropic (Claude AI): AI-powered features including win probability predictions, capital stack narratives, and grant eligibility analysis. Company and financial data may be sent to Anthropic's API for processing. Anthropic does not use API inputs to train its models. See Anthropic's Privacy Policy.
• Pusher: Real-time notifications and messaging. Pusher processes connection metadata to deliver real-time updates to your browser. No financial data is sent to Pusher.
• Microsoft Clarity: Session replay and heatmap analytics for usability analysis. Clarity records anonymised user interactions (clicks, scrolls, page navigation). It does not collect passwords, payment details, or sensitive form inputs. Clarity is only activated when you consent to analytics cookies.

We will NOT share your data with other third parties without your explicit consent.

5. GDPR Rights (EU/EEA Users)

Under the General Data Protection Regulation, if you are located in the EU or EEA, you have the following rights regarding your personal data:

• Right of Access: Request a copy of the personal data we hold about you.
• Right to Rectification: Request correction of inaccurate or incomplete personal data.
• Right to Erasure: Request deletion of your personal data ("right to be forgotten"), subject to certain legal exceptions.
• Right to Data Portability: Receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller.
• Right to Restrict Processing: Request that we limit the processing of your personal data in certain circumstances.
• Right to Object: Object to processing of your personal data based on our legitimate interests.
• Right to Withdraw Consent: Where processing is based on consent, withdraw your consent at any time without affecting the lawfulness of processing that occurred before withdrawal.

To exercise any of these rights, contact us at privacy@grantverse.io. We will respond to your request within 30 days.

5.1 Automated Decision-Making (GDPR Article 22)

Grantverse uses automated processing to generate Readiness Scores, investor match scores, win probability estimates, and capital stack recommendations. These automated outputs are designed to assist your decision-making and do not produce legal effects or similarly significantly affect you. You are never required to act on any automated recommendation.

If you believe an automated decision has significantly affected you, you have the right to request human review of that decision by contacting us at privacy@grantverse.io.

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority. The Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) is the supervisory authority for Grantverse OÜ.

6. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes described in this policy:

• Active Accounts: Your data is retained for as long as your account remains active and you continue to use our services.
• Deleted Accounts: Upon account deletion, your personal data will be permanently deleted within 30 days, unless retention is required by law.
• Payment Records: Transaction records and billing information are retained for up to 7 years as required by applicable tax and financial regulations.
• AI Interaction Logs: Prompts and responses from AI-powered features (e.g., win probability, capital narratives) are retained for up to 90 days for debugging and service improvement, then permanently deleted. These logs are not shared with third parties.
• Anonymized Aggregate Data: Anonymized and aggregated data that cannot identify any individual is retained indefinitely for analytics and service improvement.

7. Data Security

We implement robust technical and organizational measures to protect your data:

• Encryption in Transit: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS.
• Encryption at Rest: Database contents are encrypted at rest via Railway's infrastructure-level encryption.
• Password Security: All passwords are hashed using bcrypt via NextAuth. We never store passwords in plain text.
• Access Controls: Production database access is strictly restricted to authorized personnel only.
• No Card Storage: We do not store credit card numbers or sensitive payment details. All payment processing is handled by Stripe, which is PCI-DSS compliant.

8. Cookies

We use a limited number of cookies to operate our platform:

• Essential Cookies: Session authentication cookies are required for the platform to function. These cannot be disabled.
• Analytics Cookies: We use PostHog and Vercel Analytics to collect anonymized usage data that helps us improve the platform.

We do not use advertising cookies. We do not use third-party tracking cookies.

For more information, please see our Cookie Policy.

9. International Data Transfers

Grantverse OÜ is based in Estonia, within the European Union. Some of our service providers, including Vercel and Railway, may process data in the United States.

When personal data is transferred between the EU (Estonia) and the US, we ensure appropriate safeguards are in place. These transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission, in accordance with GDPR requirements.

10. CCPA Notice (California Users)

If you are a California resident, the California Consumer Privacy Act (CCPA) provides you with additional rights regarding your personal information:

• Right to Know: You have the right to know what personal information we collect, how we use it, and with whom we share it.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain legal exceptions.
• Right to Opt Out of Data Sales: You have the right to opt out of the sale of your personal information. However, we do not sell your data to any third party, so there is nothing to opt out of.
• Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA rights.

To exercise any of these rights, contact us at privacy@grantverse.io.

11. Children's Privacy

Grantverse is not intended for use by individuals under the age of 18. We do not knowingly collect personal data from children or minors. If we become aware that we have collected personal data from a person under 18, we will take steps to delete such information promptly. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at privacy@grantverse.io.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by email using the address associated with your account.

Your continued use of Grantverse after any changes to this policy constitutes your acceptance of the updated policy. We encourage you to review this page periodically.

Last updated: March 2026.

13. Contact

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please reach out to us:

• Email: privacy@grantverse.io
• Data Protection Officer: dpo@grantverse.io
• Mailing Address: Grantverse OÜ, Tallinn, Estonia