Privacy Policy
Last Updated: March 2, 2026
Introduction
Gridflo ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our application.
Information We Collect
Personal Information
- Account Information: Name, email address, and profile information when you create an account
- Authentication Data: Login credentials and authentication tokens from Google OAuth or email/password authentication
- Contact Information: People and contact details you add to your blocks
Usage Data
- Activity Data: Tasks, notes, habits, schedules, and other blocks you create
- Interaction Data: How you interact with features, including clicks, views, and feature usage
- Calendar Data: Events and scheduling information if you connect your Google Calendar
Technical Information
- Device Information: Browser type, operating system, device type
- Log Data: IP address, access times, pages viewed, and referring URLs
- Cookies: Session cookies and authentication tokens
How We Use Your Information
We use your information to:
- Provide Services: Enable core functionality including task management, note-taking, and habit tracking
- Authentication: Verify your identity and maintain secure sessions
- Calendar Integration: Sync with Google Calendar if you choose to connect
- AI Features: Process your requests through third-party AI providers via an AI gateway (see "AI and Large Language Model Processing" below)
- Communication: Send password reset emails and important service updates
- Improvement: Analyze usage patterns to improve our services
- Security: Detect and prevent fraud, abuse, and security incidents
Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encryption: SSL/TLS encryption for data in transit
- Authentication: Secure password requirements and JSON Web Tokens (JWTs)
- Access Controls: Role-based access and authentication checks
- Rate Limiting: Protection against abuse via Upstash Redis
- Content Security Policy: CSP headers to prevent XSS attacks
Your Rights and Choices
Access and Control
- Access: Request a copy of your personal information
- Update: Modify your account information and preferences
- Delete: Request deletion of your account and associated data
- Export: Export your data in standard formats
Opt-Out Options
- Calendar Sync: Disconnect Google Calendar integration at any time
- Email Sync: Disconnect Gmail integration at any time
- AI Features: Choose not to use AI-powered features
- Analytics and Advertising: Limit tracking via browser settings, ad-blocking tools, or platform-specific opt-out mechanisms
- Push Notifications: Disable push notifications through your device settings
- Account Linking: Control how multiple authentication methods are linked
Data Retention
We retain your information for as long as your account is active or as needed to provide services. You can request deletion of your account at any time, and we will delete your personal information within 30 days, except where retention is required by law.
Children's Privacy
Our service is not directed to individuals under 13 years of age. We do not knowingly collect personal information from children under 13.
International Data Transfers
Your information may be transferred to and processed in countries other than your own. We ensure appropriate safeguards are in place for such transfers in compliance with applicable laws.
Google API Services Usage
Gridflo's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.
Google Calendar Integration
- We access your Google Calendar events to display them alongside your Gridflo tasks in a unified view
- We create, update, and delete calendar events when you schedule tasks through Gridflo
- Calendar data is stored securely in our database to provide synchronization functionality
- We do not sell, share, or use your calendar data for advertising purposes
- You can disconnect Google Calendar integration at any time from your account settings
AI and Large Language Model Processing
Gridflo uses artificial intelligence and large language models (LLMs) to power features such as chat assistants, task suggestions, email processing, automatic tagging, and content analysis. When you use these features, content you provide — including messages, tasks, notes, and emails — may be sent to third-party AI providers for processing.
We route AI requests through an AI gateway service, which means the specific AI provider used to process your request may vary and may change over time without notice. You do not have control over which AI provider processes a given request. Providers we may use include, but are not limited to, OpenAI, Anthropic, Google, and other providers accessible through our gateway service. Each provider operates under its own terms of service and privacy policy.
We do not use your content to train AI models. However, third-party providers may have their own data retention and usage policies, which we encourage you to review. We select providers that offer appropriate data handling practices, but we cannot guarantee the policies of every provider at all times.
- AI features are optional and can be avoided by not using AI-powered functionality
- Content sent to AI providers includes the context necessary to generate a response, such as your messages, relevant tasks, notes, and other blocks
- AI-generated content (suggestions, summaries, responses) is stored in our database and associated with your account
- We track AI usage metrics (token counts) for billing and service management purposes
Analytics and Tracking
We use analytics and advertising tools to understand how our service is used, measure the effectiveness of our marketing, and improve the user experience.
Product Analytics
- We use Amplitude for product analytics to track feature usage, user flows, and engagement patterns
- Amplitude collects data such as events you perform within the application, session information, and device characteristics
Advertising and Conversion Tracking
- Conversion events (such as account sign-ups) may be shared with Google Ads, Meta (Facebook), and Reddit for advertising attribution
- For enhanced conversion tracking, hashed email addresses may be sent to advertising platforms
- You can limit advertising tracking by adjusting your browser settings, using ad-blocking tools, or opting out via the advertising platforms directly
Cookies
Gridflo uses cookies and similar technologies for the following purposes:
Essential Cookies
- Session cookies for authentication and maintaining your login state
- Security cookies such as CSRF tokens to protect against cross-site request forgery
Analytics Cookies
- Google Analytics cookies (_ga, _ga_*) for measuring site usage and session information
- Amplitude cookies for tracking product analytics and feature usage
Advertising Cookies
- Google Ads cookies (_gcl_au, _gcl_aw) for conversion tracking and advertising attribution
- Meta/Facebook cookies (_fbc, _fbp) for advertising conversion measurement
- Reddit cookies (_rdt_uuid) for advertising conversion tracking
You can manage or disable cookies through your browser settings. Disabling essential cookies may affect the functionality of the Service. Disabling analytics and advertising cookies will not affect your ability to use the Service.
Sub-processors
We use the following third-party service providers to operate and deliver the Service. Your data may be processed by these sub-processors in accordance with their respective privacy policies:
- Vercel: Application hosting, serverless functions, analytics, and speed insights
- Neon Postgres: Database hosting (PostgreSQL)
- Stripe: Payment processing and subscription management
- Google Cloud (Google APIs): OAuth authentication, Google Calendar sync, and Gmail integration
- Upstash: Redis-based rate limiting and QStash message queue for background job processing
- Resend: Transactional email delivery (password resets, welcome emails, notifications)
- Amplitude: Product analytics, user behavior tracking, and feature flags
- Google Tag Manager / Google Analytics: Conversion tracking and advertising analytics (server-side)
- Ably: Real-time data synchronization across browser sessions
- Expo (EAS): Mobile application distribution and push notification delivery
- ContentSquare / Hotjar: User experience analytics and session analysis (loaded via Google Tag Manager)
- AI Providers (via AI gateway): OpenAI, Anthropic, Google Gemini and others as described in the AI processing section above
Contact Us
If you have questions or concerns about this Privacy Policy, please contact us at: