GrantioGrantio
Get Started

Legal

Policies and agreements for using Grantio. Use the sidebar to jump to a document.
Browse legal+

Privacy Policy

This Privacy Policy explains how Grantio (“we”, “us”, “our”) collects, uses, and shares information when you use our website and services (the “Service”). It also describes rights available to you under the EU General Data Protection Regulation (“GDPR”) and similar UK rules when those laws apply to our processing of your personal data.

Effective as of Apr 15, 2026

1. Information we collect

We collect information in three categories:

  • Account information such as name, email, and authentication identifiers.
  • Customer content you choose to store in the Service, such as grant opportunities, applications, documents, notes, and reporting artifacts.
  • Public opportunity data. We may store and display information about grants and funding opportunities sourced from third parties (for example, public funders and portals). This information is generally not personal data, but it may include names or contact details published by the source.
  • Usage and device data such as pages viewed, feature usage, approximate location (derived from IP), and basic device/browser information.

2. How we use information

We use information to:

  • Provide, maintain, and improve the Service (including core grant lifecycle workflows).
  • Provide grants discovery features and links to official funder sources.
  • Authenticate users and secure accounts.
  • Communicate with you about updates, support requests, and service notices.
  • Monitor for abuse, prevent fraud, and enforce our Terms.
  • Analyze usage to improve performance and product experience.

Legal bases (GDPR): Where GDPR applies, we rely on appropriate bases such as: performance of a contract with you (providing the Service); our legitimate interests (for example, securing the Service, improving features, and limited analytics), balanced against your rights; compliance with legal obligations; and consent where we ask for it (for example, certain marketing cookies or optional communications), which you may withdraw at any time.

3. How we share information

We may share information with:

  • Service providers that help us run the Service (for example, hosting, analytics, and email).
  • Legal and safety recipients when required by law or to protect rights, safety, and the integrity of the Service.
  • Business transfers in connection with a merger, acquisition, or asset sale.

We do not sell your personal information. If you use the Service as part of an organization, your administrators may be able to access and manage your account and content.

4. Third party sources and compliance

We may ingest and display third party funding opportunity information to help you discover and manage grants. We aim to respect applicable terms, licenses, and laws and may adjust what we store or display for a given source (for example, link-only or limited factual metadata for “restricted sources”).

Data sources: We include high-level source names below for transparency. The official funder page remains the source of truth for deadlines, eligibility, and how to apply.

If you believe content in our grants database should be removed or corrected, please contact us via Contact.

4A. Data sources (high level)

Our grants database may include information sourced from public bodies and open-data publishers. We may also include links to official portals. Listing a name here does not imply endorsement.

  • Official funder program pages and portals
  • Open Government Licence (UK)
  • Other open-data publishers (as applicable)

5. Subprocessors

We use carefully vetted service providers to host and operate the Service. They process personal data only on our instructions and are contractually required to protect it.

The following third parties act as subprocessors: they process personal data on our behalf to provide the Service. We update this list when we onboard or replace providers.

SubprocessorPurposeEntity locationWebsite
Supabase
Supabase, Inc.
Managed database, authentication, storage, and related backend infrastructure for the Service. Project data region depends on your Supabase configuration.United Statessupabase.com
Vercel
Vercel Inc.
Application hosting, serverless functions, and content delivery for the website and Service.United Statesvercel.com
Google Analytics
Google LLC
Website analytics to understand usage and improve the marketing site and Service experience.United Statesanalytics.google.com
Brevo
Sendinblue SAS (Brevo)
Email marketing and newsletter delivery (for example, newsletter subscriptions) when enabled.Francewww.brevo.com
Resend
Resend, Inc.
Transactional email delivery (for example, auth and service notifications) when enabled.United Statesresend.com

Note: Some subprocessors may process data in regions beyond the entity location shown. Their privacy and security documentation describes regions, certifications, and transfer mechanisms (for example Standard Contractual Clauses).

For DPA or vendor security questions, contact us.

6. Data retention

We retain personal information and customer content for as long as necessary to provide the Service, comply with legal obligations, resolve disputes, and enforce agreements. Retention periods may vary depending on the type of data and your organization’s settings.

7. Security

We use reasonable administrative, technical, and organizational safeguards designed to protect information. No method of transmission or storage is completely secure, and we cannot guarantee absolute security.

8. Your rights and choices

Depending on your location, you may have rights to access, correct, delete, or export your personal information. You can also object to or restrict certain processing.

Marketing emails: You can opt out at any time using the unsubscribe link in our emails. Even if you opt out, we may still send non-promotional messages such as account, security, and service notices.

If you are in the European Economic Area, the United Kingdom, or Switzerland, GDPR-style rights are described in Section 9 below.

To make a request, contact us via Contact.

9. GDPR (EEA, UK, and Switzerland)

When we process personal data in scope of the GDPR (including the UK GDPR and Swiss law where aligned), the following applies in addition to the rest of this Policy.

  • Controller. Grantio is the controller of personal data we collect about you in connection with the Service, unless we process data solely on behalf of your organization as a processor, in which case your organization is typically the controller for that data.
  • Your rights. Subject to conditions and exceptions in applicable law, you may have the right to: access your personal data; rectify inaccurate data; erase data; restrict processing; data portability; object to processing based on legitimate interests or for direct marketing; and withdraw consent where processing is based on consent. You may also lodge a complaint with a supervisory authority in your country or region.
  • Exercising rights. Contact us through Contact. We may need to verify your identity before responding. You will not generally have to pay a fee, though we may charge a reasonable fee or refuse manifestly unfounded or excessive requests as permitted by law.
  • Automated decisions. We do not use solely automated decision-making, including profiling, that produces legal or similarly significant effects on you.

10. US state privacy disclosures

If you reside in a US state with privacy laws that provide consumer rights (for example, California, Colorado, Connecticut, Utah, or Virginia), you may have rights to: access, correct, delete, or obtain a copy of certain personal information; and to opt out of certain processing such as targeted advertising, “sale”, or “sharing” of personal information (as those terms are defined under applicable law).

Selling or sharing. We do not sell your personal information. We may share personal information with service providers to operate the Service, as described in Section 3.

To exercise rights (including appeals where required), contact us via Contact.

11. International transfers

If you access the Service from outside the country where our systems are located, your information may be transferred across borders. We take steps to ensure an appropriate level of protection where required.

Transfers from the EEA, UK, or Switzerland: Where personal data is transferred to countries not subject to an adequacy decision, we use appropriate safeguards such as the EU Standard Contractual Clauses (and UK or Swiss addenda or equivalents as applicable) with subprocessors, or other mechanisms permitted under GDPR.

12. Cookies

We use cookies and similar technologies to run the website and Service (for example, to keep you signed in and remember your language). Details are in our Cookie Policy.

13. Children

The Service is not directed to children, and we do not knowingly collect personal information from children under 13. If you believe a child has provided personal information to us, please contact us via Contact and we will take appropriate steps to delete it.

14. Changes to this Policy

We may update this Policy from time to time. If we make material changes, we will take reasonable steps to provide notice. Your continued use of the Service after changes become effective means you accept the updated Policy.