Privacy Policy
Last updated: February 16, 2026
Grafient ("we", "us", "our") is operated by Accelerated Ideas OÜ, a company registered in Estonia. This Privacy Policy explains how we collect, use, store, and protect your information when you use the Grafient platform at grafient.ai (the "Service").
1. Information We Collect
1.1 Account Information
When you create an account, we collect your email address. If you sign in with Google, we receive your email from Google's OAuth service. We do not collect your name, phone number, or physical address.
1.2 Organization Data
You may create organizations and invite team members by email. We store organization names, member roles (owner or member), and invitation details (invitee email and a one-time acceptance token).
1.3 Third-Party API Keys
To connect your AI provider accounts, you provide API keys for services such as Anthropic, OpenAI, OpenRouter, xAI, ElevenLabs, or Cursor. These keys are encrypted at rest using industry-standard encryption before storage. Keys are only decrypted server-side during cost synchronization and are never sent to your browser.
1.4 Cost & Usage Data
We periodically fetch cost and usage data from your connected AI providers using the API keys you supply. This includes:
- Daily cost totals (in USD)
- Per-model cost breakdowns
- Token usage metrics (input, output, cached tokens)
- Request counts
This data is stored in our database and retained according to your plan (30 days on Free, 365 days on Pro). Older data is automatically deleted.
1.5 Payment Information
Payments are processed by Stripe. We do not store your credit card number, expiration date, or CVC. We only store a Stripe Customer ID to link your organization to your subscription.
1.6 Cookies & Session Data
We use HTTP-only session cookies to keep you signed in. These cookies contain authentication tokens managed by Supabase. We also use Google Analytics to collect anonymized usage data (page views, device info) to help us improve the Service. Analytics tracking is active by default on public pages, but you can opt out at any time using the cookie banner. We do not use advertising pixels or sell analytics data to third parties.
2. How We Use Your Information
- Provide the Service — authenticate you, sync cost data from your AI providers, display dashboards, and send budget alerts.
- Process payments — manage your subscription via Stripe.
- Send transactional emails — OTP verification codes, team invitations, and budget alert notifications.
- Enforce rate limits — prevent abuse of our API endpoints.
We do not sell, rent, or share your personal data with third parties for advertising or marketing purposes.
3. Third-Party Services
We use the following third-party services to operate Grafient:
| Service | Purpose | Data shared |
|---|---|---|
| Supabase | Database & authentication | Email, session tokens, all app data |
| Stripe | Payment processing | Payment details (handled by Stripe) |
| Resend | Email delivery | Recipient email, email content |
| Upstash | Rate limiting | Request identifiers (IP/email hash) |
| Vercel | Hosting & serverless functions | Request logs, IP addresses |
| Google | OAuth sign-in (optional) | Email address (during sign-in only) |
| Google Analytics | Website analytics | Page views, anonymized IP, device info |
Each provider API (Anthropic, OpenAI, etc.) is called with your own API key to fetch your cost data. We do not share your API keys with any other party.
4. Data Security
- API keys are encrypted at rest using a server-side encryption key and are never exposed to the browser.
- All traffic is encrypted in transit via HTTPS.
- Database access is restricted with strict access-control policies so users can only access their own data.
- Rate limiting prevents brute-force and abuse.
5. Data Retention
- Account data — retained until you delete your account.
- Cost data — retained per your plan (Free: 30 days, Pro: 365 days). Older records are automatically purged.
- Session tokens — expire after 1 hour and are refreshed automatically.
- OTP codes — expire after 1 hour.
6. Your Rights
Depending on your jurisdiction (including under GDPR if you are in the EU/EEA), you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Export your data in a portable format.
- Object to or restrict certain processing.
To exercise any of these rights, email us at hello@grafient.ai.
7. Children's Privacy
Grafient is not intended for use by anyone under the age of 16. We do not knowingly collect data from children.
8. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a revised "Last updated" date.
9. Contact
If you have questions about this Privacy Policy, contact us at hello@grafient.ai.
Accelerated Ideas OÜ
Estonia