Privacy Policy | TryGruff

TryGruff ("TryGruff," "we," "us," or "our") is operated by Gruffalo AI Ltd. This Privacy Policy explains how we collect, use, disclose, retain, and safeguard your information when you access or use our website at trygruff.com, our web application at app.trygruff.com, our WhatsApp-based services, our email intake services, and any related services (collectively, the "Service").

By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree, you must not access or use the Service.

1. Information We Collect

1.1 Information You Provide Directly

Account Information: When you register, we collect your name, email address, company name, company description, and phone number.
Financial Documents: Receipts, invoices, bills, and other financial documents you upload or send to us for processing via any channel (web upload, WhatsApp, email, or Gmail integration).
Payment Information: When you subscribe to a paid plan, payment processing is handled by Stripe, Inc. We do not store your full credit card number. We receive and store a tokenized reference, card brand, last four digits, and billing address from Stripe.
Communications: Messages you send to us via WhatsApp, email, in-app chat, or any other communication channel, including the content, attachments, and metadata of those messages.
Client Data: If you are an accountant using the Service, information about your clients that you input, including client names, contact details, business descriptions, and linked WhatsApp numbers.

1.2 Information Collected Automatically

Device and Usage Data: IP address, browser type and version, operating system, referring URLs, pages visited, click patterns, access times, and session duration.
Cookies and Similar Technologies: We use essential cookies for authentication and session management. We may use analytics cookies to understand how the Service is used. You can control cookies through your browser settings.
WhatsApp Metadata: When you interact with us via WhatsApp, we receive your WhatsApp phone number, display name, message timestamps, message IDs, and media metadata as provided by the Meta WhatsApp Business API.
Email Metadata: When you use our Gmail integration, we access email headers, sender/recipient information, subject lines, timestamps, and attachments of emails matching our processing criteria. We access only emails relevant to document processing as authorized by you.

1.3 Information from Third Parties

Authentication Providers: If you sign in via a third-party provider (e.g., Google), we receive your name, email address, and profile picture as permitted by your settings with that provider.
Accounting Integrations: If you connect Xero or other accounting platforms, we access financial data (chart of accounts, contacts, invoices) as authorized by you through the OAuth consent flow.
Meta/WhatsApp: Message content, media files, and sender information delivered to us through the WhatsApp Business API webhook.

2. How We Use Your Information

We use the information we collect for the following purposes:

Service Delivery: To process, extract data from, and categorize your financial documents using artificial intelligence and machine learning models.
AI Processing: Your documents are processed by third-party AI models (including Google Gemini and other providers) for data extraction. Document content is sent to these services for processing and is subject to their respective privacy policies.
Communication: To send you transactional messages (document processing results, approval requests, system notifications) via WhatsApp, email, and in-app notifications.
Account Management: To create, maintain, and secure your account; to authenticate your identity; and to process your subscription and payments.
Integration: To synchronize extracted data with connected accounting platforms (e.g., Xero) as authorized by you.
Improvement: To analyze usage patterns, diagnose technical issues, and improve the Service's accuracy, performance, and features.
Compliance: To comply with legal obligations, enforce our Terms of Use, and protect our rights and the rights of others.

3. How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

AI and Cloud Service Providers: Document content is processed by third-party AI providers (e.g., Google Cloud / Gemini API) for data extraction. These providers process data according to their data processing agreements and privacy policies.
Infrastructure Providers: We use Supabase (database and authentication), Amazon Web Services / AWS Amplify (hosting and compute), and Stripe (payment processing) to operate the Service. These providers have access to data necessary to perform their functions.
WhatsApp / Meta: Messages sent to you via WhatsApp are transmitted through Meta's WhatsApp Business API. Meta processes this data according to its Business Messaging terms.
Accounting Platforms: When you authorize an integration (e.g., Xero), extracted document data is transmitted to that platform as directed by you.
Accountant-Client Relationship: If your account is linked to an accountant, your uploaded documents and extracted data are accessible to your linked accountant through the Service.
Legal Requirements: We may disclose information if required by law, regulation, legal process, or governmental request, or if we believe disclosure is necessary to protect our rights, your safety, or the safety of others, investigate fraud, or respond to a government request.
Business Transfers: In connection with a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as a business asset. We will notify you of any such change.

4. Data Storage, Retention, and Security

4.1 Storage

Your data is stored on servers operated by our infrastructure providers, primarily located in the United States and the European Union. By using the Service, you consent to the transfer and storage of your data in these locations.

4.2 Retention

Account Data: Retained for as long as your account is active, plus a reasonable period thereafter for legal and operational purposes.
Financial Documents: Retained for as long as your account is active. Upon account deletion, documents are permanently deleted within 90 days, unless retention is required by law.
Communication History: WhatsApp and in-app message history is retained for as long as your account is active.
Payment Records: Retained as required by applicable tax and financial regulations (typically 7 years).
Aggregated and Anonymized Data: We may retain aggregated, anonymized data indefinitely for analytics and service improvement purposes. This data cannot be used to identify you.

4.3 Security

We implement industry-standard technical and organizational security measures, including encryption in transit (TLS/HTTPS), encryption at rest, access controls, and regular security assessments. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security. You are responsible for maintaining the confidentiality of your account credentials.

5. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights:

Access: Request a copy of the personal data we hold about you.
Correction: Request correction of inaccurate or incomplete personal data.
Deletion: Request deletion of your personal data, subject to legal retention requirements.
Portability: Request your data in a structured, commonly used, machine-readable format.
Restriction: Request that we restrict processing of your personal data in certain circumstances.
Objection: Object to processing of your personal data for certain purposes.
Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@trygruff.com. We will respond to your request within 30 days. We may require verification of your identity before processing your request.

6. International Data Transfers

If you are located outside the United States, your information will be transferred to, stored, and processed in the United States and potentially other countries where our service providers operate. These countries may have data protection laws different from your jurisdiction. By using the Service, you consent to such transfers. Where required, we rely on Standard Contractual Clauses or other approved transfer mechanisms.

7. Children's Privacy

The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children under 18. If we become aware that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us at privacy@trygruff.com.

8. Third-Party Links and Services

The Service may contain links to third-party websites and services not operated by us. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

9. Cookies Policy

We use the following types of cookies:

Strictly Necessary Cookies: Required for authentication, security, and core functionality. These cannot be disabled.
Analytics Cookies: Help us understand how the Service is used. You may opt out of analytics cookies through your browser settings.

We do not use advertising or tracking cookies.

10. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA):

The right to know what personal information we collect, use, disclose, and sell.
The right to request deletion of your personal information.
The right to opt out of the sale or sharing of your personal information. We do not sell or share your personal information.
The right to non-discrimination for exercising your privacy rights.
The right to correct inaccurate personal information.
The right to limit use and disclosure of sensitive personal information.

11. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland:

Legal Basis: We process your data based on: (a) your consent, (b) performance of a contract (our Terms of Use), (c) compliance with legal obligations, and (d) our legitimate interests in operating and improving the Service.
Data Protection Officer: For GDPR-related inquiries, contact us at privacy@trygruff.com.
Supervisory Authority: You have the right to lodge a complaint with your local data protection supervisory authority.

12. Data Deletion

You may request deletion of your account and all associated data at any time by emailing privacy@trygruff.com. Upon receiving a valid deletion request:

Your account will be deactivated immediately.
Your personal data, documents, and message history will be permanently deleted within 90 days.
Certain data may be retained as required by applicable law (e.g., financial records, tax documentation).
Aggregated, anonymized data that cannot identify you may be retained.
Data already shared with connected third-party services (e.g., Xero) is not within our control to delete. You must contact those services directly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page with a new "Last updated" date. For significant changes, we may also notify you via email or in-app notification. Your continued use of the Service after any changes constitutes your acceptance of the updated Privacy Policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, contact us at:

Email: privacy@trygruff.com
General Inquiries: chen@trygruff.com