Privacy Policy
Effective: May 14, 2026
1. Information We Collect
We collect the information described below to operate the Service.
· Account and contact information: your email address and any details you submit through forms or support requests.
· Billing information: payment details processed by our payment providers — we never store full card numbers on our own systems.
· GitHub integration data: your GitHub username, the identifiers of repositories you connect, and the OAuth access tokens needed to read repository content and open pull requests within the scopes you grant.
· Figma integration data: your Figma user identifier, the identifiers of teams and files you connect, and the OAuth access tokens needed to read or create Figma files within the scopes you grant.
· Automatically collected data: service usage logs, access logs, cookies, a first-party session identifier stored in sessionStorage (see §7), and device or browser metadata.
When you ask the Service to explore a product you own, screens and data of that product may incidentally be processed, including data of that product's end users. You must only submit products and test accounts for which you hold the necessary rights; you remain the controller of any end-user personal data in those screens. We process such data only to the extent strictly necessary to deliver the requested output, and delete it once that purpose is fulfilled.
2. How We Use Information
· to operate the Service and the features you request, including product exploration, Figma Export, and Design Sync (GitHub pull-request generation);
· to process payments and provide customer support;
· to keep the Service secure, prevent abuse, and respond to legal obligations;
· to measure usage and improve the Service through aggregated analytics.
3. Subprocessors
We use the following subprocessors to deliver the Service. Each receives only the data necessary for the function described.
· NHN KCP — domestic card and easy-pay processing (Republic of Korea)
· PayPal Holdings, Inc. — international payment processing (United States)
· Google LLC — Google Analytics and Google Sheets storage of form intake (United States)
· Channel Corp. — customer support chat (Republic of Korea)
· Vercel Inc. — web hosting (United States)
· Amazon Web Services, Inc. — application infrastructure (United States)
· GitHub, Inc. (a Microsoft company) — repository access and pull-request creation for Design Sync (United States)
· Figma, Inc. — file read/create for Figma Export and Design Sync (United States)
· AI model providers (OpenAI, L.L.C., Anthropic, PBC, and equivalent) — AI inference for product exploration, summarization, and code suggestions. Inputs are sent with no-training API options and are not used to train the providers' foundation models (United States).
We enter into data-protection agreements with each subprocessor and oversee their handling of personal data.
4. International Data Transfers
gridi operates from the Republic of Korea. The subprocessors listed above are primarily located in the United States, which means we transfer personal data outside Korea (and, where applicable, outside the EEA / United Kingdom) to deliver the Service.
Transfers take place over encrypted channels (HTTPS / TLS) and are limited to the data each subprocessor needs for its function. For transfers from the EEA or United Kingdom we rely on appropriate safeguards such as the EU Standard Contractual Clauses and the UK addendum, as offered by each subprocessor.
For users in the Republic of Korea, this section also serves as notice under Article 28-8 of the Personal Information Protection Act. You may decline cross-border transfers; in that case, features that depend on the affected subprocessor (e.g. Design Sync, Figma Export, international payments) may not be available to you.
5. Data Retention
We retain personal data only for as long as needed to provide the Service or to comply with legal obligations.
OAuth access tokens for GitHub and Figma are deleted promptly when you disconnect the integration or close your account.
Billing, dispute, and transaction records may be retained for the period required by applicable consumer-protection or tax laws.
6. Your Rights
Depending on where you are located, you may have the following rights regarding your personal data: access, correction, deletion, restriction, portability, and objection to certain processing. You may also withdraw any consent you have given.
European Economic Area / United Kingdom residents have rights under the GDPR / UK GDPR.
California residents have rights under the CCPA/CPRA, including the right to know, delete, correct, and opt out of any "sale" or "sharing" of personal information. gridi does not sell personal information.
Residents of the Republic of Korea have rights under the Personal Information Protection Act, including the right to request access, correction, deletion, and suspension of processing.
To exercise any of these rights, contact us at admin@gridi.ai. You may also lodge a complaint with your local data-protection authority.
7. Cookies and Similar Technologies
We use cookies and similar technologies to keep the Service working and to understand usage patterns. Categories include strictly necessary cookies and analytics cookies (Google Analytics).
To support session continuity we store a first-party session identifier (gridi_session_id) and the chosen interface language in your browser's sessionStorage. The identifier expires after a 1-hour sliding TTL or when you close the tab.
You can block cookies in your browser settings; some features may become unavailable as a result.
8. AI Processing Notice
Some features (product exploration, summarization, code suggestion) rely on third-party AI model providers such as OpenAI and Anthropic. Inputs are sent with no-training API options enabled, and providers typically delete logged inputs within 30 days according to their published policies.
Because AI exploration may incidentally process data shown on the screens of the product you submit, you must ensure that you have the authority and lawful basis to send that data to gridi and our AI subprocessors.
9. Security
We apply administrative and technical safeguards designed to protect personal data, including access controls, encryption in transit (HTTPS/TLS), encryption at rest for sensitive fields such as OAuth tokens, audit logging, and periodic reviews.
No service is perfectly secure; you are responsible for safeguarding your account credentials and for promptly reporting suspected unauthorized access.
10. Children
The Service is not directed to children under 16. We do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal data, please contact admin@gridi.ai so we can delete it.
11. Changes to This Policy
We may update this Privacy Policy from time to time. Where the change is material or adverse to you, we will provide notice in the Service at least 30 days before the change takes effect; other changes take effect 7 days after posting.
12. Contact
If you have questions about this Privacy Policy or want to exercise your rights, contact our privacy lead at admin@gridi.ai.
· Privacy lead: Rudy Kim (Representative)
· Email: admin@gridi.ai
· Address: 3F LAB1, 63-1 Geumjeong-ro, Geumjeong-gu, Busan, Republic of Korea