Privacy Policy
Introduction
Grain (“we”, “us”, “our”) operates the Grain mobile application (the “App”). This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data.
By using the App, you agree to the collection and use of information as described in this policy. See also our Terms of Use.
Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your data under the following legal bases:
- Contract performance — account data, captures, and widget content are necessary to provide the service you signed up for
- Legitimate interest — infrastructure logging and service reliability monitoring
- Consent — voice recordings submitted for transcription, which you initiate each time
Data We Collect
Account Information
When you create an account, we collect:
- Email address — used for authentication and account recovery
- Full name — used for display within the App
- Authentication credentials — managed securely through our authentication provider (BetterAuth)
If you sign in with Apple or Google, we receive your name and email address from the provider. We do not receive or store your Apple or Google password. Apple may provide a private relay email address at your discretion.
Voice & Audio Data
Grain’s primary input method is voice. When you record, your audio is sent to our servers for transcription using an AI speech model (Whisper via Cloudflare Workers AI). Audio is processed in memory and immediately discarded after transcription — we do not store audio files. Only the resulting text transcript is retained.
We never store your voice recordings. We store only the text transcript.
AI-Processed Data
Your text transcript is sent to an AI language model (Anthropic Claude) to extract structured items — notes, todos, reminders, habits, and reading list entries. The data sent to the AI model includes:
- Your transcript text
- The current date and time
- Titles and IDs of your existing items (up to 20 per widget type) — so the AI can update or complete existing items rather than create duplicates
The AI model returns structured data which we store as your widget items. The full AI response is also stored for debugging and service improvement.
The AI does not have access to: your email, name, account details, or any data beyond what is listed above. No personally identifiable information is included in AI requests beyond the content of your spoken words.
Widget Data
Items created from your captures are stored as structured data:
- Notes — title, content, tags
- Todos — title, description, due date, priority, completion status
- Reminders — title, description, scheduled time, recurrence
- Habits — name, frequency, goal, unit, daily completion tracking
- Library — books (title, author) and links (title, URL)
- Groups — user-defined collections with labels and emoji
Subscription Data
If you purchase a subscription, we collect:
- Subscription status — active, cancelled, or expired
- Subscription expiration date
Payment processing is handled entirely by Apple (App Store). We never receive or store your credit card number, bank account, or other payment details. Subscription state is synced through RevenueCat.
Session Data
When you sign in, we create a session that includes:
- A unique session token
- Your IP address
- Your device’s user agent string
- Session creation and expiration timestamps
Sessions expire after 30 days and are refreshed automatically on active use.
Automatically Collected Data
We do not use third-party analytics SDKs, advertising trackers, crash reporting services, or location services. Our infrastructure providers (Cloudflare, Neon) may log IP addresses and basic request metadata as part of standard operations.
How We Use Your Data
We use your data to:
- Provide the service — transcribe voice input, generate structured items via AI, and store your content
- Process subscriptions — verify your subscription status and manage access
- Maintain the service — debug failed captures, monitor infrastructure health
We do not use your data for advertising, sell it to third parties, share it with data brokers, or train AI models. Your transcripts and content are processed by Anthropic Claude solely to generate your widget items — Anthropic does not use this data for model training per their API data policy.
Data Storage & Security
Your data is stored in a PostgreSQL database hosted by Neon (neon.tech) in the US-East region. Data is:
- Encrypted in transit (TLS/SSL)
- Encrypted at rest (Neon default encryption)
- Scoped by user ID — you can only access your own data through authenticated API requests
- Protected by foreign key constraints ensuring referential integrity
Our API runs on Cloudflare Workers. Cloudflare may process standard web request metadata (IP address, user agent) as part of serving requests.
Third-Party Services
| Service | Purpose | Data Shared |
|---|---|---|
| Neon | Database hosting | All user data (encrypted) |
| Cloudflare | API hosting, AI gateway | API requests, transcription audio (not stored) |
| Anthropic (Claude) | Transcript processing | Transcript text, existing item titles, date/time |
| Apple Sign-In | Authentication | Email, name (from Apple to us) |
| Google Sign-In | Authentication | Email, name (from Google to us) |
| RevenueCat | Subscription management | User ID, subscription events |
| Apple App Store | Payment processing | Managed entirely by Apple |
Each third-party service has its own privacy policy. We encourage you to review them.
Data Retention
We retain your data for as long as your account is active.
Account Deletion
You can delete your account at any time from the App’s settings. When you delete your account, all of the following are permanently deleted:
- Your user record and profile
- All sessions and authentication data
- All captures and transcripts
- All notes, todos, reminders, habits, and habit completions
- All library items and groups
- All feedback you submitted
- Your subscription record (RevenueCat may retain its own records per their policy)
Deletion is immediate and irreversible. Residual copies in automated database backups are overwritten per Neon’s standard retention schedule and are not used to restore individual accounts.
Your Rights
Depending on your jurisdiction, you may have the right to:
- Access your personal data
- Correct inaccurate data
- Delete your account and all associated data
- Export your data
- Object to certain processing
- Withdraw consent for voice transcription at any time (by not recording)
To exercise these rights, contact us at the email below.
International Data Transfers
Your data is stored on servers in the United States (Neon, Cloudflare). If you are located outside the US, your data is transferred internationally. We rely on our providers’ compliance frameworks (including standard contractual clauses where applicable) to protect transferred data.
Data Breach Notification
In the event of a data breach that affects your personal data, we will notify affected users by email within 72 hours of becoming aware of the breach, as required by applicable law.
Children’s Privacy
Grain is not intended for users under 13. We do not knowingly collect data from children under 13. If you believe a child under 13 has provided us data, contact us and we will delete it.
Changes to This Policy
We may update this policy from time to time. We will notify you of material changes through the App or by updating the “Last updated” date above.
Contact
If you have questions about this Privacy Policy, contact us at:
Email: neilo.abanga@gmail.com