Privacy Policy

Last Updated: December 21, 2025

1. Introduction

Grimoire AI Platform ("Grimoire", "Service", "Platform", "we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, protect, and share your personal information when you use our Service.

By accessing or using Grimoire, you agree to the collection and use of information in accordance with this Privacy Policy. If you do not agree with our policies and practices, please do not use our Service.

This Privacy Policy is designed to comply with major data protection frameworks, including the General Data Protection Regulation (GDPR) in the European Union and the Lei Geral de Proteção de Dados (LGPD) in Brazil, while providing clear and transparent information about our data practices.

2. Information We Collect

We collect information that you provide directly to us, information that is automatically collected when you use the Service, and information from third-party sources.

2.1 Information You Provide Directly

Account Information:

  • Email address (required for account creation)
  • Password (stored securely using industry-standard hashing)
  • Name or display name
  • Profile picture or avatar (optional)
  • Email verification status

Content You Create:

  • AI prompts, templates, and related content
  • Organization and workspace information
  • Metadata associated with your content (titles, descriptions, tags, categories)
  • Version history of your prompts
  • Settings and preferences

Communication Information:

  • Support requests, feedback, or inquiries
  • Survey responses
  • Marketing communication preferences

Payment Information (for paid plans):

  • Billing address
  • Payment method details (processed securely through third-party payment processors)
  • Transaction history

API Usage:

  • API keys and credentials
  • API usage logs and metrics

2.2 Information Automatically Collected

Usage Data:

  • Log files (IP address, browser type, device information, operating system)
  • Pages visited, features used, and time spent on the Service
  • Clickstream data and navigation patterns
  • Search queries and filters used
  • Date and time of access

Technical Data:

  • Device identifiers (device ID, hardware model)
  • Browser type and version
  • Operating system and version
  • Screen resolution and display settings
  • Language preferences
  • Time zone

Session Information:

  • Session tokens and authentication cookies
  • Session duration and activity
  • Login and logout timestamps

Performance Data:

  • Response times and error logs
  • System performance metrics
  • Crash reports and diagnostic information

2.3 Information from Third Parties

Authentication Providers:

  • If you use social login (e.g., Google), we may receive:
    • Basic profile information (name, email, profile picture)
    • Authentication tokens

Payment Processors:

  • Payment confirmation and transaction details
  • Billing information (processed securely by third parties)

AI Providers:

  • If you integrate AI providers, we may receive usage statistics and configuration data related to those integrations

2.4 Cookies and Similar Technologies

We use cookies, web beacons, and similar tracking technologies to:

  • Authenticate your session and maintain login state
  • Remember your preferences and settings
  • Analyze usage patterns and improve the Service
  • Provide personalized content and features

Types of Cookies We Use:

  • Essential Cookies: Required for the Service to function (authentication, security)
  • Functional Cookies: Remember your preferences and settings
  • Analytics Cookies: Help us understand how users interact with the Service
  • Performance Cookies: Monitor Service performance and identify issues

You can control cookies through your browser settings, but disabling essential cookies may limit your ability to use certain features of the Service.

3. How We Use Your Information

We use the information we collect for the following purposes:

3.1 Service Provision

  • Account Management: Create and manage your account, authenticate your identity, and provide access to the Service
  • Content Management: Store, organize, and manage your prompts, organizations, and workspaces
  • Feature Delivery: Provide core features including prompt creation, versioning, sharing, and API access
  • Communication: Send service-related notifications, updates, and administrative messages

3.2 Service Improvement

  • Analytics: Analyze usage patterns to understand how users interact with the Service
  • Performance Monitoring: Monitor Service performance, identify issues, and optimize functionality
  • Feature Development: Develop new features and improve existing ones based on user needs
  • Quality Assurance: Test and ensure the reliability and security of the Service

3.3 Security and Compliance

  • Security: Detect, prevent, and respond to security threats, fraud, and abuse
  • Compliance: Comply with legal obligations, enforce our Terms of Use, and protect our rights
  • Audit Logging: Maintain audit logs for security and compliance purposes
  • Rate Limiting: Enforce usage limits and prevent abuse

3.4 Communication

  • Customer Support: Respond to your inquiries, provide support, and resolve issues
  • Service Updates: Notify you about changes to the Service, Terms of Use, or Privacy Policy
  • Marketing (with your consent): Send promotional communications, newsletters, and product updates

3.5 Legal Compliance

  • Legal Obligations: Comply with applicable laws, regulations, and legal processes
  • Dispute Resolution: Resolve disputes and enforce our agreements
  • Protection of Rights: Protect the rights, property, or safety of Grimoire, our users, or others

4. Legal Basis for Processing (GDPR/LGPD)

For users in the European Union and Brazil, we process your personal information based on the following legal bases:

  • Contract Performance: To provide the Service and fulfill our contractual obligations
  • Legitimate Interests: To improve the Service, ensure security, and prevent fraud
  • Consent: When you have provided explicit consent (e.g., marketing communications)
  • Legal Obligation: To comply with applicable laws and regulations
  • Vital Interests: To protect your or others' vital interests

5. How We Share Your Information

We do not sell your personal information. We share your information only in the following circumstances:

5.1 Public Content

  • Public Prompts: If you choose to make prompts public, they may be:
    • Viewed by other users
    • Indexed by search engines
    • Shared through the Service's public discovery features

5.2 Service Providers

We share information with trusted third-party service providers who assist us in operating the Service:

  • Cloud Infrastructure: Hosting and data storage providers
  • Payment Processors: Secure payment processing services
  • Email Services: Email delivery and communication services
  • Analytics Providers: Usage analytics and performance monitoring (with appropriate safeguards)
  • Security Services: Security monitoring, threat detection, and fraud prevention

These service providers are contractually obligated to:

  • Use your information only for the purposes we specify
  • Implement appropriate security measures
  • Comply with applicable data protection laws
  • Not use your information for their own purposes

5.3 Business Transfers

If Grimoire is involved in a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any such change in ownership or control of your personal information.

5.4 Legal Requirements

We may disclose your information if required by law or in response to:

  • Valid legal requests (subpoenas, court orders, search warrants)
  • Government investigations or regulatory inquiries
  • Protection of rights, property, or safety
  • Enforcement of our Terms of Use or other agreements

5.5 With Your Consent

We may share your information with third parties when you have provided explicit consent to do so.

6. Data Storage and Security

6.1 Data Storage

  • Location: Your data is stored on secure cloud infrastructure with industry-standard security measures
  • Retention: We retain your information for as long as your account is active or as needed to provide the Service, comply with legal obligations, resolve disputes, and enforce our agreements
  • Deletion: You may request deletion of your account and data at any time (see Section 9: Your Rights)

6.2 Security Measures

We implement industry-standard security measures to protect your information:

  • Encryption: Data in transit is encrypted using TLS. Sensitive data at rest is encrypted.
  • Authentication: Secure password hashing (bcrypt with a cost factor of 12) and session management
  • Access Controls: Role-based access controls and least-privilege principles
  • Security Monitoring: Continuous monitoring for security threats and vulnerabilities
  • Regular Audits: Security audits and assessments
  • Incident Response: Procedures for responding to security incidents

However, no method of transmission over the Internet or electronic storage is 100% secure. While we strive to protect your information, we cannot guarantee absolute security.

6.3 Data Breach Notification

In the event of a data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (as required by GDPR Article 33)
  • Notify affected users without undue delay
  • Provide information about the nature of the breach and steps being taken

7. International Data Transfers

Your information may be transferred to and processed in countries other than your country of residence. These countries may have data protection laws that differ from those in your country.

When we transfer data internationally, we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses: We use EU-approved standard contractual clauses for transfers
  • Adequacy Decisions: We rely on adequacy decisions where applicable
  • Other Safeguards: We implement additional technical and organizational measures as needed

By using the Service, you consent to the transfer of your information to countries outside your country of residence.

8. Children's Privacy

The Service is not intended for individuals under the age of 18 (or the age of majority in your jurisdiction). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately, and we will take steps to delete such information.

9. Your Rights and Choices

Depending on your location, you may have the following rights regarding your personal information:

9.1 Access and Portability

  • Right to Access: Request a copy of the personal information we hold about you
  • Data Portability: Receive your data in a structured, commonly used, and machine-readable format

9.2 Correction and Deletion

  • Right to Rectification: Request correction of inaccurate or incomplete information
  • Right to Erasure: Request deletion of your personal information ("right to be forgotten")

9.3 Restriction and Objection

  • Right to Restrict Processing: Request restriction of processing in certain circumstances
  • Right to Object: Object to processing based on legitimate interests or for direct marketing

9.4 Consent Withdrawal

  • Withdraw Consent: Withdraw consent for processing based on consent (e.g., marketing communications)

9.5 Account Controls

You can exercise many of these rights directly through your account settings:

  • Update Profile: Modify your account information and preferences
  • Privacy Settings: Control visibility of your content (public vs. private)
  • Email Preferences: Manage marketing and notification preferences
  • Delete Account: Request account deletion

9.6 How to Exercise Your Rights

To exercise your rights, you may:

  • Account Settings: Use the privacy and account settings in the Service
  • Contact Us: Send a request to support@grimoire.tech
  • Verification: We may require verification of your identity before processing requests

We will respond to your request within the timeframes required by applicable law:

  • LGPD (Brazil): Within 15 days from the date of receipt of your request
  • GDPR (EU): Within one month from the date of receipt of your request (this period may be extended by up to two further months for complex or numerous requests, in which case we will inform you of the extension and the reasons for it)
  • General inquiries: Within 7 business days

9.7 Complaints

If you are located in the EU or Brazil, you have the right to lodge a complaint with your local data protection authority:

  • EU: Contact your local supervisory authority
  • Brazil: Contact the Autoridade Nacional de Proteção de Dados (ANPD)

10. Data Retention

We retain your personal information for as long as necessary to:

  • Provide the Service and fulfill our contractual obligations
  • Comply with legal obligations (e.g., tax, accounting, audit requirements)
  • Resolve disputes and enforce our agreements
  • Maintain security and prevent fraud

Retention Periods:

  • Account Information: Retained while your account is active and for a reasonable period after deletion
  • Content: Retained until you delete it or request deletion
  • Usage Data: Retained for analytics purposes (typically anonymized after a set period)
  • Payment Information: Retained as required by law (typically 7 years for tax/accounting purposes)
  • Logs: Retained for security and compliance (typically 90 days to 1 year)

After the retention period, we will securely delete or anonymize your information.

11. Third-Party Links and Services

The Service may contain links to third-party websites, services, or applications. This Privacy Policy does not apply to third-party services. We encourage you to review the privacy policies of third-party services before providing any information.

We are not responsible for the privacy practices or content of third-party services.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect:

  • Changes in our data practices
  • Legal or regulatory requirements
  • Service updates or new features
  • Feedback from users

Notification of Changes:

  • Material Changes: We will notify you of material changes through:
    • Email notification to your registered email address
    • Prominent notice on the Service
    • Updated "Last Updated" date
  • Continued Use: Your continued use of the Service after changes become effective constitutes acceptance of the updated Privacy Policy

Review Regularly: We encourage you to review this Privacy Policy periodically to stay informed about how we protect your information.

13. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

  • Right to Know: Request information about the categories and specific pieces of personal information we collect
  • Right to Delete: Request deletion of your personal information
  • Right to Opt-Out: Opt-out of the sale of personal information (we do not sell personal information)
  • Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise your California privacy rights, contact us at support@grimoire.tech.

14. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Privacy Contact:

  • Email: support@grimoire.tech
  • Address: Avenida Paulista, 1471, Conjunto 511, Bela Vista, São Paulo, SP, 01311-927, Brazil

Data Protection Officer (if applicable): If a Data Protection Officer has been designated, contact information will be provided through the Service or upon request.

We are committed to responding to your inquiries within 7 business days and in accordance with applicable law.

15. Additional Information

15.1 Controller Information

For GDPR purposes, Grimoire is the data controller responsible for your personal information.

Controller Details:

  • Name: Grimoire AI Platform
  • Address: Avenida Paulista, 1471, Conjunto 511, Bela Vista, São Paulo, SP, 01311-927, Brazil

15.2 Data Processing Activities

A detailed record of our data processing activities is maintained in accordance with GDPR Article 30 requirements.

15.3 Language

This Privacy Policy may be translated into other languages for convenience, but the English version shall govern in case of any conflict or discrepancy.