Privacy Policy
Last Updated: April 2026
GRAT (“we,” “us,” or “our”) respects your privacy and is committed to protecting it through compliance with this Privacy Policy. This policy describes the types of information we may collect from you or that you may provide when you visit the GRAT website or use our cloud-based HR documentation and workforce compliance platform (the “Service”), and our practices for collecting, using, maintaining, protecting, and disclosing that information.
1. Information We Collect
We may collect several types of information from and about users of our Service, including:
- Personal Information: Includes name, email address, phone number, employment details, and IP address. Specifically, we collect the personal information of your employees that you sync, upload, or input into the platform to track compliance certifications.
- Business Information: Corporate contact details, human resource records, corporate hierarchies, organization structure, and documents uploaded to the platform, such as onboarding forms, compliance attestations, or policy acknowledgments.
- Usage Details: Details of your visits to our Service, including traffic data, location data, logs, browser configuration, application telemetry, other communication data, and the resources that you access and use.
2. How We Collect Information
We collect this information:
- Directly from you: When you provide it to us as an Account Administrator, such as by filling out forms, creating user accounts, or uploading files.
- Automatically as you navigate: Information collected automatically may include usage details, IP addresses, and information collected through cookies, web beacons, and other tracking technologies.
- From Third-Party Integrations: When you authorize GRAT to connect with your payroll provider, HRIS, or scheduling software (e.g., Square, Gusto), we pull data via their APIs to synchronize your workforce roster.
3. How We Use Your Information
We use information that we collect about you or that you provide to us to:
- Provide, operate, and maintain the Service.
- Notify employees automatically about upcoming document expirations or required training tasks.
- Carry out obligations and enforce rights arising from any contracts entered into between you and us, including for billing and collection.
- Communicate with you for customer service, updates, and other relevant information relating to the Service.
- Marketing & Analytics: To send you marketing and promotional communications, product updates, and analytical surveys via email and SMS (text messages). You can opt out of these at any time.
- Detect, investigate, and prevent fraudulent transactions, abuse, or unauthorized access to the platform.
- AI Model Training, Knowledge Base Expansion & Product Improvement: To process, anonymize, and aggregate documents, system interactions, telemetry, metadata, and other information provided by you in order to train and fine-tune algorithms, improve our Retrieval-Augmented Generation (RAG) capabilities, and build a generalized global compliance library for the benefit of all users, as well as to enhance, test, and develop the overall Service and its features. We ensure all Personally Identifiable Information (PII) is removed before such aggregation.
EXCLUSION OF EMPLOYEE DATA: We strictly separate employer-uploaded organizational templates from employee-submitted data. Under no circumstances do we ingest, process, or utilize employee-submitted forms, completed compliance receipts, signatures, medical records (e.g., TB tests), or financial information (e.g., direct deposit forms) for AI model training or Knowledge Base expansion.
4. Disclosure of Your Information
We do not sell, rent, or lease your Personal Information or your employees' Personal Information to third parties. We may disclose aggregated information about our users without restriction. We may disclose personal information that we collect or you provide as described in this privacy policy:
- To contractors, service providers, or hosting providers we use to support our business (e.g., AWS, Vercel) who are bound by contractual obligations to keep personal information confidential.
- To fulfill the purpose for which you provide it (e.g., sending an SMS or Email notification via Amazon SNS/AWS SES to an employee whose certification is expiring).
- If we believe disclosure is necessary or appropriate to comply with a court order, law, or legal process, including responding to any government or regulatory request.
- To enforce or apply our Terms of Service.
- To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of GRAT's assets, whether as a going concern or as part of bankruptcy, liquidation, or similar proceeding, in which personal information held by GRAT about our Service users is among the assets transferred.
5. Data Security
We have implemented leading industry-standard measures designed to secure your personal information from accidental loss and from unauthorized access, use, alteration, and disclosure. All information you provide to us is stored on our secure servers behind firewalls and encrypted at rest (AES-256) and in transit (TLS 1.2+). However, the transmission of information via the internet is not completely secure; we cannot guarantee the absolute security of your personal information transmitted to our Service.
6. Data Retention
We retain personal information only for as long as necessary to fulfill the purposes for which it was collected, and as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Once your account is permanently closed, your associated documents and employee records may be queued for deletion in accordance with our data retention timelines.
7. Your State Privacy Rights
Depending on your location (e.g., California under the CCPA, Virginia under the VCDPA), you may have specific rights regarding your personal information, including the right to know what is collected and request deletion. To exercise these rights as an enterprise user, you may utilize the tools within the platform or contact us directly.
If you have any questions about this Privacy Policy, please reach out to us at privacy@mygrat.ai.