Privacy Policy

Last updated: 7 March 2026

1. Introduction

GrantIQ (“we,” “our,” or “us”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our AI-powered grant discovery and proposal drafting service at grantiq.co.uk (the “Service”).

We are registered in England and Wales. Our Service is primarily aimed at UK-based organisations including charities, non-profits, and SMEs seeking grant funding.

2. Information We Collect

Personal Information

We collect personal information that you provide directly to us, including:

  • Name, email address, and contact information
  • Organisation details, sector, and professional information
  • Account credentials and preferences
  • Payment information (processed securely through Stripe — we never store card details)
  • Grant application content and supporting documents you upload

Usage Information

We automatically collect certain information about your use of our Service:

  • Grant searches, bookmarks, and application tracking
  • AI-generated content and drafts
  • Feature usage and interaction data
  • Aggregate analytics data (see Section 9 below)

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Match you with relevant grant opportunities using AI
  • Generate personalised AI-powered application drafts
  • Send you notifications about new grant matches and deadlines
  • Process payments and manage subscriptions
  • Provide customer support and respond to enquiries
  • Analyse aggregate usage patterns to improve the Service
  • Comply with legal obligations

4. AI and Machine Learning

Our Service uses artificial intelligence provided by OpenAI to deliver grant recommendations and content generation. When you use our AI features, relevant information from your profile and project descriptions is sent to OpenAI's API to generate responses. OpenAI processes this data as a sub-processor under our instructions and does not use it to train their models.

Your specific grant applications and sensitive business information are never shared with third parties for AI training purposes.

5. Information Sharing and Disclosure

We do not sell, trade, or otherwise transfer your personal information to third parties except as described below:

Service Providers (Sub-processors)

We work with trusted third-party service providers who assist us in operating our Service:

  • Stripe (USA) — Payment processing. Stripe processes your payment card details directly; we never see or store your full card number.
  • OpenAI (USA) — AI-powered grant recommendations and content generation. Profile and project data is sent to generate AI responses.
  • SendGrid (USA) — Email delivery for notifications and alerts.
  • PostHog (EU — Frankfurt, Germany) — Privacy-preserving product analytics. See Section 9 for details.
  • Hetzner (Germany) — Cloud hosting and infrastructure.
  • Google (USA) — OAuth authentication (if you choose to sign in with Google).

Legal Requirements

We may disclose your information if required by law or if we believe such action is necessary to comply with legal processes or protect our rights.

6. Data Security

We implement appropriate technical and organisational security measures to protect your personal information against unauthorised access, alteration, disclosure, or destruction. These measures include encryption in transit (TLS) and at rest, secure server infrastructure hosted within the EU, and regular security reviews.

7. Data Retention

We retain your personal information for as long as necessary to provide our Service and fulfil the purposes outlined in this Privacy Policy. When you delete your account, we will delete or anonymise your personal information within 30 days, unless we are required to retain certain information for legal or regulatory purposes.

8. Your Rights (UK GDPR)

Under the UK General Data Protection Regulation (UK GDPR), you have the following rights regarding your personal data:

  • Right to Access: Request copies of your personal data
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your personal data
  • Right to Restrict Processing: Request limitation of data processing
  • Right to Data Portability: Request transfer of your data in a machine-readable format
  • Right to Object: Object to processing of your personal data, including analytics
  • Right to Withdraw Consent: Withdraw consent at any time where processing is based on consent

To exercise any of these rights, please contact us at privacy@grantiq.co.uk. We will respond to your request within one month.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk if you believe your data protection rights have been violated.

9. Analytics and Cookies

We use PostHog for product analytics to understand how our Service is used and to improve it. PostHog is configured in a privacy-preserving manner:

  • No cookies are set for analytics purposes
  • No data is stored on your device (no localStorage or sessionStorage)
  • Analytics data is hosted in the EU (Frankfurt, Germany)
  • IP addresses are not captured or stored
  • We collect only aggregate statistical data such as page views, feature usage counts, and conversion funnels to improve the Service

This analytics processing is carried out under the statistical purposes exception in the Privacy and Electronic Communications Regulations (PECR), as amended by the Data (Use and Access) Act 2025. The sole purpose is to collect aggregate statistics to improve our Service.

Opt out of analytics: You can opt out of analytics tracking at any time by contacting us at privacy@grantiq.co.uk. We also respect your browser's Do Not Track (DNT) signal and Global Privacy Control (GPC) signal.

Our Service uses essential cookies only for authentication (keeping you logged in) and security purposes. These are strictly necessary for the Service to function and do not require consent.

10. International Data Transfers

Your data is primarily stored and processed within the EU (Germany). Some of our sub-processors (OpenAI, Stripe, SendGrid, Google) are based in the United States. Where data is transferred outside the UK, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the ICO, and we verify that the receiving country provides an adequate level of data protection.

11. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact us immediately.

12. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the “Last updated” date. Significant changes will be communicated via email or prominent notice on our Service.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights, please contact us:

Email: privacy@grantiq.co.uk

Website: www.grantiq.co.uk

14. Legal Basis for Processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract: Processing necessary to provide the Service you have signed up for (account management, grant recommendations, AI drafting, notifications)
  • Legitimate interest: Improving and securing our Service, preventing fraud, and communicating service updates
  • Consent: Marketing communications (you can withdraw consent at any time)
  • Legal obligation: Complying with applicable laws and regulations
  • Statistical purposes (PECR): Aggregate analytics to improve the Service (see Section 9)