Trust & data governance
Funding work is confidential work. Before you commit anything to GrantIQ, here is exactly where your data sits, what we do and don't store, and the controls you keep. No certification badges we don't hold, no claims we can't stand behind.
Where your data is hosted
GrantIQ runs on managed infrastructure in the European Union (Germany). Your account data, organisation profile, and any content you enter are processed and stored in the EU. Data in transit is protected with TLS. We are honest about this rather than implying UK-only residency — for the overwhelming majority of UK and EU buyers, EU-region hosting under UK GDPR / EU GDPR is exactly the right footing, and we'd rather state it plainly than hide it.
We never train AI on your data
GrantIQ does not use your organisation profile, the grants you track, or anything you write into the product to train machine-learning models — ours or anyone else's. We use large language models as a tool to read funder documents and draft text on your behalf; your data is the input to that tool for your benefit, never training material.
One honest caveat worth stating: if you use GrantIQ through ChatGPT or Claude (our connector for AI assistants), the conversation also passes through that AI host, whose training behaviour depends on your plan with them. We surface that in detail on the connector privacy page so you can make an informed choice. It does not change how GrantIQ itself treats your data.
If you apply for UKRI or Innovate UK funding, this matters for policy reasons too: UKRI's generative AI policy warns applicants that the confidentiality of information entered into AI tools is not guaranteed, and holds you accountable for what you submit. So here is exactly what happens to text you draft with GrantIQ: it is sent to our AI provider under API terms that exclude training on your data, it is not retained as training material, and the draft always shows you what it was based on so you can stand behind every claim in it. We can't make the accountability go away — UKRI places it with you — but we can make sure using GrantIQ never puts your confidential information into a model's training set.
Every grant fact is traced to its source
GrantIQ is built on a provenance principle: a claim about a grant should be checkable, not taken on faith. When our system reads a funder's page, each extracted fact — the award amount, the deadline, the eligibility rule — carries a source chain back to where it came from, so it can be verified rather than trusted blindly.
The same discipline applies to eligibility. Rather than a single opaque “score”, GrantIQ produces a structured verdict — which rules a grant passed, which need human judgement, and the basis for each — so a reviewer can defend the reasoning instead of deferring to a black box.
And when GrantIQ helps you draft a proposal, every drafted section shows what it was based on — your organisation profile, your project, and the funder's published criteria, with a link to that criteria — so you can check the grounding rather than take the draft on faith.
The same discipline carries into managing a grant once it's won. Every change to a post-award obligation — its status or its owner — is recorded: who changed it, when, and the exact before and after. Your team can open any obligation's history and see precisely what was tracked and by whom, rather than relying on memory or a spreadsheet.
What we store, and what we don't
We store what we need to do the job for you: your account, your organisation profile (the sectors, location, organisation type and similar fields you provide), the grants you track, and the drafts and notes you create. We keep operational records — sign-ins, billing state, and product-usage events — to run the service securely and support you.
We do not sell your data, we do not share it with advertisers, and we do not build profiles of you for any purpose other than running GrantIQ for you.
Who is responsible for your data
Under UK GDPR, GrantIQ is the data controller for your account and the records described above. Where we use sub-processors to deliver the service — for example Stripe for payments — they act as processors under contract, and Stripe is the controller for the payment-card details you enter directly into its Checkout. If you connect GrantIQ to ChatGPT or Claude, that AI host is the controller for the contents of your conversation with it.
Your rights, and how to exercise them
Your UK GDPR rights of access, rectification, erasure, portability, and objection apply. Sign in to the GrantIQ web app to view and update your data directly. To request a full export or deletion, or to ask a data-protection question, contact us at contact@grantiq.co.uk and we will action it.
A Data Processing Agreement (DPA) is available to organisations that need one — request it through the same address and we will send our standard terms without a sales call.
Our security posture — stated honestly
We host in the EU, protect data in transit with TLS, follow least-privilege access for our own team, and keep a self-assessed Data Protection Impact Assessment on file. We do not currently hold SOC 2 or ISO 27001 certification, and we will not imply that we do. For organisations that need a security review, we're happy to complete a standard supplier questionnaire on request rather than point you at a badge we haven't earned.
Questions a policy can't answer? Email contact@grantiq.co.uk. For the formal legal text, see our Privacy Policy and Terms of Service.