Privacy Policy

Effective Date: December 8, 2025
Last Updated: December 8, 2025

1. Introduction

Welcome to GroundedNinja Business ("we," "our," or "us"). We respect your privacy and are committed to protecting your personal data. This privacy policy explains how we collect, use, and safeguard your information when you use our CRM application and related services (the "Service").

2. Information We Collect

2.1 Information You Provide

  • Account Information: When you create an account, we collect your name, email address, and profile information through Google OAuth authentication or email/password signup.
  • Contact Data: We store the contact information, interactions, notes, and pipeline data you create within the application.
  • Communications: If you contact us directly, we may receive additional information about you.

2.2 Information We Collect Automatically

  • Usage Data: We collect information about how you use our Service, including features accessed, time spent, and interaction patterns.
  • Device Information: We may collect information about your device, including device type, operating system, and browser type.
  • Log Data: Our servers automatically record information when you use our Service, including your IP address, timestamps, and requests.

3. How We Use Your Information

We process your personal data on the following legal bases:

Service Provision (Contract - GDPR Article 6(1)(b))

Processing necessary to provide GroundedNinja Business's core features, including:

  • Contact and pipeline management
  • Interaction tracking and notes
  • Account management and authentication
  • Data organization and search

Legitimate Interest (GDPR Article 6(1)(f))

For improving our Service, fixing bugs, and providing support. We process your data based on our legitimate interest in maintaining and enhancing the platform.

Legal Obligation (GDPR Article 6(1)(c))

To comply with legal requirements and tax obligations, and to respond to lawful requests from authorities.

4. How We Share Your Information

We do not sell, trade, or otherwise transfer your personal information to third parties, except in the following circumstances:

4.1 Service Providers

We may share your information with trusted third-party service providers who assist us in operating our Service:

  • Google Cloud Platform: Infrastructure hosting (servers, databases)
  • Stripe: Payment processing (for paid plans)
  • Google OAuth: Authentication services (if you sign in with Google)

4.2 Legal Requirements

We may disclose your information if required by law or in response to valid legal requests from public authorities.

4.3 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our Service.

5. Data Security

We take the security of your data seriously and implement appropriate technical and organizational measures to protect your personal information.

What We Do to Protect Your Data:

Access Controls

  • Multi-Tenant Isolation: Every account's data is completely isolated. Users can only access their own account's data through row-level security.
  • Authentication: OAuth 2.0 (Google) or secure password hashing for email/password accounts.
  • Session Management: Secure, time-limited sessions with automatic expiry.

Data Transmission

  • TLS/HTTPS: All data transmitted between your device and our servers is encrypted using industry-standard TLS 1.3.
  • Secure APIs: All API endpoints require authentication and use encrypted connections.

Infrastructure Security

  • Google Cloud Platform: Our infrastructure is hosted on GCP, which maintains SOC 2 Type II, ISO 27001, and GDPR compliance.
  • Database Security: PostgreSQL with the Cloud SQL managed service and automatic security updates.
  • Regular Backups: Automated daily backups with 30-day retention for disaster recovery.

Important Limitations (Transparency):

Encryption at Rest

Your content is stored in readable form, not encrypted at rest. This is standard for CRM applications that need to perform search, filtering, and reporting on your data. We protect your data through:

  • Strict access controls (only you can access your account's data)
  • UK-based servers with GDPR compliance
  • Limited staff access (only for critical debugging with your permission)

Staff Access Policy

Our team members have limited access to user data:

  • Normal operations: Zero access to your content
  • Debugging/support: Access only with your explicit permission or for critical system issues
  • Audit logs: All staff access is logged and monitored

Your Responsibility

  • Choose a strong, unique password
  • Keep your login credentials secure
  • Log out from shared devices
  • Report any suspected security issues to joe@grounded.ninja

Security Disclaimer

While we implement industry-standard security practices, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

Data Breach Notification

In the event of a data breach that affects your personal information, we will notify you within 72 hours as required by UK GDPR Article 33.

6. Data Retention

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes outlined in this policy.

Account Data:

You may delete your account at any time through Settings. We will delete your personal information immediately upon request, including:

  • Your account and profile
  • All contacts, interactions, and notes
  • All pipeline and action data
  • All session and authentication data
  • All billing records (except as required by law for tax purposes)

Retention Periods:

  • Active accounts: Retained indefinitely while you use the service
  • Deleted accounts: Immediately and permanently deleted
  • Billing records: 7 years (UK tax law requirement)
  • Session logs: 30 days after expiry

Backups: Database backups are retained for 30 days for disaster recovery. Deleted data is removed from backups within 30 days of deletion.

7. Your Rights

Under UK GDPR and other privacy laws, you have the following rights regarding your personal information:

  • Access: Request access to your personal information (export data in settings)
  • Correction: Request correction of inaccurate information (edit directly in the app)
  • Deletion: Request deletion of your personal information (delete account in settings)
  • Portability: Request a copy of your data in CSV or JSON format (export in settings)
  • Objection: Object to certain processing of your information
  • Lodge a Complaint: File a complaint with the ICO (UK Information Commissioner's Office) if you believe we've violated your rights

To exercise these rights, use the in-app settings or contact us at joe@grounded.ninja.

8. International Data Transfers

Your information is primarily stored in UK/EU data centers. If transferred to other countries, we ensure appropriate safeguards are in place to protect your information in accordance with UK GDPR.

Our service providers (Google Cloud Platform, Stripe) maintain GDPR compliance and use Standard Contractual Clauses (SCCs) for international data transfers where necessary.

9. Children's Privacy

Our Service is not intended for children under 13 years of age. We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we will delete such information immediately.

10. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to read their privacy policies.

11. Changes to This Policy

We may update this privacy policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last Updated" date. For significant changes, we will also email you at the address associated with your account.

Your continued use of our Service after such changes constitutes acceptance of the updated policy.

12. Contact Us

If you have any questions about this privacy policy or our data practices, please contact us at:

Email: joe@grounded.ninja

Website: https://business.grounded.ninja

Address: 4 Cumberland Grove, Bristol, BS6 5LD, United Kingdom

This privacy policy is designed to comply with UK GDPR and other applicable privacy laws. We are committed to protecting your privacy and maintaining transparency about our data practices.

© 2025 GroundedNinja Business. All rights reserved.