Privacy Policy
Last updated: July 3, 2026
1. Who we are and who this covers
GridStock (“GridStock,” “we,” “us”), operated by [LEGAL ENTITY, ADDRESS], provides a QR-driven inventory and material-movement platform for utility and line contractors.
Our customers are businesses (“Customers”) who are the controllers of the data they enter about their crews and operations; GridStock acts as a processor for that data. Individual users (owners, managers, technicians) access the product through their employer’s organization.
2. Data we collect
Account & identity: name, work email, hashed password (we never see plaintext), phone/avatar if provided, role, and organization membership.
Operational data (entered by Customers): organizations, warehouses, trucks, crews, jobs, materials, SKUs, quantities, unit costs, the movement ledger, and QR-code assignments.
AI feature data: text prompts and inventory snapshots sent to our AI provider to generate suggestions, and photos taken for “Receive by photo” (used to read a count and not stored after processing).
Billing: a Stripe customer/subscription identifier and plan. We do not store card numbers.
Analytics & technical: with your consent, product-usage events (PostHog); and standard server logs (timestamps, paths, error traces). We do not log passwords, session tokens, or API keys.
3. How we use data
To provide and secure the service; to run the ledger and generate the AI insights a Customer requests; to process billing; to debug and prevent abuse; and, where consented, to improve the product. We do not sell personal data, and we do not use Customer operational data to train AI models.
4. Legal bases (GDPR)
Contract (to provide the service); legitimate interests (security, abuse prevention, product improvement); and consent (non-essential cookies / analytics where required).
5. Service providers (subprocessors)
| Provider | Purpose | Data shared |
|---|---|---|
| Supabase | Database, authentication, file storage | Account + operational data |
| Vercel | Application hosting / edge | Request metadata, logs |
| Anthropic (Claude) | AI insights, suggestions, box-scan counts | Inventory snapshots, prompts, box photos (not retained by us) |
| Stripe | Subscription billing | Billing contact, subscription metadata (no card data stored by us) |
| PostHog | Product analytics (only with consent) | Usage events, pseudonymous identifiers |
6. Your rights (GDPR / CCPA)
You may access, export, correct, or delete your personal data, and object to or restrict processing. Under CCPA, we do not sell personal information.
Self-service: signed-in users can download their data and delete their account from Settings → Privacy & data. You can also email privacy@gridstockai.com; we respond to verified requests within 30 days (GDPR) / 45 days (CCPA).
7. Cookies
Essential cookies keep you signed in (set HttpOnly, Secure, SameSite). Non-essential product analytics run only after you accept them in our consent banner, and you can decline at any time without affecting core functionality.
8. Data retention
Account and operational data are retained for the life of the Customer’s subscription and deleted or anonymized on account closure. The transaction ledger is append-only and retained for audit and reporting. Box-scan photos are transient and not stored. Backups are retained for [30 days].
9. Security
We enforce tenant isolation at the database layer (row-level security), encrypt data in transit (HTTPS/HSTS) and at rest, follow least privilege for service credentials, and keep an append-only audit ledger. Report vulnerabilities to security@gridstockai.com.
10. International transfers
Data is processed in [REGION]. Where data is transferred internationally, we rely on our providers’ Standard Contractual Clauses or equivalent safeguards.
11. Children
GridStock is a business tool not directed to children under 16, and we do not knowingly collect their personal data.
12. Changes & contact
We will post changes here and update the date above; Customers will be notified of material changes. Contact: privacy@gridstockai.com · [LEGAL ENTITY, ADDRESS].