Privacy Policy
Last updated: April 13, 2026
1. Introduction
GritShip ("we", "us", "our") operates the GritShip web application. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our Service.
We are the data controller for the personal data we process. You can reach us at contact@gritship.com for any privacy-related questions.
2. Data We Collect
Account Data
When you create an account, we collect your email address and name. If you sign in with Google OAuth, we receive your name, email, and profile picture from Google.
Content Data
Data you create within the Service: workspaces, projects, tasks, descriptions, comments, labels, file attachments, and activity logs.
Usage Data
We collect minimal technical data necessary to operate the Service: IP address (for rate limiting and security), browser type, and request timestamps in server logs. We do not use third-party analytics or tracking scripts.
Payment Data
Payments are processed by Freemius, Inc. (merchant of record), which uses Stripe and PayPal as payment processors. We never receive, process, or store your credit card number or payment method details. Freemius shares your email, transaction ID, and subscription status with us.
3. How We Use Your Data
We use your data for the following purposes:
- Provide the Service — host your workspaces, projects, and tasks; authenticate your sessions; deliver real-time updates (legal basis: contract performance)
- Send transactional emails — task assignments, due date reminders, comment notifications, workspace invitations (legal basis: contract performance)
- Maintain security — rate limiting, fraud prevention, abuse detection (legal basis: legitimate interest)
- Improve the Service — diagnose bugs, monitor performance (legal basis: legitimate interest)
We do not use your data for advertising, profiling, or automated decision-making.
4. Cookies
GritShip uses only strictly necessary cookies for authentication session management (Supabase Auth). These cookies are required for the Service to function and do not track you across websites. We do not use advertising, analytics, or marketing cookies.
5. Third-Party Services
We share data with the following third-party processors, solely to provide the Service:
| Provider | Purpose | Data Shared |
|---|---|---|
| Supabase | Database and authentication | Account data, content data |
| Vercel | Hosting and edge functions | Request metadata, IP address |
| Cloudflare R2 | File attachment storage | Uploaded files |
| Resend | Transactional email delivery | Email address, notification content |
| Freemius | Payment processing | Email, transaction data |
| Upstash | Rate limiting and caching | User ID, request counts |
We do not sell, rent, or share your personal data with third parties for their own marketing purposes.
6. International Data Transfers
Your data may be processed in the United States and other countries where our service providers operate. Where data is transferred outside the European Economic Area, we rely on Standard Contractual Clauses or equivalent safeguards provided by our processors.
7. Data Retention
- Active accounts — we retain your data for as long as your account is active.
- Deleted accounts — we delete your data within 30 days of account deletion.
- Server logs — retained for up to 30 days for security and debugging, then automatically purged.
- Billing records — retained as required by applicable tax and accounting laws (typically 7 years).
8. Your Rights
For all users
- Access — request a copy of your personal data
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and data
- Export — export your project data using the in-app export feature
Additional rights under GDPR (EEA residents)
- Right to restrict processing
- Right to data portability
- Right to object to processing based on legitimate interest
- Right to withdraw consent (where processing is based on consent)
- Right to lodge a complaint with your local data protection authority
Additional rights under CCPA/CPRA (California residents)
- Right to know what personal information is collected, used, and disclosed
- Right to delete personal information
- Right to correct inaccurate personal information
- Right to opt out of the sale or sharing of personal information
- Right to non-discrimination for exercising your rights
We do not sell or share your personal information as defined by the CCPA.
How to exercise your rights
Email us at contact@gritship.com. We will respond within 30 days (or sooner if required by applicable law). We may ask you to verify your identity before processing your request.
9. Children's Privacy
GritShip is not intended for children under 16. We do not knowingly collect personal data from children. If you believe a child under 16 has provided us with personal data, please contact us and we will delete it.
10. Security
We implement industry-standard security measures including encrypted connections (TLS), secure authentication via Supabase Auth, input validation, rate limiting, and Content Security Policy headers. However, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by a notice within the Service at least 14 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
For privacy questions, data requests, or complaints, contact us at contact@gritship.com.