Privacy Policy
Last updated: February 7, 2025
1. Introduction
GrantFlow ("we," "us," or "our") operates the GrantFlow platform, an AI-powered grant discovery and tracking service for Canadian businesses and non-profits. This Privacy Policy explains how we collect, use, disclose, and protect your personal information in accordance with Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
By creating an account or using GrantFlow, you consent to the practices described in this policy. If you do not agree, please do not use our service.
2. Information We Collect
Account Information
When you create an account, we collect your email address and password (or authentication credentials if you sign in via a third-party provider). We also store a unique user identifier and your subscription status.
Business Profile
To match you with relevant grants, we collect information about your business, including: company name, province and city, year founded, business structure, industry, revenue range, employee count, website URL, and special categories (such as Indigenous-owned or women-owned status). We may also collect founder information such as date of birth and years of entrepreneurial experience to determine eligibility for age-based or demographic-specific grants.
Grant Tracking & Application Data
When you use GrantFlow to track and apply for grants, we store your tracked grants, application status, checklist items, notes, activity history, and deadline reminder records.
Content & Documents
You may upload documents (such as PDFs and Word files) to your document vault and create reusable content blocks in your content library. We store these files and content on your behalf.
Usage & Technical Data
We automatically collect technical information needed to operate the service, including error logs, performance data, and request metadata used for rate limiting. We do not use third-party analytics or advertising trackers.
3. How We Use Your Information
We use your personal information for the following purposes:
- Grant Matching: Your business profile is used to identify grants you may qualify for using AI-powered matching.
- Application Assistance: Your profile and content are used to help draft and tailor grant applications.
- Notifications: Your email and preferences are used to send deadline reminders, weekly grant digests, and service updates.
- Billing: Your account information is shared with our payment processor to manage your subscription.
- Service Operation: Technical data is used for error monitoring, rate limiting, and maintaining service reliability.
- Team Collaboration: If you use team features, relevant data is shared with members of your organization as configured by the account owner.
4. Third-Party Services
We use trusted third-party service providers to operate GrantFlow. Each provider receives only the minimum data necessary for its function:
- Hosting & Database: Our infrastructure provider stores your account data, business profiles, and documents with encryption at rest and in transit.
- Payment Processing: Our payment processor (Stripe) handles subscription billing. We do not store your credit card details directly — they are managed by Stripe in accordance with PCI-DSS standards.
- AI Services: We use third-party artificial intelligence services to power grant matching, eligibility analysis, and application drafting. When you use these features, portions of your business profile and grant descriptions are sent to these providers for processing. Your data is not used to train their AI models.
- Email Delivery: We use a transactional email provider to send notifications, reminders, and digests to your email address.
- Error Monitoring: We use an error tracking service to detect and fix issues. This service may receive technical error data and environment information but does not receive your business profile or documents.
- Rate Limiting: We use a caching service to enforce rate limits and protect the platform from abuse. This service processes request metadata only.
We do not sell, rent, or trade your personal information to any third party for marketing or advertising purposes.
5. Data Storage & Security
Your data is stored on servers with encryption at rest and in transit (TLS/SSL). We implement row-level security policies to ensure your data is isolated from other users. Additional security measures include HTTP Strict Transport Security (HSTS), Content Security Policy headers, and strict access controls.
While we take reasonable steps to protect your information, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
6. Cookies & Tracking
GrantFlow uses only essential cookies required for the service to function. These include authentication session cookies that keep you signed in. We do not use advertising cookies, analytics trackers, or any third-party tracking technologies.
7. Data Retention & Deletion
We retain your personal information for as long as your account is active or as needed to provide you with our services. If you request account deletion, we will permanently delete your business profile, tracked grants, documents, content blocks, and all associated data.
We may retain billing and subscription records for up to 7 years after account deletion as required by Canadian tax and accounting laws. Our payment processor (Stripe) may also retain its own transaction records in accordance with its policies and legal obligations.
8. Your Rights Under PIPEDA
Under PIPEDA, you have the right to:
- Access: Request a copy of the personal information we hold about you.
- Correction: Request that we correct any inaccurate or incomplete personal information.
- Deletion: Request that we delete your personal information, subject to legal retention requirements.
- Withdraw Consent: Withdraw your consent for us to process your personal information at any time. Note that withdrawing consent may affect your ability to use GrantFlow.
- Complaint: File a complaint with the Office of the Privacy Commissioner of Canada if you believe your privacy rights have been violated.
To exercise any of these rights, please contact us using the information in the Contact Us section below. We will respond to your request within 30 days.
9. Children's Privacy
GrantFlow is not directed at individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have inadvertently collected information from a child under 18, we will take steps to delete it promptly.
10. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. If we make material changes, we will notify you by email or by posting a prominent notice on our website prior to the changes taking effect. The "Last updated" date at the top of this page indicates when the policy was last revised.
11. Contact Us
If you have questions about this Privacy Policy, wish to exercise your privacy rights, or have a complaint, please contact us at:
GrantFlow
Email: privacy@grantflow.ca