Privacy Policy
Last updated June 23, 2026
Introduction
This Privacy Policy explains how GrantDuck collects, uses, discloses, and protects information when you use the GrantDuck website, application, and related services (collectively, the "Service"). GrantDuck is a software-as-a-service product operated from the United States (Utah). By creating an account or using the Service, you agree to the practices described in this Policy. If you do not agree, do not use the Service. This Policy is incorporated into and forms part of our Terms of Service; capitalized terms not defined here have the meaning given in the Terms, and your use of the Service is also governed by the Terms, including their disclaimers and limitation of liability.
GrantDuck helps businesses discover and draft applications for grant programs. To do that, GrantDuck necessarily processes information you provide about your business and the application content you generate. We have written this Policy to be clear about what we collect, why we collect it, who processes it on our behalf, and what choices you have.
Information We Collect
We collect the following categories of information.
Account information. When you register, we collect your email address and the authentication identifiers managed by our authentication provider (Supabase Auth). If you choose to sign in with Google (an optional OAuth method), we receive basic profile and email information from Google as permitted by the scopes you approve. We do not receive your Google password.
Business profile information. To match you with grant programs and to draft applications, you provide details about your company. This may include business name, location, industry, size, ownership characteristics you choose to share, mission and program descriptions, and other facts you enter into your profile or interview responses. You decide what to enter; we encourage you not to submit information you do not want processed for the purposes described here.
AI prompt and response content. When you use GrantDuck to draft, summarize, or refine grant application materials, the prompts you submit and the business and profile data needed to fulfill those prompts, together with the AI-generated responses, are processed to produce your drafts. This content is sent to our AI subprocessor (Anthropic) as described in the AI Processing Disclosure below.
Usage and analytics information. We collect information about how you interact with the Service, such as pages and features used, actions taken, approximate timing, device and browser type, and similar diagnostic and performance data. This helps us operate, secure, and improve the Service.
Payment metadata only. Payments are processed by Stripe. GrantDuck never receives or stores your full card number, CVC, or other full payment-card credentials. We receive and store limited payment metadata such as a transaction or customer identifier, subscription or purchase status, the last four digits and card brand where provided by Stripe, and amounts. Your full card data is handled directly by Stripe under Stripe's own terms and security controls.
Support and communications. When you contact us for support or otherwise communicate with us, we collect the contents of those messages and any information you choose to include.
Email delivery information. We use an email delivery provider (Brevo) to send transactional and account-related email. This involves processing your email address and message metadata necessary to deliver and confirm delivery.
How We Use Your Information
We use the information we collect to:
Provide and operate the Service, including authenticating you, maintaining your account, storing your business profile, and matching you to grant programs.
Generate AI drafts and related outputs at your direction, by processing your prompts and the business data needed to fulfill them.
Process billing and payments, manage subscriptions and one-time purchases, apply credits or coupons, and prevent payment fraud.
Secure the Service, including detecting, investigating, and preventing fraudulent, abusive, unauthorized, or unlawful activity, and enforcing our terms.
Provide customer support and respond to your requests.
Improve and develop the Service, including understanding usage, diagnosing problems, and refining features. We do not use your private business profile content or AI prompt content to train third-party foundation models, and our AI subprocessor does not train its models on your content as described below.
Comply with legal obligations and respond to lawful requests.
Legal Bases for Processing
Where required by applicable law (for example, for users in the European Economic Area or the United Kingdom), we rely on the following legal bases. We process your information to perform our contract with you (to provide the Service you requested, including AI drafting and billing). We process certain information based on our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights. We process information to comply with our legal obligations. And we process information based on your consent where consent is required, such as for certain optional integrations; you may withdraw consent at any time without affecting prior processing.
AI Processing Disclosure
GrantDuck uses artificial intelligence to help you draft grant application materials. To do this, the prompts you submit, together with the business profile and related data needed to fulfill your request, are transmitted to our AI subprocessor, Anthropic, which returns generated text that GrantDuck presents to you.
We send this content to Anthropic solely to generate outputs for you. Under the commercial terms applicable to GrantDuck's use of Anthropic's API, Anthropic does not use the prompts or outputs submitted through that API to train its models. Anthropic may process the content as necessary to provide and secure the service, including limited retention for safety and abuse-prevention purposes, consistent with its terms. We do not control and are not responsible for Anthropic's independent practices; we encourage you to review Anthropic's published terms and policies. Because AI outputs can be inaccurate, incomplete, or fabricated, and the Service does not provide professional advice or guarantee any grant, eligibility, funding, or outcome, you are solely responsible for reviewing, verifying, correcting, and editing any draft before relying on it and for submitting every application yourself, as further described in our Terms of Service.
Subprocessors
We use the following service providers ("subprocessors") to operate the Service. Each processes information only as needed to provide its function to GrantDuck and under contractual confidentiality and security obligations.
Supabase — backend data store and authentication. Hosts our Postgres database and manages account authentication and identifiers.
Anthropic — AI processing. Receives prompts and necessary business data to generate application drafts and related outputs, as described above.
Stripe — payment processing. Handles payment-card data and processes subscriptions and purchases. GrantDuck receives only payment metadata.
Brevo — email delivery. Sends transactional and account-related email on our behalf.
Google Firebase — hosting. Hosts and serves the GrantDuck web application and related infrastructure.
We may update our subprocessors as the Service evolves. Where a change is material, we will update this Policy and, where required, provide notice.
Sharing and Disclosure
We do not sell your personal information, and we do not share it for cross-context behavioral advertising.
We disclose information to the subprocessors listed above to provide the Service. We may disclose information to comply with applicable law, regulation, legal process, or enforceable governmental request; to enforce our terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of GrantDuck, our users, or the public. If GrantDuck is involved in a merger, acquisition, financing, reorganization, or sale of assets, information may be transferred as part of that transaction, subject to this Policy or a successor policy with comparable protections.
Data Retention and Deletion
We retain your information for as long as your account is active and as needed to provide the Service, and thereafter as necessary to comply with legal obligations, resolve disputes, prevent fraud and abuse, and enforce our agreements.
When you delete your account, GrantDuck applies a soft-delete: your account and associated data are marked for deletion and become inaccessible through the Service, and are then purged after a 14-day window. During that window, deletion can be reversed (for example, if the request was made in error or you contact us to restore the account). After the 14-day window elapses, the data is purged from our active systems. Residual copies may persist for a limited additional period in encrypted backups, from which they are removed in the ordinary backup-rotation cycle. We may also retain limited records as required by law or for legitimate fraud-prevention, security, accounting, and tax purposes.
Where subprocessors hold copies of data on our behalf (for example, payment metadata at Stripe or email logs at Brevo), retention by those providers is governed by their own policies and our agreements with them.
Security
We implement administrative, technical, and organizational measures designed to protect your information, including encryption in transit, access controls and role-based authorization, owner-restricted access to sensitive settings, scoped authentication tokens, and isolation of payment-card data with Stripe so that GrantDuck never handles full card numbers. No method of transmission or storage is completely secure, and we cannot guarantee absolute security. You are responsible for safeguarding your login credentials and for promptly notifying us of any suspected unauthorized access.
Your Rights and Choices
Subject to applicable law, you have rights regarding your information. You may access and review your account and business profile within the Service. You may correct inaccurate information by updating your profile. You may request export of your information in a portable format. You may delete your account, which triggers the soft-delete and purge process described above.
Privacy rights for U.S. state residents. If you are a resident of California or another U.S. state with a comprehensive privacy law, you may have the right to know what personal information we collect, the right to access and delete it, the right to correct it, and the right to portability. GrantDuck does not sell personal information and does not share it for cross-context behavioral advertising; there is therefore nothing to opt out of with respect to "sale" or "sharing," but you may still exercise the rights described here. We will not discriminate against you for exercising your rights.
Privacy rights for EEA, UK, and similar jurisdictions. If applicable law grants you rights of access, rectification, erasure, restriction, objection, and data portability, and the right to withdraw consent and to lodge a complaint with a supervisory authority, you may exercise those rights as provided by that law.
To exercise any right, contact us at the address in the Contact section. We may need to verify your identity before acting on a request, and we will respond within the timeframes required by applicable law. You may also have the right to authorize an agent to act on your behalf where the law permits.
Cookies, Local Storage, and Analytics
GrantDuck uses cookies, browser local storage, and similar technologies to keep you signed in, remember your preferences, operate core features, and understand usage. Some storage is strictly necessary for the Service to function (for example, maintaining your authenticated session). We also use analytics and diagnostic data to measure performance and improve the Service. You can control cookies through your browser settings, but disabling strictly necessary storage may prevent the Service from working. We do not use cookies for third-party behavioral advertising. Because we do not track users across third-party sites for advertising, we do not respond to "Do Not Track" browser signals; we treat the absence of cross-context advertising as our baseline.
Children's Privacy
GrantDuck is intended for businesses and the adults who operate them. The Service is not directed to children, and we do not knowingly collect personal information from anyone under 18, and in no event from anyone under 13. If you believe a child has provided us personal information, contact us and we will take appropriate steps to delete it.
International Data Transfers
GrantDuck is operated from the United States, and our subprocessors may process information in the United States and other countries. If you access the Service from outside the United States, you understand that your information will be transferred to, stored, and processed in the United States and other jurisdictions whose data-protection laws may differ from those of your country. Where required, we rely on appropriate safeguards (such as standard contractual clauses) for international transfers of personal information.
Changes to This Policy
We may update this Policy from time to time. When we make changes, we will revise the "Last updated" date above. If a change is material, we will provide notice through the Service or by email and, where appropriate or required, ask you to review and re-accept the updated Policy before continuing to use the Service. Your continued use of the Service after an update takes effect constitutes acceptance of the updated Policy, except where re-acceptance is separately required.
Contact
If you have questions, requests, or concerns about this Policy or your information, contact us at granttruth@sethricks.org.
Questions? Email support@sethricks.org.