Privacy Notice

We regularly update our privacy notice and encourage you to read the latest version if you’d like to find out how we process your personal data.

This privacy notice will help you understand:

  1. Who we are and how to contact us (identity of the controller)
  2. Who it applies and does not apply to (scope)
  3. Why we collect and process your personal data (processing activities)
  4. Third-party services relied on and intended international transfers of your data (transfers of data)
  5. How we protect your data (technical and organizational measures)
  6. Rights you can exercise with regard to your data and how to apply them (data subject rights)

1. Who we are and how to contact us:

The entity responsible for your personal data is:

GrantAssistant Inc.
11428 Orchard Ln
Reston
VA 20190
United States of America

(further referred to as: “GrantAssistant”)

If you have additional questions or require more information about our data practices or our privacy policy, contact us directly at privacy@grantassistant.ai.

2. Scope of this privacy notice:

This privacy notice APPLIES to the following categories of EU data subjects:

  1. visitors of our website (see section 3.1 below)
  2. leads or customers (see section 3.2 below)
  3. recipients of our newsletters (see section 3.3 below)

This notice DOES NOT APPLY to:

  • End users of our technology - please contact the organization that provides you with the use of our technology, whether you are attached to it as an employee or as an external party, to understand how your data is processed when you use our tools.
  • Our employees - GrantAssistant is not registered in the EU and our staff is not in the EU.

3. When and why we collect and process your data:

3.1 Visiting our website

| a. Activity processing your data | b. Purpose served | c. Data collected / processed | d. Legal basis for the processing of the data (GDPR Art. 6) | e. Retention period for this data | f. Available data subject rights |
|---|---|---|---|---|---|
| User Analytics | Allows GrantAssistant to collect and analyze website user interactions on behalf of GrantAssistant's prospective customers. | IP address, browser details, page interactions, anonymized session data | Consent (Art.6.1(a)) | Up to 3 months | All (see section 6 below) |
| Marketing Analytics | Allows GrantAssistant to enable website conversion tracking, measure LinkedIn ad effectiveness, and facilitate retargeting for GrantAssistant customers. | IP address, LinkedIn user ID (hashed), page visits, interactions with LinkedIn ads | Consent (Art.6.1(a)) | 90 days | All (see section 6 below) |
| Website hosting and content management | Allows GrantAssistant to host and serve website content, enabling dynamic user experiences on behalf of GrantAssistant's customers. | IP address, browser type, operating system, page visit history | Consent (Art.6.1(a)) | Up to 90 days | All (see section 6 below) |
| Website Analytics and Tag management | Allows GrantAssistant to manage and deploy analytics and tracking scripts on behalf of GrantAssistant's customers. | IP address, browsing behavior, page interactions | Consent (Art.6.1(a)) | Up to 90 days | All (see section 6 below) |

3.2 Prospective and existing customers

| a. Activity processing your data | b. Purpose served | c. Data collected / processed | d. Legal basis for the processing of the data (GDPR Art. 6) | e. Retention period for this data | f. Available data subject rights |
|---|---|---|---|---|---|
| Customer acquisition | Allows GrantAssistant to collect and manage inbound leads from potential customers explicitly opting in to learn about GrantAssistant. | Contact details (name, email, phone); organization info (if B2B) | Consent (Art.6.1(a)) | Up to 90 days | All (see section 6 below) |
| Online Appointment Scheduling | Allows GrantAssistant to enable customers to schedule and manage meetings on the GrantAssistant platform. | Name, email address, phone number (if provided), meeting details | Consent (Art.6.1(a)) | Up to 90 days | All (see section 6 below) |
| Initial onboarding | Allows GrantAssistant to register and manage users accessing the platform. | Name, email address, phone number. | Performance of a contract (Art.6.1(b)) | Duration of Contract, and 45 working days after the termination of the contract. | All except right to opt-out from automated decision making (see section 6 below) |
| Managing user logins | Allows GrantAssistant to authenticate and manage user logins. | Authentication data: User-Email, Hashed/salted passwords. | Performance of a contract (Art.6.1(b)) | Duration of the contract, and 45 working days after termination of the contract | All except right to opt-out from automated decision making (see section 6 below) |
| Provisions of customization options | Allows GrantAssistant to give users the option to customize the use of the platform based on the needs of the organization. | Professional/Organizational Data: Job title, department, organizational details, grant history. | Performance of a contract (Art.6.1(b)) | Duration of the contract, and 45 working days after termination of the contract | All except right to opt-out from automated decision making (see section 6 below) |
| Tracking user logins | Allows GrantAssistant to record logins for auditing and legal obligation purposes. | Login history, IP addresses. | Legal Obligation (Art.6.1(c)) | Duration of the contract, and 45 working days after termination of the contract | All except right to erasure and data portability (see section 6 below) |
| Customer support | Allows GrantAssistant to respond to user queries and provide customer support. | User-submitted queries, attachments, and chat transcripts. | Performance of a contract (Art.6.1(b)) | Duration of Contract, and 45 working days after the termination of the contract. | All except right to opt-out from automated decision making (see section 6 below) |
| Billing | Allows GrantAssistant to handle subscription fees, invoicing, and payment records for GrantAssistant services. | Billing details (name, address), payment info, transaction records | Performance of a contract (Art.6.1(b)) | Data relevant to compliance and auditing retained as required by law, 3 years after end of customer relationship. | All except right to opt-out from automated decision making (see section 6 below) |

3.3 Marketing and outreach activities

| a. Activity processing your data | b. Purpose served | c. Data collected / processed | d. Legal basis for the processing of the data (GDPR Art. 6) | e. Retention period for this data | f. Available data subject rights |
|---|---|---|---|---|---|
| Informing users via newsletters | Allows GrantAssistant to keep users informed about new funding opportunities and deadlines. | Full name, email address, phone number | Consent (GDPR Art.6.1.a) | Duration of Contract, and 45 working days after the termination of the contract. | All (see section 6 below) |
| Informing users about System Status | Allows GrantAssistant to inform users about platform notifications. | Interaction: Support tickets, email correspondence logs, FAQ usage history. | Consent (GDPR Art.6.1.a) | Duration of Contract, and 45 working days after the termination of the contract. | All except right to data portability (see section 6 below) |

4. Third-party services relied on and intended international transfers of your data:

4.1 Visiting our website

| a. Third parties / categories of 3rd parties | b. Purpose served | c. International transfers of data |
|---|---|---|
| User behaviour analytics tools | Collecting and analyzing website visitor analytics | United States through Data Processing Agreement with Standard Contractual Clauses |
| Website building and hosting service | Building and hosting the website | United States through Data Processing Agreement with Standard Contractual Clauses |

4.2 Prospective and existing customers

| d. Third parties / categories of 3rd parties | e. Purpose served | f. International transfers of data |
|---|---|---|
| CRM | Storage and management of prospective and current customers | United States through Data Processing Agreement with Standard Contractual Clauses |
| Cloud Hosting solution | Hosting the service/product | United States through Data Processing Agreement with Standard Contractual Clauses |
| Customer Service Platform | Providing customer service support e.g. responding to customer queries and feedback | United States through Data Processing Agreement with Standard Contractual Clauses |

4.3 Marketing and outreach activities

| g. Third parties / categories of 3rd parties | h. Purpose served | i. International transfers of data |
|---|---|---|
| CRM | Storage and management of prospective and current customers | United States through Data Processing Agreement with Standard Contractual Clauses |
| Cloud Email Sending Service | Sending emails for marketing purposes | United States through Data Processing Agreement with Standard Contractual Clauses |

5. How we protect your data:

We use the following organisational, technical and administrative measures to protect personal data under our control.

  • Access controls
    • Role-based permission assignments aligned with job responsibilities.
    • Electronic access control systems with individual credentials and robust authentication.
  • Physical Security
    • Secure facility entry points requiring keycards or biometrics.
    • 24/7 on-site security, complemented by CCTV surveillance and intrusion detection.
    • Strict visitor protocols, including identification checks and supervised access.
  • Pseudonymisation
    • Pseudonymization to minimize exposure of personal identifiers.
    • Tokenization of critical fields to reduce the risk of data misuse.
  • Encryption
    • TLS (in transit).
    • AES-256 (at rest).
  • Availability
    • Multiple network and power sources (UPS, backup generators).
    • High-availability server clusters with automatic failover.
    • Daily incremental and weekly full backups are stored off-site.
    • Biannual testing of comprehensive disaster recovery procedures.
    • Environmentally friendly fire suppression systems.
    • 24/7 real-time monitoring of system performance.
    • Climate regulation for optimal operating conditions.
    • Early warning systems for critical environmental factors (e.g., temperature, humidity).
  • Data privacy and confidentiality
    • Enforceable confidentiality agreements for employees and subcontractors.
    • Recurring staff training on GDPR obligations and data handling.
    • Documented protocols for secure transmission and storage of sensitive data.
    • Secure erasure or destruction of data upon contract completion, meeting legal requirements.
  • Data integrity and confidentiality
    • Formal plan for breach detection, containment, and notification.
    • Regular vulnerability scanning.
    • Regular assessments by certified internal specialists.
    • Prompt remediation of discovered vulnerabilities.
    • VPN access is supplemented by multi-factor authentication (MFA).
    • Ongoing updates to firewalls and intrusion prevention systems.
    • Defined user privileges (read, write, modify, delete) according to role.
    • Segregation of duties to reduce risks of unauthorized changes.
    • Comprehensive logs recording data access and system modifications.
    • Regular log reviews to identify anomalies or unauthorized activities.
    • Distinct environments for development, testing, and production.
    • Controlled release processes to minimize vulnerabilities during deployment.
    • Cryptographic checks to maintain data consistency.
    • Secure handling and certified disposal of physical media.
  • Incident response
    • Development and maintenance of a comprehensive incident response plan specifically addressing data and AI systems.
    • Regular incident response drills to prepare for potential security incidents.
    • Affected systems are isolated promptly to prevent further damage.

If you have reason to believe that your interaction with us is no longer secure (for example, if you feel that the security of any account you might have with us has been compromised), please immediately notify us of the problem by contacting us at privacy@grantassistant.ai.

6. Exercising your data subject rights:

You have the following rights with respect to us regarding the data relating to you:

  • Right to information about your stored personal data, its origin and possible recipients and the purpose of the data processing (Art. 15 GDPR);
  • Right to rectification of inaccurate data (Art. 16 GDPR);
  • Right to erasure of processed personal data, unless processed to fulfill a legal obligation or public interest (Art. 17 GDPR), or there are statutory retention periods;
  • Right to restriction of processing (Art. 18 GDPR);
  • Right to data portability but only in instances where data is processed on the basis of consent or performance of a contract (Art. 20 GDPR).

You have the right to revoke your consent at any time. This means that we will no longer process the data based on this consent in the future. The revocation of consent does not affect the lawfulness of the processing carried out on the basis of the consent until the revocation.

If we process your data on the basis of legitimate interests, you have the right to object to the processing of your data at any time on grounds relating to your particular situation. If it is a matter of objecting to the processing of data for direct marketing purposes, you have a general right of objection, which will also be implemented by us without giving reasons.

If you wish to exercise your right of revocation or objection, it is sufficient to send an informal message to the above contact details.

Please get in touch using the following: privacy@grantassistant.ai.

When you submit your request by email, you will receive a copy at the email address you indicate. We will strive to address your data subject rights request as soon as possible, and no later than within a month of receiving it.

If you are in the EU and have not received a response from us or are not satisfied with our response, you have the right to lodge a complaint with the data protection authority where you reside.