← Grej

Effective version 2026-07-06

Grej — Privacy Policy (DRAFT)

DRAFT — NOT LEGAL ADVICE. Working draft for review by qualified Finnish/EU data-protection counsel and to be reconciled with the actual data flows before publication. Bracketed items […] and every [TO VERIFY] flag must be resolved first. Companion: COMPLIANCE-ANALYSIS.md, END-USER-LICENSE-AGREEMENT.md.

1. Who we are (Controller)

[Grej Oy / legal name], [address], is the data controller for the personal data processed through the Grej application and platform. Contact: [privacy@grej…]. [Data Protection Officer / representative, if appointed: …].

For business and operator customers who use Grej to process personal data of their own customers or guests, Grej acts as a processor; that processing is governed by a separate Data Processing Agreement.

2. What data we process

3. Purposes and legal bases (GDPR Art. 6)

Purpose Data Legal basis
Provide the Service (Digital Twins, AI assistant, storage) Account, asset, uploaded content Contract (Art. 6(1)(b))
AI processing of your uploads to deliver features to you Uploaded content, derived data Contract (Art. 6(1)(b))
Metering, quotas and billing AI usage, payment Contract; legal obligation for invoicing
Security, fraud and abuse prevention Technical, usage Legitimate interest (Art. 6(1)(f))
Product analytics to improve the Service Pseudonymous events Consent or legitimate interest, per local rules
Contribution to cross-owner/fleet intelligence De-identified signals Explicit, revocable consent (Art. 6(1)(a))
Marketing communications Contact Consent

4. How AI processes your content

To provide AI features, your uploaded content and asset data are processed by our AI sub-processor (Google — Gemini/Vertex AI). Key points:

5. Sub-processors and international transfers

We use sub-processors to run the Service, including: Google Cloud (hosting; region europe-north1, EU), Google Gemini/Vertex AI (AI processing — see §4 [TO VERIFY region]), [Stripe] (payments), and [analytics provider / first-party]. A current sub-processor list is available at [link]. Where personal data is transferred outside the EU/EEA, we rely on an adequacy decision or Standard Contractual Clauses. [TO VERIFY all transfer mechanisms.]

6. Sharing your data

We share your data only: with the household members, collaborators, and (for operator accounts) the temporary guests you designate; with sub-processors under contract (§5); and where required by law. We do not sell your personal data.

7. Retention

We retain personal data for as long as your account is active and as needed to provide the Service. AI inputs sent to the model provider are transient (the Files API copy is deleted within ~48h; the durable copy is your own upload in our storage). On account deletion, we delete or anonymise your personal data; aggregated/de-identified and metering records may be retained in anonymised form. [Define specific retention periods per data type.]

8. Your rights

Subject to applicable law, you may: access your data; correct it; delete it; obtain a portable copy; restrict or object to certain processing; and withdraw consent at any time (including for fleet contribution and marketing). To exercise these rights contact [privacy@grej…]. You may also lodge a complaint with your supervisory authority — in Finland, the Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto).

9. Fleet / community-intelligence contribution

Contribution of de-identified lifecycle signals to any cross-owner intelligence layer is off by default and requires your explicit consent, which you can withdraw at any time. These signals are de-identified by construction and do not include your identity or your copyrighted materials.

10. Children

The Service is not directed at children under [16 / the local digital-consent age]. Within a Family workspace, accounts for minors are managed by the adult account Owner, who is responsible for any required parental consent.

11. Security

We apply technical and organisational measures appropriate to the risk (GDPR Art. 32), including encryption in transit, access controls, tenant isolation, and the principle that uploads and derived data stay scoped to their owner.

12. Data location

Primary hosting and storage are in the EU (europe-north1). AI processing region: see §4 [TO VERIFY].

13. Changes and contact

We will update this policy as needed and notify you of material changes. Questions: [privacy@grej…].


Draft v0.1 — for counsel review. Resolve every [TO VERIFY] before publication.