Privacy Policy
1.Who We Are
Grapescale is a product of Vent Neuf Limited, a company incorporated in Ireland (Company Number 802038), with its registered office at The Black Church, St. Mary's Place, Dublin 7, Ireland, D07 P4AX.
For the purposes of the EU General Data Protection Regulation (GDPR), Vent Neuf Limited is the data controller responsible for your personal data.
Contact: [email protected]
2.What Grapescale Does
Grapescale is an AI-powered platform that helps businesses generate personalised cold email content for sales outreach. Users create projects, upload lead information, configure email style preferences, and use AI to generate email drafts. Grapescale generates email content — it does not send emails on your behalf.
3.What Data We Collect
3.1Account Data
When you create an account, we collect:
- First name and last name
- Email address
- Password (stored in hashed form by our authentication provider)
- Email verification status
- Account creation date
If you sign up via Google, we receive your name, email address, and profile information from Google via OAuth.
3.2Company & Project Data
When you set up a project or complete onboarding, we collect:
- Company name, website URL, and description
- Your offer/value proposition and success stories
- Social media links
- Email sender name and signature
- Email style preferences (tone, language, emoji usage, follow-up configuration, custom rules)
- Call-to-action text
3.3Website Enrichment Data
When you provide a website URL, our system accesses publicly available information on that website to auto-populate project fields such as company name, description, offer details, success stories, and social links. Only publicly accessible content is retrieved.
3.4Lead Data
When you upload leads (contacts you wish to generate emails for), the data may include:
- First name, last name, and email address
- Company name and website
- Job title
- LinkedIn profile URL
- Phone number
- Any custom fields you define
Important: You are responsible for ensuring you have a lawful basis to provide us with the personal data of your leads. See Section 8 for more detail.
3.5Generated Email Content
We store the AI-generated email subjects and bodies, including follow-up sequences, along with associated metadata (generation status, timestamps, credit cost).
3.6Payment & Billing Data
When you subscribe to a paid plan or purchase credits, we collect:
- Subscription plan and billing period
- Card brand and last four digits (for display purposes only)
- Billing cycle and subscription status
- Cancellation reason (if you cancel)
Full payment card details are handled exclusively by Stripe and are never stored on our servers.
3.7Usage & Activity Data
We track service usage internally, including:
- Number of emails generated and credits consumed
- Projects created, leads imported, and exports downloaded
- Notification history
- Generation job progress
3.8Technical Data
- Authentication tokens (session management)
- API request timestamps
- Browser cookies required for authentication (see Section 11)
4.How We Use Your Data
| Purpose | Lawful Basis (GDPR) |
|---|---|
| Create and manage your account | Performance of contract |
| Generate personalised email content using AI | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Provide customer support | Performance of contract |
| Enrich project data via website scraping | Performance of contract |
| Track credit usage and enforce plan limits | Performance of contract |
| Send service-related notifications | Performance of contract |
| Maintain platform security and prevent abuse | Legitimate interest |
| Improve our AI models and service quality | Legitimate interest |
| Comply with legal and regulatory obligations | Legal obligation |
We do not use your data for third-party advertising or sell your personal data to anyone.
5.Third-Party Service Providers
We share data with the following processors, who act on our instructions:
| Provider | Purpose | Location |
|---|---|---|
| AWS Cognito | User authentication | EU (Ireland) |
| Stripe | Payment processing | EU/US |
| AI Providers | Email generation | Per provider terms |
All third-party processors are bound by data processing agreements that require them to protect your data in accordance with GDPR.
6.International Data Transfers
Our primary infrastructure is hosted in the EU (Ireland). Where data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place, including:
- EU Standard Contractual Clauses (SCCs)
- Adequacy decisions by the European Commission
- Certification under recognised frameworks
7.Data Retention
| Data Type | Retention Period |
|---|---|
| Account data | Retained while active; deleted within 30 days of deletion request |
| Project and email data | Retained while active; deleted with your account |
| Lead data | Retained while project exists; deleted when project is deleted |
| Payment records | 7 years (Irish tax/accounting obligations) |
| Exports | Limited time after creation, then auto-removed |
| Authentication logs | Up to 12 months (security purposes) |
You can delete individual projects and their associated leads and emails at any time through the platform.
8.Your Responsibilities as a Data Controller
When you upload lead data (names, emails, job titles, etc.) to Grapescale, you are the data controller for that lead data, and we act as your data processor.
You are responsible for:
- Having a lawful basis (e.g., legitimate interest) to process your leads' personal data
- Providing appropriate privacy notices to your leads where required
- Responding to data subject requests from your leads
- Ensuring the lead data you upload is accurate and lawfully obtained
We process lead data solely to provide you with the email generation service and do not use it for any other purpose.
9.Your Rights Under GDPR
As a data subject in the EU/EEA, you have the right to:
- Access — Request a copy of the personal data we hold about you
- Rectification — Request correction of inaccurate data
- Erasure — Request deletion of your personal data (right to be forgotten)
- Restriction — Request that we limit how we process your data
- Data Portability — Receive your data in a structured, machine-readable format
- Object — Object to processing based on legitimate interest
- Withdraw Consent — Where processing is based on consent, withdraw it at any time
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
If you are not satisfied with our response, you have the right to lodge a complaint with the Data Protection Commission (DPC) of Ireland: www.dataprotection.ie
10.Data Security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption of data in transit (TLS/HTTPS)
- Secure authentication via AWS Cognito with OAuth 2.0
- Bearer token authentication on all API endpoints
- Password hashing (never stored in plaintext)
- Route-level access controls
- Email verification requirement for new accounts
- Regular security reviews of our infrastructure
12.Children's Privacy
Grapescale is a business tool not intended for use by anyone under the age of 18. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will delete it promptly.
13.Changes to This Policy
We may update this privacy policy from time to time. When we make material changes, we will notify you by email or through the platform. The 'Last Updated' date at the top of this page indicates when the policy was last revised.
Your continued use of Grapescale after changes are posted constitutes acceptance of the updated policy.
14.Contact Us
If you have any questions about this privacy policy or how we handle your data:
Vent Neuf Limited
The Black Church, St. Mary's Place
Dublin 7, Ireland, D07 P4AX
Email: [email protected]
15.Data Processing Agreement
If you require a formal Data Processing Agreement (DPA) for lead data you upload to Grapescale, please contact us at [email protected] and we will provide one.