Back to Dashboard

Legal

Privacy Policy

Last updated: May 2026

1. Who we are

GraftLabs AI Ltd is a company registered in England and Wales. We operate the GraftLabs platform — a private AI-powered business advisory tool for founders and business owners. We are the data controller for personal data processed through this platform.

Contact us at hello@graftlabs.uk for any privacy-related queries, including requests for our registered address.

2. What data we collect

We collect and process the following categories of personal data:

  • Account information — your email address and authentication credentials
  • Profile data — your name, business name, and business context you provide during onboarding
  • Conversation data — messages you send to the AI Co-Pilot and responses received
  • Brain dumps — short-form notes and thoughts you log in the platform
  • Uploaded documents — business files you store in the Business Vault
  • Check-in responses — your weekly reflection answers
  • Usage data — how you interact with the platform (pages visited, features used, last active timestamps)
  • Billing data — subscription status and payment history (we do not store card details)

3. How we use your data

We use your data to:

  • Provide and improve the GraftLabs service
  • Generate AI responses contextualised to your business situation
  • Build and maintain a long-term memory of your business context to improve advice quality over time
  • Send service-related communications (account confirmation, password reset, subscription updates)
  • Process subscription payments and manage your account tier

We do not sell your data to third parties. We do not use your personal data or conversation content to train AI models.

4. Data processors and international transfers

We use the following third-party processors to operate the platform. Where a processor is based outside the UK or EEA, we have ensured appropriate safeguards are in place — typically the UK International Data Transfer Agreement (UK IDTA) or Standard Contractual Clauses (SCCs) approved by the ICO.

Database & authentication provider

Country: Ireland (EU)

Purpose: Secure storage of all account data, member records, and authentication. All primary personal data is held within the EU.

Transfer basis: EEA — no transfer

AI model provider

Country: United States

Purpose: Powers the AI Co-Pilot. Processes conversation content to generate responses. Data is not retained for model training.

Transfer basis: UK IDTA / SCCs

Semantic search provider

Country: United States

Purpose: Enables contextual memory and search across your conversation history. Processes text to generate vector representations; no personal data is stored by this provider beyond the processing window.

Transfer basis: UK IDTA / SCCs

Cloud hosting provider

Country: United States

Purpose: Hosts and delivers the GraftLabs application. Processes requests in transit; no persistent personal data stored beyond standard infrastructure logs.

Transfer basis: UK IDTA / SCCs

Transactional email provider

Country: United States

Purpose: Delivers service emails such as account confirmation, password reset, and platform notifications. Processes your email address and message content.

Transfer basis: UK IDTA / SCCs

Payment processing provider

Country: United States / Ireland

Purpose: Handles subscription billing and payment processing. Acts as an independent data controller for payment data; GraftLabs does not store card details.

Transfer basis: UK IDTA / SCCs

Each processor operates under a data processing agreement (DPA) with GraftLabs AI Ltd and is required to process your data only in accordance with our instructions and applicable data protection law. To request copies of applicable SCCs or DPAs, contact us at hello@graftlabs.uk.

5. Legal basis for processing

We process your personal data on the following legal bases under UK GDPR:

  • Contract — processing necessary to provide the GraftLabs service you signed up for
  • Legitimate interests — improving our service, security monitoring, and fraud prevention
  • Legal obligation — where required to comply with applicable law

6. Data retention

We retain your personal data for as long as your account is active. If you close your account or request deletion, we will erase your personal data within 30 days, except where we are required to retain certain records for legal or accounting purposes (typically 6 years).

To request deletion, email hello@graftlabs.uk.

7. Your rights (UK GDPR)

Under UK GDPR, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — correct inaccurate or incomplete data
  • Erasure — request deletion of your data (“right to be forgotten”)
  • Restriction — ask us to limit how we use your data in certain circumstances
  • Portability — receive your data in a structured, machine-readable format
  • Objection — object to processing based on legitimate interests
  • Complaint — lodge a complaint with the Information Commissioner’s Office at ico.org.uk

To exercise any of these rights, email hello@graftlabs.uk. We will respond within one calendar month.

8. Security

All data is encrypted in transit (TLS 1.2+) and at rest. Access to personal data is restricted to authorised personnel only. We conduct regular reviews of our security practices and access controls. Our primary database is hosted in the European Union.

9. Cookies

We use strictly necessary cookies only — specifically session cookies required to keep you logged in. We do not use advertising, analytics, or third-party tracking cookies.

10. Changes to this policy

We may update this policy from time to time to reflect changes in our processing activities or applicable law. We will notify you of material changes via email or an in-app notice. The date at the top of this page always reflects when it was last updated.

11. Contact

For any privacy-related queries, subject access requests, or to exercise your rights, contact us at hello@graftlabs.uk.