Legal
Last updated: May 2026
GraftLabs AI Ltd is a company registered in England and Wales. We operate the GraftLabs platform — a private AI-powered business advisory tool for founders and business owners. We are the data controller for personal data processed through this platform.
Contact us at hello@graftlabs.uk for any privacy-related queries, including requests for our registered address.
We collect and process the following categories of personal data:
We use your data to:
We do not sell your data to third parties. We do not use your personal data or conversation content to train AI models.
We use the following third-party processors to operate the platform. Where a processor is based outside the UK or EEA, we have ensured appropriate safeguards are in place — typically the UK International Data Transfer Agreement (UK IDTA) or Standard Contractual Clauses (SCCs) approved by the ICO.
Database & authentication provider
Country: Ireland (EU)
Purpose: Secure storage of all account data, member records, and authentication. All primary personal data is held within the EU.
Transfer basis: EEA — no transfer
AI model provider
Country: United States
Purpose: Powers the AI Co-Pilot. Processes conversation content to generate responses. Data is not retained for model training.
Transfer basis: UK IDTA / SCCs
Semantic search provider
Country: United States
Purpose: Enables contextual memory and search across your conversation history. Processes text to generate vector representations; no personal data is stored by this provider beyond the processing window.
Transfer basis: UK IDTA / SCCs
Cloud hosting provider
Country: United States
Purpose: Hosts and delivers the GraftLabs application. Processes requests in transit; no persistent personal data stored beyond standard infrastructure logs.
Transfer basis: UK IDTA / SCCs
Transactional email provider
Country: United States
Purpose: Delivers service emails such as account confirmation, password reset, and platform notifications. Processes your email address and message content.
Transfer basis: UK IDTA / SCCs
Payment processing provider
Country: United States / Ireland
Purpose: Handles subscription billing and payment processing. Acts as an independent data controller for payment data; GraftLabs does not store card details.
Transfer basis: UK IDTA / SCCs
| Processor | Country | Purpose | Transfer basis |
|---|---|---|---|
| Database & authentication provider | Ireland (EU) | Secure storage of all account data, member records, and authentication. All primary personal data is held within the EU. | EEA — no transfer |
| AI model provider | United States | Powers the AI Co-Pilot. Processes conversation content to generate responses. Data is not retained for model training. | UK IDTA / SCCs |
| Semantic search provider | United States | Enables contextual memory and search across your conversation history. Processes text to generate vector representations; no personal data is stored by this provider beyond the processing window. | UK IDTA / SCCs |
| Cloud hosting provider | United States | Hosts and delivers the GraftLabs application. Processes requests in transit; no persistent personal data stored beyond standard infrastructure logs. | UK IDTA / SCCs |
| Transactional email provider | United States | Delivers service emails such as account confirmation, password reset, and platform notifications. Processes your email address and message content. | UK IDTA / SCCs |
| Payment processing provider | United States / Ireland | Handles subscription billing and payment processing. Acts as an independent data controller for payment data; GraftLabs does not store card details. | UK IDTA / SCCs |
Each processor operates under a data processing agreement (DPA) with GraftLabs AI Ltd and is required to process your data only in accordance with our instructions and applicable data protection law. To request copies of applicable SCCs or DPAs, contact us at hello@graftlabs.uk.
We process your personal data on the following legal bases under UK GDPR:
We retain your personal data for as long as your account is active. If you close your account or request deletion, we will erase your personal data within 30 days, except where we are required to retain certain records for legal or accounting purposes (typically 6 years).
To request deletion, email hello@graftlabs.uk.
Under UK GDPR, you have the right to:
To exercise any of these rights, email hello@graftlabs.uk. We will respond within one calendar month.
All data is encrypted in transit (TLS 1.2+) and at rest. Access to personal data is restricted to authorised personnel only. We conduct regular reviews of our security practices and access controls. Our primary database is hosted in the European Union.
We use strictly necessary cookies only — specifically session cookies required to keep you logged in. We do not use advertising, analytics, or third-party tracking cookies.
We may update this policy from time to time to reflect changes in our processing activities or applicable law. We will notify you of material changes via email or an in-app notice. The date at the top of this page always reflects when it was last updated.
For any privacy-related queries, subject access requests, or to exercise your rights, contact us at hello@graftlabs.uk.