Privacy Policy

Last updated: Pre-launch draft

This policy explains what data Grid collects, where it comes from, how long we keep it, and what rights you have over it. Plain language; no dark patterns. Questions? privacy@gridplanner.app.

1. What we collect about you

When you sign up and use Grid, we collect:

  • Email address, used as your sign-in identifier (Supabase magic-link auth).
  • Workspace data you create: scheduled posts, captions, drafts, asset uploads, comments, mentions, tag definitions.
  • Usage data: which features you use, error logs, request timestamps. Used for performance monitoring and abuse prevention. We do not run third-party analytics or advertising trackers.
  • Payment information (when paid plans launch): card data is collected and stored by Stripe; we never see or store full card numbers. We retain a customer ID, last-four digits, and billing email for receipts.

2. What we collect about Instagram profiles you track

Grid syncs and displays public profile data for the Instagram handles you choose to track. For each tracked handle, we collect:

  • For your own connected accounts: handle, display name, bio, follower count, following count, post count, post images and captions, engagement counts (likes, comments) — all from the publicly visible profile page.
  • For competitors you add: the same categories of public profile data — handle, display name, follower count, post images and captions, like and comment counts. Grid stores this in a profile-data field that captures the same fields visible on the public profile page; we do not request authenticated fields from our scraping provider.
  • For inspo references: image URLs, captions, and notes you save when adding inspiration links. Inspo accepts links from Instagram, TikTok, and Pinterest.

We do not collect: private direct messages, private account content, email addresses of Instagram users, phone numbers, location data, or any information that requires logging in to view.

3. Where this data comes from

Public Instagram profile data is fetched from publicly accessible profile pages — the same pages anyone can view without an Instagram account. Grid does not log into Instagram, bypass authentication, or scrape private accounts.

Recent U.S. federal court rulings (Meta v. Bright Data, 2024) confirm that scraping publicly available data is legal under U.S. federal law. Grid operates within that framework.

Grid is not affiliated with, endorsed by, or sponsored by Meta Platforms, Inc.

4. How long we keep it

  • Your account data: retained until you delete your account.
  • Instagram public profile data: refreshed on each sync. Competitor data is cached for up to 7 days; cache hits skip the upstream fetch.
  • Deleted workspaces: database rows are removed on workspace delete via cascade. Storage objects (images, video files) are cleaned up asynchronously within 30 days.
  • Audit and admin logs: retained indefinitely while the workspace exists; required for security and compliance.

5. Your rights

You can exercise the following rights over your own data:

  • Access: request a copy of the data we hold about you. Email hello@gridplanner.app.
  • Deletion: delete your account anytime via Settings → Account.
  • Correction: update your account email, workspace settings, and any user-created content in-app.
  • Portability: request a machine-readable export of your data. Email hello@gridplanner.app.

6. Right to erasure for Instagram users

If you are an Instagram user and your public profile data has been collected by a Grid customer (as a competitor or inspo reference), you can request its removal from Grid.

Submit a request via the erasure request form, or email privacy@gridplanner.app with the Instagram handle in question. We review every request manually and respond within 30 days.

Note: Grid does not contact Instagram users. We only store public profile data that other Grid users have explicitly chosen to track.

7. Third parties we use

We rely on the following processors. Each operates under its own privacy policy and applicable data-protection agreements:

  • Supabase — database, auth, file storage. Hosted in the United States.
  • Vercel — application hosting and edge network.
  • Resend — transactional email delivery (sign-in links, invites, notifications).
  • Apify — public Instagram profile data collection. Apify accesses public profile pages on our behalf; no Instagram login is involved.
  • Anthropic — AI caption generation. Captions and brand-voice prompts you submit are sent to Anthropic for processing. Anthropic does not retain content for training.
  • Stripe (when paid plans launch) — payment processing. Card data is collected and stored by Stripe; Grid never sees full card numbers.

8. Data security

  • All traffic is encrypted in transit (HTTPS / TLS).
  • All data is encrypted at rest using Supabase's standard encryption.
  • Row-level security (RLS) policies prevent cross-workspace data access at the database layer.
  • Service-role keys are server-only and never exposed to client code.
  • Sign-in is via single-use magic links; no passwords are stored.

9. Children's privacy

Grid is not intended for users under 13. We do not knowingly collect personal data from children under 13. If you believe a child has signed up, email privacy@gridplanner.app and we will delete the account.

10. Changes to this policy

We may update this policy from time to time. Material changes will be announced via email to registered users with at least 14 days' notice before taking effect. Continued use after the effective date constitutes acceptance.

11. Contact