
Privacy Policy

Last updated May 4, 2026 · Effective May 4, 2026

This Privacy Policy explains what personal information we collect when you use Grafica, how we use it, who we share it with, and the rights you have over your information.

On this page
  1. Introduction
  2. Who is Responsible for Your Data
  3. Information We Collect
  4. How We Use Information
  5. Legal Bases for Processing (EEA, UK, and Switzerland)
  6. AI-Powered Features
  7. How We Share Information
  8. International Data Transfers
  9. Cookies and Similar Technologies
  10. Data Retention
  11. Your Rights
  12. U.S. State Privacy Rights
  13. Australian Privacy Notice
  14. Children's Privacy
  15. Security
  16. Changes to This Policy
  17. Contact Us

1. Introduction

Grafica ("we," "us," or "our") provides a diagramming and collaboration platform (the "Service"). This Privacy Policy explains what personal information we collect, how we use it, who we share it with, and the rights you have over your information.

This Policy applies to your use of Grafica AI, our websites, applications, and APIs. It should be read together with our Terms of Service.

2. Who is Responsible for Your Data

2.1 Individual Accounts

If you signed up for an individual account, we act as the controller of your personal information and are responsible for how it is processed.

2.2 Team and Business Accounts (Tenants)

If you use the Service as part of a team, organization, or business workspace (a "Tenant"), the Tenant administrator is generally the controller of personal information and content within that Tenant, and we act as a processor on their behalf. In that case, the Tenant's own privacy policy may govern how your information is handled. Please contact your Tenant administrator with questions about your Tenant's data practices.

We remain a controller for limited categories of information (such as account-level identity, billing, and security data) regardless of whether you use the Service through a Tenant.

3. Information We Collect

3.1 Information You Provide

We collect information you provide when you use the Service, including:

  • Account information: name, email address, password (hashed), profile details, and organization name.
  • Billing information: billing name, billing address, tax identifiers, and the last four digits of your payment method. Full payment card details are processed by our payment processor and not stored on our systems.
  • User Content: diagrams, documentation, comments, custom icons, file uploads, and other content you create or upload to the Service.
  • Communications: messages you send to support, feedback, and survey responses.

3.2 Information Collected Automatically

When you use the Service, we automatically collect:

  • Usage data: features used, actions taken (such as creating, editing, or sharing diagrams), session duration, and similar telemetry.
  • Device and log data: IP address, browser type and version, operating system, device identifiers, referring URLs, and timestamps.
  • Cookies and similar technologies: see Section 9 for details.

3.3 Information from Third Parties

We may receive information about you from:

  • Single sign-on (SSO) and identity providers, when you choose to sign in using a third-party account.
  • Tenant administrators, when they invite you to or manage you within their Tenant.
  • Payment processors, regarding the status of your transactions.
  • Analytics, security, and fraud-prevention partners.

4. How We Use Information

We use personal information for the following purposes:

  • Providing the Service: creating and managing your account, hosting your User Content, enabling collaboration, and delivering features you request.
  • Billing and payments: processing subscriptions, calculating usage and overage charges, issuing invoices, and preventing payment fraud.
  • Service improvement: understanding how the Service is used, diagnosing issues, and developing new features.
  • AI Features: processing inputs and generating outputs from AI-powered diagramming features (see Section 6).
  • Security and abuse prevention: detecting unauthorized access, abuse, and violations of our Terms of Service.
  • Communications: sending transactional messages (such as account, billing, and security notices) and, where permitted, product updates and marketing.
  • Legal and compliance: complying with applicable laws, responding to lawful requests, enforcing our Terms, and protecting our rights.

5. Legal Bases for Processing (EEA, UK, and Switzerland)

If you are located in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under GDPR (and equivalent UK/Swiss law) to process your personal information:

  • Contract: to provide the Service you have signed up for and fulfill our obligations under our Terms of Service.
  • Legitimate interests: to operate, secure, and improve the Service, prevent fraud and abuse, and conduct business analytics, where these interests are not overridden by your rights.
  • Consent: for certain optional processing such as marketing emails or non-essential cookies. You may withdraw consent at any time.
  • Legal obligation: to comply with applicable laws, including tax and accounting requirements.

6. AI-Powered Features

The Service includes features that use artificial intelligence and machine learning, including diagram generation and iterative refinement assistants ("AI Features").

6.1 Inputs and Outputs

When you use AI Features, the prompts, diagrams, documentation, and other content you submit ("Inputs") and the content generated in response ("Outputs") are processed to deliver the requested functionality. Inputs and Outputs are treated as User Content under our Terms of Service.

6.2 Third-Party AI Providers

We use third-party AI model providers to power some AI Features. Inputs and Outputs may be transmitted to these providers solely for the purpose of generating the requested response. We have contractual safeguards in place with our AI providers, including commitments that your Inputs are not used to train their general-purpose foundation models.

6.3 Improving Our Own Models

We do not train general-purpose AI models on your User Content. Where we use aggregated or de-identified data to improve the Service or our internal AI tooling, we do so in a manner that does not identify you or your Tenant. You may opt out of any non-essential use of your data for product improvement through your account settings, where such an option is offered.

7. How We Share Information

We share personal information only as described below.

7.1 Within Your Tenant

If you are a member of a Tenant, your profile information, activity, and User Content created within the Tenant may be visible to other Tenant members and administrators in accordance with their assigned roles and permissions.

7.2 Service Providers and Subprocessors

We share information with third-party vendors who help us operate the Service, including:

Category | Purpose | Examples
Cloud hosting and storage | Hosting the Service and storing User Content | AWS (including S3) and PostgreSQL infrastructure
Payment processing | Processing subscription and overage charges | [Payment processor]
AI model providers | Powering AI-driven diagramming features | [AI provider(s)]
Analytics | Understanding product usage and performance | [Analytics provider]
Customer support | Responding to support requests | [Support tool]
Email and communications | Sending transactional and marketing emails | [Email provider]
Security and fraud prevention | Detecting and preventing abuse | [Security vendor]

7.3 Legal and Safety

We may disclose information when we believe in good faith that disclosure is necessary to comply with a legal obligation, respond to lawful requests by public authorities, enforce our Terms, or protect the rights, property, or safety of us, our users, or others.

7.4 Business Transfers

If we are involved in a merger, acquisition, financing, reorganization, or sale of assets, personal information may be transferred as part of that transaction. We will notify you of any such transfer and any choices you may have.

7.5 With Your Consent

We may share information with third parties when you direct us to do so, such as when you connect a third-party integration.

7.6 No Sale of Personal Information

We do not sell personal information for monetary consideration. Some privacy laws (such as the CCPA/CPRA) define "sale" and "share" broadly; see Section 12 for details on how we handle such activities and your related rights.

8. International Data Transfers

We are based in Australia and our service providers may operate in various countries. When we transfer personal information across borders, we use lawful transfer mechanisms, such as Standard Contractual Clauses approved by the European Commission, the UK International Data Transfer Addendum, or equivalent safeguards. Where a transfer is to a country with an adequacy decision, we rely on that decision.

9. Cookies and Similar Technologies

We use cookies and similar technologies to operate, secure, and improve the Service. Cookies fall into the following categories:

  • Strictly necessary: required for core functionality such as authentication and security.
  • Functional: remember your preferences and settings.
  • Analytics: help us understand how the Service is used.
  • Marketing: used to deliver and measure marketing campaigns (only with consent where required).

You can manage cookie preferences through your browser settings or our cookie preference center, where available.

10. Data Retention

We retain personal information for as long as necessary to provide the Service and for the purposes described in this Policy, unless a longer retention period is required by law (for example, for tax, accounting, or dispute-resolution purposes).

10.1 Account Deletion

When you delete your individual account, we mark the account as deleted and disable access. After a grace period, we anonymize the personal information associated with the account. Following a further period, the underlying records are permanently deleted in accordance with our retention schedule.

10.2 Tenant Deletion

Deletion of a Tenant is an explicit action initiated by an authorized administrator and is never triggered automatically by an individual user action. Following Tenant deletion, Tenant data is briefly retained to allow recovery from accidental deletion and is then permanently removed.

10.3 Backups

Backups are retained for a limited period and are overwritten on a rolling basis. Information may persist in backups for a short time after deletion, but will not be restored to active systems except as required for disaster recovery.

10.4 Aggregated and De-identified Data

We may retain aggregated or de-identified information indefinitely for analytics, research, and product improvement, provided it can no longer reasonably identify you.

11. Your Rights

Depending on where you live, you may have some or all of the following rights with respect to your personal information:

  • Access: request a copy of the personal information we hold about you.
  • Correction: ask us to correct inaccurate or incomplete information.
  • Deletion: request deletion of your personal information, subject to limited exceptions.
  • Portability: receive your information in a structured, commonly used, machine-readable format.
  • Objection and restriction: object to or restrict certain processing, including direct marketing.
  • Withdraw consent: where processing is based on consent, withdraw it at any time.
  • Lodge a complaint: file a complaint with your local data protection authority.

Many of these rights can be exercised directly through your account settings. Otherwise, please contact us at admin@grafica-ai.com. If you are a member of a Tenant, you may need to direct certain requests to your Tenant administrator, and we will assist them as required.

We will not discriminate against you for exercising your privacy rights.

12. U.S. State Privacy Rights

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, or another U.S. state with a comprehensive privacy law, you have specific rights regarding your personal information, including the rights to know, access, correct, delete, and obtain a copy of your personal information, and to opt out of targeted advertising and the "sale" or "sharing" of personal information as those terms are defined under applicable law.

As noted above, we do not sell personal information for monetary consideration. To the extent any of our analytics or advertising activities constitute a "sale" or "share" under your state's law, you may opt out using the controls in our cookie preference center or by contacting us. We honor Global Privacy Control (GPC) signals where required.

California residents may also designate an authorized agent to make a request on their behalf. To submit a request, contact us at admin@grafica-ai.com. We will verify your identity before responding.

13. Australian Privacy Notice

If you are in Australia, we handle personal information in accordance with the Australian Privacy Principles (APPs) under the Privacy Act 1988 (Cth). You have the right to access and correct your personal information and to make a complaint about how we handle it. If you are not satisfied with our response, you may contact the Office of the Australian Information Commissioner (OAIC).

14. Children's Privacy

The Service is not directed to children under the age of 16 (or the minimum age of digital consent in your jurisdiction). We do not knowingly collect personal information from children. If you believe a child has provided us personal information without appropriate consent, please contact us and we will take steps to delete it.

15. Security

We implement reasonable technical and organizational measures designed to protect personal information against unauthorized access, disclosure, alteration, and destruction. These measures include encryption in transit, access controls, monitoring, and regular security reviews. However, no system is completely secure, and we cannot guarantee absolute security.

If you become aware of a security issue, please contact us at admin@grafica-ai.com.

16. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (for example, by email or through the Service) before they take effect. The "Last updated" date at the top of this Policy indicates when it was last revised.

17. Contact Us

If you have questions or concerns about this Privacy Policy or our handling of your personal information, contact us at:

Grafica — admin@grafica-ai.com
