Grapha

Legal · Last updated July 3, 2026

Privacy Policy

This explains what Grapha collects, why, who we share it with, and the control you have over it. Plain language, no surprises.

What this covers

This policy applies to the Grapha workspace and website (the “Service”). It describes the data we handle when you use Grapha. If a term is defined in our Terms of Service, it has the same meaning here.

What we collect

  • Account information. Your email address, and basic profile details you choose to add. You sign in with an email magic link or with GitHub.
  • Content you create. The plans, docs, and files you create or upload in Grapha, and what your agents write into your workspace. This is your work, and you control it. Teammates you invite to a project can see that project's content, and anything you share by link can be viewed by anyone who has the link.
  • Connected-database metadata and queries. When you connect a read-only database, we handle connection details, schema information, and the read-only queries and results needed to power answers and dashboards. Connections are read-only; we do not write to your database.
  • Repository context. When you connect a Git repository, we store the context your coding agent shares into your workspace, as you direct.
  • Connected tools. If you connect tools such as Gmail or Slack, we handle the connection and use it only as you and your agents direct. You can disconnect a tool at any time.
  • Usage data. Standard logs and product analytics, such as actions taken, feature use, device and browser type, and approximate location from your IP address, so we can keep the Service running and improve it.
  • Cookies. We use cookies to keep you signed in and to remember preferences such as your theme. We do not use advertising or cross-site tracking cookies.
  • Payment information. If you subscribe to a paid plan, payments are processed by Stripe. Stripe handles your card details; Grapha receives limited billing information such as plan, status, and the last digits of your card, and does not store full card numbers.

How we use it

  • To provide, maintain, and secure the Service, and to sign you in.
  • To power AI features, including sending your Content and related context to AI model providers so they can generate responses for you.
  • To run dashboards and answers from your connected read-only database.
  • To run features you ask for, such as web search, monitors that watch the web, and previews for links you paste.
  • To process payments, manage subscriptions, and prevent fraud.
  • To send you transactional email, such as sign-in links and account notices.
  • To understand usage so we can fix problems and improve the product.
  • To comply with the law and enforce our terms.

We do not sell your personal information, and we do not sell your Content.

Providers we work with

We rely on a set of providers (sub-processors) to run Grapha. Each receives only what it needs to do its job for us:

  • OpenRouter and the AI model providers it routes to: processing AI requests. Your Content and related context are sent to these providers to generate responses. If you add your own API key for a model provider, those requests go to that provider directly.
  • Stripe: payment processing and billing.
  • Resend: transactional email delivery, such as sign-in links and invites.
  • Vercel: application hosting, file storage for your uploads, and product analytics.
  • Turso: database hosting for Grapha's own data store.
  • Composio: tool connections. It holds the credentials for tools you connect, such as Gmail or Slack, and performs actions your agents request.
  • Parallel: web search and the monitors you set up.
  • Sentry: error monitoring. When something breaks, it receives technical details such as browser type and what went wrong.
  • Upstash: rate-limiting infrastructure that protects the Service.
  • Microlink: screenshots of links you paste, so previews can render.
  • GitHub: sign-in, if you choose it.

This list changes as the product evolves. We keep it current and note material changes here.

Retention

We keep your data for as long as your account is active and as needed to provide the Service. We retain some information for longer where we must to meet legal, tax, security, or accounting obligations, or to resolve disputes. When data is no longer needed, we delete or anonymize it.

Your choices and account deletion

  • Access and correction. You can view and update much of your information from within Grapha, including disconnecting a database, repository, or tool at any time.
  • Deletion. To delete your account, email us at the address below. We then delete or anonymize your personal data and Content, except for anything we are required to keep.
  • Data requests. Depending on where you live, you may have rights to access, correct, export, or delete your personal data, or to object to certain processing. To make a request, email us using the contact below, and we will respond as required by the law that applies to you.

Security

We take reasonable measures to protect your data, including access controls, encrypted storage of connected-database credentials, and read-only, least-privilege handling of connected databases. No system is perfectly secure, so we cannot guarantee absolute security. Use a strong, read-only credential for any database you connect, and revoke it whenever you choose.

Children

Grapha is for adults. We do not knowingly collect personal information from children. If you believe a child has given us data, email us and we will delete it.

Changes to this policy

We may update this policy as the product changes. When we make a material change, we will update the date at the top of this page and, where appropriate, let you know in the product or by email.

Contact and data requests

For privacy questions or data requests, email us at support@grapha.ai. Grapha is based in Ottawa, Ontario, Canada. We read every message and reply as soon as we can.