Privacy Policy
Last Updated: 15th March 2025
Welcome to Grimdex! Your privacy is important to us. This Privacy Policy explains how we collect, use, and protect your information when you use Grimdex ("the Service"). By using Grimdex, you agree to the collection and use of information as outlined in this policy.
1. Who We Are (Controller)
Grimdex is the data controller for personal data processed in connection with the Service. Contact us for privacy matters at [email protected]. Grimdex is based in the United Kingdom. If we later appoint an EU representative or Data Protection Officer, we will update this Policy. If applicable, we will also include our ICO registration details here.
2. Information We Collect
We collect the following types of information when you use the Service:
A. Information You Provide
- Account Information: email address, username, and optional profile details.
- User-Generated Content: images, descriptions, comments, and other content you upload.
- Communication Data: messages you send to us (e.g., support inquiries).
B. Information Collected Automatically
- Usage Data: interactions with the Service (e.g., page views, clicks).
- Device & Log Data: IP address, browser type, and operating system for security and performance.
- Cookies & Similar Technologies: used for essential functionality and, with consent, analytics. Manage your preferences in your browser or in the app under Settings → Privacy.
3. How We Use Your Information and Legal Bases (UK GDPR)
We process personal data for the following purposes and legal bases:
- Provide and operate the Service (account creation, hosting your content) — performance of a contract (UK GDPR Art. 6(1)(b)).
- Security, fraud prevention, and service integrity (logging, abuse monitoring) — legitimate interests (Art. 6(1)(f)).
- Service communications (transactional emails, policy updates) — performance of a contract (Art. 6(1)(b)) and legal obligations (Art. 6(1)(c)).
- Analytics and performance measurement — consent (Art. 6(1)(a)) where required. You can manage consent in Settings → Privacy.
- Direct marketing (product updates, newsletters) — consent, or legitimate interests where permitted (soft opt-in for existing users). You can opt out at any time via unsubscribe links or in Settings.
We do not sell your personal data. We share data with service providers only as needed to operate the Service or as required by law.
4. How We Protect Your Information
We implement technical and organisational measures appropriate to the risk, including:
- Secure data transmission (HTTPS encryption).
- Role‑based access controls and least‑privilege practices.
- Routine dependency and security updates.
However, no method of transmission or storage is 100% secure.
5. Your Rights and Choices
Subject to conditions and exceptions, you have the right to:
- Access your personal data and receive a copy.
- Rectify inaccurate or incomplete data.
- Erase data in certain circumstances.
- Restrict or object to processing, including for legitimate interests.
- Data portability.
- Withdraw consent where processing is based on consent (e.g., analytics).
To exercise your rights, contact us at [email protected]. You can also manage analytics consent in the app under Settings → Privacy.
You have an absolute right to object to direct marketing at any time, including profiling related to direct marketing.
We will respond to requests without undue delay and in any event within one month, in accordance with GDPR.
You also have the right to lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local data protection authority.
6. Service Providers (Processors)
We use trusted service providers to operate the Service. These providers process data on our behalf and only as instructed by us:
- Vercel, Inc. — hosting and edge network (IP address, headers, logs).
- Supabase — authentication and database (account data, session data).
- Cloudflare R2 — media storage/CDN (request metadata, IP address).
- Brevo — transactional email delivery (recipient email, content).
- Sentry — error monitoring (error telemetry; session replay only with consent).
- Analytics (if enabled) — Google Analytics or Vercel Analytics/Speed Insights (usage metrics, cookie‑less where applicable).
We have data processing agreements in place and require our processors to implement appropriate security. We may update this list as our Service evolves and will keep this page current.
7. International Transfers
Where data is transferred outside the UK/EEA, we rely on adequacy regulations (where available) or appropriate safeguards such as the UK Addendum to the EU Standard Contractual Clauses or other recognised transfer mechanisms. For US providers participating in the Data Privacy Framework, we may rely on that participation where applicable.
8. Children's Privacy
Grimdex is not intended for users under the age of 16. We do not knowingly collect personal data from children. If you believe we have collected information from a minor, please contact us to have it removed.
9. Changes to This Policy
We may update this Privacy Policy from time to time. If significant changes are made, we will notify users through the Service. Continued use of Grimdex after changes means you accept the updated policy.
10. Cookies and Tracking Technologies
We use essential cookies to enable core functionality (such as authentication and security). With your consent, we may also use analytics technologies to measure usage and improve performance. You can change your choice anytime in Settings → Privacy.
- Essential: required for the Service to function.
- Analytics (optional): help us understand how the Service is used; disabled unless you opt in.
You can also access cookie settings via the cookie banner’s “Cookie Settings” link at any time.
11. Data Retention and Deletion
We retain personal data only for as long as necessary to provide the Service and meet legal, accounting, or reporting obligations. When data is no longer needed, we will delete or anonymise it.
- Account data: kept while your account remains active or as required by law. If you delete your account, we will delete or anonymise your personal data subject to any legal obligations.
- User‑generated content: remains published until you remove it or your account is deleted. Removed content may persist temporarily in caches or backups.
- Security logs: typically retained up to 90 days for protection and diagnostics.
- Analytics data: typically retained 14–26 months (per provider settings).
- Backups: typically retained on a rolling basis up to 30 days.
12. No Sale or Share of Personal Data
We do not sell personal data. We also do not share personal data for cross‑context behavioural advertising.
13. Contact Us
If you have any questions or concerns about this Privacy Policy, please contact us at [email protected].
By using Grimdex, you acknowledge that you have read, understood, and agreed to this Privacy Policy.
You may also complain to the UK Information Commissioner’s Office at ico.org.uk. If you are in the EEA, contact your local data protection authority.