Privacy Policy

Last Updated: April 13, 2026

Your Privacy Matters. At Gryffi, we are committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your data. This Privacy Policy explains our practices in clear, straightforward language.

🇪🇺 EU Data Residency: All your data stays within the European Union. Our hosting and backups are in Germany, our AI processing is in France, and our development team is based in the Netherlands.

🔒 No Data Sales: We will never sell your personal data or your users' data to third parties. Period.

1. Who We Are

Gryffi is an employee engagement and training platform that helps organizations create interactive onboarding, training, and policy experiences.

Legal Name: Gryffi
Trading As: Gryffi
Address: Jhr. Van Sypesteynlaan 7, 1231XL Loosdrecht, The Netherlands
VAT Number: NL003440983B28
KvK Number: 80453783
Contact: info@gryffi.com

Data Protection Contact

Gryffi is a sole proprietorship and does not meet the thresholds for appointing a Data Protection Officer (DPO) under GDPR Article 37 (we are not a public authority, do not carry out large-scale systematic monitoring, and do not process special categories of data on a large scale). For all data protection inquiries, you can contact us directly at info@gryffi.com.

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, and password when you create an account
  • Profile Information: Job title, department, and other optional profile details
  • Content: Journeys, guides, training materials, and other content you create using our platform
  • Communications: Messages you send to our support team or feedback you provide
  • Payment Information: Billing address and payment details (processed securely through Creem, our payment processor and Merchant of Record)

2.2 Information We Collect Automatically

  • Usage Data: How you interact with our platform, features used, time spent, and completion rates
  • Device Information: Browser type, operating system, IP address, and device identifiers
  • Cookies: We use cookies and similar technologies for authentication, preferences, and analytics

2.3 Information from Third Parties

  • Authentication Services: If you sign up using SSO (Single Sign-On), we receive basic profile information
  • AI Services: We use EU-based AI services (hosted in France) to power our intelligent guides

3. How We Use Your Information

We use your information for the following purposes, based on legitimate business interests and contractual necessity:

  • Provide Our Service: To operate, maintain, and deliver the features of our platform
  • Process Transactions: To handle billing, payments, and subscription management
  • Improve Our Platform: To understand usage patterns and enhance features
  • Customer Support: To respond to your inquiries and resolve issues
  • Security: To detect, prevent, and address technical issues, fraud, and abuse
  • Legal Compliance: To comply with legal obligations and protect our rights
  • Communications: To send service updates, security alerts, and (with consent) marketing messages

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on:

  • Contract Performance: Processing necessary to provide our service to you
  • Legitimate Interests: For improving our service, security, and customer support
  • Consent: For marketing communications and optional features (you can withdraw consent anytime)
  • Legal Obligation: To comply with applicable laws and regulations

5. Data Sharing and Disclosure

We Never Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We Share Data Only In These Limited Cases:

  • Payment Processing (Creem): Our payments are processed by Creem, who acts as Merchant of Record for all transactions. When you make a purchase, Creem collects and processes your payment information according to their Privacy Policy. Creem is PCI-DSS compliant and we do not store your credit card details.
  • Service Providers: EU-based hosting (Germany), AI services (France), all under strict data processing agreements
  • Your Organization: If you're a user within an organization, your admin may access usage data and content
  • Legal Requirements: When required by law, court order, or to protect rights and safety
  • Business Transfers: In connection with a merger or acquisition (with continued privacy protections)

6. Sub-processors

To deliver our service, we work with a limited number of carefully selected sub-processors. We have Data Processing Agreements (DPAs) in place with each sub-processor in accordance with GDPR Article 28. All core sub-processors operate within the European Union.

Core Sub-processors (EU)

Sub-processor         Purpose                                                         Location
Hetzner Online GmbH   Hosting, servers, storage, and backups                          Germany (EU)
Mistral AI            AI processing (Guides, translations, embeddings)                France (EU)
Nuntly                Transactional email (invitations, magic links, notifications)   EU
Creem                 Payment processing (Merchant of Record)                         EU

Additionally, we self-host Umami (privacy-friendly analytics) on our own infrastructure in Germany. No data is shared with any third party for analytics purposes.

Customer-Initiated Integrations

Organizations using Gryffi may choose to connect their Microsoft 365 (Azure AD) or Google Workspace directory to automatically synchronize end users. When this integration is enabled:

  • Gryffi sends read-only API requests to Microsoft Graph or Google Admin SDK to retrieve directory information (names, email addresses, departments).
  • The retrieved data is stored exclusively on Gryffi's EU-based infrastructure (Germany).
  • OAuth tokens are stored encrypted on our EU servers and are immediately deleted when the integration is disconnected.
  • Microsoft and Google process these API requests on their global infrastructure. This means that while Gryffi stores all data within the EU, the API communication itself may be routed through servers outside the EU.
  • Both Microsoft and Google offer EU Data Boundary options and have adopted Standard Contractual Clauses (SCCs) for international data transfers.

Connecting a directory provider is entirely optional and is always initiated by the customer organization's administrator. Without this integration, no data is exchanged with Microsoft or Google.

Changes to Sub-processors

We will notify customers of any material changes to our sub-processor list in advance, giving them the opportunity to object before the change takes effect.

7. Data Storage and Security

Where We Store Your Data

All data remains in the European Union:

  • Primary hosting: Germany
  • Backup storage: Germany
  • AI processing: France
  • Development and support: Netherlands

How We Protect Your Data

  • Encryption in transit (TLS/SSL) and at rest
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Regular automated backups
  • Employee training on data protection

Data Retention

We retain your data for as long as your account is active or as needed to provide services. After account deletion, we retain data for 30 days for recovery purposes, then permanently delete it (except where required by law for tax or legal purposes).

Data Breach Response

In the event of a personal data breach, we follow a documented incident response procedure in accordance with GDPR Articles 33 and 34. If a breach poses a risk to your rights and freedoms, we will notify the relevant supervisory authority within 72 hours and inform affected individuals without undue delay. All incidents are logged in an internal breach register. For more details, see our Security page.

8. Record of Processing Activities

We maintain a Record of Processing Activities (RoPA) as required by GDPR Article 30. This register documents all categories of personal data we process, the purposes, legal bases, retention periods, and security measures. The register is available to the relevant supervisory authority upon request.

9. Your Rights Under GDPR

As an EU resident, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or optional features
  • Right to Complain: Lodge a complaint with your local data protection authority

To exercise these rights, contact us at info@gryffi.com. We will respond within 30 days.

Supervisory Authority

If you are not satisfied with our response or believe we are processing your data unlawfully, you have the right to lodge a complaint with the Dutch Data Protection Authority:

Autoriteit Persoonsgegevens (AP)
PO Box 93374, 2509 AJ The Hague, The Netherlands
Phone: +31 (0)70 888 85 00
Website: autoriteitpersoonsgegevens.nl

You may also contact the supervisory authority in your own EU/EEA member state.

10. Automated Decision-Making

Gryffi does not use automated decision-making or profiling that produces legal effects or similarly significantly affects individuals, as described in GDPR Article 22.

While our platform includes AI-powered Guides that answer questions based on uploaded knowledge bases, these provide informational responses only and do not make decisions about individuals. Challenge scores and journey completion are determined by criteria configured by your organization's administrators, not by automated profiling.

11. Cookies and Tracking

Essential Cookies

Required for authentication, security, and basic functionality. These cannot be disabled as they are strictly necessary under Article 5(3) of the ePrivacy Directive. They include:

  • Session cookies for keeping you logged in
  • Security cookies for preventing fraud
  • Preference cookies for your settings
  • gryffi_lang_pref — remembers your chosen language preference (expires after 1 year). Only set after you actively select a language.
  • gryffi_lang_checked — prevents the language suggestion banner from reappearing after you've made a choice (expires after 30 days). Only set after you actively dismiss or accept the suggestion.

These language cookies are set only in response to an explicit action by you (choosing a language or dismissing the language banner). Because they solely store a user-requested preference and are strictly necessary to provide the functionality you asked for, they are exempt from the consent requirement under EU ePrivacy rules (Article 5(3) of Directive 2002/58/EC).

Analytics (Umami)

We use Umami, a privacy-friendly, open-source analytics service that we self-host on our own EU-based servers. Umami:

  • Does not use cookies
  • Does not track individuals across sites
  • Does not collect personal data
  • Is fully GDPR compliant
  • Runs on our own servers in the EU (self-hosted)

We only collect anonymous, aggregated data about page views and usage patterns to improve our service. No data is shared with third parties.

No Third-Party Tracking

We do not use Google Analytics, Facebook Pixel, or other tracking technologies that follow you across the web. Your privacy matters to us.

Managing Cookies

You can control essential cookies through your browser settings. Note that disabling these may affect functionality (e.g., staying logged in).

12. Children's Privacy

Gryffi is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

13. International Data Transfers

All data stored and processed by Gryffi resides within the European Union. Our servers, databases, backups, AI processing, and email infrastructure are all EU-based.

The only exception is when an organization chooses to enable a directory sync integration with Microsoft 365 or Google Workspace (see section 6). In that case, API requests are made to Microsoft or Google infrastructure, which may involve routing through servers outside the EU. Both providers have adopted Standard Contractual Clauses (SCCs) and offer EU Data Boundary commitments for qualifying services. No Gryffi user data is stored outside the EU by Gryffi.

If our data processing practices change in any material way, we will implement appropriate safeguards and notify you in advance.

14. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice on our platform. Continued use after changes constitutes acceptance.

15. Data Processing Agreement (DPA)

Our Data Processing Agreement governs how Gryffi processes personal data on behalf of customer organizations, in accordance with GDPR Article 28. The DPA is automatically incorporated into our Terms of Service and applies to all customers. If your organization requires a countersigned copy, contact us at info@gryffi.com.

16. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data:

  • General Information: info@gryffi.com
  • Technical Support: support@gryffi.com
  • Billing Questions: billing@gryffi.com

We take your privacy seriously and will respond to all inquiries promptly.

© 2026 Gryffi. All rights reserved.