Privacy Policy

Last Updated: February 10, 2026

Your Privacy Matters. At Gryffi, we are committed to protecting your privacy and ensuring transparency in how we collect, use, and safeguard your data. This Privacy Policy explains our practices in clear, straightforward language.

πŸ‡ͺπŸ‡Ί EU Data Residency: All your data stays within the European Union. Our hosting and backups are in Germany, our AI processing is in France, and our development team is based in the Netherlands.

πŸ”’ No Data Sales: We will never sell your personal data or your users' data to third parties. Period.

1. Who We Are

Gryffi is an employee engagement and training platform that helps organizations create interactive onboarding, training, and policy experiences.

Legal Name: Gryffi
Trading As: Gryffi
Address: Jhr. Van Sypesteynlaan 7, 1231XL Loosdrecht, The Netherlands
VAT Number: NL003440983B28
KvK Number: 80453783
Contact: info@gryffi.com

2. Information We Collect

2.1 Information You Provide

  • Account Information: Name, email address, company name, and password when you create an account
  • Profile Information: Job title, department, and other optional profile details
  • Content: Journeys, guides, training materials, and other content you create using our platform
  • Communications: Messages you send to our support team or feedback you provide
  • Payment Information: Billing address and payment details (processed securely through Paddle.com, our payment processor and Merchant of Record)

2.2 Information We Collect Automatically

  • Usage Data: How you interact with our platform, features used, time spent, and completion rates
  • Device Information: Browser type, operating system, IP address, and device identifiers
  • Cookies: We use cookies and similar technologies for authentication, preferences, and analytics

2.3 Information from Third Parties

  • Authentication Services: If you sign up using SSO (Single Sign-On), we receive basic profile information
  • AI Services: We use EU-based AI services (hosted in France) to power our intelligent guides

3. How We Use Your Information

We use your information for the following purposes, based on legitimate business interests and contractual necessity:

  • Provide Our Service: To operate, maintain, and deliver the features of our platform
  • Process Transactions: To handle billing, payments, and subscription management
  • Improve Our Platform: To understand usage patterns and enhance features
  • Customer Support: To respond to your inquiries and resolve issues
  • Security: To detect, prevent, and address technical issues, fraud, and abuse
  • Legal Compliance: To comply with legal obligations and protect our rights
  • Communications: To send service updates, security alerts, and (with consent) marketing messages

4. Legal Basis for Processing (GDPR)

Under GDPR, we process your personal data based on:

  • Contract Performance: Processing necessary to provide our service to you
  • Legitimate Interests: For improving our service, security, and customer support
  • Consent: For marketing communications and optional features (you can withdraw consent anytime)
  • Legal Obligation: To comply with applicable laws and regulations

5. Data Sharing and Disclosure

We Never Sell Your Data

We do not sell, rent, or trade your personal information to third parties for their marketing purposes.

We Share Data Only In These Limited Cases:

  • Payment Processing (Paddle.com): Our payments are processed by Paddle.com, who acts as Merchant of Record for all transactions. When you make a purchase, Paddle collects and processes your payment information according to their Privacy Policy. Paddle is PCI-DSS compliant and we do not store your credit card details.
  • Service Providers: EU-based hosting (Germany), AI services (France)β€”all under strict data processing agreements
  • Your Organization: If you're a user within an organization, your admin may access usage data and content
  • Legal Requirements: When required by law, court order, or to protect rights and safety
  • Business Transfers: In connection with a merger or acquisition (with continued privacy protections)

6. Data Storage and Security

Where We Store Your Data

All data remains in the European Union:

  • Primary hosting: Germany
  • Backup storage: Germany
  • AI processing: France
  • Development and support: Netherlands

How We Protect Your Data

  • Encryption in transit (TLS/SSL) and at rest
  • Regular security audits and penetration testing
  • Access controls and authentication
  • Regular automated backups
  • Employee training on data protection

Data Retention

We retain your data for as long as your account is active or as needed to provide services. After account deletion, we retain data for 30 days for recovery purposes, then permanently delete it (except where required by law for tax or legal purposes).

7. Your Rights Under GDPR

As an EU resident, you have the following rights:

  • Right of Access: Request a copy of your personal data
  • Right to Rectification: Correct inaccurate or incomplete data
  • Right to Erasure: Request deletion of your data ("right to be forgotten")
  • Right to Restriction: Limit how we process your data
  • Right to Data Portability: Receive your data in a structured, machine-readable format
  • Right to Object: Object to processing based on legitimate interests
  • Right to Withdraw Consent: Withdraw consent for marketing or optional features
  • Right to Complain: Lodge a complaint with your local data protection authority

To exercise these rights, contact us at info@gryffi.com. We will respond within 30 days.

8. Cookies and Tracking

Essential Cookies

Required for authentication, security, and basic functionality. These cannot be disabled. They include:

  • Session cookies for keeping you logged in
  • Security cookies for preventing fraud
  • Preference cookies for your settings

Analytics (Plausible)

We use Plausible Analytics, a privacy-friendly, EU-based analytics service. Plausible:

  • Does not use cookies
  • Does not track individuals across sites
  • Does not collect personal data
  • Is fully GDPR compliant
  • Stores all data in the EU

We only collect anonymous, aggregated data about page views and usage patterns to improve our service.

No Third-Party Tracking

We do not use Google Analytics, Facebook Pixel, or other tracking technologies that follow you across the web. Your privacy matters to us.

Managing Cookies

You can control essential cookies through your browser settings. Note that disabling these may affect functionality (e.g., staying logged in).

9. Children's Privacy

Gryffi is not intended for children under 16. We do not knowingly collect data from children. If you believe we have collected data from a child, please contact us immediately.

10. International Data Transfers

All data processing occurs within the European Union. We do not transfer data outside the EU/EEA. If this changes, we will implement appropriate safeguards (Standard Contractual Clauses) and notify you.

11. Changes to This Policy

We may update this Privacy Policy to reflect changes in our practices or legal requirements. We will notify you of material changes via email or prominent notice on our platform. Continued use after changes constitutes acceptance.

12. Data Processing Agreement (DPA)

For enterprise customers who need a Data Processing Agreement to comply with GDPR Article 28, please contact us at info@gryffi.com. We provide standard DPAs that outline our roles as data processors and include all required terms.

13. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or your data:

  • General Information: info@gryffi.com
  • Technical Support: support@gryffi.com
  • Billing Questions: billing@gryffi.com

We take your privacy seriously and will respond to all inquiries promptly.