Privacy Policy
This Privacy Policy describes how Grasp Co (“Grasp,” “we,” “us,” or “our”) collects, uses, and shares information when you use the Grasp platform and related services (the “Service”). It also describes your choices. Capitalized terms not defined here have the meaning given in our Terms of Service.
A note on our business model
Grasp is a business-to-business product. Our customer is your organization, and your administrators decide which data to upload and which employees the Grasp agent talks to. We do not sell personal information, we do not use Customer Data to train shared or third-party foundation models, and we do not show ads.
1. Information we collect
Account information
When you or a teammate create an account, we collect your name, work email address, and, if you sign in with Google, your Google profile identifier and avatar URL.
Organization data
When an administrator uploads an organization chart, we receive employee names, work email addresses, titles, manager relationships, and any additional fields in the upload. We process this data on behalf of your organization as described in our Terms of Service.
Change plans and agent conversations
We store the change plans your administrators create and the messages, survey responses, and outcomes generated as the agent communicates with employees across channels you have connected.
Technical information
Like most web applications, we automatically log IP address, approximate location derived from IP, user-agent, timestamps, and product events (for example, “change plan created”). We use a small number of strictly necessary cookies and session tokens to keep you signed in.
2. How we use information
- Operate the Service. Authenticating you, generating change plans, sending messages to employees through channels you have authorized, and producing administrator reports.
- Improve the Service. Debugging, monitoring, and measuring product performance. We use aggregated or de-identified metrics only.
- Communicate with you. Service announcements, security notices, and, if you opt in, product updates. You can opt out of marketing messages at any time.
- Comply with law. Responding to lawful requests and enforcing our Terms of Service.
3. Employee confidentiality
When an individual employee answers the baseline survey or corresponds with the Grasp agent, the free-text content of that exchange is treated as confidential between that employee and the agent. Administrators see aggregated sentiment, rollout readiness, and risks — not individual verbatim responses, unless the employee explicitly asks the agent to escalate a specific concern to a named person.
4. How we share information
We share information only in the limited ways described below.
- With your organization. Your administrators can access account and usage data for your workspace, subject to the confidentiality rules above.
- With service providers (sub-processors). We use a small number of vendors to run the Service, including cloud hosting, database hosting, authentication, email delivery, error monitoring, and AI model providers. A current list is available on request at privacy@withgrasp.com.
- With channels you connect. Slack, Microsoft Teams, Google Workspace, and similar integrations receive only the data needed to deliver messages you have asked the agent to send.
- For legal reasons. If required by law, subpoena, or to protect the rights, property, or safety of Grasp, our customers, or the public.
- Business transfers. If Grasp Co is involved in a merger, acquisition, financing, or sale of assets, information may be transferred as part of that transaction, subject to this Privacy Policy.
5. Data retention
We retain Customer Data for as long as your organization uses the Service, plus up to sixty (60) days after termination for backup cycles to complete, unless a longer retention period is required by law or you request earlier deletion. Account and authentication logs are retained for up to twelve (12) months for security purposes.
6. Security
We encrypt data in transit with TLS and at rest using industry standard encryption provided by our cloud and database vendors. Access to production systems is limited to employees who need it to operate the Service, and is protected by single sign-on and hardware-backed second factors. No system is perfectly secure, and we will notify affected customers without undue delay if we become aware of a breach that affects Customer Data.
7. International transfers
Grasp Co is headquartered in the United States and our primary infrastructure is located in the United States. If you access the Service from outside the United States, you understand that your information will be transferred to and processed in the United States.
8. Your choices and rights
Depending on where you live, you may have rights to access, correct, delete, or export your personal information, and to object to or restrict certain processing. To exercise these rights, email privacy@withgrasp.com. If you are an employee of a Grasp customer, we will generally forward your request to your administrator, who acts as the controller of your data, and support them in responding.
9. Children
The Service is designed for workplace use and is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us and we will delete it.
10. Changes to this Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice (such as via email or in-product notice) before they take effect and update the “Effective” date above.
11. Contact
Privacy questions? Email privacy@withgrasp.com, write us at Grasp Co, 1007 N Orange St, 4th Floor, Wilmington, DE 19801, or text us at (832) 570-7361.