Privacy policy

At GrailForge, the right to privacy is a virtue. Transparency and clarity in how we handle your data are of utmost importance to us. If you ever have any questions or concerns about the information provided in this document, please reach out to us without hesitation.

As a company based in the European Union, our website’s privacy policy aligns with the strict guidelines set forth by the General Data Protection Regulation (GDPR).

By using our website, you agree to abide by the terms outlined in this policy regarding the collection and use of information.

Personally identifying information

We don’t track any personally identifying information about visitors by default.

If we do need to collect personal data through our web site, such instances will always be clearly indicated, entirely optional and explicitly ‘opt-in’.

Some examples where we may collect data include when you:

  • buy our products or services
  • subscribe to our newsletter
  • provide us with your contact details, e.g. give us your business card
  • contact us via phone, text, email, social media or our website
  • apply for a job
  • otherwise use our website

It is voluntary to provide us with personal data, but if you choose not to, we may not be able to provide you with our services.

Non-Personally Identifying Information

Whenever you visit our sites, we may collect some information that your browser sends. This log data may include information such as your IP address, browser version, which pages you visit, the time and date of your visit, and other statistics. This data is stored in aggregate, and none of it is used to identify individual users.

Our website doesn’t use any cookies for analytics or tracking.

How We Share Your Personal Data

Ensuring the smooth and secure operation of our business sometimes requires us to share your personal data with various parties. These may include:

  • data processors (e.g. payment processor, email host)
  • professional advisors (e.g. legal, accounting)
  • public authorities, if we are legally obligated to report certain information

We hold all recipients accountable for maintaining stringent data security measures that align with our privacy standards.

We never share your personal data with third parties for marketing purposes.

We won’t ever sell any data you share with us without your explicit consent. Even then, it’s extremely unlikely.

Children’s Privacy

We do not knowingly collect identifiable information from children under 13, and we promptly delete any such information if brought to our attention by a parent or guardian.

Data Transfer

We only store and process your personal data within the EU/EEA.

Data Retention

Our processing of your personal data is contingent upon having a legitimate purpose and lawful basis as outlined in GDPR Article 6-1. These bases typically include:

a) Your consent b) We have a contractual obligation (contract) c) We have a legal obligation

It is our standard practice not to retain personal data beyond the necessary timeframe for fulfilling the processing purpose. Your personal data is retained only as long as we maintain a valid purpose and lawful basis, which includes:

  • Until you withdraw your consent (e.g. for email marketing)
  • Throughout the duration of contractual obligations, aligning with accounting and bookkeeping standards and rules, for instance in sales contexts.
  • In compliance with legal obligations, such as those mandated by accounting and bookkeeping rules or other legal necessities, such as in employment scenarios.
  • While a legitimate interest exists or until you request that we cease processing your data for specific purposes, such as marketing to existing customers.

You retain the option to withdraw your consent for any data processing that relies on consent as well as request us to halt processing and/or delete any of your data at any time.

We have established protocols to ensure that personal data is promptly deleted from all pertinent systems once the processing purpose and legal basis have concluded.

Information security

In the event of a personal data breach, which involves the accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to personal data, we will promptly inform the national data authority within 72 hours if it poses a medium to high risk to affected individuals. If the risk is determined to be high, we will also directly notify those affected, if feasible

Your Rights

You have the right to access, rectify, restrict processing, object to processing, and request data portability.

If necessary, you can file a complaint with the appropriate supervisory authority.

Please contact us if you have any questions about or want to exercise one of your rights. You are entitled to a reply within 30 days.

Data controller contact information

For any questions regarding our GDPR policy or our use of your personal data, please contact us at

Changes to this privacy policy

We may update this privacy policy at any time. You acknowledge and agree that it is your responsibility to review this Privacy policy periodically and become aware of modifications.

Last updated on Wednesday 22 May 2024