Privacy Policy

This Privacy Policy explains what personal data GreyScape.ai (the “Service”) collects, why we collect it, how we use it, who we share it with, and the rights you have over it. The Service is operated by KARRD Services FZCO (“GreyScape.ai”, “we”, “us”), registered at IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates. Where this Policy refers to “personal data”, the term has the meaning given to it under the UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection (the “UAE PDPL”), the EU General Data Protection Regulation 2016/679 (“GDPR”), and the UK General Data Protection Regulation.

1. Roles — who is the controller, and who is the processor

GreyScape.ai acts in two distinct roles depending on whose data is being processed:

• Customer personal data — for personal data belonging to your organisation's employees, contractors, or end users that you upload into or generate within the Service (for example, the names and email addresses of employees you attribute AI spend to), your organisation is the controller and GreyScape.ai is the processor. The terms of that relationship are set out in our Data Processing Agreement.
• Account holder data — for personal data relating to the individual who creates a GreyScape.ai account (account email, name, sign-in metadata, support communications), GreyScape.ai is the controller. This Policy explains how we process that data.
• Marketing & visitor data — for personal data submitted via the public site (e.g., the beta-access application form, the demo email gate, contact forms), GreyScape.ai is the controller.

2. Personal data we collect

We collect personal data in the following categories:

2.1 Account and authentication data

• Your email address, display name, and (if your identity provider supplies them) first and last name.
• The identity provider you used to sign in (Google, Microsoft, GitHub, Apple) and an opaque user identifier assigned by that provider.
• Sign-in timestamps, IP addresses, and user-agent strings.
• Your role within your tenant workspace (owner, admin, member, etc.).

Authentication is brokered by WorkOS; we receive only the profile information they pass to us after a successful sign-in. We do not store passwords ourselves.

2.2 Workload and usage metadata

• For each AI usage event ingested from a provider you have connected (OpenAI, Anthropic, Azure OpenAI, etc.), we store: provider, model, API key label, project name, token counts, cost in cents, and the timestamp of the call.
• Where you have mapped a provider API key to an employee, we associate that event with that employee's record so the Service can roll spend up by person and team.

We do not ingest the contents of any prompts, completions, embeddings, attachments, or training data. The provider admin APIs we use do not expose that content to us.

2.3 Workflow data you supply

• AI approval requests, including the scoping conversation between the requester and our LLM-driven advisor, the recommended model, the monthly cost estimate, and any free-text justification or notes.
• Subscriptions, attestations, key-capture responses, and other forms submitted by your employees through the Service.

2.4 Visitor and marketing data

• Email and (optionally) name + company collected via the public demo email gate after a visitor has navigated to four or more demo pages.
• Beta-access application form submissions, including company name, contact name, role, team size, and free-text answers.
• Sign-in attempts where the authenticated email is not tied to a workspace, including the email tried, the identity provider used, and the IP address. Used to surface real prospects to our team and to detect abusive patterns.
• Approximate geolocation derived from IP address (country, region, city, network operator) where available, for fraud and abuse triage.

2.5 Operational and security data

• Server logs, error reports, and audit records of administrative actions taken in the Service.
• Encrypted copies of API credentials you provide to connect third-party services. Provider credentials are encrypted at rest using AES-256-GCM under a key controlled by us; we never store them in plaintext.

3. Why we use it (purposes & legal bases)

The lawful bases on which we process personal data are:

• Performance of a contract (GDPR Art. 6(1)(b)) — providing the Service to you under the Terms of Service.
• Legitimate interests (GDPR Art. 6(1)(f)) — securing the Service, detecting abuse, improving the product, and communicating about the product. Where we rely on legitimate interests, we have balanced those interests against your rights and freedoms; you may object at any time (see Your rights).
• Consent (GDPR Art. 6(1)(a)) — for optional things like the demo email gate (you submit voluntarily) and marketing emails (you can opt out).
• Legal obligation (GDPR Art. 6(1)(c)) — where applicable laws require retention (e.g., tax records).

Specific purposes include: authenticating users; rendering dashboards, attribution, and budget reports; running the approval workflow; sending transactional emails (sign-in confirmations, approvals, invites); operating the demo environment; sending the periodic admin digests if you have configured them; detecting fraud and abuse; and responding to enquiries.

4. How we share it

We share personal data only with carefully chosen sub-processors who help us deliver the Service. The full list, together with the data each one accesses and the region they operate in, is on our Sub-processors page. At the time of writing, the primary sub-processors are:

• Railway — hosting and managed Postgres database (United States).
• WorkOS — authentication and identity (United States).
• Resend — transactional email (United States).
• Cloudflare — DNS, email routing, edge delivery (global).
• OpenAI / Anthropic — LLM provider for the optional in-product advisor (United States).

We do not sell personal data. We do not share personal data with advertisers. We may disclose personal data where compelled by law, by court order from a competent authority, or to protect the vital interests of users where we believe there is a credible and immediate threat to safety.

5. International transfers

Personal data we process is typically stored on infrastructure operated from the United States, the European Union, or the United Arab Emirates depending on the sub-processor. Where personal data originates in the EU/EEA, UK, or another jurisdiction with cross-border transfer restrictions, we rely on appropriate safeguards including Standard Contractual Clauses, equivalent UK transfer mechanisms, and the adequacy frameworks recognised by the relevant authority. A copy of the transfer mechanism applicable to a specific data flow is available from [email protected].

6. How long we keep it

• Account data: kept for as long as your account is active. Deleted within 90 days of account closure unless legally required to retain it for longer.
• Workload usage metadata: retained for the duration of your contract, then anonymised or deleted within 90 days of termination.
• Audit log entries: retained for two years from the date of the action to support security investigations.
• Sign-in attempts and demo leads: retained for 12 months from capture.
• Marketing email subscriptions: kept until you unsubscribe.

7. Your rights

Where the GDPR, UK GDPR, or UAE PDPL apply to our processing of your personal data, you have the following rights. To exercise any of them, contact [email protected] from the email address associated with your account. We respond within 30 days; we may need to verify your identity first.

• Access — ask us what personal data we hold about you and receive a copy.
• Rectification — ask us to correct inaccurate or incomplete data.
• Erasure — ask us to delete your data, subject to our legal obligation to retain certain records.
• Restriction — ask us to limit processing in certain circumstances.
• Portability — receive your data in a structured, machine-readable format and transmit it elsewhere.
• Objection — object to processing based on our legitimate interests.
• Withdraw consent — where we rely on your consent, you may withdraw it at any time without affecting the lawfulness of prior processing.
• Complain — lodge a complaint with the UAE Data Office or the data protection authority in your country of residence.

8. Security

Detailed in our Security Statement. In short: TLS 1.2+ on every connection; AES-256-GCM at rest for credentials and sensitive payloads; principle-of-least-privilege for operator access; audit logging on all admin actions; SOC 2 Type I audit in progress.

9. Children

GreyScape.ai is a business-to-business service intended for organisational use only. It is not directed at children under 16. We do not knowingly collect personal data from children.

10. Changes to this Policy

We may update this Policy from time to time to reflect changes in our practices or applicable law. Material changes will be communicated by email to account owners and via a prominent notice on the Service at least 14 days before they take effect. The “Last updated” date at the top of this page reflects the latest revision.

11. Contact

Privacy questions, rights requests, and complaints: [email protected]. Postal address: KARRD Services FZCO, IFZA Business Park, Dubai Silicon Oasis, Dubai, United Arab Emirates.