Privacy Policy

GradeVault is operated as a solo/micro-enterprise based in Sweden. For the purposes of the General Data Protection Regulation (GDPR) (EU) 2016/679, GradeVault is the data controller of personal data collected through this website and its services.

Contact: privacy@gradevaultai.com
Supervisory authority: Integritetsskyddsmyndigheten (IMY) — the Swedish Authority for Privacy Protection, imy.se. You have the right to lodge a complaint with IMY at any time.

We only collect data that is necessary to provide and improve the service.

We use the following sub-processors who handle data on our behalf. All are bound by data processing agreements and, where applicable, EU Standard Contractual Clauses for international transfers.

• –Supabase, Inc. (USA) — database, authentication, file storage. EU data residency region selected where available.
• –Anthropic, PBC (USA) — Claude AI API for card image analysis. Images are not stored by Anthropic beyond the API request. Governed by Anthropic's API data processing terms.
• –Stripe, Inc. (USA) — payment processing. Stripe is PCI DSS Level 1 certified.
• –Resend, Inc. (USA) — transactional email (newsletter welcome and subscription emails).

We do not sell personal data to any third party. We do not use personal data for advertising profiling.

• –Account data: retained for the duration of your account, plus 90 days after deletion to allow account recovery.
• –Grade records in your binder: deleted when you delete your account or individual records.
• –Newsletter subscription: retained until you unsubscribe.
• –Payment records: retained for 7 years as required by Swedish accounting law (Bokföringslagen).
• –Server logs: 30 days maximum.

As a data subject in the EU/EEA, you have the following rights. To exercise any of them, contact us at privacy@gradevaultai.com. We will respond within 30 days.

• –Right of access (Article 15) — request a copy of all personal data we hold about you.
• –Right to rectification (Article 16) — correct inaccurate data.
• –Right to erasure / "right to be forgotten" (Article 17) — request deletion of your account and data.
• –Right to restriction of processing (Article 18) — ask us to limit how we use your data.
• –Right to data portability (Article 20) — receive your data in a machine-readable format (JSON).
• –Right to object (Article 21) — object to processing based on legitimate interests.
• –Right to withdraw consent — where processing is based on consent (e.g. newsletter), you may withdraw at any time without affecting lawfulness of prior processing.
• –Right to lodge a complaint with IMY — imy.se, +46 8 657 61 00.

We use cookies and similar technologies. Strictly necessary cookies are set automatically. Optional cookies require your consent, which you can provide or withdraw via the cookie banner or our Cookie Policy.

Some of our processors are based in the United States. Transfers are protected by Standard Contractual Clauses (SCCs) approved by the European Commission (Commission Decision 2021/914), or covered by processors that participate in equivalent transfer mechanisms. You may request a copy of the applicable transfer safeguards by contacting us.

GradeVault is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

We may update this Privacy Policy from time to time. Material changes will be notified via email (if you have an account) or via a prominent notice on the website. Continued use of the service after the effective date of a change constitutes acceptance of the updated policy.