Privacy Policy

Last updated: April 5, 2026 · Effective: April 5, 2026

DPDP Act 2023 · GDPR Aligned · CCPA Compliant

1. Introduction

Welcome to Grapli (“we”, “our”, or “us”). Grapli is an AI-powered short-form video creation platform accessible at grapli.tech. We are incorporated in India and operate globally.

This Privacy Policy explains how we collect, use, store, share, and protect your personal data when you use our platform, and describes the rights you have over your data. It applies to all users worldwide who access or use any Grapli service.

By using Grapli, you confirm that you have read and understood this Privacy Policy. If you do not agree, please discontinue use immediately and contact us at privacy@grapli.tech to request deletion of any data we may have collected.

This policy complies with India’s Digital Personal Data Protection Act 2023 (DPDP Act), the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable international privacy laws.

Definitions

  • Personal Data — Any information that relates to an identified or identifiable individual.
  • Data Fiduciary / Controller — Grapli; determines the purpose and means of processing your data.
  • Data Principal / Data Subject — You, the user providing personal data.
  • Data Processor — Third-party services that process data on our behalf (Clerk, Supabase, AWS, etc.).
  • User Content — Scripts, videos, preferences, and other creative material you create using Grapli.
  • AI-Generated Output — Videos, captions, voiceovers, and scripts produced by Grapli’s AI pipeline.

2. Data We Collect

We collect only the data necessary to provide and improve our services. Here is a complete breakdown:

| Data Category | What We Collect | Purpose |
| --- | --- | --- |
| Account Identity | Email address, first name, last name, profile photo | Account creation, authentication, communications, support |
| Contact Information | Phone number (optional) | Account verification, important service notifications |
| Payment Data | Billing name, last 4 digits of card, billing address, transaction history | Subscription billing via Razorpay (full card numbers never stored by Grapli) |
| Video & Creative Content | Scripts, video metadata, voiceover preferences, template selections, scheduled job configurations | Generating and storing your videos; providing the core service |
| User Preferences | Niche, tone, voice settings, timezone, connected social platforms | Personalizing your experience and pre-filling creation workflows |
| Social Media Tokens | Encrypted OAuth access tokens for TikTok, Instagram, YouTube (never passwords) | Publishing your videos to connected social accounts |
| Usage & Behavior | Pages visited, features used, session duration, clicks, error interactions | Product analytics, improving features, usage tracking (PostHog) |
| Device & Network | IP address, browser type, operating system, device identifiers | Security, fraud prevention, rate limiting, approximate geolocation for pricing |
| Error & Diagnostic Data | Crash logs, error stack traces, session context at time of error | Debugging and improving service reliability (Sentry) |
| Generated Video Files | Rendered .mp4 videos, thumbnail images stored in AWS S3 | Providing access to your generated videos; publishing via CDN |

We do not collect sensitive personal data such as biometric data, health records, financial account credentials, or government identification numbers.

3. How We Use Your Data

We use your personal data only for specific, clearly stated purposes:

Service Delivery

Processing your video creation requests, generating scripts, voiceovers, captions, and rendering final videos. This is the core contractual use of your data.

Legal basis: Contract

Account Management

Creating and maintaining your account, verifying your identity, managing your subscription and credits, and providing customer support.

Legal basis: Contract

Payment Processing

Charging your subscription fees and managing credits via Razorpay. Payment details are processed directly by Razorpay — we never see your full card number.

Legal basis: Contract

Automated Publishing

When you enable scheduled automation, we use your stored OAuth tokens and configurations to generate and publish videos at your chosen times.

Legal basis: Consent + Contract

Service Communications

Sending transactional emails (video ready, payment receipts, account alerts, scheduled job completions). These cannot be opted out of while you have an active account.

Legal basis: Contract

Product Improvement

Analyzing aggregated usage patterns to improve features, prioritize roadmap, and fix bugs. Analytics are collected with your consent and can be opted out of in Settings > Privacy.

Legal basis: Consent

Security & Fraud Prevention

Monitoring for unauthorized access, unusual activity, abuse of the platform, and enforcing rate limits.

Legal basis: Legitimate Interest

Legal Compliance

Retaining financial records for tax compliance, responding to lawful requests from courts or government authorities, and complying with applicable laws.

Legal basis: Legal Obligation

We never sell your personal data. We do not sell, rent, or trade your personal information to third parties for their own marketing purposes. Your data is used solely to provide and improve Grapli.

4. Third-Party Services & Data Processors

Grapli uses third-party services to deliver its features. Each service receives only the data strictly necessary for its function and operates under a Data Processing Agreement with us.

Clerk

Authentication & User Management

United States

Data shared: Email, name, phone number, authentication tokens

Supabase (PostgreSQL)

Database & Storage

United States

Data shared: User profiles, video metadata, scripts, preferences, encrypted OAuth tokens

Amazon AWS (S3 + CloudFront + SQS + Bedrock)

File Storage, CDN, Job Queue, AI (Claude)

United States (us-east-1)

Data shared: Video files, thumbnail images, queue messages, AI script prompts

Razorpay

Payment Processing

Data shared: Payment method details, transaction amounts, billing address

ElevenLabs

AI Text-to-Speech Voiceover

United States

Data shared: Script text sent for voiceover generation

OpenAI (Whisper API)

Automatic Caption Generation

United States

Data shared: Audio portions of videos for transcription

PostHog

Product Analytics

United States / EU

Data shared: Anonymized usage events, page views, feature interactions, session ID

Sentry

Error Monitoring

United States

Data shared: Error logs, stack traces, session context at time of errors

Pexels & Pixabay

Stock Footage APIs

United States / Germany

Data shared: Anonymized API requests (no personal data shared)

We do not share your personal data with any other third parties except as required by law or with your explicit consent.

5. Social Media Integrations

When you connect TikTok, Instagram, or YouTube to Grapli, you grant us OAuth 2.0 access to publish videos on your behalf. Here is exactly what happens and how we protect you:

What access we request

  • TikTok — Permission to upload videos to your TikTok account (including to your inbox/drafts). We do not access your followers, messages, or analytics.
  • Instagram (Meta) — Permission to publish videos as Reels to your connected Instagram Business or Creator account. We do not access your DMs, followers, or story content.
  • YouTube — Permission to upload videos as YouTube Shorts to your channel. We do not access your private playlists, subscribers, or account settings.

How we store and protect your tokens

  • Access tokens are encrypted at rest using AES-256 before being stored in our database.
  • Tokens are never logged, included in error reports, or shared with any party other than the issuing social platform.
  • Tokens are used only to perform the specific publishing action you requested or scheduled.
  • Tokens are automatically refreshed; expired tokens are deleted immediately.

How to revoke access

  • In Grapli: Settings → Connected Accounts → Disconnect
  • In TikTok: Settings → Privacy → Apps and Websites
  • In Instagram: Settings → Security → Apps and Websites
  • In YouTube/Google: Google Account → Security → Third-party apps with account access

Important: By connecting your social media accounts, you also agree to those platforms’ terms of service. Grapli is not responsible for content moderation decisions, account suspensions, or policy changes made by TikTok, Meta (Instagram), or Google (YouTube).

6. Data Security

We implement industry-standard technical and organizational measures to protect your personal data:

Encryption at Rest

All data in Supabase is encrypted using AES-256. OAuth tokens receive an additional layer of application-level encryption before database storage.

Encryption in Transit

All data transmitted between your browser, our servers, and third-party services is protected using TLS 1.2 or higher (HTTPS everywhere).

Row-Level Security

Our Supabase database enforces row-level security policies ensuring each user can only query and modify their own data, even within the same database.

Access Controls

Staff access to production systems is role-based, logged, and requires multi-factor authentication. No staff member has unrestricted access to all user data.

Rate Limiting

All public APIs are rate-limited to prevent brute-force attacks, credential stuffing, and abuse.

Dependency Monitoring

We continuously monitor our codebase for known vulnerabilities using automated scanning tools and patch critical issues within 48 hours.

Security Incident Response

In the event of a personal data breach that risks your rights and freedoms, we will notify you and relevant authorities within 72 hours of discovery (as required by GDPR) or within 30 days (as required by India’s DPDP Act). Notifications will be sent to your registered email address.

To report a security vulnerability, email security@grapli.tech. We commit to acknowledging all reports within 48 hours.

7. Data Retention

We retain your data only as long as necessary for the stated purposes or as required by law:

| Data Category | Retention Period | Purpose / Notes |
| --- | --- | --- |
| Account & Profile Data | Active account duration | Deleted within 90 days of account deletion, subject to legal holds |
| Video Files (S3) | Until you delete them or 365 days after account deactivation | Giving you access to your generated content |
| Payment Records & Invoices | 10 years from transaction date | Tax compliance, Indian accounting standards, financial audits |
| Usage & Analytics Logs | 90 days | Product improvement and debugging |
| Error Logs (Sentry) | 90 days | Technical debugging |
| Device / IP Logs | 90 days | Security and fraud prevention |
| OAuth Tokens | Until you disconnect the account or token expires | Publishing videos to social platforms |
| Automated DB Backups | 30 days rolling | Disaster recovery |

When an account is deleted, we initiate an automated deletion workflow. Most personal data is purged within 30 days; payment records are retained for 10 years as required by Indian law. You can request a complete data deletion status report by emailing privacy@grapli.tech.

8. Your Rights

Depending on your location, you have the following rights over your personal data. All rights can be exercised by contacting privacy@grapli.tech or through your account settings where available. We respond within 30 days.

Right to Access

All users

Request a copy of all personal data we hold about you in a portable, machine-readable format (JSON/CSV). Available via Settings → Privacy → Download My Data.

Right to Correction

All users

Request correction of inaccurate or incomplete personal data. Most data can be updated directly in Settings → Profile.

Right to Erasure

All users

Request deletion of your account and personal data. Initiated via Settings → Account → Delete Account. Some data may be retained for legal compliance (see Section 7).

Right to Withdraw Consent

All users

Withdraw consent for non-essential processing (analytics, AI training opt-in) at any time via Settings → Privacy. Withdrawal does not affect prior lawful processing.

Right to Data Portability

EU/UK/India users

Receive your data in a structured, commonly used, machine-readable format and transfer it to another service.

Right to Object

EU/UK users

Object to processing based on legitimate interests (such as analytics). We will cease unless we demonstrate compelling legitimate grounds.

Right to Restrict Processing

EU/UK users

Request restriction of processing while a complaint or correction request is pending.

Right to Non-Discrimination

California (CCPA) users

We will not discriminate against you (e.g., deny service or charge different prices) for exercising your CCPA rights.

Grievance Redressal

India (DPDP) users

File a complaint with our Grievance Officer (see Section 14). If unsatisfied, escalate to India's Data Protection Board.

9. Cookies & Analytics

We use cookies and similar technologies to operate and improve Grapli:

| Data Category | What We Collect | Purpose |
| --- | --- | --- |
| Essential / Authentication | Session cookies, login tokens, CSRF protection tokens | Required for the service to function. Cannot be opted out of. |
| Preference Cookies | Theme, language, timezone settings | Remembering your settings across sessions. |
| Analytics (PostHog) | Anonymous usage events, session ID, feature interactions | Understanding how users navigate Grapli to improve product. Requires consent. |
| Error Tracking (Sentry) | Crash reports, session replay snapshots at time of error | Debugging technical issues. Requires consent. |

You can manage your cookie preferences at any time via Settings → Privacy → Cookie Preferences. Revoking consent for analytics stops future data collection but does not delete data already collected.

We do not use advertising cookies, tracking pixels for retargeting, or share behavioral data with ad networks.

10. International Data Transfers

Grapli is operated from India, but our infrastructure providers are primarily based in the United States. When you use Grapli, your personal data is transferred to and processed in the United States.

Legal basis for transfers

  • EU / EEA / UK users: Data transfers are protected by Standard Contractual Clauses (SCCs) per GDPR Article 46 and supplementary technical measures (encryption, access controls) per the Schrems II requirements.
  • Indian users: Transfers comply with India’s DPDP Act 2023. We ensure adequate safeguards are in place for all cross-border transfers.
  • Other jurisdictions: Transfers comply with applicable local privacy laws. By using Grapli, you consent to the transfer of data to the United States.

To request a copy of the Standard Contractual Clauses applicable to your data transfers, email privacy@grapli.tech.

11. Children's Privacy

Grapli is designed for content creators who are at least 18 years old. We do not knowingly collect personal data from children under 13 (or under 16 for users in the EU/UK, per GDPR).

If we discover that a child under 13 has created an account, we will immediately delete the account and all associated personal data. If you believe a child has registered on Grapli, please contact privacy@grapli.tech immediately.

12. AI Processing & Data Usage

Grapli uses AI services to generate scripts, voiceovers, and captions. Here is exactly how your data flows through our AI pipeline:

Anthropic Claude (via AWS Bedrock)

Data sent: Your script topic/prompt and generation parameters

AI training: Anthropic does not use API data to train models by default. No opt-in required.

ElevenLabs (Text-to-Speech)

Data sent: The generated script text for voiceover production

AI training: ElevenLabs does not use API data to train models by default. You can verify this in your ElevenLabs account settings.

OpenAI Whisper (Captions)

Data sent: Audio portions of generated videos for transcription

AI training: OpenAI does not use API data to train models by default. They maintain a signed DPA for API customers.

Default setting: Your content is NOT used to train any AI models — ours or our providers’. This is the default for all Grapli users. If we ever introduce an optional program to contribute content for model improvement, it will be strictly opt-in with separate, explicit consent.

13. Policy Changes

We may update this Privacy Policy to reflect changes in our practices, technology, legal requirements, or for other operational reasons. When we make material changes, we will:

  • Send an email notification to your registered email address at least 30 days before the changes take effect.
  • Display a prominent banner on the Grapli dashboard.
  • Update the “Last Updated” date at the top of this page.

Your continued use of Grapli after the effective date of the updated policy constitutes your acceptance. If you disagree with the changes, you may delete your account before the effective date.

Previous versions of this Privacy Policy are available on request at privacy@grapli.tech.

14. Contact & Grievances

For any privacy-related questions, requests, or complaints, please contact us:

Privacy & Data Protection

privacy@grapli.tech

Acknowledgment within 48 hours; resolution within 30 days.

General Support

hello@grapli.tech

For account issues, billing questions, and general inquiries.

Grievance Officer (DPDP Act — India)

As required by India’s Digital Personal Data Protection Act 2023, we have appointed a Grievance Officer for data protection matters. Indian residents may submit formal complaints to:

Email: privacy@grapli.tech
Subject line: “DPDP Grievance — [Your Name]”
Address: Grapli, India

If your complaint is not resolved within 30 days, you may escalate to India’s Data Protection Board once it is operational.

EU / UK Supervisory Authority

If you are based in the EU or UK and believe we have not handled your data in accordance with GDPR or UK-GDPR, you have the right to lodge a complaint with your local data protection supervisory authority.

© 2026 Grapli. All rights reserved.