Privacy Policy

Introduction

Welcome to Grimmsly. We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform to connect families with professional storytellers.

By using Grimmsly, you agree to the collection and use of information in accordance with this policy. If you do not agree with our policies and practices, please do not use our services.

1. Information We Collect

1.1 Information You Provide Directly

When you create an account or use our services, we collect:

• Account Information: Name, email address, password (encrypted), profile photo, role (customer or artist), and website URL
• Location Information: Address, city, state, country, and geographic coordinates (obtained via Google Maps Geocoding API)
• Profile Information: Bio, interests, cultural background, family size, budget preferences, professional experience, education, credentials, languages, specializations, and portfolio links
• Payment Information: Payment method details (tokenized through Stripe), transaction history, and for artists: hourly rates, project minimums, earnings, and payout information
• Project Information: Project descriptions, requirements, budgets, timelines, milestones, and related documentation
• Communications: Messages exchanged between users, project discussions, and customer support inquiries
• Verification Documents: For artists, we may collect credentials and verification documents to ensure quality standards

1.2 Information Collected Automatically

• Technical Data: IP address (used only for rate limiting and security), session data, browser type, and device information
• Usage Data: How you interact with our platform, features used, and navigation patterns
• Cookies: Session cookies for authentication (30-day duration) and CSRF protection cookies (24-hour duration)

1.3 Information from Third-Party Services

• Google Calendar & Meet: With your explicit consent, we access your Google Calendar to create video conference events and Google Meet links for project collaboration
• Stripe: Payment processing information, transaction details, and for artists, payout account information

2. How We Use Your Information

We use your information to:

• Provide Our Services: Create and manage your account, facilitate connections between customers and artists, enable project collaboration, and process payments
• Communication: Send you service notifications, project updates, payment confirmations, and respond to your inquiries
• Matching & Search: Display artist profiles to customers based on location, skills, specializations, and project requirements
• Video Conferencing: Create Google Meet conferences and calendar events for project discussions and collaboration
• Payment Processing: Facilitate secure payments between customers and artists, calculate platform fees (10% markup), manage artist earnings and payouts
• Platform Improvement: Analyze usage patterns to improve our services, features, and user experience
• Security & Fraud Prevention: Protect against unauthorized access, fraud, and abuse through rate limiting, authentication, and security monitoring
• Legal Compliance: Comply with legal obligations, enforce our terms of service, and protect our rights

3. How We Share Your Information

3.1 With Other Users

• Artist Profiles: Your artist profile (name, bio, location city/state, portfolio, rates, specializations) is visible to customers browsing the platform
• Project Collaboration: Information shared within a project (messages, files, timelines) is visible to all project participants
• Reviews & Ratings: Reviews and ratings you provide or receive may be publicly displayed

3.2 With Third-Party Service Providers

• Google (Calendar & Meet): OAuth access tokens and calendar data for creating video conferences. We only request the minimum necessary scope (calendar.events)
• Stripe: Payment processing information, transaction details, and payout data. Stripe handles all sensitive financial data according to PCI DSS standards
• Resend: Email delivery service for account verification, password resets, notifications, and payment communications
• Vercel: Infrastructure and file storage (Vercel Blob) for profile images, portfolio items, and uploaded files
• Google Maps: Address validation and geocoding for location-based features

3.3 Legal Requirements

We may disclose your information if required by law, legal process, or government request, or to protect the rights, property, or safety of Grimmsly, our users, or others.

3.4 Business Transfers

In the event of a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity.

4. Data Security

We implement industry-standard security measures to protect your information:

• Encryption: All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. Passwords are hashed using bcrypt with 10 salt rounds
• Authentication: Secure JWT-based session management with 30-day maximum session duration
• CSRF Protection: All state-changing operations are protected with CSRF tokens using HMAC-SHA256 signing
• Rate Limiting: Protection against brute force attacks and abuse with comprehensive rate limits on login attempts, API requests, and sensitive operations
• Access Controls: Role-based access control ensures users can only access their own data and authorized resources
• Secure Storage: Database and file storage provided by trusted infrastructure partners with enterprise-grade security
• Regular Security Audits: We conduct regular security reviews and updates to maintain protection standards

While we strive to protect your personal information, no method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security.

5. Data Retention and Deletion

5.1 Account Deletion

You can delete your account at any time from your account settings. When you delete your account:

• Your profile information (name, bio, portfolio, location) will be cleared and replaced with "Deleted Account"
• Your email and password are retained for account restoration purposes
• You will no longer be able to log in or access the platform
• You can restore your account by logging in with your original credentials, but you will need to re-complete your profile

5.2 Data We Retain After Deletion

Even after account deletion, we retain certain information for legal and operational purposes:

• Payment Records: Transaction history, invoices, and financial records are retained for tax compliance, legal requirements, and dispute resolution
• Project History: Project information may be retained to maintain context for other users involved in the project
• Messages: Messages within projects are retained for project continuity

5.3 Automatic Data Cleanup

• Google Meet sessions automatically expire after 60 minutes
• Rate limiting records are automatically deleted after the rate limit window expires
• Expired email verification tokens and password reset tokens are periodically cleaned

6. Your Rights and Choices

You have the following rights regarding your personal information:

• Access: You can view and access your personal information through your account dashboard
• Correction: You can edit and update your profile information, contact details, and preferences at any time
• Deletion: You can delete your account from your account settings
• Notification Preferences: You can control which notifications you receive (both in-app and email) through your notification settings
• Disconnect Third-Party Services: You can disconnect your Google account at any time, which will revoke our access to your Google Calendar
• Payment Method Management: You can add, update, or remove payment methods from your account
• Opt-Out of Marketing: You can unsubscribe from marketing emails using the link in any marketing message

For additional data requests or questions about your privacy rights, please contact us at privacy@grimmsly.com.

7. Cookies and Tracking

We use cookies for essential platform functionality:

• Authentication Cookie: Maintains your logged-in session (30-day duration, HTTP-only, secure)
• CSRF Protection Cookie: Protects against cross-site request forgery attacks (24-hour duration, HTTP-only, secure)

We do not use third-party tracking cookies, advertising cookies, or analytics services like Google Analytics. Our cookies are essential for the platform to function and cannot be disabled without affecting your ability to use our services.

8. Third-Party Links and Services

Our platform may contain links to third-party websites, services, or resources (such as artist portfolio websites, Google Docs, or YouTube videos). We are not responsible for the privacy practices or content of these third-party services. We encourage you to review their privacy policies before providing any personal information.

9. Children's Privacy

Grimmsly is not intended for use by children under the age of 18. We do not knowingly collect personal information from children under 18. If you are under 18, please do not use our services or provide any personal information. If we become aware that we have collected personal information from a child under 18 without parental consent, we will take steps to delete that information promptly.

10. International Data Transfers

Grimmsly is based in the United States. If you are accessing our services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate. These countries may have data protection laws that differ from the laws of your country.

By using our services, you consent to the transfer of your information to the United States and other countries as necessary to provide our services.

11. California Privacy Rights (CCPA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):

• Right to Know: You can request information about the personal information we collect, use, disclose, and sell
• Right to Delete: You can request deletion of your personal information (subject to certain exceptions)
• Right to Opt-Out: We do not sell your personal information to third parties
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights

To exercise these rights, please contact us at privacy@grimmsly.com.

12. European Privacy Rights (GDPR)

If you are located in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation (GDPR):

• Right to Access: Request access to your personal data
• Right to Rectification: Request correction of inaccurate personal data
• Right to Erasure: Request deletion of your personal data
• Right to Restriction: Request restriction of processing your personal data
• Right to Data Portability: Request a copy of your personal data in a structured format
• Right to Object: Object to processing of your personal data
• Right to Withdraw Consent: Withdraw consent for data processing at any time

To exercise these rights, please contact us at privacy@grimmsly.com.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. We will notify you of any material changes by posting the new Privacy Policy on this page and updating the "Last updated" date. We encourage you to review this Privacy Policy periodically.

Your continued use of Grimmsly after any changes to this Privacy Policy constitutes your acceptance of the updated policy.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us: