KODA TECHNOLOGIES, INC.
PRIVACY POLICY

Effective as of January 29, 2026

This Privacy Policy explains how Koda Technologies, Inc. ("Company," "we," "us," or "our") collects, uses, and shares personal information through our Griddy platform, an AI-powered Microsoft Excel add-in and standalone web application, including our website at https://getgriddy.ai, marketing activities, and related services (collectively, the "Service"). The Service is offered through three plans: Free Trial (free, with limited prompts), Pro (paid, with unlimited prompts and advanced features), and Teams (paid, for organizations with centralized billing and admin features). Details on plans are available at https://getgriddy.ai/pricing. We may provide supplemental privacy notices for specific products or services at the time of data collection.

INDEX

PERSONAL INFORMATION WE COLLECT

We collect personal information you provide, from third-party sources, or automatically through the Service. The type and amount of data collected depend on your plan (Free Trial, Pro, or Teams).

Information You Provide to Us or That We Generate About You:

  • Contact Data: Email address and, if provided, first and last name.
  • Profile Data: Password (stored in hashed form) and account preferences.
  • Communications Data: Information from interactions with us, including via email or customer support.
  • Payment Data: Payment card or billing details for Pro and Teams plan transactions, processed by Stripe, Inc. We do not store full payment card numbers on our servers.
  • Transactional Data: Subscription status, plan type, billing history, and transaction identifiers.
  • Marketing Data: Preferences for receiving marketing communications and engagement details.
  • User-Generated Content Data: Prompts, queries, and other content you submit to the AI-powered features of the Service, including limited metadata. We do not store full spreadsheet files. We may store prompt text and limited metadata for support, debugging, abuse prevention, and internal analytics, and transmit inputs to our third-party AI service providers for processing.
  • Referral Data: Referral codes used during registration.
  • Team Data: For Teams plan users, team membership, roles, and usage analytics.
  • Derived Data: Preferences or interests inferred from your activities on the Service.

Third-Party Sources:

  • Payment Processor: Stripe, Inc. provides us with subscription status and payment confirmation data.
  • Analytics Partners: PostHog and similar analytics services provide usage analytics data, which may include identifiers.

Automatic Data Collection:

We, our service providers, and partners may automatically collect:

  • Device Data: Operating system, browser type, IP address, unique device identifiers, and device fingerprint (for fraud prevention).
  • Online Activity Data: Pages viewed, features used, time spent, navigation paths, access times, and referring URLs.
  • Communication Interaction Data: Email open and click-through data for marketing communications.

Cookies and Similar Technologies:

  • Cookies: Session and persistent cookies for authentication, tracking, and preferences.
  • Local Storage: HTML5 local storage for authentication tokens and user preferences.
  • Web Beacons: Pixel tags to track email and page interactions.
  • Analytics SDKs: PostHog and similar tools for product analytics and user behavior tracking.

HOW WE USE YOUR PERSONAL INFORMATION

Service Delivery and Operations:

  • Provide and operate the Service, including AI-powered spreadsheet analysis and automation
  • Process your queries and spreadsheet data through our AI systems to generate outputs
  • Personalize your experience and preferences
  • Establish and maintain your Account
  • Process payments and manage subscriptions
  • Communicate Service-related information, including updates and security alerts
  • Provide customer support and respond to inquiries
  • Detect, prevent, and address fraud, abuse, and security issues

AI and Machine Learning:

We process your inputs (spreadsheet data and queries) through third-party AI models to generate outputs for you. This processing is necessary to deliver the core functionality of the Service.

Model Training: We do not use identifiable customer data to train AI models. We may use anonymized and aggregated usage data to improve the Service and our proprietary systems. Pro and Teams users can contact us to opt out of anonymized usage data. We store prompt text and limited metadata for up to thirty (30) days for support, debugging, abuse prevention, and internal analytics (see Data Retention).

Third-Party AI Providers: Our third-party AI service providers process your data to provide the Service. We select providers that state they do not use API data to train their models without permission, and we do not authorize them to do so.

Marketing and Advertising:

  • Direct Marketing: Personalized communications about the Service with opt-out available via unsubscribe link or Account settings
  • Analytics: Product usage analytics to improve the Service experience

HOW WE SHARE YOUR PERSONAL INFORMATION

  • Affiliates: Our parent company, subsidiaries, and affiliates, if any
  • Service Providers: Third parties that help us operate the Service (hosting, email delivery, analytics, error monitoring, observability, fraud prevention, customer support)
  • Third-Party AI Providers: AI service providers that process your inputs to generate outputs (see Sub-processors section below)
  • Payment Processor: Stripe, Inc. for processing subscription payments
  • Analytics Partners: PostHog for product analytics (event metadata and identifiers; we do not send prompt content)
  • Team Administrators: If you are part of a Teams plan, your team administrator may have access to usage data and Account information
  • Authorities: Law enforcement, regulators, or other parties when required by law, to protect our rights, or to ensure the safety of our users
  • Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your data may be transferred to the acquiring entity

We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes.

SUB-PROCESSORS

We use the following third-party sub-processors to deliver the Service. Each sub-processor is contractually obligated to protect your data and process it only as necessary to provide services to us:

Sub-processorPurposeLocation
xAI Corp.AI model inference (processing queries and generating outputs)United States
Amazon Web Services (AWS)Cloud hosting, infrastructure, and email delivery (SES)United States
Stripe, Inc.Payment processingUnited States
PostHog, Inc.Product analytics (event metadata and identifiers)United States
Sentry, Inc.Error monitoring and diagnosticsUnited States
Grafana Labs, Inc.Frontend observability and telemetry (Faro)United States
FingerprintJS, Inc.Fraud prevention device fingerprintingUnited States
Google LLC (Google Workspace)Customer support email communicationsUnited States

We may update this list when we add or change sub-processors. Our Data Processing Addendum (DPA) is available at getgriddy.ai/dpa. For Teams plan customers with a DPA, we will make reasonable efforts to provide advance notice of any new sub-processor additions. If you object to a new sub-processor, you may terminate your subscription by contacting us.

YOUR CHOICES

  • Access or Update: Access or update your Account information via Account settings at https://getgriddy.ai/settings
  • Data Export: Request an export of your personal data by contacting us at will@getgriddy.ai
  • Account Deletion: Delete your Account through Account settings or by contacting us. Deletion will be processed within a reasonable timeframe
  • Opt Out of AI Data Usage: Pro and Teams users can opt out of anonymized data usage for Service improvement by contacting us
  • Marketing Communications: Opt out of marketing emails by clicking "unsubscribe" in any marketing email or visiting https://getgriddy.ai/unsubscribe
  • Cookies: Control cookies through your browser settings. Note that disabling cookies may affect Service functionality

DATA RETENTION AND DELETION

We retain your personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specific retention periods include:

  • Account Data: Retained for the duration of your Account plus ninety (90) days after deletion to allow for account recovery and dispute resolution
  • Prompt Logs: Prompt text and limited metadata retained for up to thirty (30) days for support, debugging, abuse prevention, and internal analytics, then deleted or anonymized
  • Usage Metadata: Token usage, model identifiers, and billing records retained as required for accounting, audits, or service reliability
  • Payment Data: Retained as required by tax and financial regulations (typically seven (7) years for transaction records)
  • Analytics Data: Anonymized or aggregated analytics data may be retained indefinitely
  • Legal Hold: Data may be retained beyond standard periods if required for legal proceedings, regulatory investigations, or to enforce our agreements

When personal data is no longer needed, we securely delete or anonymize it in accordance with our data management practices.

OTHER SITES AND SERVICES

The Service may contain links to third-party websites or services, including Microsoft AppSource and Stripe. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

SECURITY

We employ commercially reasonable technical and organizational safeguards to protect your personal information, including encryption of data in transit (TLS) and at rest, secure authentication mechanisms, access controls, and regular security assessments. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. We encourage you to use a strong, unique password for your Account.

DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify affected individuals without undue delay via email and, where appropriate, via a notice on our Website
  • Notify the relevant supervisory authority and affected users as required by applicable law
  • Provide information about: the nature of the breach, the categories and approximate number of individuals and data records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects
  • Maintain appropriate records of incidents as required by applicable law

Teams plan customers with a DPA will receive breach notifications in accordance with the terms of their DPA.

INTERNATIONAL DATA TRANSFERS

Your personal information may be transferred to and processed in the United States, where our servers and service providers are located. If you are located outside the United States, please be aware that data protection laws in the U.S. may differ from those in your jurisdiction.

For EU/EEA and UK users, we will work with customers to put appropriate safeguards in place for international data transfers where required, which may include Standard Contractual Clauses (SCCs). Teams plan customers may request copies of applicable safeguards by contacting us.

CHILDREN

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us at will@getgriddy.ai.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. For material changes, we will make reasonable efforts to provide notice via email to the address associated with your Account and/or by posting a prominent notice on our Website. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

HOW TO CONTACT US

For privacy-related inquiries, data subject requests, or to exercise any of your rights: will@getgriddy.ai

For general inquiries: will@getgriddy.ai

Mailing Address:
Koda Technologies, Inc.
850 New Burton Road, Suite 201
City of Dover, County of Kent, Delaware 19904

STATE PRIVACY RIGHTS NOTICE

Residents of certain U.S. states have additional privacy rights under state law. To exercise these rights, contact will@getgriddy.ai. We will respond to verifiable requests within the timeframes required by applicable law.

California Residents (CCPA/CPRA):

  • Right to Know: Request details about the personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out: We do not sell personal information or share it for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Shine the Light Law: Request information about personal data shared with third parties for their direct marketing purposes (we do not share data for this purpose)

Colorado, Connecticut, Virginia, and Other State Residents:

If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or other states with comprehensive privacy laws, you may have similar rights to access, delete, correct, and opt out of certain data processing. Contact us to exercise these rights.

Nevada Residents:

Nevada residents may opt out of the future sale of personal information by contacting will@getgriddy.ai. We do not currently sell personal information as defined under Nevada law.