Skip to content

KODA TECHNOLOGIES, INC.
PRIVACY POLICY

Effective as of February 26, 2026

This Privacy Policy explains how Koda Technologies, Inc. ("Company," "we," "us," or "our") collects, uses, and shares personal information through our Griddy platform, an AI-powered spreadsheet assistant available as a Microsoft Excel add-in, Google Sheets add-on, and standalone web application, including our website at https://getgriddy.ai, marketing activities, and related services (collectively, the "Service"). The Service is offered through three plans: Free Trial (free, with limited prompts), Pro (paid, with unlimited prompts and advanced features), and Teams (paid, for organizations with centralized billing and admin features). Details on plans are available at https://getgriddy.ai/pricing. We may provide supplemental privacy notices for specific products or services at the time of data collection.

INDEX

PERSONAL INFORMATION WE COLLECT

We collect personal information you provide, from third-party sources, or automatically through the Service. The type and amount of data collected depend on your plan (Free Trial, Pro, or Teams).

Information You Provide to Us or That We Generate About You:

  • Contact Data: Email address and, if provided, first and last name.
  • Profile Data: Password (stored in hashed form) and account preferences.
  • Communications Data: Information from interactions with us, including via email or customer support.
  • Payment Data: Payment card or billing details for Pro and Teams plan transactions, processed by Stripe, Inc. We do not store full payment card numbers on our servers.
  • Transactional Data: Subscription status, plan type, billing history, and transaction identifiers.
  • Marketing Data: Preferences for receiving marketing communications and engagement details.
  • User-Generated Content Data: Prompts, queries, tool inputs and outputs, and model responses associated with your use of the AI-powered features of the Service. In Standard mode, we may retain this interaction content for up to thirty (30) days for support, debugging, abuse prevention, and service reliability. In Privacy mode, we suppress storage of this interaction content and retain operational metadata only. We do not store full spreadsheet files.
  • Spreadsheet Data: When using the Google Sheets add-on, we access your spreadsheet data (cell values, sheet names, and structure) to process your prompts. We do not store full spreadsheet files.
  • Referral Data: Referral codes used during registration.
  • Team Data: For Teams plan users, team membership, roles, and usage analytics.
  • Derived Data: Preferences or interests inferred from your activities on the Service.

Third-Party Sources:

  • Payment Processor: Stripe, Inc. provides us with subscription status and payment confirmation data.
  • Analytics Partners: PostHog and similar analytics services provide usage analytics data, which may include identifiers.
  • Google Sign-In: If you sign in with Google, we receive your name, email address, and Google user identifier.

Automatic Data Collection:

We, our service providers, and partners may automatically collect:

  • Device Data: Operating system, browser type, IP address, unique device identifiers, and device fingerprint (for fraud prevention).
  • Online Activity Data: Pages viewed, features used, time spent, navigation paths, access times, and referring URLs.
  • Communication Interaction Data: Email open and click-through data for marketing communications.

Cookies and Similar Technologies:

  • Cookies: Session and persistent cookies for authentication, tracking, and preferences.
  • Local Storage: HTML5 local storage for authentication tokens and user preferences.
  • Web Beacons: Pixel tags to track email and page interactions.
  • Analytics SDKs: PostHog and similar tools for product analytics and user behavior tracking.

HOW WE USE YOUR PERSONAL INFORMATION

Service Delivery and Operations:

  • Provide and operate the Service, including AI-powered spreadsheet analysis and automation
  • Process your queries and spreadsheet data through our AI systems to generate outputs
  • Personalize your experience and preferences
  • Establish and maintain your Account
  • Process payments and manage subscriptions
  • Communicate Service-related information, including updates and security alerts
  • Provide customer support and respond to inquiries
  • Detect, prevent, and address fraud, abuse, and security issues

AI and Machine Learning:

We process your inputs (spreadsheet data and queries) through third-party AI models to generate outputs for you. This processing is necessary to deliver the core functionality of the Service.

Model Training: We do not use identifiable customer data to train AI models. We may use anonymized and aggregated usage data to improve the Service and our proprietary systems. Pro and Teams users can contact us to opt out of anonymized usage data. In Standard mode, interaction content logs may be retained for up to thirty (30) days. Operational metadata logs may be retained for up to ninety (90) days. In Privacy mode, interaction content storage is suppressed and metadata-only logging applies (see Data Retention).

Third-Party AI Providers: Our third-party AI service providers process your data to provide the Service. We select providers that state they do not use API data to train their models without permission, and we do not authorize them to do so.

Marketing and Advertising:

  • Direct Marketing: Personalized communications about the Service with opt-out available via unsubscribe link or Account settings
  • Analytics: Product usage analytics to improve the Service experience

HOW WE SHARE YOUR PERSONAL INFORMATION

  • Affiliates: Our parent company, subsidiaries, and affiliates, if any
  • Service Providers: Third parties that help us operate the Service (hosting, email delivery, analytics, error monitoring, observability, fraud prevention, customer support)
  • Third-Party AI Providers: AI service providers that process your inputs to generate outputs (see Sub-processors section below)
  • Payment Processor: Stripe, Inc. for processing subscription payments
  • Analytics Partners: PostHog for product analytics (event metadata and identifiers; we do not send prompt content)
  • Team Administrators: If you are part of a Teams plan, your team administrator may have access to usage data and Account information
  • Authorities: Law enforcement, regulators, or other parties when required by law, to protect our rights, or to ensure the safety of our users
  • Business Transfers: In connection with a merger, acquisition, bankruptcy, or sale of all or a portion of our assets, your data may be transferred to the acquiring entity

We do not sell your personal information. We do not share your personal information with third parties for their direct marketing purposes.

SUB-PROCESSORS

We use the following third-party sub-processors to deliver the Service. Each sub-processor is contractually obligated to protect your data and process it only as necessary to provide services to us. We may route your data through one or more of the following AI providers depending on model availability and performance:

Sub-processorPurposeLocation
xAI Corp.AI model inference (processing queries and generating outputs)United States
Anthropic, PBCAI model inference (processing queries and generating outputs)United States
OpenAI, LLCAI model inference (processing queries and generating outputs)United States
Fireworks AI, Inc.AI model inference (processing queries and generating outputs)United States
Amazon Web Services (AWS)Cloud hosting, infrastructure, email delivery (SES), and AI model inference via Amazon BedrockUnited States
Stripe, Inc.Payment processingUnited States
PostHog, Inc.Product analytics (event metadata and identifiers)United States
Sentry, Inc.Error monitoring and diagnosticsUnited States
Grafana Labs, Inc.Frontend observability and telemetry (Faro)United States
FingerprintJS, Inc.Fraud prevention device fingerprintingUnited States
Google LLC (Google Sheets API)Spreadsheet data access on behalf of user via the Google Sheets add-onUnited States
Google LLC (Google Workspace)Customer support email communicationsUnited States

We may update this list when we add or change sub-processors. Our Data Processing Addendum (DPA) is available at getgriddy.ai/dpa. For Teams plan customers with a DPA, we will make reasonable efforts to provide advance notice of any new sub-processor additions. If you object to a new sub-processor, you may terminate your subscription by contacting us.

YOUR CHOICES

  • Access or Update: Access or update your Account information via Account settings at https://getgriddy.ai/settings
  • Data Export: Request an export of your personal data by contacting us at will@getgriddy.ai
  • Account Deletion: Delete your Account through Account settings or by contacting us. Deletion will be processed within a reasonable timeframe
  • Privacy Mode: Enable Privacy mode from Account settings to suppress storage of prompt/tool/response content and keep metadata-only logs. Team owners may enforce Privacy mode for all team members.
  • Opt Out of AI Data Usage: Pro and Teams users can opt out of anonymized data usage for Service improvement by contacting us
  • Marketing Communications: Opt out of marketing emails by clicking "unsubscribe" in any marketing email or visiting https://getgriddy.ai/unsubscribe
  • Cookies: Control cookies through your browser settings. Note that disabling cookies may affect Service functionality
  • Revoke Google Access: You can revoke the Griddy add-on's access to your Google account at any time via your Google Account settings (Security → Third-party apps)

DATA RETENTION AND DELETION

We retain your personal information only as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required by law. Specific retention periods include:

  • Account Data: Retained for the duration of your Account plus ninety (90) days after deletion to allow for account recovery and dispute resolution
  • Interaction Content Logs (Standard Mode): Prompts, tool inputs and outputs, and model responses retained for up to thirty (30) days for support, debugging, abuse prevention, and service reliability, then deleted.
  • Interaction Content Logs (Privacy Mode): Prompt/tool/response content is not persistently stored in product logs.
  • Operational Metadata Logs: Timestamps, tool names, status, latency, token and cost usage, and error codes retained for up to ninety (90) days for reliability, security, abuse prevention, and billing operations, then deleted or anonymized.
  • Payment Data: Retained as required by tax and financial regulations (typically seven (7) years for transaction records)
  • Analytics Data: Anonymized or aggregated analytics data may be retained indefinitely
  • Legal Hold: Data may be retained beyond standard periods if required for legal proceedings, regulatory investigations, or to enforce our agreements

When personal data is no longer needed, we securely delete or anonymize it in accordance with our data management practices.

OTHER SITES AND SERVICES

The Service may contain links to third-party websites or services, including Microsoft AppSource, Google Workspace Marketplace, and Stripe. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.

SECURITY

We employ commercially reasonable technical and organizational safeguards to protect your personal information, including encryption of data in transit (TLS) and at rest, secure authentication mechanisms, access controls, and regular security assessments. However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security. We encourage you to use a strong, unique password for your Account.

DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will:

  • Notify affected individuals without undue delay via email and, where appropriate, via a notice on our Website
  • Notify the relevant supervisory authority and affected users as required by applicable law
  • Provide information about: the nature of the breach, the categories and approximate number of individuals and data records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects
  • Maintain appropriate records of incidents as required by applicable law

Teams plan customers with a DPA will receive breach notifications in accordance with the terms of their DPA.

INTERNATIONAL DATA TRANSFERS

Your personal information may be transferred to and processed in the United States, where our servers and service providers are located. If you are located outside the United States, please be aware that data protection laws in the U.S. may differ from those in your jurisdiction.

For EU/EEA and UK users, we will work with customers to put appropriate safeguards in place for international data transfers where required, which may include Standard Contractual Clauses (SCCs). Teams plan customers may request copies of applicable safeguards by contacting us.

CHILDREN

The Service is not intended for users under 18 years of age. We do not knowingly collect personal information from children under 18. If we learn that we have collected personal information from a child under 18, we will take steps to delete that information promptly. If you believe we have inadvertently collected information from a child, please contact us at will@getgriddy.ai.

GOOGLE API SERVICES USER DATA POLICY

Griddy's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time. For material changes, we will make reasonable efforts to provide notice via email to the address associated with your Account and/or by posting a prominent notice on our Website. Your continued use of the Service after the effective date of the updated Privacy Policy constitutes your acceptance of the changes. We encourage you to review this Privacy Policy periodically.

HOW TO CONTACT US

For privacy-related inquiries, data subject requests, or to exercise any of your rights: will@getgriddy.ai

For general inquiries: will@getgriddy.ai

Mailing Address:
Koda Technologies, Inc.
850 New Burton Road, Suite 201
City of Dover, County of Kent, Delaware 19904

STATE PRIVACY RIGHTS NOTICE

Residents of certain U.S. states have additional privacy rights under state law. To exercise these rights, contact will@getgriddy.ai. We will respond to verifiable requests within the timeframes required by applicable law.

California Residents (CCPA/CPRA):

  • Right to Know: Request details about the personal information we collect, use, and share
  • Right to Delete: Request deletion of your personal information, subject to legal exceptions
  • Right to Correct: Request correction of inaccurate personal information
  • Right to Opt Out: We do not sell personal information or share it for cross-context behavioral advertising
  • Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights
  • Shine the Light Law: Request information about personal data shared with third parties for their direct marketing purposes (we do not share data for this purpose)

Colorado, Connecticut, Virginia, and Other State Residents:

If you are a resident of Colorado, Connecticut, Virginia, Utah, Texas, Oregon, Montana, or other states with comprehensive privacy laws, you may have similar rights to access, delete, correct, and opt out of certain data processing. Contact us to exercise these rights.

Nevada Residents:

Nevada residents may opt out of the future sale of personal information by contacting will@getgriddy.ai. We do not currently sell personal information as defined under Nevada law.