The Grid

Privacy Policy

Effective 2026-05-26

1. Who we are

The Grid, Inc. (“The Grid”, “we”, “us”) operates the marketing operations calendar at tothegrid.co. This Privacy Policy describes how we collect, use, share, and protect data in connection with our service. It applies to brand operators who use The Grid (“operators”, “you”) and to visitors of our marketing site.

2. Data we collect from you directly

  • Account information — name, email address, password hash, account preferences
  • Brand workspace information — brand name, description, configured settings, billing details
  • Content you create — campaigns, channel plans, event cards, sticky notes, documents, brief sections, postmortems, comments, and any other content authored inside the service
  • Communications — emails to support, feedback you provide, responses to our customer interviews
  • Usage telemetry — pages visited, features used, captured via Vercel Analytics, which is cookie-free

3. Data we collect from connected channel APIs

When you connect a third-party tool to your brand workspace, we ingest data from that provider using the scopes you grant via OAuth, or via API credentials you provide when OAuth is unavailable. The scopes and data categories per provider:

  • Meta (Ads, Instagram, Facebook) — scopes including ads_read, business_management, instagram_basic, and instagram_manage_insights: campaign objects, ad set objects, ad creative, performance metrics, audience insights
  • Google Ads — campaign objects, ad group objects, keyword performance, conversion data
  • Google Analytics 4 — session, page-view, and event metrics for properties you authorize
  • Klaviyo — campaign sends, opens, clicks, unsubscribes, flow performance, subscriber counts, audience segments
  • Postscript — SMS campaign sends, opens, clicks, subscriber lifecycle events
  • Shopify — order data, product data, promo code performance, discount usage, customer count
  • Amazon Seller (SP-API) — order data, advertising performance, sales reports
  • Recharge — subscription counts, MRR, churn, subscriber lifecycle events
  • TikTok Ads — campaign objects, ad performance, audience insights
  • Gorgias — ticket volume, response times, channel breakdowns
  • Google Drive — files and folders in folders you specifically authorize for asset ingestion

4. How we use your data

  • Display in product — to show campaigns, signals, attribution, and analytics in your brand workspace
  • Power AI features — campaign drafting, brand-voice priming, and tactical priming use your data as context to produce drafts within your account. We do not sell, share, or use your data to train third-party general-purpose models.
  • Run analytics for your connected brand — compute KPIs, forecasts, attribution windows, cohort analyses, and other derived metrics for your dashboards
  • Communicate with you — transactional emails about your account, the service, security, and product updates
  • Improve the service — anonymized aggregate usage data informs product decisions

We do not sell your data. We do not share it with third parties for their own marketing or advertising purposes. The only third parties that receive your data are the subprocessors named below, who process it strictly on our behalf under contract.

5. Subprocessors

The following service providers process data on our behalf, under contract, in support of the service:

  • Vercel — application hosting, edge network, deployment analytics
  • Liveblocks — multiplayer state, presence, real-time collaborative editing
  • OpenAI and Anthropic — AI model providers used for campaign drafting and brand-voice priming. Prompts are sent to these providers but neither is authorized to use your data to train their models.
  • Resend — transactional email delivery

We update this list when our subprocessors change. Material changes are communicated to operators via in-product notification or email.

6. Retention

  • Signal data ingested from channel APIs — default retention of 24 months from ingestion. You can configure retention in Settings → Data retention, subject to a minimum required by your subscription tier.
  • Campaign content you author — retained while your account is active. Deleted on account closure or upon explicit deletion request.
  • Account records — retained while active. Deleted within 30 days of account closure, subject to legal compliance retentions described below.
  • Backups — encrypted backups are retained for up to 90 days for disaster recovery. Deleted data may persist in backups for the duration of that window before being overwritten.
  • Compliance retentions — anonymized aggregate usage data, records required by tax authorities, and limited records required to enforce our Terms of Service (such as a hash of an account email to prevent re-registration in cases of policy violation) may be retained longer than the windows above.

7. Your rights

If you are in the EU, UK, California, or another jurisdiction with comparable data protection law, you have the following rights:

  • Access — request a copy of the personal data we hold about you (GDPR Article 15)
  • Rectification — correct inaccurate or incomplete data (Article 16)
  • Erasure — request deletion (Article 17). See our Data deletion page for the process.
  • Restriction — restrict our processing of your data (Article 18)
  • Portability — receive your data in a portable, machine-readable format (Article 20)
  • Objection — object to our processing on grounds relating to your particular situation (Article 21)
  • Automated decision-making — opt out of decisions made solely by automated means (Article 22). We do not currently use solely-automated decision-making.

You also have the right to lodge a complaint with your local data protection authority.

8. Data deletion process

For the canonical deletion process, see our Data deletion page. Requests are processed within 30 days.

9. Cookies and tracking

We use Vercel Analytics for usage telemetry, which is cookie-free and privacy-friendly. We do not use Google Analytics, Facebook Pixel, Hotjar, or other tracking tools that require consent banners. If we add any cookies that require consent in the future, we will display a consent banner before any such cookie is set.

10. Security

We protect your data with industry-standard measures including encryption in transit (TLS 1.2+) and at rest, OAuth-based authentication with connected providers, scoped API tokens, and regular access audits. We restrict access to production systems to authorized personnel and require strong multi-factor authentication. We will notify affected operators without undue delay in the event of a personal data breach that is likely to result in a high risk to their rights and freedoms.

11. International transfers

Our infrastructure is hosted in the United States. If you access the service from outside the United States, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses or other lawful transfer mechanisms where applicable to safeguard cross-border transfers.

12. Children

The Grid is a business-to-business product not directed to children. We do not knowingly collect personal data from anyone under 18.

13. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be announced in-product, and the Effective date above will be revised. We encourage you to review this policy periodically.

14. Contact

For data requests — including access, deletion, or any of the rights described in Section 7 — contact us at privacy@tothegrid.co. We aim to respond within 30 days.

For general questions about this policy, contact hello@tothegrid.co.