Privacy Policy

Last updated: December 25, 2025

1. Introduction

Welcome to Grabient ("we," "our," or "us"). We are committed to protecting your privacy and being transparent about how we collect, use, and share your personal information. This Privacy Policy explains our practices regarding data collection when you use our website at grabient.com (the "Service").

By using Grabient, you agree to the collection and use of information in accordance with this policy. If you do not agree with our practices, please do not use our Service.

2. Information We Collect

2.1 Information You Provide

When you create an account or use our Service, you may provide:

  • Account Information: Email address, username (optional), and profile avatar image (optional)
  • Authentication Data: If you sign in with Google OAuth, we receive your Google account email and profile information
  • User-Generated Content: Gradient palettes you create and save, including gradient parameters (seed, style, steps, angle)
  • Contact Information: Email address and message content when you use our contact form

2.2 Information Collected Automatically

When you access or use our Service, we automatically collect:

  • Device and Browser Information: IP address, browser type and version, operating system, and user agent
  • Usage Data: Pages visited, features used, gradient actions (copying, downloading, saving), and interaction patterns
  • Session Information: Session tokens, login timestamps, and session expiration data

3. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve our Service
  • Create and manage your account, including authentication
  • Save and display your gradient palettes and preferences
  • Respond to your inquiries and provide customer support
  • Send transactional emails (magic links for authentication, account deletion confirmation)
  • Analyze usage patterns to improve user experience
  • Monitor and prevent fraud, abuse, and security issues
  • Comply with legal obligations

4. Third-Party Services

We use the following third-party services to operate and improve our Service. These services may collect information about you as described below:

4.1 Analytics Services

  • PostHog: We use PostHog for product analytics to understand how users interact with our Service. PostHog may collect usage events, page views, and interaction data. With your consent, PostHog may also record sessions (with sensitive data masked). PostHog is GDPR-compliant and participates in the EU-US Data Privacy Framework. Learn more: PostHog Privacy Policy
  • Google Analytics 4: We use Google Analytics to analyze website traffic and usage patterns. Google Analytics collects information such as pages visited, time spent on pages, and demographic data. IP addresses are anonymized by default in GA4. Learn more: Google Privacy Policy

4.2 Advertising

  • Google AdSense: We display ads served by Google. Google may use cookies to serve ads based on your prior visits to this or other websites. You can opt out of personalized advertising at Google Ads Settings. Learn more: Google Privacy Policy

4.3 Error Tracking

  • Sentry: We use Sentry to monitor and fix errors in our Service. Sentry may collect error reports, browser information, and diagnostic data. With your consent, Sentry may also record sessions for debugging purposes (with sensitive data masked). Sentry is GDPR-compliant and certified under the EU-US Data Privacy Framework. Learn more: Sentry Privacy Policy

4.4 Infrastructure Services

  • Cloudflare: Our Service is hosted on Cloudflare's infrastructure, including Cloudflare Workers (computing), D1 (database), and R2 (file storage). All data is encrypted at rest and in transit. Cloudflare is GDPR-compliant and offers data processing agreements. Learn more: Cloudflare GDPR Compliance
  • Resend: We use Resend to send transactional emails (authentication links, account notifications). Resend processes email addresses and message content. Resend is GDPR-compliant and certified under the EU-US Data Privacy Framework. Learn more: Resend Privacy Policy

4.5 Authentication Services

  • Google OAuth: If you choose to sign in with Google, we receive basic profile information from Google (email, name, profile picture). We do not receive your Google password. Learn more: Google Privacy Policy

5. Cookies and Tracking Technologies

We use cookies and similar technologies to operate our Service and collect information:

5.1 Cookie Consent Management

We use Cloudflare Zaraz to manage third-party tools and cookie consent in compliance with GDPR and other privacy regulations. Zaraz loads third-party scripts through Cloudflare's edge network, improving privacy and performance. Learn more: Cloudflare GDPR Compliance

5.2 Essential Cookies

These cookies are necessary for the Service to function and cannot be disabled:

  • Session cookies: Used to maintain your login session (HTTP-only, secure)
  • Consent preferences: Stored in localStorage to remember your privacy choices
  • Theme preference: Stored in localStorage to remember your light/dark mode setting

5.3 Analytics Cookies (Consent Required)

With your consent, we use analytics cookies from:

  • PostHog (product analytics)
  • Google Analytics 4 (web analytics)
  • Sentry (error tracking)

5.4 Advertising Cookies (Consent Required)

With your consent, we use advertising cookies from:

  • Google AdSense (personalized advertising)

These cookies enable personalized ads based on your browsing activity. You can opt out of personalized advertising at any time through our cookie consent banner or in your account settings.

5.5 Regional Consent Behavior

Our consent defaults vary by region based on applicable privacy laws:

  • EEA, UK (GDPR regions): All non-essential cookies and tracking are disabled by default. You must explicitly opt-in to enable analytics, session replay, or advertising features.
  • Other regions: Analytics and advertising are enabled by default under legitimate interest. You can opt-out at any time in your account settings.

5.6 Session Recording (Separate Consent Required)

With your explicit consent to Session Replay, we may record your session to understand how users interact with our Service and identify usability issues. Session Replay is a separate consent option from Analytics. Session recordings:

  • Are fully anonymized with all text and inputs masked
  • Block media and images from being recorded
  • Require separate opt-in via the Session Replay toggle in your settings

6. Your Privacy Choices

6.1 Consent Management

You can manage your privacy preferences at any time by visiting the Privacy & Consent section in your account settings. There you can individually toggle:

  • Analytics: Anonymous usage analytics to help us improve
  • Session Replay: Anonymized session recordings
  • Marketing: Personalized ads and marketing content

6.2 Account Controls

If you have an account, you can:

  • Update your profile information in account settings
  • Delete your saved gradients
  • Delete your account entirely (this permanently removes all your data)

6.3 Browser Controls

Most browsers allow you to control cookies through their settings. You can also use browser extensions to block tracking. Note that blocking essential cookies may affect the functionality of our Service.

7. Data Retention

We retain your personal information for as long as necessary to provide our Service and fulfill the purposes described in this policy:

  • Account data: Retained until you delete your account
  • Session data: Sessions expire after 7 days of inactivity
  • Magic link tokens: Expire after 5 minutes
  • Account deletion tokens: Expire after 24 hours
  • Analytics data: Retained according to each third-party provider's retention policy
  • Contact form messages: Retained as needed to respond to inquiries

8. Data Security

We implement appropriate technical and organizational measures to protect your personal information:

  • All data is encrypted in transit using TLS/HTTPS
  • All data is encrypted at rest (AES-256)
  • Passwords are hashed using scrypt algorithm
  • Session cookies are HTTP-only and secure
  • Rate limiting protects against abuse
  • CSRF protection is enabled on all forms

While we strive to protect your information, no method of transmission over the Internet is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own, including the United States. Our service providers maintain appropriate safeguards for international data transfers:

  • EU-US Data Privacy Framework certification (where applicable)
  • Standard Contractual Clauses (SCCs) for EU data
  • Data Processing Agreements with all subprocessors

10. Your Rights

10.1 Rights for All Users

Regardless of your location, you have the right to:

  • Access the personal information we hold about you
  • Correct inaccurate personal information
  • Delete your account and associated data
  • Withdraw consent for analytics and tracking

10.2 Additional Rights for EU/EEA Residents (GDPR)

If you are in the European Union or European Economic Area, you also have the right to:

  • Request restriction of processing of your personal data
  • Object to processing based on legitimate interests
  • Request data portability (receive your data in a structured, machine-readable format)
  • Lodge a complaint with your local data protection authority

10.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what personal information we collect, use, and disclose
  • Request deletion of your personal information
  • Opt-out of the "sale" or "sharing" of your personal information
  • Non-discrimination for exercising your privacy rights

We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising.

11. Children's Privacy

Our Service is not directed to children under 13 years of age (or 16 in the EU). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any material changes by posting the new policy on this page and updating the "Last updated" date. We encourage you to review this policy periodically.

13. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your privacy rights, please contact us. For data protection inquiries, please include "Privacy Request" in your message subject.