Privacy Policy

Effective Date: March 29, 2026 | Last Updated: March 29, 2026

GrantDrop LLC, a Texas limited liability company ("GrantDrop," "we," "us," or "our"), operates the website at grantdrop.com (the "Service"). This Privacy Policy explains how we collect, use, disclose, and protect your personal information when you use our Service.

GrantDrop acts as the data controller (or "business" under CCPA) for the personal information described in this policy. Third-party services listed in Section 3 act as data processors (or "service providers") on our behalf, subject to written agreements restricting their use of your data.

This policy applies to all users of the Service. The Service is intended for users in the United States. All data is processed and stored in the United States.

By creating an account, you acknowledge that you have read and understand this Privacy Policy. Your use of the Service is also governed by our Terms of Service.

1. Information We Collect

1.1 Information You Provide Directly

  • Account information: Email address used for registration and login.
  • Organization information: Employer Identification Number (EIN), organization name, city, county, and mission statement as entered during onboarding or in account settings.
  • Project information: Project descriptions, problem statements, activities, target populations, outcomes, staff details, and other information you provide through the grant draft wizard.
  • Communication data: Information you provide when contacting us at support@grantdrop.com.

1.2 Information from Public Sources

  • IRS data: Publicly available nonprofit data from IRS Business Master File records and IRS Form 990 filings, including organization name, address, NTEE code, financial data (revenue, expenses, assets), officer names, and program descriptions.
  • ProPublica data: We use the ProPublica Nonprofit Explorer API to enrich organization profiles with publicly available 990 data.
  • Grant data: Grant opportunities sourced from Grants.gov, foundation websites, and other public sources.

1.3 Information Collected Automatically

  • Session data: We use a single session cookie ("gd_session") to maintain your login state. See Section 11 for details.
  • Log data: Our servers automatically record your IP address, browser type, pages visited, and timestamps. This data is used for security monitoring, rate limiting, and error diagnosis.
  • Error monitoring: We use Sentry for error tracking. Sentry receives technical error information (stack traces, request URLs) but not personally identifiable information (PII transmission to Sentry is disabled in our configuration).

1.4 Information We Do Not Collect

  • We do not use analytics cookies, advertising cookies, or social media tracking pixels.
  • We do not collect payment card numbers. All payment information is processed directly by Stripe and never touches our servers.
  • We do not knowingly collect personal information from children under 13 (see Section 13).

2. How We Use Your Information

  • Providing the Service: To match your organization with grant opportunities, generate grant proposal drafts, and manage your account.
  • AI processing: Your organization information and project details are sent to our AI provider (Anthropic) to generate grant matches and draft content. See Section 4 for details.
  • Communication: To send magic link login emails, deadline alerts, weekly grant digests, and service notifications via SendGrid.
  • Payment processing: To process subscription payments through Stripe.
  • Security and fraud prevention: To monitor for unauthorized access, enforce rate limits, and protect against abuse.
  • Personalization: To learn your grant preferences from your save and dismiss actions and adjust match rankings accordingly. This personalization is based solely on your in-app actions, not on external data.
  • Service improvement: To identify and fix bugs and understand aggregate usage patterns (e.g., which features are most used, error rates). We do not review individual user content for improvement purposes, and we do not use your data to train AI models.

3. How We Share Your Information

We do not sell your personal information. We do not share your personal information for targeted advertising or cross-context behavioral advertising. We share information only with the following processors/service providers, solely to operate the Service:

Provider Purpose Data Shared Policy
Anthropic AI processing Org name, mission, EIN, project details, grant info Policy
Stripe Payments Email, EIN (metadata) Policy
SendGrid (Twilio) Email delivery Email address, email content Policy
Sentry Error monitoring Technical error data (no PII) Policy
Google OAuth (optional) Email and profile name (openid, email, profile scopes) Policy
Railway Hosting All Service data (encrypted) Policy

We may also disclose your information: (a) if required by law, court order, or governmental authority; (b) if we believe disclosure is necessary to protect our rights, your safety, or the safety of others; or (c) in connection with a merger, acquisition, or sale of all or substantially all of our assets, in which case your data would be transferred to the successor entity, which would be bound by this Privacy Policy. We will notify you by email and post a notice on the Service if such a transfer occurs.

4. AI Data Processing and Automated Decision-Making

GrantDrop uses Anthropic's Claude API to provide AI-powered grant matching and draft generation. This constitutes automated decision-making and profiling as follows:

  • What AI does: AI analyzes your organization's profile against grant opportunities to produce match scores, match analyses, and draft proposal text. These scores and analyses influence which grants are presented to you and in what order.
  • No training on your data: We use Anthropic's commercial API, governed by Anthropic's Commercial Terms of Service. Under these terms, Anthropic does not use API inputs or outputs to train their AI models. This is contractually enforced.
  • Data retention by Anthropic: Anthropic may retain API inputs and outputs for up to 30 days for safety monitoring and abuse prevention, after which they are deleted. Anthropic processes data in the United States.
  • What is sent to Anthropic: Organization name, mission, city, county, NTEE code, financial summary, project descriptions, and grant details. We do not send your email address or payment information to Anthropic.
  • Significance and automated decision-making: AI matching determines which grants you see and their relevance scores. AI draft generation produces text you may use in grant applications. These are informational outputs, not consequential decisions as defined by applicable law. No automated decision made by the Service determines your eligibility for any grant, benefit, or opportunity. All AI outputs are advisory and require human review before action.
  • Your choices: You may edit or discard any AI-Generated Content. You may delete your account to remove all stored AI outputs. The core Service functionality (AI matching and drafting) requires AI processing; if you do not wish your data to be processed by AI, you should not use the Service.
  • AI interaction logs: GrantDrop retains records of AI-Generated Content (including the prompts sent to the AI provider and the outputs received) as part of your account data. These records are retained for as long as your account is active and are deleted upon account deletion. This retention enables us to provide support, investigate disputes, and respond to legal claims.
  • Contractual safeguards: GrantDrop's use of Anthropic's API is governed by Anthropic's Commercial Terms of Service, which include a Data Processing Addendum with data protection commitments. We maintain contractual safeguards with all sub-processors to protect your data in accordance with applicable law.

5. Data Retention

  • Account data: Retained for as long as your account is active.
  • After account deletion: All associated data (client record, matches, drafts, email logs) is permanently deleted from our production database immediately. Database backups may retain deleted data for up to 30 days before being overwritten. Data previously sent to Anthropic may be retained by Anthropic for up to 30 days per their retention policy. Total maximum retention after deletion: up to 60 days across all systems.
  • Public nonprofit data: Publicly sourced IRS data is retained independently of user accounts, as it is public information.
  • Server logs: IP addresses and request logs are retained for up to 90 days for security purposes.
  • Payment data: Transaction history and subscription records are retained by Stripe in accordance with Stripe's privacy policy. We retain billing metadata (subscription tier, dates) as part of your account data.

6. Your Privacy Rights

Depending on your location, you have the following rights regarding your personal information:

  • Right to know: Request details about the personal information we collect, use, and share.
  • Right to access: Request a copy of the personal information we hold about you.
  • Right to correction: Update your organization information through the settings page, or contact us to correct inaccurate data.
  • Right to deletion: Delete your account and all associated data through the account settings page, or by contacting us.
  • Right to data portability: Export your data in a structured, commonly used format (JSON) at any time through Settings → Account → Export my data, or contact us at support@grantdrop.com to request an export.
  • Right to opt out of sale: We do not sell personal information. No opt-out is necessary.
  • Right to non-discrimination: We will not discriminate against you for exercising any of your privacy rights.

How to exercise your rights: You may submit a request by:

Verification: To protect your privacy, we will verify your identity before processing rights requests. For account holders, we verify by confirming the email address associated with your account via magic link. For non-account-holders, we may request additional identifying information.

Response time: We will respond to verifiable requests within 45 days. If we need additional time (up to 45 more days), we will notify you of the extension and the reason.

Appeals: If we decline to act on your privacy request, we will inform you of our reasons within 45 days. You may appeal our decision by emailing support@grantdrop.com with the subject line "Privacy Appeal." We will respond to your appeal within 60 days. If we deny your appeal, we will provide information on how to contact the Texas Attorney General to submit a complaint.

7. Texas Data Privacy and Security Act (TDPSA)

GrantDrop is based in Texas and complies with the Texas Data Privacy and Security Act (effective July 1, 2024):

  • We collect only personal data that is reasonably necessary to provide the Service (data minimization).
  • We do not process sensitive personal data (as defined by TDPSA) without consent.
  • We do not sell personal data or use it for targeted advertising.
  • We honor Global Privacy Control (GPC) signals as required since January 1, 2025. Because GrantDrop does not engage in targeted advertising or data sales, GPC signals have no functional effect on our Service, but we recognize and respect them.
  • Texas residents may exercise all privacy rights described in Section 6, including the right to appeal denied requests.
  • We have entered into written data processing agreements with our processors as required by TDPSA Section 541.107.

8. California Privacy Rights (CCPA/CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

Categories of personal information collected:

  • Identifiers (email address, EIN, IP address)
  • Commercial information (subscription status, billing dates)
  • Internet or electronic network activity (log data, pages visited)
  • Professional or employment-related information (organization name, role)

Categories of sources:

  • Directly from you (registration, settings, draft wizard)
  • Public records (IRS BMF, IRS 990 filings, ProPublica)
  • Automatically collected (server logs, session cookie)

Categories of third parties receiving personal information:

  • AI processing providers (Anthropic)
  • Payment processors (Stripe)
  • Email service providers (SendGrid/Twilio)
  • Cloud hosting providers (Railway)
  • Error monitoring services (Sentry)
  • Authentication providers (Google, only if you use Google Sign-In)

Purpose of collection: To provide grant matching and draft generation services, process payments, communicate with you, and maintain security. See Section 2 for full details.

Sale or sharing: We do not sell or share (as defined by CCPA/CPRA) personal information for cross-context behavioral advertising. Data shared with Anthropic is for service provision only, not for advertising or behavioral purposes, as contractually enforced under Anthropic's Commercial Terms.

Sensitive personal information: We collect your email address in combination with your magic link authentication token, which may constitute sensitive personal information under CCPA. This data is used solely for authentication purposes and is not used for any purpose other than providing the Service. You have the right to limit the use of sensitive personal information to uses necessary to perform the Service.

Because GrantDrop does not sell or share personal information, a "Do Not Sell or Share" link is not required. You may contact us at support@grantdrop.com at any time to confirm your data is not being sold or shared.

Retention: For data retention periods by category, see Section 5 of this Privacy Policy.

California residents may exercise all rights described in Section 6 by emailing support@grantdrop.com or through the settings page.

9. Data Security

We implement reasonable administrative, technical, and physical safeguards to protect your personal information, including:

  • Encryption in transit (HTTPS/TLS for all connections)
  • Encryption at rest (database and backups)
  • Passwordless authentication (no passwords stored)
  • Session security (HttpOnly, SameSite, Secure cookies)
  • CSRF protection on all form submissions
  • Content Security Policy headers
  • Rate limiting to prevent brute-force attacks
  • Input validation and XSS sanitization

No method of transmission or storage is completely secure. While we strive to protect your data, we cannot guarantee absolute security.

10. Data Breach Notification

If we become aware of a data breach affecting your personal information, we will:

  • Notify affected users by email without unreasonable delay, and in any event within 60 days of confirming the breach, as required by Texas law (Tex. Bus. & Com. Code 521.053).
  • Notify the Texas Attorney General if the breach affects 250 or more Texas residents.
  • Describe in the notification: the nature of the breach, the categories of data affected, the steps we are taking to address it, and recommended steps you can take to protect yourself.

11. Cookies

GrantDrop uses a single, essential session cookie ("gd_session") to maintain your authentication state. This cookie:

  • Is strictly necessary for the Service to function
  • Contains an encrypted session identifier only
  • Uses a sliding expiration of 30 days (resets on each authenticated visit)
  • Is not used for tracking, analytics, or advertising
  • Is marked HttpOnly (inaccessible to JavaScript), SameSite=Lax, and Secure (HTTPS only in production)

We do not use analytics, advertising, or third-party tracking cookies.

12. Do Not Track and Global Privacy Control

GrantDrop does not track users across third-party websites and does not use advertising or analytics tracking. We honor Global Privacy Control (GPC) signals. Because we do not engage in data sales, sharing for advertising, or cross-site tracking, all users are treated as if tracking is disabled, regardless of browser settings.

13. Children's Privacy

The Service is not directed at children under 13 years of age. The Service is restricted to authorized representatives of nonprofit organizations who must be at least 18 years old (per our Terms of Service, Section 2), which functionally excludes minors. We do not knowingly collect personal information from children under 13. If we learn that we have collected personal information from a child under 13, we will delete that information promptly. If you believe a child under 13 has provided us with personal information, please contact us at support@grantdrop.com.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes (including changes to data sharing practices, AI processing, or your rights), we will notify you by email at least 30 days before the changes take effect. The "Last Updated" date at the top indicates the most recent revision.

15. Contact Information

If you have questions about this Privacy Policy or wish to exercise your privacy rights:

Email: support@grantdrop.com

Privacy requests: grantdrop.com/settings (account holders)

Website: grantdrop.com