Privacy Policy

Last updated: 10 June 2026

1. Who we are

Grix (“Grix”, “we”, “us”, “our”) is a SaaS automation platform for content creators. The service is operated by Grzegorz Olszewski, based in Poland, EU.

Contact: hello@grix.co

2. What data we collect

2.1 Account and profile data

  • Name and email address (provided when signing up or submitting the lead form)
  • Social media platform handles and account IDs (provided during onboarding)
  • Billing address and payment method (handled by Stripe — we never store card numbers)

2.2 Usage and automation data

  • Workflow execution logs (timestamps, status, module name) — stored for 30 days
  • AI style samples you provide (your own message examples) — stored until you delete them
  • Social media messages processed by our automation (DMs, comments) — not stored persistently; processed in memory and discarded

2.3 Technical data

  • IP address and browser type when using our web dashboard
  • Anonymous analytics events (page views, form submissions) via privacy-first analytics (no cookies, no fingerprinting)

3. Legal basis for processing (GDPR)

  • Contract performance (Art. 6(1)(b)) — processing necessary to provide the automation service you subscribed to.
  • Legitimate interest (Art. 6(1)(f)) — fraud prevention, security monitoring, and service improvement.
  • Consent (Art. 6(1)(a)) — marketing emails (you can withdraw at any time).
  • Legal obligation (Art. 6(1)(c)) — tax records required by Polish law.

4. How we use your data

  • To operate and improve the automation modules you use
  • To send transactional emails (receipts, onboarding, service alerts)
  • To send marketing emails if you opted in (unsubscribe at any time)
  • To detect and prevent abuse, fraud, and security incidents
  • To comply with legal obligations (tax, accounting)

We never sell your data. We never use your private messages to train public AI models.

5. Third-party processors

We share data with the following processors under Data Processing Agreements:

ProcessorPurposeLocation
StripePayment processing and subscriptionsUSA (SCCs)
Oracle Cloud (OCI)Hosting infrastructureEU (Frankfurt, Germany)
Meta PlatformsInstagram and Messenger APIUSA (SCCs)
AnthropicAI text generation (Claude API)USA (SCCs)
Brevo (Sendinblue)Transactional and marketing emailEU (France)

SCCs = EU Standard Contractual Clauses for transfers to third countries.

6. Data retention

  • Account data: retained while your subscription is active + 90 days after cancellation
  • Workflow execution logs: 30 days rolling
  • Billing records: 7 years (Polish accounting law)
  • AI style samples: deleted immediately on your request
  • Lead form submissions: 12 months or until you opt out

7. Your rights (GDPR)

If you are based in the EU/EEA, you have the right to:

  • Access — request a copy of your personal data
  • Rectification — correct inaccurate data
  • Erasure — request deletion (“right to be forgotten”)
  • Portability — receive your data in a machine-readable format
  • Restriction — restrict processing in certain circumstances
  • Object — object to processing based on legitimate interest
  • Withdraw consent — for any consent-based processing (e.g. marketing)

To exercise any right, email hello@grix.co. We will respond within 30 days. You also have the right to lodge a complaint with your national supervisory authority (in Poland: UODO — uodo.gov.pl).

8. California residents (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA):

  • Right to know — what personal information we collect, use, disclose, and sell
  • Right to delete — request deletion of personal information we collected from you
  • Right to opt-out of sale — we do not sell personal information. We do not share personal information for cross-context behavioural advertising.
  • Right to non-discrimination — we will not discriminate against you for exercising your rights

To submit a CCPA request, email hello@grix.co with the subject line “CCPA Request”.

9. Cookies and analytics

Our website uses privacy-first, cookieless analytics. We do not use tracking cookies, fingerprinting, or any technology that requires a cookie consent banner under EU law. We do not use Google Analytics. All analytics data is anonymised and aggregated.

10. Security

Grix is built with security as a first principle. All webhooks from Meta, TikTok, and Stripe are HMAC-SHA256 signature-verified. Data is encrypted in transit (TLS 1.3) and at rest. Access to production systems is restricted to the operator and uses multi-factor authentication. We conduct regular security reviews.

11. Changes to this policy

We may update this policy from time to time. When we make material changes, we will notify you by email (if you are a subscriber) at least 14 days before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.

12. Contact

For any privacy-related questions or requests:
hello@grix.co
Grzegorz Olszewski, Poland, EU