Gritworks Collective

Privacy Policy

Last Updated: March 2026

1. Introduction

Welcome to Gritworks Collective LLC. We respect your privacy and are committed to protecting your personal data. This privacy policy will inform you as to how we look after your personal data when you visit our website (regardless of where you visit it from) and tell you about your privacy rights and how the law protects you.

Effective Date: March 2026. This policy applies to all users of gritworkscollective.com and related services.

2. The Data We Collect About You

Personal data, or personal information, means any information about an individual from which that person can be identified. We may collect, use, store and transfer different kinds of personal data about you, which we have grouped together as follows:

Age Requirement: The Service is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18. If we learn we have collected personal information from a user under 18, we will delete that information immediately.

  • Identity Data includes first name, last name, username or similar identifier.
  • Contact Data includes email address and telephone numbers.
  • Technical Data includes internet protocol (IP) address, your login data, browser type and version, time zone setting and location.
  • Profile Data includes your username and password, purchases or orders made by you, your interests, preferences, and feedback.
  • Questionnaire Data includes responses provided during mission onboarding, focus areas, and personal progress tracking metrics.
  • Friction Check-in Data includes responses from optional friction mapping quizzes (Flashpoints) used to personalize your mission recommendations.
  • Third-Party Contact Data — If you designate an Accountability Partner, we store their phone number solely to send program milestone texts on your behalf.
  • Invited Partner Data — If you invite a partner (Partnering program), we collect and store their email address and any responses they provide to shared check-ins.

3. How We Use Your Personal Data

We will only use your personal data when the law allows us to. Most commonly, we will use your personal data in the following circumstances:

  • Where we need to perform the contract we are about to enter into or have entered into with you (e.g., providing advising services).
  • Where it is necessary for our legitimate interests (or those of a third party) and your interests and fundamental rights do not override those interests.
  • Where we need to comply with a legal or regulatory obligation.

4. Data Security

We have put in place appropriate security measures to prevent your personal data from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal data to those employees, agents, contractors and other third parties who have a business need to know. They will only process your personal data on our instructions and they are subject to a duty of confidentiality.

5. How We Keep Your Data Safe

Your security is foundational to everything we build. Here's how we protect your data at every level:

  • Encryption in Transit — All communication between your device and our servers uses HTTPS/TLS encryption. Your data is never transmitted in plain text.
  • Secure Authentication — We use industry-standard OAuth 2.0 authentication through Google. We never store your password directly — authentication is handled by trusted providers.
  • Database Protection — Your personal data, questionnaire responses, and progress records are stored in encrypted databases with strict access controls. Backups are encrypted at rest.
  • Push Notifications — Streak reminders use the Web Push Protocol with VAPID keys. Your push subscription is stored securely and only used to send reminders you've opted into. You can unsubscribe at any time.
  • No Data Selling — We will never sell, rent, or trade your personal data to third parties. Period.
  • Minimal Data Collection — We only collect what's needed to provide your advising experience. Questionnaire responses are used solely for personalized mission recommendations.

6. Data Retention

We will only retain your personal data for as long as necessary to fulfil the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements.

7. Third-Party Integrations

Our application integrates with the following third-party service providers. We do not sell your personal data to any third parties. Each provider processes only the data necessary to perform their function:

  • Google — Authentication only. We store your Google-issued user ID and email. No additional Google data is accessed.
  • Google Gemini AI — The "I'm Stuck" advisor (gritBOT) and mission analysis tools send your message content to Google's Gemini API for response generation. No personally identifiable information is included in AI requests. Google does not use API data for model training per their API terms of service.
  • Stripe — Payment processing. Stripe collects and stores your payment card information directly. Gritworks Collective does not store full card numbers. Stripe's privacy policy governs their data handling.
  • Twilio — SMS delivery. Your phone number (and your Accountability Partner's phone number, if designated) is shared with Twilio solely to deliver opt-in SMS notifications (streak reminders, accountability prompts, onboarding messages). Message logs are retained by Twilio per their data retention policy.
  • Resend — Transactional email delivery. Your email address is shared with Resend to deliver account-related emails (welcome, password reset, enrollment confirmations). Resend does not use your email for marketing purposes.

All third-party providers are contractually prohibited from using your data for any purpose other than providing services to Gritworks Collective.

8. SMS Communications

If you provide a phone number and opt in to SMS notifications during registration, we may send you text messages related to your advising experience. These include:

  • Onboarding Messages — A welcome text with your login link when you first sign up.
  • Streak Reminders — Daily reminders to maintain your consistency tracker streaks (if enabled in your profile settings).
  • Account Alerts — Important updates about your advising enrollment or account status.
  • Accountability Partner Texts — If you designate an Accountability Partner, they will receive occasional milestone texts (capped at 1–2 per week) on your behalf. Your AP can opt out at any time by replying STOP.

Message Frequency: You may receive up to 2 messages per day, depending on your notification preferences and active streaks.

Opting Out: You can opt out of SMS at any time by replying STOP to any message, or by disabling SMS notifications in your profile settings. Standard message and data rates may apply.

Your Phone Number & Consent: We store your phone number securely and use it only for the purposes described above. No mobile information will be shared with third parties/affiliates for marketing/promotional purposes. All other categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

9. Your Legal Rights

Under certain circumstances, you have rights under data protection laws in relation to your personal data. These include the right to:

  • Request access to your personal data.
  • Request correction of your personal data.
  • Request erasure of your personal data.
  • Object to processing of your personal data.

If you wish to exercise any of the rights set out above, please contact us at info@gritworkscollective.com.

10. Do Not Sell or Share My Personal Information

Gritworks Collective LLC does not sell or share your personal information with third parties for monetary or other valuable consideration, as defined under the California Consumer Privacy Act (CCPA/CPRA). We do not engage in cross-context behavioral advertising. If this practice ever changes, we will update this policy and provide a conspicuous opt-out mechanism.

11. Data Breach Notification

In the event of a data breach involving your unencrypted personal information, Gritworks Collective LLC will notify affected California residents within 72 hours of discovery, as required by California Civil Code § 1798.82. Notification will be provided via email to the address on file. If the breach affects more than 500 California residents, we will also notify the California Attorney General.

12. Delete Your Data

You have the right to request permanent deletion of all your personal data under GDPR (EU) and CCPA (California). This includes your:

  • Account information (name, email, phone number)
  • Questionnaire responses and typology results
  • Mission progress and action logs
  • Goals, KPI tracking, and streak data
  • Payment records and enrollment history
  • Accountability Partner contact information (if designated)

This action is permanent and cannot be undone.

To request data deletion, you can either:

  • Visit your Profile page and use the "Delete Account" option under Account Details
  • Email us directly at info@gritworkscollective.com with the subject line "Data Deletion Request"

We will process your request within 30 days as required by law.


© 2026 Gritworks Collective. All rights reserved.

Gritworks Collective provides resilience advising services only and does not provide therapy, counseling, or any licensed mental health services. Advising is not a substitute for professional psychological, psychiatric, or medical advice, diagnosis, or treatment. If you are experiencing a mental health crisis, please contact a licensed professional or call 988 (Suicide & Crisis Lifeline).