Graphy’s Privacy Notice

🗓️ Last updated: 15/04/2024

❓ What is this notice all about?

We want to be completely transparent about how we collect and use your personal data and this privacy notice exists to tell you exactly how we do this.

This notice applies wherever we decide why and how we process personal data (and therefore act as a Data Controller under data protection law). It covers the personal data we process when you use our services.

Our privacy notice tells you the journey of your personal data from the moment it enters our systems up until it's time for us to say "goodbye 👋", as well as the various stops it makes along the way.

📮 Our contact details

Address: Octagon Point, 5 Cheapside, London EC2V 6AA, United Kingdom

👇 The different ways we process personal data

When you set up a Graphy account
🗂️ What personal data do we collect, why do we collect it, and what legal basis do we rely on?
💡
Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When you first set up a Graphy account, we need some information about you to create and manage your account. We'll ask for your work email address, job title, company name, company size, financial details and some information about which types of reports you are interested in generating using Graphy products. The legal basis we rely on for this is Article 6(1)(b) of the GDPR - Contract.

During your onboarding, we may also invite you to a video call where we will confirm your account details. Calls are recorded for training and reference purposes. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.

To keep in touch with you, we will use your name and email to provide you with account updates and relevant communications, and also to invite you to join our customer community. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interest.

To allow you to embed your graph and save your work, or to take advantage of our AI options and features, you would need to be logged in to your account. If you choose not to generate an embed code, you won’t need to be logged in to an account. For this processing we rely on Article 6(1)(f) of the GDPR - Legitimate Interest.

🗺️ Where do we store it?

To deliver our service, we process and store data using cloud-based applications.

We use survey and automated workflow tools to collect your onboarding information and get you set up quickly.

We use standard applications to process data, such as email, word processing and other office cloud-based software alongside a Customer Relationship Management platform (CRM) and communication services.

We collect payment for our service via a finance platform.

If we ever need to speak with you via video call, we make use of an online booking system and a video call platform. We may use call recording and note-taking software for training and reference purposes.

Most of the data we process is stored in the EEA, including our platform servers. If any data is transferred to a third country such as the US, we make use of Standard Contractual Clauses, along with the UK Addendum where necessary, to secure the transfer of the data.

If you opt to make use of the AI features on the platform, your data may be processed in the US by OpenAI and this transfer is secured by the use of Standard Contractual Clauses, along with the UK Addendum. OpenAI will not use your data for model training purposes.

⏲️ How long do we keep it for?

We will retain your personal data while you are a customer of Graphy and for up to 3 months after you leave, in line with our business needs.

We keep financial data for a minimum of 6 years, in line with UK law.

🗂️ What cookies do we collect, why do we collect them, and what legal basis do we rely on?
💡
Cookies are text files placed on your hard drive by a web page server when you visit a website and are saved in your browser's history. They allow the website to recognise your device and store some information about your preferences or past actions. Cookies cannot be used to run programs or deliver viruses to your computer; they are uniquely assigned to you and can only be read by a web server in the domain that issued the cookie.

When you use our website, the cookies that can be stored on your device are either first-party cookies, which are placed and read by us directly while you are using our website, or third-party cookies, which are set by third parties we have partnered with.

Below is a list of the cookies we use and the purposes for which they are used:

Essential cookies
💡
These cookies are essential to the operation and functioning of our website; therefore, they cannot be removed.

| Name | Provider | Purpose | Expiry |
| --- | --- | --- | --- |
| graphy_lockbox; graphy-app | Graphy | Authentication cookies | 2 years |

Non-essential cookies
💡
These cookies are additional to the performance of our Website and help us improve the service we provide to you.

| Cookie Name | Provider | Purpose | Expiry |
| --- | --- | --- | --- |
| ajs_user_id, ajs_group_id, ajs_anonymous_id | Segment | Data analytics for improving the product | 1 year |
| intercom-session-* | Intercom | Live chat software | 1 week |
| amplitude_* | Amplitude | Data analytics for improving the product | 10 years |
| _gid, _gat, _ga | Google Analytics | Data analytics for improving the product | 1 day |
| _dd_s | Datadog | Data analytics for improving the product | 15 minutes |
| fs_uid, fs_session, fs_csrftoken, fs_trusted_device, fs_last_activity, fs_cid_, _fs_tab_id, fs_lua | FullStory | Data analytics for improving the product | 1 year, 30 days, 30 days, 60 days, When the session/browser closes, 1 year, When the tab is closed, 30 minutes |

Click to find out more about Intercom, Segment, Amplitude, Google Analytics, Datadog, and FullStory cookies.

You can choose not to store Non-essential cookies on your computer when you visit our website, or you can adjust your browser settings to prevent cookies from being saved on your computer. You can find information about how to manage Cookies in the most commonly used browsers at the following addresses:

When you first visit our web app, you will be prompted to customise your cookies selection and be provided with a link to this policy, where you can find more information about the cookies we use.

If you would like to revisit the cookie banner at a later time, open your Settings by clicking on your avatar in the bottom left corner of the screen and then Cookie preferences.

When we raise awareness of our company
🗂️ What personal data do we collect, why do we collect it, and what legal basis do we rely on?
💡
Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When we raise awareness of our business, we use your name and email address to share information with you about similar products and services that we offer. The legal basis that we rely on for this processing is Article 6(1)(f) of the GDPR - Legitimate Interest.

🗺️ Where do we store it?

We make use of a Customer Relationship Management (CRM) software, email, and a mail merge system, based in the EEA and US, to share marketing messages with our customers. Wherever any data is transferred to a third country such as the US, we make use of Standard Contractual Clauses, along with the UK Addendum where necessary, to secure the transfer of the data.

⏲️ How long do we keep it for?

We'll retain your name and email address on a marketing list, in line with our retention schedule unless you unsubscribe. Anyone who unsubscribes will be transferred to our ‘do not contact list’. We retain your name and email address so that we know not to contact you with marketing messages.

When you apply for a job with us
🗂️ What personal data do we collect, why do we collect it, and what legal basis do we rely on?
💡
Personal data is anything that can identify an individual, either on its own or through combining it with other factors that could eventually identify an individual.

When you apply for a job with us, we ask you for some information about you to manage your recruitment process, such as your name, contact details and CV. We may also invite you to attend an interview via video call. The legal basis we rely on for this is Article 6(1)(f) of the GDPR - Legitimate Interests.

🗺️ Where do we store it?

We use hiring platforms based in the EEA and US to manage job applications. A US based platform is used for video interviews.

Where data is transferred to a third country such as the US, we make use of Standard Contractual Clauses, along with the UK Addendum where necessary, to secure the transfer of the data.

⏲️ How long do we keep it for?

If you're offered a job with us, we'll retain your data during your employment and remove it in line with our obligations under UK law. Otherwise we will keep your data during the interview process and remove it after 12 months.

When you use the Graphy Browser Extension

When using the Graphy Browser Extension to extract charts from Google products, you may be asked to provide us with additional permissions that enable us to read data from your Google account. We use these permissions to access the data associated with any charts you have created in Google in order to transfer that data to a Graphy chart.

Graphy's use and transfer to any other app of information received from Google APIs will adhere to Google API Services User Data Policy, including the Limited Use requirements.

📜 What are your rights?

Your personal data is yours and you have rights in relation to it granted by the UK GDPR, which include:

📮 The right to be informed

You have the right to be informed about the collection and use of your personal data, the purposes for processing, retention periods for that personal data and who it will be shared with.

🗝️ The right of access

You have the right to ask us for copies of the data we hold about you.

The right to object

You have the right to ask us to stop processing your personal information in some circumstances, such as when we are relying on our own (or someone else’s) legitimate interests to process your personal information, when we are processing your personal information for direct marketing or when we are processing your personal information for research.

📝 The right to rectification

You have the right to ask us to rectify the personal information you think is inaccurate or to complete information you think is incomplete.

🧽 The right to erasure

You have the right to ask us to erase your personal information, in some circumstances.

🚫 The right to restrict processing

You have the right to ask us to restrict the processing of your personal information for a duration of time, in some circumstances.

✈️ The right to data portability

You have the right to ask that we transfer the personal information you gave us to another organisation, or to someone else, in some circumstances.

You don't have to pay anything in order to exercise your rights. Please contact us at privacy@graphyapp.com, Octagon Point, 5 Cheapside, London EC2V 6AA, United Kingdom, if you wish to make a request under your rights. We have a calendar month to get back to you with a response.

💔 How you can complain

If you have any concerns about our use of your personal information, please let us know by writing to us at privacy@graphyapp.com.

If you are not satisfied with our response or you are unhappy with how we have used your data, you can complain to the Information Commissioner's Office (ICO). You can find the ICO contact details below:

💡
ICO Address: Information Commissioner's Office, Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF, Helpline number: 0303 123 1113.