Privacy Policy

Who we are

greatVibe is a product of Gravient Systems Ltd (incorporated in Auckland, New Zealand) and Gravient Pty Ltd (incorporated in Australia). This policy applies to both entities and explains what personal information we collect, how we use it, and what rights you have.

Questions about this policy can be sent to privacy@gravient.ai.

What we collect

When you create an account, we collect:

• Your name and email address
• Your workspace name and organisation name
• Payment information, handled directly by Stripe, our payment processor. We do not store card numbers.
• Server logs including IP address, browser type, timestamps, and request paths. Retained for 90 days for security and debugging.

We also collect anonymised usage metrics such as feature usage counts and error rates. These do not contain personal information and help us improve the product.

Information we receive from others

Sometimes we receive personal information about you from someone other than you. This can happen when a workspace admin invites you, when Stripe confirms billing status, when Google confirms sign-in details, or when a connected service sends account metadata needed to complete work you direct.

We use that information only to provide the service, secure your account, manage billing, and support your workspace. We do not use it for advertising.

What we do not collect

We do not collect or see:

• The content of your AI sessions as a normal Gravient service record. Work you direct through greatVibe runs on controlled nodes.
• Your files, code, or documents as marketing, analytics, or support data. These stay in the connected systems and nodes you control unless you direct a tool or provider connection to use them.
• Your model API keys as a normal Gravient service secret. These are encrypted at rest on controlled nodes in the bring-your-own-key architecture.

Your infrastructure

greatVibe is designed around nodes you own or control. Product data, credentials, and session history live in that controlled environment. We provide the software and operate the account, billing, support, and service metadata needed to run it.

The greatvibe.ai website serves the marketing site and account management. Product session payloads are processed on controlled nodes, not retained by the marketing site.

Enterprise customers have access to dedicated infrastructure options and audit evidence for credential access and security-sensitive session activity.

Security

Credentials stored on your nodes are encrypted with AES-256-GCM. All traffic between nodes uses mutual TLS (mTLS) with ECDH P-256 key exchange. Credentials never travel in plaintext.

Enterprise accounts get access to audit logs. Self-serve accounts have session history on their own nodes.

Third parties

Stripe processes your subscription payments. We share only the information Stripe needs to do that.

Google may process your email address and basic profile information if you choose Google sign-in. The public website also loads Inter from Google Fonts.

AI providers are services you choose to connect. greatVibe is a platform. We are not party to your conversations with those providers, and we do not control how they handle data you send to them. Refer to each provider's own privacy policy.

Marketing site infrastructure. The public greatvibe.ai marketing site is fronted by Cloudflare for CDN, DNS, and edge security. Cloudflare sees the IP address and TLS metadata of visitors to the site. The site itself is hosted on Amazon Web Services. AWS sees connection-level metadata required to deliver the site. Neither sees the content of your AI sessions; sessions run on controlled nodes as described above.

We do not sell your data. We do not share it with advertisers or analytics platforms.

Overseas disclosures

We operate from New Zealand and Australia. The service providers named in this policy may process personal information in other countries where they or their subprocessors operate. We take reasonable steps to use providers with privacy and security commitments appropriate for the information they handle.

Where transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland occur, we rely on the European Commission's Standard Contractual Clauses or applicable adequacy decisions.

Cookies

We use only essential cookies. These are required for the service to work and cannot be disabled. They keep you signed in and maintain your session. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

Because we use only essential cookies, no consent banner is required under GDPR or the ePrivacy Directive.

Your rights

If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR). These include the right to:

• Access the personal data we hold about you
• Correct inaccurate data
• Delete your data (right to erasure)
• Receive your data in a portable format (right to portability)
• Object to certain uses of your data

If you are in New Zealand, you have rights under the Privacy Act 2020, including the right to access and correct information we hold about you. We will respond to access requests within 20 working days, as required by law.

If you are in Australia, you have rights under the Privacy Act 1988 (Cth), including the right to access and correct information we hold about you. If you are not satisfied with how we handle your personal information, contact us first so we can investigate. We will respond within a reasonable time. You may also make a complaint to the Office of the Australian Information Commissioner (OAIC).

Regardless of where you are based, we will respect your rights under your local law. To exercise any of these rights, email privacy@gravient.ai.

We do not make decisions about you based solely on automated processing.

Data breach notification

If we become aware of a privacy breach that is reasonably likely to cause serious harm, we will notify affected individuals and the relevant regulator (Office of the Privacy Commissioner in New Zealand, Office of the Australian Information Commissioner in Australia) as required by law.

Children

greatVibe is intended for users aged 16 or older. We do not knowingly collect information from anyone under 16. If you believe we have, contact privacy@gravient.ai and we will delete it.

Data retention

We keep your account information for 30 days after you cancel your subscription, then delete it. Enterprise audit logs are retained for the period you configure in your account settings.

You can request deletion of your data at any time by emailing privacy@gravient.ai.

Changes to this policy

We will post any changes to this page and update the date at the top. If changes are significant, we will notify you by email.

Lawful basis for processing

For users in the European Economic Area, we process your personal data on the following lawful bases:

• Contract: processing your name, email, and payment details to provide the subscription you signed up for
• Legitimate interest: collecting anonymised usage metrics to improve the product. These contain no personal data.
• Legal obligation: retaining billing records as required by law

We do not process any personal data based on consent.

EU representative

Gravient Systems Ltd is based in New Zealand and Gravient Pty Ltd is based in Australia. Neither entity has an establishment in the European Union. If you are an EU resident with a question or complaint, contact us at privacy@gravient.ai. We will respond within 20 working days.

We have not appointed an EU representative at this stage. If our processing changes in a way that requires a representative under GDPR Article 27, we will appoint one and update this policy.

Contact

Privacy Officer: David Jenkinson

Privacy questions: privacy@gravient.ai

Gravient Systems Ltd
Auckland, New Zealand

Gravient Pty Ltd
Australia