Privacy Policy

Effective Date: 22.06.2026

This privacy notice provides information on how GRAI Inc. ("GRAI", "we", "us") processes your personal data when you use the GRAI mobile application and related services. We have written this notice in simple language to help you make informed decisions, ensuring that you understand and have control over the information we collect, how it is used, and when it is shared.


Who we are

GRAI Inc., a company with its registered office at 3 Germay Dr, Unit 4 #1908 Wilmington, DE 19804 United States, is the controller of your personal data — this means we determine the purposes and means of processing. This notice applies to participants in our closed beta ("Testers").

In this notice, "GDPR" refers to both the EU General Data Protection Regulation (Regulation (EU) 2016/679) and the UK GDPR (as retained in UK law and supplemented by the Data Protection Act 2018). We comply with both regimes in respect of the personal data covered by this notice. Where we cite an Article (for example, Art. 6(1)(b) GDPR), the same provision applies under both regimes, which share identical Article numbering.

To review, correct, or erase your personal information, to object to processing or to transfer your personal information to another party, please email us at [email protected].


Scope of this notice

This notice applies to the personal data we process about Testers in connection with:

  • the GRAI app and its features (our service);

  • our website, grai.fm; and

  • your communications with us, including by email.

It does not cover third-party services, platforms or websites — for example, the app stores from which you download the app, or external sites we link to — which are governed by their own privacy notices.


Where we get your data from

  • Directly from you

    We may obtain personal data directly from you, for example, when you register for our service or contact us.

  • Automatically through the app and SDKs

    When you use the GRAI app, we and our service providers automatically collect certain data through software development kits (SDKs) integrated into the app. This may include device information, IP address, usage and behavioural data, and recordings of your session activity (the screens you view and your interactions). We use this data to operate, secure, analyse and improve the service.


How we process your data

We act as a controller in the processing operations below. They are listed in the order you encounter them — from joining the beta and using the app, through background operations that keep it running and secure, to your activity on our website.

We process your data for the purposes below. For each purpose, we describe the legal basis, the data categories, typical retention, and recipient categories.

A) Create, manage and secure access to your account

  • Legal basis: Art. 6(1)(b) GDPR (Contract — see Terms)

  • Data: Nickname; phone number; account identifier; profile picture (avatar); referral account identifier (only if you join via an invite; when you invite someone, your nickname and profile picture are shown to them)

  • Storage period: 12 months from collection, or earlier if you delete your account

  • Data recipients: Cloud hosting providers; authentication and communications providers; messaging providers; attribution and analytics providers

B) Provide the GRAI app and deliver its music and audio features

  • Legal basis: Art. 6(1)(b) GDPR (Contract — see Terms)

  • Data: IP address; country (derived from app-store billing country; no precise location or unique location identifiers are collected); device information; account identifier; preferences; usage data

  • Storage period: 12 months from collection, or earlier if you delete your account

  • Data recipients: Cloud hosting providers; analytics providers; app distribution providers; music and audio providers

C) Send service and operational notifications about the beta

  • Legal basis: Art. 6(1)(b) GDPR (Contract — see Terms)

  • Data: Push notification token; device information; account identifier

  • Storage period: 12 months from collection, or earlier if you delete your account

  • Data recipients: Cloud hosting providers; messaging and push-notification providers

D) Provide tester support and handle inquiries and complaints

  • Legal basis: Art. 6(1)(b) GDPR (Contract — see Terms)

  • Data: Nickname; contact details (email, phone); message content and attachments; account identifier; log data

  • Storage period: 12 months from collection, or longer where necessary to establish, exercise or defend legal claims (for example, to handle and resolve complaints)

  • Data recipients: Support and form providers

E) Keep the service secure and prevent fraud and abuse

  • Legal basis: Art. 6(1)(f) GDPR (Legitimate interest — our interest in keeping the service and our users secure and in preventing fraud and abuse)

  • Data: Device information; log data; account identifier; usage data

  • Storage period: 90 days from collection

  • Data recipients: Security and error-monitoring providers

F) Analyse usage and develop, test and improve the app

  • Legal basis: Art. 5(3) ePrivacy Directive (UK: PECR reg. 6) (Consent)

  • Data: Usage and behavioural data (including recordings of session activity — screens and interactions); IP address; device information; device identifiers; account identifier; nickname; log data; authentication data

  • Storage period: 12 months from collection, or earlier if you delete your account

  • Data recipients: Cloud hosting providers; analytics providers; messaging and attribution providers

G) Analyse your activity on our website

  • Legal basis: Art. 5(3) ePrivacy Directive (UK: PECR reg. 6) (Consent)

  • Data: Device information; IP address; usage data collected via cookies

  • Storage period: 90 days from collection, or earlier if you withdraw consent

  • Data recipients: Website hosting and analytics providers


Retention periods

We keep your personal data only for as long as necessary for the purposes described in this notice, after which it is deleted or anonymised. The storage period for each operation is shown in section 4. In summary:

Retention summary:

  • Account and profile data, and data used to provide the service (account management and authentication, the GRAI app and its music and audio features, service notifications, and usage analytics and app development and testing): 12 months from collection, or earlier if you delete your account

  • Tester support and handling of inquiries and complaints: 12 months from collection, or longer where necessary to establish, exercise or defend legal claims (for example, to handle and resolve complaints)

  • Security and fraud-detection logs: 90 days from collection

  • Behavioural tracking (based on consent): 90 days from collection, or earlier if you withdraw consent

Where a longer period is required by law, or to establish, exercise or defend legal claims, we may retain the relevant data for that limited additional period.


Data sharing and transfers

We share your personal data only with categories of recipients who help us provide and operate our services; we do not sell your personal data. Depending on the processing operation (see section 4), these categories are:

  • Cloud hosting and infrastructure providers

  • Authentication and communications providers

  • Messaging and attribution providers

  • Analytics providers

  • App distribution providers

  • Music and audio providers

  • Support and form providers

  • Security and error-monitoring providers

  • Website hosting and analytics providers

A current list of the specific recipients we share data with — including those that act as independent controllers — is available here: GRAI Recipients.

Some recipients are located outside the European Economic Area (EEA) or the UK. Where we transfer your personal data to such countries, we ensure appropriate safeguards in accordance with Chapter V GDPR, namely:

  • an adequacy decision (for example, the EU-US Data Privacy Framework, where the recipient is certified); or

  • the European Commission's Standard Contractual Clauses together with the UK Addendum (or the UK International Data Transfer Agreement (IDTA) for UK transfers); and

  • additional technical and organisational measures, where appropriate.

Recipients established within the EEA or the UK do not require third-country transfer safeguards.


Automated decisions

We neither use automated decision-making nor your personal data to automatically assess aspects of your personality (automated profiling).


Your rights

As a data subject, you have certain rights regarding your personal information. We are committed to upholding these rights and ensuring that you can exercise them effectively. Please note that these rights are subject to certain limitations and exceptions as provided by law. To exercise any of these rights or for further inquiries, please contact us at at [email protected].

We will review your request as soon as possible, but not longer than one (1) month following your request. Please keep in mind that this period may be extended for an additional two (2) months, if necessary, based on the complexity and number of requests we have received. If we need to extend the response timeframe, we will tell you about the response extension within one (1) month of receipt of your request and explain the reasons for the delay.

  • Here you can find the information regarding your rights as a data subject under the EU GDPR and the UK GDPR

    Right of access

    This right allows you to request access to the personal data we hold about you.

    To exercise this right, please contact us at the following e-mail address: [email protected]. Upon receiving your request, we will provide you with a copy of the personal data we process in the form in which you have requested the provision of this information. Please note that in some cases we may charge you a reasonable fee for providing this information. If we are unable to fulfil your request for any reason, we will provide you with an explanation and inform you of your rights to appeal the decision.

    Right to rectification

    This right enables you to request the correction or updating of any inaccurate or incomplete personal data we hold about you.

    You can exercise this right by contacting us by e-mail at [email protected].

    Upon receiving your request for rectification, we will review the accuracy and completeness of your personal data and make any necessary corrections or updates.

    Right to erasure

    This right allows you to request the deletion or destruction of your personal data in certain circumstances, such as when the data is no longer necessary for the purposes for which it was collected or processed (or, as we all know, the “right to be forgotten”).

    You can exercise this right by contacting us at [email protected].

    Upon receiving your request for erasure, we will assess whether the conditions for erasure are met and, if so, promptly delete or anonymise your personal data from our systems and notify any third parties to whom the data have been disclosed.

    Right to restrict processing

    This right allows you to request the restriction of processing of your personal data in certain circumstances, such as when the processing is unlawful, when we no longer need the personal data, or when you have objected to the processing.

    To exercise this right, please contact us at [email protected]. Upon receiving your request to restrict processing, will not process your personal data (except for storage) unless it is based on consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest.

    Right to data portability

    This right allows you to receive a copy of your personal data in a structured, commonly used, and machine-readable format if it is technically possible to do so and to transmit those data to another controller.

    To exercise this right, please contact us at [email protected]. Upon receiving your request for data portability, we will provide you with a copy of your personal data in the requested format, where technically feasible.

    Right to object

    This right enables you to object to the processing of your personal data in certain circumstances, such as where the processing is based on legitimate interests or for direct marketing purposes.

    To exercise this right, please contact us at [email protected]. Upon receiving your objection to processing, we will assess the validity of your objection and, if valid, cease processing your personal data for the purposes to which you have objected.

    Right to withdraw consent

    You have the right to withdraw your consent to the processing of your personal data at any time. This means that if we are processing your personal data based on your consent, you have the right to revoke that consent.

    To exercise this right, please contact us at [email protected]. Upon receiving your request to withdraw consent if we do not have any other legal basis for processing your personal data, we will stop processing it.

    Right to lodge a complaint

    If you believe that our processing of your personal data violates applicable legislation, you have the right to lodge a complaint with a supervisory authority.

    You can contact the authority in your country of residence, place of work, or where the alleged breach took place. A list of EU supervisory authorities and their contact details is available here. Supervisory authority in the UK: https://ico.org.uk.


Children’s privacy

We do not knowingly collect or solicit your personal data to anyone under the age of 16 or knowingly allow such persons to use our services. If you are under the age of 16, please do not provide any personal data to us. If we learn that we have collected personal data about a child under the age of 16, we will delete that personal data as soon as possible. If you believe that we might have any personal data from or about a child under the age of 16, please contact us at [email protected].

10. Changes to the privacy notice

This privacy notice may be changed from time to time due to the implementation of new technologies, changes in applicable laws or for other purposes.

When we make changes, we will update the date at the top of this privacy notice. Use the date below the title to view earlier versions of this notice. For material changes that significantly affect your rights or the way we process your personal data, we will take additional steps to inform you, such as:

  • displaying a prominent notice on the website; and/or

  • sending you an email notification if we have your email address and the changes are relevant to your relationship with us.

By continuing to use the Website, you acknowledge that you have been notified of the changes to this privacy notice. If we make any changes that require your explicit consent for further processing of your personal data, we will request your consent or renewed consent (in case it was obtained previously) for such processing before it will begin.


Last Updated: 22.06.2026