Privacy Policy

GRILLR is operated by Longwaves FZ-LLC, a company incorporated in the Dubai Free Zone, United Arab Emirates. When this policy says “GRILLR”, “we”, or “us”, it refers to Longwaves FZ-LLC.

Contact us at hello@grillr.io for any privacy-related questions or requests.

2.1 Account & Identity Data

• Email address (collected when you create an account)
• Authentication tokens managed by Supabase Auth

2.2 Founder Profile Data

During onboarding, our AI asks structured questions to personalise your execution plan. We store your responses, which may include:

• First name
• Age
• Country of residence
• Business stage, structure, and type
• Available hours per day and estimated budget
• Business goal and 12-month success definition
• Self-reported discipline score (1–10)

2.3 Business Idea & Conversation Data

• Your startup idea text as submitted
• Full conversation history between you and GRILLR’s AI
• Work submissions you provide for task evaluation (text and uploaded images)
• AI-generated feedback and pass/fail verdicts for each submission
• Your generated 4-week execution plan, tasks, and tech tree

2.4 Technical & Usage Data

• IP address — stored temporarily for rate limiting (prevents abuse of AI endpoints)
• Number of plans generated per month and messages sent per day (for usage limits)
• An authentication session cookie used to keep you signed in. It contains a session token, not your personal data.

2.5 Data We Do NOT Collect

• Payment or card details (not applicable — no billing is currently processed)
• Device fingerprints, behavioural tracking, or advertising identifiers
• Location beyond country of residence (which you self-report)

• Service delivery: To run the onboarding conversation, generate your personalised execution plan, evaluate your submitted work, and save your progress across sessions.
• AI processing: Your ideas, messages, and submitted work are sent to Google’s Gemini API to generate AI responses. Google processes this data as a sub-processor under our instructions. We do not use your data to train Google’s models (governed by Google’s API terms).
• Safety & abuse prevention: IP addresses are used solely to enforce rate limits (e.g., 5 access attempts per 15 minutes). We store only a counter and a timestamp per IP — not browsing data.
• Age gating: If you report being under 18, we ask for parental/guardian confirmation before proceeding. We do not knowingly collect data from children under 13 without verified parental consent.
• Waitlist: Your email is stored to notify you when GRILLR launches or when your access tier changes. We do not send marketing emails without your explicit consent.

We do not sell your data to any third party. We do not use advertising networks or social tracking pixels.

• Account & project data: Retained while your account is active. You can request deletion at any time by emailing hello@grillr.io.
• Rate limit records: Automatically expire after their time window (60 seconds to 1 hour depending on the endpoint).
• Waitlist emails: Retained until GRILLR launches or you request removal.
• Uploaded images: Images submitted for task evaluation are processed in-memory and are not stored on our servers after the evaluation response is returned.
• Server logs (Vercel): Retained per Vercel’s default log retention policy (typically 1–3 days for free plans, up to 30 days on paid plans). Logs contain route names and error messages — no plaintext secrets.

Depending on your jurisdiction, you may have the following rights:

• Access: Request a copy of the personal data we hold about you.
• Correction: Ask us to correct inaccurate data.
• Deletion: Request that we delete your account and associated data.
• Portability: Request your data in a machine-readable format.
• Objection / Restriction: Object to or restrict processing in certain circumstances.
• Withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of processing before withdrawal.

To exercise any of these rights, email hello@grillr.io. We will respond within 30 days. If you are in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority.

GRILLR is designed for founders aged 13 and above. We do not knowingly collect personal data from children under 13. If you are under 13, do not create an account or submit any personal information.

If you are between 13 and 17, our onboarding AI will ask for confirmation that a parent or guardian is aware before you proceed. By continuing after that prompt, you confirm that acknowledgement has been given.

If we discover we have inadvertently collected data from a child under 13, we will delete it promptly. Parents or guardians can contact us at hello@grillr.io.

• All data in transit is encrypted via HTTPS (enforced by HSTS headers).
• The Supabase service role key and all API secrets are stored exclusively as server-side environment variables — never exposed to the browser.
• Access tokens are stored in httpOnly, secure, SameSite cookies — inaccessible to JavaScript.
• AI endpoints are rate-limited per IP to prevent brute-force and abuse.
• All user text input is sanitised before processing (HTML stripped, control characters removed).
• Security headers are set on every response: Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and Strict-Transport-Security.

No system is perfectly secure. If you discover a security vulnerability, please disclose it responsibly to hello@grillr.io.

We may update this policy as the product evolves. When we make material changes, we will update the “Last updated” date at the top of this page. Continued use of GRILLR after changes are posted constitutes acceptance of the revised policy.

Longwaves FZ-LLC
Dubai, United Arab Emirates
hello@grillr.io