Privacy Policy

Who we are (data controller)

Gridwinner is a trading name of Basil Paulose, a sole trader established in the United Kingdom and the data controller for the personal data described here. Contact address: 41 Western Drive, Newcastle Upon Tyne, Tyne and Wear, NE4 8SQ. For any privacy question or to exercise your rights, email legal@gridwinner.com.

Scope

Gridwinner is available worldwide. This policy explains how we handle personal data and applies regardless of where you access the Service. We comply with the UK GDPR and the Data Protection Act 2018, and with the EU GDPR for users in the EEA. Where local law gives you stronger rights, those apply.

Privacy by design — what we don't collect

• We don't upload your files. All CSV and Excel processing happens entirely in your browser using Web Workers.
• We don't store your supplier lists. Your product data, prices, ASINs, costs, and Keepa-style analysis are not uploaded to or stored on our servers.
• We mask your analysis from session tools.The analysis dashboard is masked at the DOM level, so analytics/session-replay can't capture the ASINs, costs, or margins you're working with.

What we collect, why, and our lawful basis

You can use Gridwinner as a guest with no account. If you create an account or subscribe, we process a limited amount of personal data:

• Account data (email address, authentication identifiers) — to create and secure your account and provide the Service. Lawful basis: performance of a contract.
• Subscription & payment data (your plan/tier, billing status, a Stripe customer ID; card details are handled by Stripe, never by us) — to take payment and manage your subscription. Lawful basis: performance of a contract; and our legal obligation to keep tax records.
• Messages you send us through the contact, bug-report, or idea forms — to respond and improve the Service. Lawful basis: legitimate interests (handling your enquiry) and/or performance of a contract.
• Usage analytics (page views, feature usage, anonymised session interactions) — only after you accept analytics cookies. Lawful basis: consent.
• Security & technical logs (e.g. IP address, error diagnostics) — to keep the Service secure and working and to prevent abuse. Lawful basis: legitimate interests.

Where we rely on legitimate interests, we have balanced those interests against your rights; contact us if you would like more detail.

Analytics & session tools

Only after you accept analytics cookies in our consent banner do we load Google Analytics and Google Tag Manager, Microsoft Clarity, PostHog, and Mixpanel to understand how the site and app are used. None of these load until you opt in. Microsoft Clarity records anonymised session interactions on the marketing site; the analysis dashboard is masked so your supplier ASINs, costs, and margins are never captured. You can change your choice anytime from the Cookies Policy page.

Service providers (processors)

We rely on a small set of vetted providers to run the Service:

• Clerk — authentication (SOC 2 Type II). We never see or store your password.
• Stripe — payment processing (PCI DSS Level 1). We never see your full card number.
• Resend — delivers your contact, bug-report, and idea-form messages to us by email.
• Vercel — hosting and basic performance metrics.
• Google (Analytics / Tag Manager), Microsoft Clarity, PostHog, Mixpanel — consent-gated analytics. PostHog and Mixpanel are configured to use EU-based hosting.

International data transfers

Some providers (for example Clerk and Stripe) may process data in the United States or other countries outside the UK/EEA. Where we transfer personal data internationally we rely on a lawful transfer mechanism — an adequacy decision, the UK International Data Transfer Agreement/Addendum, or the EU Standard Contractual Clauses — to keep your data protected.

Cookies

We use necessary cookies (authentication, theme, and remembering your cookie choice) and, only with your consent, analytics cookies. We do not use advertising cookies or sell your data. Full details and a cookie table are in our Cookies Policy.

Data retention

• Supplier files / analysis: never stored — processed in your browser and discarded when you close or reload the page.
• Account data: kept while your account is active and deleted within 30 days of account closure or a valid deletion request, unless we must keep it longer by law.
• Payment & tax records: retained for 6 years to meet UK tax and accounting obligations.
• Support messages: kept for up to 24 months after your query is resolved.
• Analytics & logs: retained per each provider's standard period (typically up to 14–26 months), or less.

Your rights

Under the UK GDPR you have the right to:

• access the personal data we hold about you;
• have inaccurate data corrected;
• have your data erased (“right to be forgotten”);
• restrict or object to processing, including profiling;
• data portability;
• withdraw consent at any time (e.g. for analytics) without affecting prior processing.

To exercise any of these, email legal@gridwinner.com. We will respond within one month, as required by the UK GDPR.

Complaints

If you have a concern we would like the chance to resolve it first. You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk, or to your local supervisory authority if you are in the EEA.

Children

Gridwinner is intended for businesses and adults. It is not directed at children and we do not knowingly collect data from anyone under 18. If you believe a child has provided us with personal data, contact us and we will delete it.

Changes to this policy

We may update this policy occasionally. Significant changes will be communicated by email to registered users. The “Last updated” date above reflects the latest revision.

Contact us

For any privacy question or request, contact legal@gridwinner.com.