Privacy policy

Last updated: August 16, 2025

This Privacy Policy explains how Grandest Inc (to be renamed Grandist Inc, also referred to as “Grandist,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data when you use our websites, apps, products, and services (collectively, the “Platform”). It applies to fans, creators, and visitors. If you do not agree with this Policy, do not use the Platform. Terms not defined here have the meanings in our Terms of Service.


1) Who we are & scope
Grandist is the controller of personal data described in this Policy (except where we act as a processor for specific optional features noted below). This Policy covers data we collect online and offline related to the Platform.

  • Controller: Grandist, Inc. (Delaware, USA). Contact: legal@grandist.com

We may provide additional notices (e.g., in-product popups) for certain features; those notices supplement this Policy.

2) What we collect
We collect data in three ways—(a) you provide it, (b) it’s collected automatically, and (c) from third parties.

A. Data you provide

  • Account & profile: name, username, email, password or SSO tokens, country, language, photo, biography, preferences.
  • Payments & payouts: billing country, last4 and tokenized payment method via processors; creator payout details (e.g., bank info via payout providers), tax identifiers (e.g., TIN, VAT), forms and certificates.
  • Content & activity: posts, media, captions, schedules; fan subscriptions, purchases, ratings, reports.
  • Direct Messages (DMs): message content you send/receive.
  • Calls: scheduling details; if both parties consent to record, call audio/video and transcripts.
  • Identity/KYBC (EU trader verification): government ID/face match snapshots (where required), business name/address, VAT.
  • Support: tickets, email/chat communications, survey responses.

B. Data collected automatically

  • Device & usage: app/browser identifiers, device type, OS, IP address, timestamps, referral/UTM, pages/screens, buttons clicked, crash logs.
  • Approximate location: derived from IP (city/region-level).
  • Cookies/SDKs: for authentication, security, fraud detection, preferences, and basic analytics. See “Cookies & Similar Technologies.”

C. Data from third parties

  • Payment processors & app stores (e.g., Stripe, Apple, Google): payment tokens, limited billing details, purchase status.
  • Verification, fraud & safety partners: signals for identity, sanctions/PEP screening where lawful, and risk scoring.
  • Analytics & support: aggregated usage, diagnostics, satisfaction metrics.

We do not ask you to disclose protected health information; please do not share sensitive data in DMs or calls unless necessary.

3) How we use data (purposes & legal bases)
We use personal data to:

  • Provide the Platform: create/manage accounts; deliver content, subscriptions, credits, DMs, and calls; operate search/recommendations.
  • Payments & payouts: process purchases and subscriptions; remit creator earnings; taxes.
  • Safety & integrity: detect/prevent fraud, spam, abuse, prohibited content, and off‑platform payment attempts. We scan DMs with automated tools (e.g., keyword filters) and may review flagged items.
  • Communications: service messages (transactional), reminders (e.g., renewal notices), and—with your consent where required—marketing.
  • Personalization & recommendations: tailor feeds and suggestions (see §12).
  • Compliance & reporting: DMCA, DAC7, 1099‑K, sanctions screening; respond to lawful requests.
  • Research & improvement: debug, analytics, testing new features.

We do not use DMs, call audio, or paywalled content to train general‑purpose AI models. For AI likeness tools, see §7.

4) Credits, purchases & app‑store flows
We process payments through third parties; we do not store full card numbers. In‑app purchases on iOS/Android are billed by Apple/Google; cancellation/refunds are handled in your app‑store settings. We retain purchase and subscription records for accounting and fraud prevention.

5) What we share & why
We do not sell personal information. We do not share personal information for cross‑context behavioral advertising. We disclose data to:

  • Service providers/Processors: cloud hosting, content delivery, analytics, anti‑abuse, customer support, communications, verification/KYBC, and payment/payout providers—bound by contract.
  • Creators & fans: data needed to complete transactions and interactions (e.g., a creator sees your username and purchase/subscription status; you see a creator’s profile).
  • Enterprise/admin tools (if applicable): for creator teams and brand accounts you join.
  • Legal & safety: law enforcement/legal requests; to enforce our Terms, investigate fraud/abuse, or protect rights.
  • Business transfers: in mergers, acquisitions, or asset sales, with notice where required.

6) Cookies & similar technologies
We use cookies/SDKs for: authentication, security/fraud, preferences, and basic analytics. You can manage cookies in your browser/device settings. Where required, we provide consent banners and granular controls. We honor browser Global Privacy Control (GPC) signals for applicable opt‑outs.

7) Regional compliance (tax & creator obligations)
If you are a creator, we may collect/verify tax information and report earnings where required (e.g., U.S. 1099‑K; EU DAC7 for “personal services”). We may withhold or delay payouts until required tax/identity info is provided.

8) Data retention
We retain data only as long as needed for the purposes above, including for legal, accounting, and dispute‑resolution requirements. Typical periods:

  • Account & profile: for the life of the account, then up to 24 months.
  • Purchases & payouts: 7–10 years (tax/accounting).
  • DMs & activity logs: for the life of the account, then up to 24 months (shorter if you delete).
  • Call recordings (if both consent): stored for up to 180 days by default for safety/dispute resolution (creators may retain copies they control).
  • Biometric identifiers (AI templates): see §7 (≤ 3 years or upon request).

We may anonymize or aggregate data and retain it longer for analytics.

9) Security
We employ administrative, technical, and physical safeguards (e.g., encryption in transit and at rest, access controls, network protections). No system is 100% secure; please use unique strong passwords and enable device security.

10) Your choices & rights

A. In-product controls

  • View, edit, or delete profile data; download a copy of your data; delete content; manage cookies; manage marketing preferences.
  • Cancel subscriptions in one step and manage notifications in Settings.

B. U.S. state privacy rights
Depending on your state, you may have rights to access, correct, delete, port, and opt out of certain processing (e.g., targeted advertising, sale, profiling for significant decisions). We do not sell personal information and do not share for cross‑context behavioral advertising. Submit requests at privacy.grandist.com/requests or legal@grandist.com. If we decline, you may appeal within 45 days.

C. California (CPRA) notices

  • Do Not Sell or Share: We do not sell or share personal information as defined by CPRA.
  • Limit Use of Sensitive PI: We use sensitive data (e.g., ID for verification, tax IDs) only as necessary to provide the service and meet legal obligations.
  • Notice at Collection: See §13 for categories, purposes, and retention.
  • Non‑discrimination: We will not discriminate for exercising your rights.
  • Shine the Light: We do not share personal data with third parties for their own direct marketing.

D. EEA/UK data subject rights
If GDPR/UK GDPR applies, you have rights to access, rectify, erase, restrict, port, and object; and to withdraw consent where processing is based on consent. You may lodge a complaint with your supervisory authority (e.g., ICO in the UK).

11) Recommendation systems (DSA)
We explain the main parameters we use to rank and recommend content: (a) your follows/subscriptions, (b) engagement (likes, watch time, saves), (c) freshness, and (d) quality & safety signals (policy compliance, spam likelihood). You can influence recommendations by following/unfollowing, managing interests, and hiding content. EU users can choose a less‑personalized feed that emphasizes recency and popularity with minimal profiling.

12) International transfers
We are based in the United States and may process data there and in other countries. Where required, we use approved transfer tools (e.g., SCCs and the UK IDTA).

13) Children
Grandist is 18+ only. We do not knowingly collect personal data from children. If you believe a minor is using the Platform, contact legal@grandist.com so we can investigate and remove the account and associated data.

14) Changes to this Policy
We may update this Policy from time to time. If we make material changes, we will notify you (e.g. in‑app, email) and update the “Last updated” date. Continued use after the effective date means you accept the changes.

15) Contact
Questions or requests: legal@grandist.com

DMCA: legal@grandist.com (see Terms)

Tax/reporting questions: legal@grandist.com
