Legal

Privacy Policy

Last updated: May 25, 2026

This Privacy Policy explains what personal data Gripe (“Gripe”, “we”, “us”) collects, why we collect it, how we use it, and the rights you have under the EU General Data Protection Regulation (GDPR) and the French Data Protection Act (loi Informatique et Libertés).

1. Who we are

Gripe is operated by ⟪Legal entity name⟫, ⟪Form (SAS, SARL, etc.)⟫, registered office ⟪Postal address⟫, France. SIREN ⟪SIREN⟫. We are the data controller for the personal data described below.

For any privacy question or to exercise your rights, contact us at privacy@usegripe.com.

2. What data we collect

  • Beta waiting list.When you sign up on usegripe.com, we store your email address, the date you signed up, the page section from which you signed up, a hashed version of your IP address (SHA-256, not the raw address), and your browser's user-agent string.
  • Account data (once you receive an invite and log in to app.usegripe.com): name, email, and authentication identifiers from your sign-in method.
  • Feedback data you or your end-users submit through the Gripe widget: voice recordings, transcripts, text messages, optional screenshots, page URL, device and browser metadata. End-users provide explicit consent before any voice or text capture.
  • Technical data: short-lived authentication cookies (strictly necessary), HTTP logs (for security and rate-limiting), and aggregate usage metrics. No advertising or cross-site tracking cookies.

3. Why we collect it (legal basis — art. 6 GDPR)

  • Performance of a contract (art. 6.1.b): providing the service you signed up for (account, feedback processing, invitations).
  • Legitimate interest (art. 6.1.f): securing the service (rate-limiting, abuse prevention), improving the product (aggregate analytics), and communicating product updates to existing users. You can object at any time.
  • Consent (art. 6.1.a): sending you the beta invitation email and any optional communication you opt into. Consent can be withdrawn at any time without affecting the lawfulness of prior processing.
  • Legal obligation (art. 6.1.c): retaining billing records once paid plans launch.

4. How long we keep it

  • Beta waiting list: until the Beta closes or you ask us to delete your record, whichever comes first.
  • Account data: as long as your account exists. We delete it within 30 days of account closure (unless we're required to keep it longer for legal reasons).
  • Feedback content: retained as long as the workspace exists. You can delete individual feedback items at any time.
  • Security and HTTP logs: 90 days, then automatically purged.

5. Who we share it with

We do not sell your data and we never share it for advertising purposes. We use the following sub-processors, all bound by data-processing agreements:

  • Supabase (EU region): database, authentication and storage. Data is stored at rest in the European Union.
  • Vercel: hosting and edge delivery of the landing and dashboard.
  • OpenAI (Whisper API): voice transcription. Audio is processed in transit; OpenAI confirms it is not used for model training.
  • Anthropic (Claude API): AI clarification and categorization of feedback. Anthropic confirms inputs are not used for model training.
  • Resend: transactional email delivery (invitations and account emails).
  • Sentry: error monitoring (no feedback content sent; scrubbed payloads).

6. International transfers

Some of our sub-processors (OpenAI, Anthropic, Vercel) are based in the United States. Transfers are covered by the European Commission's Standard Contractual Clauses (SCC) and supplementary measures (encryption in transit and at rest, access controls). You can request a copy of the relevant SCCs.

7. Your rights

Under the GDPR, you have the right to:

  • access the personal data we hold about you (art. 15);
  • rectify inaccurate data (art. 16);
  • erase your data (art. 17), subject to legal exceptions;
  • restrict processing in specific cases (art. 18);
  • receive your data in a portable format (art. 20);
  • object to processing based on legitimate interest (art. 21);
  • not be subject to a decision based solely on automated processing (art. 22);
  • lodge a complaint with the French data-protection authority, CNIL.

To exercise any of these, write to privacy@usegripe.com. We respond within 30 days.

8. Cookies

usegripe.com (this site) uses no tracking or advertising cookies. app.usegripe.com (the dashboard) sets a strictly necessary authentication cookie when you log in — this cookie is required for the service to function and is exempt from prior consent under the ePrivacy directive.

9. Security

We encrypt data in transit (TLS 1.2+) and at rest. Access to production systems is restricted to the people who strictly need it and is logged. We follow the principle of least privilege and a strict secret-rotation policy. We will notify affected users and the CNIL within 72 hours of becoming aware of a personal data breach, as required by art. 33 GDPR.

10. Children

Gripe is a B2B SaaS for product teams. It is not directed to children under 16, and we do not knowingly collect personal data from them.

11. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the latest revision. Material changes will be communicated by email to registered users.

12. Contact

⟪Legal entity name⟫
⟪Postal address⟫, France
privacy@usegripe.com