00//Privacy Policy

How we handle your data

GracePeak Labs ("we", "the service") is a platform that lets agents actually do work inside your operations. This policy explains what data we collect, what we use it for, who else sees it, and what rights you have. Plain language. No legalese theatre.

Last updated ·

01

Scope

This policy covers everything you do through gracepeak.dev, the GracePeak Labs dashboard, our CLI, and our APIs.

When we say "workspace content," we mean the data you and your workspace teammates create or upload during use — work items, comments, attachments, Agent and Runtime configuration, skills, conversation logs, and so on.

02

What we collect

Account information: email, display name, password hash (never the plaintext), and avatar.

Workspace content: work items, projects, Agent configuration, Runtime metadata, skills, conversations and comments, and any files you upload as attachments.

Usage logs: per-task execution steps, token consumption, and error traces — used so you can replay and debug.

Runtime telemetry: heartbeats from your CLI / daemon, currently-online runtimes, and the IDs of tasks they've claimed. We don't peek at other processes on your machine.

Basic technical signals: IP, user-agent, login times — for anti-abuse and incident response.

03

What we use it for

To run the product: actually executing the tasks you hand to agents, surfacing the results, and routing your content to the right workspace.

Billing and quota: tallying credits consumed per workspace per month and tracking free-tier usage.

Security and anti-abuse: detecting unusual logins, rate-limiting, blocking malicious behavior.

Product improvement: aggregate usage analytics (which features get used, where bugs cluster). We never use your private workspace content to train any model.

04

Third-party processors

To run the service, we work with a set of trusted third-party vendors. Each category sees only the data it needs:

·Cloud infrastructure and object storage providers — host our network, compute, and uploaded files.

·Database hosting providers — store the primary database.

·Transactional email providers — deliver system emails (invitations, notifications).

·Large language model (LLM) providers — when you trigger an agent task, we forward the necessary prompt and context to the selected model. The data flow per task is visible in the task detail page.

·Third-party application integration providers (optional) — used when you connect external SaaS tools yourself.

All vendors are vetted and operate under appropriate data-processing agreements. We don't sell your data to advertisers and we don't integrate any ad networks.

05

When we share

We disclose your information in these cases: to other workspace members (within their permission level), to the processors listed above (minimum necessary scope), when required by law (court order, regulatory request), and to respond to urgent security incidents.

Outside of those, we don't share your data with anyone.

06

Retention

Your workspace content is retained for as long as your account is active. After account deletion, there's a 30-day hard-delete window during which you can restore; after that, content is physically deleted.

Log data is retained for 90 days for debugging and audit. Anonymized aggregate analytics are retained indefinitely.

R2 objects (your uploaded attachments, agent-generated artifacts) are deleted along with the workspace.

07

Security

Passwords are stored as industry-standard one-way hashes — never in plaintext. Sessions use short-lived tokens in httpOnly cookies. All traffic is HTTPS-only. We continuously monitor for and patch security vulnerabilities.

Agent execution actually happens on your own machine (the runtime is a daemon you install locally). Your code, sessions, and local credentials never reach our cloud. This is the most important isolation in the product's design.

08

Cookies

We only use the cookies we have to: session identity, CSRF defense, and language preference. No third-party tracking cookies. No advertising cookies.

09

Your rights

You can view, edit, export, or delete your account information at any time under Preferences → Account. You can also email hello@gracepeakglobal.com to request a data export (a JSON bundle of all your workspace content).

Depending on your jurisdiction (GDPR, CCPA, PIPL, etc.), you have rights of access, correction, deletion, and portability. We typically respond within 14 days.

10

Changes

Material changes will be announced via in-product notice and email 14 days in advance, and the "Last updated" date on this page will move. Continued use after the new version takes effect constitutes acceptance.

Questions about this policy? Email hello@gracepeakglobal.com — we usually reply within a couple of business days.