Privacy Policy
Last updated: 19 May 2026
This policy explains what personal data we collect when you use GrantSpark, why we collect it, who we share it with, how long we keep it, and the rights you have under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Who we are
GrantSpark is a trading name of Grant Finder Limited, a company registered in England and Wales. We are the data controller for the personal data described in this policy. You can contact us at hello@grantspark.co.uk.
What data we collect and why
We collect only what we need to run the service:
- Account data: your email address and a hashed password. We use these to identify you and to let you sign in. Legal basis: contract (necessary to provide the service you signed up for).
- Organisation profile: the details you enter during onboarding and on the profile page — organisation name, description, nation, postcode area, sectors, team size, etc. We use these to match you to relevant grants. Legal basis: contract.
- Match results: the AI-generated match list, kept so it appears instantly when you return without re-running the matching engine. Legal basis: contract.
- Usage data: we record your IP address and request timestamps for rate-limiting (to stop a single account accidentally or maliciously running up large bills). Legal basis: legitimate interest (protecting the service and other users).
- Cookies: see our Cookie Policy. We use only strictly necessary cookies; no analytics or marketing trackers.
We do not collect payment details directly — when billing launches we will use Stripe as a payment processor and you will enter card details on Stripe’s systems, not ours. We do not collect special-category personal data (health, religion, etc.).
Who we share data with
We use a small number of trusted sub-processors to operate the service. Each is bound by a data-processing agreement:
- Supabase (database and authentication) — EU-Central region (Frankfurt). Stores your account and organisation data.
- Vercel (hosting) — runs the website and API routes that you interact with.
- Anthropic (AI matching) — receives your organisation profile and a list of candidate grants in order to produce match scores. Anthropic does not train on or store the requests we send via their API.
- Upstash (rate limiting) — stores per-user request counters keyed on your user ID; no profile data.
- Stripe (payments — when billing launches) — processes card payments. Card details are never seen or stored by GrantSpark.
- IONOS (domain registrar) — provides the grantspark.co.uk domain.
We do not sell, rent or share your personal data with third parties for marketing purposes.
International transfers
Anthropic processes data in the United States, and some of our sub-processors operate globally. Where data leaves the UK or EEA we rely on the UK’s International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK addendum. We choose providers with strong privacy practices and appropriate certifications (SOC 2 Type II or equivalent).
How long we keep your data
Account and organisation data: for as long as your account is active, plus 90 days after deletion so we can recover from accidental deletions and meet audit obligations. After 90 days we delete it permanently.
Match results: held while the related grant is active; rerun regularly. Old results are overwritten when you run a fresh match.
Rate-limit counters in Upstash: short-lived (one day for the daily quota, one minute for the burst window) — they expire automatically.
Your rights
Under UK GDPR you have the right to:
- Ask for a copy of the personal data we hold about you
- Ask us to correct data that is inaccurate
- Ask us to delete your data
- Ask us to restrict or object to certain processing
- Ask for your data in a portable format
- Withdraw consent where we rely on consent (rare for us)
- Complain to the Information Commissioner’s Office (ICO) if you believe we’ve handled your data improperly — see ico.org.uk/make-a-complaint
To exercise any of these rights, email hello@grantspark.co.uk. We’ll respond within one calendar month.
Security
We use industry-standard encryption in transit (TLS 1.2+) and at rest (AES-256). Passwords are hashed using bcrypt. Access to production data is restricted to the people who operationally need it. We do not have a sales team or analytics team with access to your data.
Changes to this policy
We will update this page when we change how we process data. If the changes are material we’ll email account holders before they take effect.
Contact us
Email hello@grantspark.co.uk for any privacy question, data subject request or concern.
See also our Terms of Service, Cookie Policy and AI Disclaimer.