grāmatr

The Product

Overview How It Works The Science Proof

The Buying Case

For Enterprise ROI Security & Trust Governance Pricing
For Partners →
Insights
Log in ↗ Book a Conversation →
grāmatr

The Product

Overview How It Works The Science Proof

The Buying Case

For Enterprise ROI Security & Trust Governance Pricing For Partners
Insights
Log in ↗ Book a Conversation →
Request Early Access

Every application is reviewed individually.

Sign in to verify your identity. Access still requires approval.

Talk to Us

Tell us about your organization.

Get in Touch

We'll get back to you within 24 hours.

Legal

Privacy Policy

Last updated: June 12, 2026

The short version

  • This policy covers gramatr.com — the enterprise and partner surface. Individual and team users are covered by the privacy policy at app.gramatr.com/privacy
  • We run Google Analytics 4 and a NEXT90 measurement tag on this website — production only
  • We do not sell data
  • Enterprise platform data is processed under a Data Processing Agreement (DPA) — contact [email protected] to obtain the DPA
  • EU and UK data subjects have full rights under GDPR — access, correction, deletion, portability
  • International transfers rely on Standard Contractual Clauses (SCCs)
  • Email [email protected] for any privacy or data-rights request

1. Who we are

grāmatr℠ is operated by gramatr, LLC, a Missouri limited liability company. “We,” “us,” and “our” refer to gramatr, LLC throughout this policy.

Contact: [email protected]
gramatr, LLC · 167 Lamp & Lantern Village, Suite 253, Chesterfield, MO 63017

EU and UK visitors: gramatr, LLC does not currently have an in-EU representative under GDPR Article 27. If you are in the EU or UK and need to exercise your rights or file a complaint, email [email protected] directly. This page will be updated when a representative is appointed.

2. What this policy covers

This policy covers gramatr.com — the enterprise and partner surface operated by gramatr, LLC. It governs data collected through the gramatr.com website, enterprise inquiry and onboarding flows, and partner engagement activities.

Individual and team SaaS users of the grāmatr platform (app.gramatr.com, the API, and client integrations with Claude, ChatGPT, Gemini, VS Code, Cursor, and other connected tools) are covered by the separate privacy policy at app.gramatr.com/privacy.

Enterprise platform deployments are governed by the applicable enterprise agreement and Data Processing Agreement (DPA) executed between gramatr, LLC and the enterprise data controller. Where a DPA is in place, it takes precedence over this policy for platform data processing.

3. What we collect

Information provided through enterprise and partner engagement

  • Enterprise inquiries and contact: organisation name, contact name, work email address, role or title, intended deployment scope, and message content — collected when a representative contacts us via gramatr.com forms or email
  • Partner and procurement engagement: information submitted as part of vendor assessments, partnership evaluations, or procurement intake processes
  • Enterprise onboarding: information provided during commercial agreement execution, including authorised signatory details and billing contact information

Information the website collects automatically

  • Standard server logs: IP address, user agent, pages visited, referring URL, timestamps
  • Google Analytics 4 (measurement ID: G-6210ZW2CHV) — standard site analytics. GA4 uses its own cookies; see Google’s cookie policy for details. GA4 data is subject to Google’s privacy policy.
  • NEXT90 measurement tag — page visit data and engagement behaviour for site analytics. See the NEXT90 privacy policy for details on what the tag collects.

Analytics tags run only on production (gramatr.com). They do not run on preview deployments, staging, or localhost.

Enterprise platform data (governed by DPA)

When gramatr, LLC processes data on behalf of an enterprise customer as a data processor, the lawful basis, scope, and retention of that processing are defined in the Data Processing Agreement (DPA) between the parties. See Section 11 (Data Processing Agreement) for details.

Information collected automatically (website)

  • Standard server logs: IP address, user agent, pages visited, referring URL, timestamps
  • Google Analytics 4 (measurement ID: G-6210ZW2CHV) — standard site analytics. GA4 uses its own cookies; see Google’s cookie policy for details. GA4 data is subject to Google’s privacy policy.
  • NEXT90 measurement tag — page visit data and engagement behavior for site analytics. See the NEXT90 privacy policy for details on what the tag collects.

Analytics tags run only on production (gramatr.com). They do not run on preview deployments, staging, or localhost.

Cookies

We use essential cookies for session state on this website. Google Analytics 4 sets its own cookies for site analytics. We do not use advertising cookies.

4. How we use it

  • To evaluate and respond to enterprise inquiries, partnership requests, and procurement submissions
  • To contact enterprise and partner representatives about grāmatr commercial arrangements, product updates, and deployment readiness
  • To operate, secure, and improve this website
  • To generate aggregated, de-identified site metrics for marketing and product planning
  • To comply with legal obligations

Lawful bases for processing (GDPR Article 6): legitimate interests (operating the website, evaluating commercial inquiries, and communicating with prospective enterprise customers); contractual necessity (performing obligations under an enterprise agreement or DPA); legal obligation (compliance with applicable law).

For enterprise platform processing, lawful bases are specified in the applicable DPA.

5. Enterprise platform data processing

The grāmatr platform processes intelligence data on behalf of enterprise customers. This section provides a summary for data controllers conducting due diligence. Full processing details are set out in the Data Processing Agreement (DPA).

Data processor role: For enterprise platform deployments, gramatr, LLC acts as a data processor under GDPR Article 4(8). The enterprise customer is the data controller and determines the purposes and means of processing.

Processing activities under the DPA include:

  • Storing and retrieving knowledge graph entities, observations, and session data on behalf of the enterprise
  • Classifying requests and routing intelligence within the enterprise deployment boundary
  • Applying the enterprise governance hierarchy (system, enterprise, team, user, project) to enforce data visibility controls
  • Generating aggregated, de-identified usage metrics for the enterprise administrator

Model training: Enterprise interaction data does not contribute to grāmatr’s shared model training by default. This default is set at the enterprise tier and cannot be overridden below that level without explicit enterprise administrator action. The DPA records this as a processing restriction.

6. Sub-processors and data flows

We engage the following sub-processors in delivering the platform. Enterprise customers may request a complete sub-processor list under their DPA.

Website sub-processors (gramatr.com):

VendorPurposeLocation
CloudflareWebsite hosting (Cloudflare Pages), CDN, DDoS protectionGlobal edge, US-based
Google (GA4)Website analyticsUS/EU
NEXT90Website measurementUS (self-hosted infrastructure)

Platform sub-processors for enterprise deployments are listed in the applicable DPA addendum.

7. How we share it

We do not sell personal information. We disclose data to third parties only in the following circumstances:

  • Sub-processors — as listed in Section 6 and, for enterprise deployments, the DPA sub-processor addendum
  • Legal requirements — disclosure required by law, court order, regulatory authority, or to protect legal rights and safety
  • Business transfers — in connection with a merger, acquisition, or sale of assets, with written notice to affected enterprise customers
  • Enterprise customer direction — when an enterprise administrator configures integrations with third-party AI tools, the intelligence packet is delivered to that provider under the terms of the enterprise agreement

8. How we protect it

  • Encryption at rest — all platform data is encrypted at the storage level
  • Row-level security — enforced at the PostgreSQL database level. Every query is scoped to your user ID via per-transaction session variables. This is architectural isolation, not application-level filtering.
  • Encryption in transit — all connections use TLS
  • API key security — API keys are SHA-256 hashed before storage. Raw keys are shown once at creation and never stored in plaintext.
  • Access controls — access to customer data is limited to personnel with a business need

For a fuller picture of our security posture, see the Security page.

9. How long we keep it

Data typeRetention
Enterprise inquiry and contact dataAs long as needed to evaluate and progress the commercial relationship, deleted on request
Enterprise platform data (knowledge graph, classification records, session metadata)Per the DPA — default is until enterprise agreement termination, then deletion within 30 days
Server logs (website)30 days
GA4 dataPer Google Analytics default retention (currently 14 months)

Upon enterprise agreement termination, platform data covered by the DPA is permanently deleted within 30 days of the termination date, unless a longer retention period is required by law or agreed in writing. Aggregated, de-identified model improvements derived from enterprise data during the active agreement (where permitted under the DPA) are retained as gramatr intellectual property. Deletion is prospective and does not unwind previously derived model improvements.

10. Data subject rights

Enterprise data controllers

Where gramatr, LLC acts as a data processor, the enterprise data controller is responsible for handling data subject rights requests from their own personnel or end users. gramatr, LLC will assist the controller in fulfilling such requests as required by the DPA and GDPR Article 28(3)(e).

Website visitors and enterprise contact representatives

Individuals whose data is processed through gramatr.com (e.g., enterprise contact representatives whose details are held in our CRM) may exercise the following rights:

  • Access — request a copy of your personal data
  • Correction — request correction of inaccuracies
  • Deletion — request erasure where no overriding legitimate purpose or legal obligation applies
  • Portability — receive your data in a machine-readable format
  • Restriction — limit processing pending resolution of an accuracy or objection dispute
  • Objection — object to processing based on legitimate interests

Our lawful bases for processing contact representative data are: legitimate interests (evaluating commercial inquiries and maintaining enterprise relationships) and contractual necessity (performing obligations under an enterprise agreement). Where we rely on legitimate interests, you may object at any time.

California representatives (CCPA/CPRA)

Individuals acting in a B2B capacity are generally exempt from CCPA consumer rights. To the extent CCPA applies, contact representatives have the right to know, delete, and correct their personal information, and the right to opt out of sale or sharing (we do not sell or share personal information in the CCPA sense).

To exercise any right: email [email protected]. We will respond within the timelines required by applicable law (30 days for GDPR, 45 days for CCPA).

11. Data Processing Agreement (DPA)

Enterprise customers who are subject to GDPR or other data protection legislation requiring a data processor agreement may request gramatr, LLC’s standard Data Processing Agreement.

The DPA covers:

  • Subject matter, nature, duration, and purpose of processing
  • Categories of personal data and categories of data subjects
  • Obligations and rights of the data controller
  • Sub-processor list and change notification process
  • Data subject rights assistance obligations (GDPR Article 28(3)(e))
  • Security measures (Article 32)
  • Breach notification procedures (Articles 33–34)
  • Data deletion and return on termination
  • Standard Contractual Clauses (SCCs) for transfers out of the EU/UK

To request the DPA or negotiate custom processing terms: email [email protected].

12. International transfers

grāmatr is operated from the United States. Data transferred from the EU or UK to the U.S. is protected by Standard Contractual Clauses (SCCs) executed between gramatr, LLC and the enterprise data controller (or, where gramatr acts as processor, between gramatr and its sub-processors). Copies of applicable SCCs are available on request.

13. Children

gramatr.com is directed exclusively at enterprise and professional audiences. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided us with personal information, contact [email protected] and we will delete it.

14. Changes to this policy

We may update this policy as grāmatr evolves. When we do, we will update the “Last updated” date above. For material changes affecting enterprise data processing, we will provide written notice to enterprise customers. Changes to the DPA are subject to the amendment provisions in the applicable enterprise agreement.

15. Contact

Questions about this policy, data subject rights, or enterprise data processing:

[email protected]

gramatr, LLC · 167 Lamp & Lantern Village, Suite 253, Chesterfield, MO 63017 · Missouri, USA

Related: Terms of Service · Security

grāmatr

Pre-model reasoning infrastructure.

The Product
Overview How It Works The Science Proof
The Buying Case
For Enterprise ROI Security & Trust Governance Pricing For Partners
Company
Insights Book a Conversation Status LinkedIn GitHub
Legal
Privacy Terms Privacy Settings

Patent-pending context-engineering architecture.
grāmatr℠ is a service mark of gramatr, LLC.

Encrypted at rest with row-level security.

© 2026 gramatr, LLC. All rights reserved.

ESC