Privacy Policy

1. About the Platform

Grishya is a platform where creators ("Community Owners" or "Owners") build and manage private communities. Community Owners manage their community's members, content, and offerings. Users who join a community become Members of that community. The Platform acts as a technology facilitator and does not determine or control the independent data processing practices of Community Owners, except to the extent required by law.

The Platform enables interaction between Community Owners and Members through community content, discussions, and offerings.

The Platform acts as a facilitator of community engagement and does not itself determine the content, methodology, or outcomes of any community's offerings.

While each Community Owner controls their community's membership, content, and offerings, Grishya retains access to all content and data hosted on the Platform for the purpose of operating and improving platform-wide features and services.

2. Intended Use and Purpose

Grishya is designed to enable creators to build and manage private communities where Members can connect, interact, and engage with content and with one another. The Platform enables Community Owners to create and offer content and offerings within their communities.

Members may participate in these offerings, or engage directly with the community through content and collaborative activities. The Platform provides a secure and organized digital environment to support these interactions, allowing Members and Community Owners to share insights, ask questions, and collaborate around shared interests.

As a facilitator, the Platform provides the tools and infrastructure for community engagement, but does not determine or control the content, methodology, or outcomes of any community's offerings, which remain under the sole responsibility of the Community Owners.

The primary purpose of processing Personal Data through the Platform is to enable the delivery, administration, and continuous improvement of services. This includes creating and managing user accounts; facilitating membership, participation in community activities and offerings; enabling communication between Members and Community Owners; processing subscriptions, payments, and refunds; providing technical and customer support; and ensuring secure access to Platform features.

Personal Data and community content are also processed to operate and improve platform-wide features and services. This processing maintains the integrity, security, and reliability of the Platform, including monitoring system performance, preventing fraud or misuse, detecting unauthorized access, and complying with applicable legal, regulatory, and contractual obligations. Limited technical and usage data may be used for analytics and platform optimization to improve user experience and service quality, without engaging in intrusive profiling or automated decision-making that produces legal or similarly significant effects on Users.

We process Personal Data only to the extent reasonably necessary to fulfill these purposes, and strictly in accordance with User consent, contractual necessity, legitimate business interests, and applicable data protection laws.

3. Consent

By using the Platform or Services and/or by providing your information, you consent to the collection and use of the information you disclose on the Platform in accordance with this Privacy Policy, including but not limited to your consent for sharing or using your information as described herein.

Our processing activities rely on lawful bases such as contractual necessity, consent, and compliance with legal obligations. Users must provide explicit consent before uploading any data that may contain personal information. Consent is captured electronically through our interfaces, and Users retain the right to withdraw it at any time.

Consent provided by Users shall be freely given, specific, informed, and unambiguous, and may be withdrawn at any time in accordance with applicable laws. Where Users provide data that includes personal information, consent will be recorded electronically and retained for audit purposes.

If you disclose any personal information relating to other people to us, you represent that you have the authority to do so and to permit us to use the information in accordance with this Privacy Policy.

You may consent to providing your email address for the purpose of receiving marketing emails from us. While you may unsubscribe at any time, we cannot recall any email we have already sent. If you have any further enquiries about how to withdraw your consent, please contact us using the details provided in the Contact Us section.

4. Categories of Data Collected

We collect, process, and retain the following categories of information as necessary to deliver our Services (collectively referred to as "Personal Data" or "Data"):

• Personal and Account Information: Includes name, email address, mobile number, username, account credentials, profile details, communication preferences, billing information, subscription details, and other information necessary to create, manage, and administer User accounts on the Platform.
• Community and Engagement Information: Includes community membership details, participation logs, interaction data within community content, discussions, offerings, and other community activities conducted through the Platform.
• Payment and Transaction Information: Includes billing details, transaction identifiers, subscription plans, invoices, payment status, and refund records required to process payments and manage subscriptions. We do not store complete payment instrument details and rely on secure third-party payment gateways for processing such transactions.
• User-Generated Content: Includes content voluntarily submitted by Users during community interactions, sessions, or through communication channels available on the Platform. This content may be indexed and analyzed for platform-wide features and services.
• Audio, Video, and Session Data: Includes audio, video, chat messages, participation indicators, and session recordings generated during live sessions or other offerings where recording features are enabled. Users are notified in advance where sessions are recorded, and access to such data is restricted in accordance with Platform policies.
• Technical and Device Information: Includes Internet Protocol (IP) address, device type, browser type, operating system, session identifiers, timestamps, log files, error reports, and usage analytics automatically collected when Users access or use the Platform.
• Cookies and Similar Technologies: Includes information collected through cookies and similar tracking technologies used to enable core Platform functionality, remember user preferences, improve user experience, and perform limited analytics, subject to User-controlled settings.
• Compliance, Security, and Consent Records: Includes access logs, audit trails, consent records, security alerts, and other information necessary to comply with applicable laws, enforce Platform policies, detect and prevent fraud, and respond to lawful requests from regulatory or law enforcement authorities.
• Information Received from Third Parties: Includes limited Personal Data received from Community Owners, payment service providers, or other third-party partners solely for the purpose of delivering Services, processing transactions, or integrating Platform functionalities, and processed in accordance with this Privacy Policy and applicable law.

5. Children and Minors' Data

The Platform is not directed toward children below the age at which valid consent for data processing may be provided under applicable law. We do not knowingly collect or process Personal Data of minors without verifiable consent from a parent or legal guardian, where such consent is required.

Where we become aware that Personal Data of a minor has been collected without appropriate consent, we will take reasonable steps to delete such data or suspend processing until lawful consent is obtained. Access to certain services or content may be restricted where age-based consent requirements cannot be satisfied.

6. Security and Data Protection

We maintain strict administrative, physical, and technical safeguards to ensure the confidentiality, integrity, and availability of all data processed through the Platform. Security measures include:

• Encryption of data in transit and at rest
• Controlled access with strict and limited access for employees and contractors
• Regular monitoring and vulnerability assessments
• Secure data storage and deletion in compliance with applicable laws

We do not sell, process, or rent personal or organizational data. In the unlikely event of a Personal Data breach, we will notify the relevant supervisory authority and affected Users, where required by law, within the timelines prescribed under applicable data protection laws.

We implement security controls consistent with globally recognized standards. Users are responsible for maintaining security of their access credentials and systems used to connect with the Platform.

7. Third Party Involvement

We engage only with secure cloud infrastructure as sub-processors for hosting, storage, and system operations. All third-party service providers are contractually bound to maintain appropriate security measures and process data only in accordance with our instructions and applicable data protection laws.

Third-Party AI Services. The Platform uses third-party artificial intelligence services to process community content for platform operations, including content moderation, discovery, and service improvement. By using the Platform, Community Owners and Members consent to their content being processed by these services. Content shared with third-party AI service providers is subject to those providers' own data handling and privacy policies. Grishya selects providers whose policies are consistent with our commitment to data protection, but does not control third-party data practices beyond contractual terms.

Google Calendar Integration. Users may optionally connect their Google Calendar account to sync events created on Grishya to their personal Google Calendar. When connected, we access your Google Calendar events (read and write) and your Google account email address. We use this data solely to: (i) create, update, and remove Grishya events on your Google Calendar, and (ii) identify your connected Google account. Your Google OAuth tokens (access and refresh tokens) are stored securely in our database and are used only for the purposes described above. We do not share your Google Calendar data with any third parties. You may disconnect your Google Calendar at any time from your account settings, which will revoke our access.

8. Community Owner Obligations

This Privacy Policy governs the collection, use, and processing of Personal Data across the Platform, including within all communities hosted on it. Community Owners operate under Grishya's policies and are bound by the following obligations regarding Member data and content:

8.1 Data Handling

• Community Owners may access Member information made available through Platform features solely for the purpose of managing their community.
• Community Owners must not sell, export, or use Member data for purposes unrelated to their community on the Platform.
• Community Owners must not collect sensitive personal information from Members outside of Platform-provided tools.
• Community Owners must comply with applicable data protection laws in their interactions with Members.

8.2 Content Safety

• Community Owners are responsible for ensuring that content within their communities complies with Grishya's Terms of Service and Acceptable Use Policy.
• Community Owners must make reasonable efforts to moderate content and address violations promptly.
• Community Owners must not knowingly allow prohibited, illegal, or harmful content to remain within their communities.

8.3 Platform Policies Govern

All data processing within communities hosted on the Platform is subject to this Privacy Policy. Community Owners are not independent data controllers for data processed through Platform features, tools, or infrastructure. Community Owners are not employees, agents, joint ventures, or representatives of the Platform.

8.4 Enforcement

Grishya reserves the right to suspend or terminate any community or Community Owner account that violates these obligations, Grishya's Terms of Service, or applicable law, without prior notice. Grishya may also report violations to relevant authorities where required or permitted by law.

9. Legal Basis for Processing

We collect Personal Data in digital or other forms to perform our business activities and render our services. We collect only the minimum data necessary for the stated purposes and ensure that no excessive, irrelevant, or unnecessary personal data is collected. The following explains the types of data we collect and the legal basis on which this data is processed:

• User account creation and management: Name, email, mobile number, username, password, profile details
  — Performance of contract
• Identity verification and platform access: Login credentials, authentication logs, IP address, device identifiers
  — Performance of contract; Legitimate interests (security, fraud prevention, and platform integrity)
• Community membership and offering participation: Membership details, participation data, interaction and engagement records
  — Performance of contract
• Conduct of live sessions and offerings: Audio, video, chat messages, participation indicators, session metadata
  — Performance of contract; Consent (for recordings where enabled)
• Content indexing, discovery, and moderation: Community content, engagement metrics, moderation outcomes
  — Legitimate interests (platform operations, content safety, service improvement)
• Payment processing and subscription management: Billing details, transaction identifiers, subscription status, invoices, refund records
  — Performance of contract; Legal obligation
• Compliance with legal and regulatory requirements: Transactional records, logs, consent history, audit trails
  — Legal obligation

10. Usage of Personal Data

We may use Personal Data for the following purposes:

• Deliver and operate community services: to enable account access, community membership, participation in offerings, access to content, and other community activities on the Platform.
• Facilitate communication and community interactions: to enable communication between Members and Community Owners within their communities.
• Provide content discovery and recommendations: to index, analyze, and surface community content across the Platform to power discovery, recommendations, and other platform features.
• Moderate content and enforce policies: to use automated and manual review processes, including third-party moderation services, to detect and act on content that violates Platform policies or applicable laws.
• Provide platform functionality and support: to operate, maintain, and improve Platform features, provide customer support, respond to User queries, and resolve technical or service-related issues.
• Process payments and manage subscriptions: to process fees, subscriptions, refunds, Community Owner payouts (where applicable), and maintain transaction records in accordance with legal and contractual requirements.
• Ensure platform security and integrity: to authenticate Users, monitor usage, prevent fraud or misuse, detect unauthorized access, and safeguard the security and reliability of the Platform.
• Comply with legal and regulatory obligations: to meet statutory requirements, respond to lawful requests from authorities, and enforce applicable terms, policies, and agreements.
• Communicate essential updates: to notify Users of important service-related communications, including changes to features, maintenance updates, or revisions to this Privacy Policy.

11. Automated Decision Making

The Platform uses automated tools for content moderation (e.g., image safety review via third-party services) and content indexing for search and recommendations. These tools support platform operations and do not produce legal effects or similarly significant consequences for Users, including decisions relating to access to services, pricing, eligibility, or contractual rights.

Content flagged by automated moderation systems may be restricted pending manual review. Users are notified when content is rejected and may contact support for further review.

Automated tools and algorithms used by us are limited to supporting platform functionality, content safety, content organization, and service optimization, and operate with appropriate human oversight. Such tools are not used to infer sensitive characteristics, beliefs, or personal attributes of Users.

12. Retention Period of Personal Data

We retain Personal Data only for as long as is reasonably necessary to fulfil the purposes for which it was collected, including the provision of community services, operation of the Platform, compliance with legal and regulatory obligations, resolution of disputes, and enforcement of applicable agreements.

Personal Data associated with active User accounts is generally retained for the duration of the User's relationship with the Platform. Upon deletion or deactivation of an account, Personal Data is securely deleted or anonymized within a reasonable period, unless continued retention is required or permitted under applicable law, including for compliance with statutory, accounting, tax, or regulatory obligations.

Certain categories of data, such as transaction records, consent logs, and audit trails, may be retained for longer periods where required by law or necessary to establish, exercise, or defend legal claims. Technical logs and usage data are retained for limited periods and are periodically reviewed and deleted or anonymized when no longer required for security, analytics, or operational purposes.

Where Personal Data is retained beyond active use, we ensure that such data is subject to appropriate safeguards and access restrictions. Anonymized or aggregated data that does not identify individuals may be retained for analytical, research, or service improvement purposes.

13. Data Accuracy and User Responsibility

We take reasonable steps to ensure that Personal Data processed is accurate, complete, and up to date, having regard to the purposes for which it is processed. Users are responsible for ensuring that the information they provide is accurate and for promptly notifying us of any changes or inaccuracies.

Where Personal Data is found to be inaccurate or incomplete, we will take reasonable steps to correct or update such data upon request or when otherwise required by applicable law.

14. Sharing of Personal Data

We may share your Personal Data only where necessary to provide our Services, to comply with applicable law, or to protect the security and integrity of our systems. We do not sell or share your Personal Data for marketing, profiling, or cross-context behavioral advertising. We follow a strict principle of limited disclosure, ensuring that any sharing of Data is lawful, proportionate, and consistent with the purposes described in this Privacy Policy.

• With Community Owners: We may share Personal Data with Community Owners for the purpose of managing their communities and delivering offerings within their private communities. Such sharing is limited to what is necessary for performance of their services. Community Owners act as independent data controllers in respect of any Personal Data processed by them outside Platform-controlled systems and shall be responsible for compliance with applicable data protection laws.
• Within Group Companies: We may share Personal Data with affiliates, subsidiaries, or parent entities solely for the purposes set forth in this Privacy Policy, such as service delivery, security management, internal auditing, or compliance. All intra-group transfers are governed by confidentiality agreements and appropriate safeguards.
• Service Providers: We engage select third-party service providers to support our operations, such as secure cloud hosting, data storage, and system monitoring. They process and store Data only on our instructions and under strict contractual terms consistent with applicable data protection laws. They are not authorized to use or disclose Personal Data for any purpose other than the provision of contracted services.
• Professional Advisors: We may disclose limited personal information to professional advisors such as legal counsel, auditors, insurers, or financial consultants, but only when necessary for legitimate business purposes such as audit, risk assessment, legal compliance, or enforcement of contractual rights.
• Law Enforcement and Regulatory Authorities: We may disclose your personal information to government or law enforcement officials: (a) for security, compliance, fraud prevention and safety purposes; (b) as required by law, lawful requests or legal process; (c) where permitted by law in connection with any legal investigation; and (d) to prosecute or defend legal claims.
• Corporate Restructuring: In the event of a merger, acquisition, reorganization, or sale of business assets, Personal Data relevant to the transaction may be transferred to the acquiring entity. Any such entity will be required to use and protect the information in accordance with this Privacy Policy and applicable laws.

15. International Data Transfers

Grishya operates and processes personal data primarily in the United States (us-east). Where personal data originating from the EEA, UK, or other regions with data transfer laws is transferred outside those regions, we implement appropriate safeguards, including Standard Contractual Clauses (SCCs) approved by the European Commission, or other lawful transfer mechanisms.

Australia — Australian Privacy Act

Personal Data is handled in accordance with the Australian Privacy Principles, including requirements relating to cross-border disclosure. Grishya takes reasonable steps, including contractual and security safeguards (such as data processing agreements where applicable), to ensure that overseas recipients of Personal Data handle such data in a manner consistent with Australian privacy obligations.

United States — CPRA/CCPA

Users have rights to know, access, correct, and delete Personal Data, and to opt out of the sale or sharing of Personal Data, as defined under applicable law. Grishya does not currently sell or share Personal Data for cross-context behavioural advertising purposes.

Canada — PIPEDA

Personal Data is collected, used, and disclosed with meaningful consent and in accordance with PIPEDA. Grishya remains accountable for Personal Data transferred to third parties for processing and ensures appropriate contractual and security safeguards are in place.

European Union — EU GDPR

Processing of Personal Data is carried out on a lawful basis under the GDPR. EU Users have rights including access, rectification, erasure, restriction, portability, and objection. Transfers of Personal Data outside the European Economic Area are subject to appropriate safeguards as required under the GDPR.

United Kingdom — UK GDPR

Personal Data is processed in accordance with the UK GDPR and the Data Protection Act 2018. UK Users have the right to lodge complaints with the Information Commissioner's Office (ICO), and international data transfers are subject to appropriate safeguards under UK law.

16. Rights You Have Over Your Data

As a User you have specific rights regarding the Personal Data being processed by us. We respect and uphold these rights, ensuring that you maintain control over your Personal Data:

• Right to Access: You have the right to obtain confirmation on whether we process your Personal Data, and to request information about the nature, purpose, and categories of data being processed, as well as the recipients of such data.
• Right to Correction and Erasure: You may request the correction or updating of inaccurate or incomplete Personal Data. You may also request the deletion of your Personal Data when it is no longer required for the purpose for which it was collected.
• Right to Withdraw Consent: You have the right to withdraw your consent for processing at any time. Withdrawal of consent will not affect the lawfulness of processing based on consent before its withdrawal, but it may limit your access to certain services that rely on such consent.
• Right to Restrict or Object to Processing: You may object to the processing of your Personal Data if you believe it impacts your fundamental rights and freedoms, unless we demonstrate compelling legitimate grounds for the processing. You may also request restriction of processing in certain circumstances.
• Right to Lodge a Complaint: You have the right to raise a grievance or lodge a complaint regarding the handling of your Personal Data.
• Right to Marketing Preferences: You may opt in or withdraw consent for receiving marketing communications at any time using the opt-out options provided or by contacting us.
• Right to Data Portability: You may request a copy of the Personal Data you have provided to us in a commonly used, machine-readable format, subject to identity verification and applicable legal limitations.
• Right to Non-Discrimination: You will not be denied services, charged differently, or treated unfairly for exercising your data protection rights, except where certain data is necessary to provide a requested service.
• Rights with Community Owners: Where Personal Data is processed directly by a Community Owner in its independent capacity, Users may be required to exercise their rights directly with such Community Owner, in accordance with its applicable privacy policy.

To exercise these rights, please contact us at [email protected]

17. Right to be Informed

Users have the right to be informed, in a clear and accessible manner, about how their Personal Data is collected, used, shared, retained, and protected by Grishya. This Privacy Policy, together with any notices provided at the time of data collection, constitutes our fulfilment of this obligation.

18. Use of Cookies

A cookie is a small piece of information stored by a web server on a web browser so that it can be later read from that browser. Cookies are useful for enabling the browser to remember information specific to a given User. This is done to recognize your device during future visits to our Platform, primarily to provide a better user experience.

We use essential cookies to enable website functionality and security. Non-essential cookies (e.g., for analytics) are used only with explicit User consent. Users can control cookie preferences through browser settings or consent banners.

19. Modifications

We reserve the right, at our sole discretion, to change, modify, add, remove, or impose restrictions on features or services or any portion of this Privacy Policy in whole or in part, at any time. However, our commitment to protecting Users' privacy will remain our main emphasis. Changes in this Privacy Policy will be effective when they are updated on the Platform. You are requested to keep checking the Privacy Policy from time to time for any changes made. Your continued use of the Platform after any changes are posted will be considered acceptance of those changes. Material changes to this Privacy Policy will be communicated to Users via a prominent notice on our Platform prior to their effective date.

20. Consequences of Not Providing Personal Data

If you choose not to provide your Personal Data, which is mandatory to process your request or provide Services, we may not be able to provide the corresponding experience.

21. Contact Us

If you have any questions, concerns, or requests relating to this Privacy Policy or any of our data protection practices, please contact us:

Email: [email protected]