Privacy Policy

1. Who we are

Greymill ("we", "us", "our") operates the Greymill platform at greymill.ai. Greymill is a trading name of a company registered in England & Wales. We are registered with the UK Information Commissioner's Office (ICO). This policy explains what personal information we collect, how we use it, and the rights you have over your data, whether you are located in the UK, European Union, United States, or elsewhere.

2. Scope

This policy applies to all users of the Greymill platform worldwide. Where specific regional laws grant additional rights — such as the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA) — those rights are respected and are explained in sections 9 and 10 below.

3. What data we collect

We collect the following categories of personal information when you use Greymill:

• Account information: your email address, an encrypted password hash, your chosen workspace name, and optionally your full name and phone number.
• Business information: details about your business that you choose to share during onboarding, including industry, company name, and any context you provide to your AI specialists.
• Conversation data: the messages you send to Greymill's AI specialists and the responses you receive.
• Documents: any files or documents you upload to the platform.
• Usage data: which specialists you interact with, the frequency and length of your conversations, response times, and approximate timestamps.
• Technical data: IP address, browser type, device type, and approximate location (city-level) derived from IP address, collected automatically for security and analytics purposes.

4. How we use your data

We use your data to:

• Provide and operate the Greymill service, including powering your AI specialists with the business context you have shared.
• Process subscription payments and manage your account.
• Generate usage reports and savings summaries that are visible only to you.
• Send transactional emails such as welcome messages, password resets, billing notifications, and weekly savings reports.
• Detect and prevent abuse, fraud, and security incidents.
• Respond to support requests and feedback.
• Improve the Greymill product based on aggregated, anonymised usage patterns.

5. Lawful basis for processing (UK and EU users)

For users in the UK and European Economic Area, we process your personal data on the following legal bases under UK GDPR and EU GDPR:

• Contract: to provide the service you have subscribed to.
• Legitimate interests: to secure the platform, prevent fraud, and improve our product, where these interests are not overridden by your rights.
• Legal obligation: where we must retain or disclose data to comply with law.
• Consent: for any non-essential cookies or marketing communications, which you may withdraw at any time.

6. How we protect your data

Your data is stored in encrypted databases hosted in the European Union. Passwords are hashed using bcrypt. All communications with Greymill servers are encrypted in transit using HTTPS (TLS 1.2 or above). Access to production systems is restricted to authorised personnel using multi-factor authentication. We do not sell, rent, or trade your personal data to third parties for their marketing purposes under any circumstances.

7. AI processing and your conversations

Your conversations with Greymill's AI specialists are processed by large language models provided by a specialist AI infrastructure partner under a commercial agreement that prohibits the use of your data to train AI models. Your business data and conversation history are used solely to personalise your experience within your own Greymill workspace. Each workspace is logically isolated — users cannot see or access any other user's conversations, documents, or business information.

8. Cookies and analytics

We use strictly necessary cookies to maintain your login session and deliver the service. We use a product analytics tool to understand how the platform is used in aggregate; this tool is hosted in the EU and is configured so that personally identifying information is pseudonymised where possible. We do not use advertising cookies, do not participate in ad networks, and do not sell or share data with advertisers. You can control cookies through your browser settings, though disabling essential cookies will prevent you from using the service.

9. Your rights under UK and EU GDPR

If you are located in the UK or EEA, you have the following rights regarding your personal data:

• Access: request a copy of the personal data we hold about you.
• Rectification: ask us to correct any inaccurate or incomplete data.
• Erasure ("right to be forgotten"): request deletion of your data.
• Restriction: ask us to stop processing your data in certain circumstances.
• Portability: receive your data in a structured, commonly-used format.
• Objection: object to processing based on legitimate interests.
• Withdraw consent: where processing is based on consent, withdraw it at any time.
• Complain: lodge a complaint with your local supervisory authority. In the UK, this is the Information Commissioner's Office (ico.org.uk).

To exercise any of these rights, email support@greymill.ai. We will respond within one month.

10. Your rights under California law (CCPA / CPRA)

If you are a California resident, you have additional rights under the California Consumer Privacy Act as amended by the California Privacy Rights Act:

• Right to know: request disclosure of the categories and specific pieces of personal information we have collected about you, the sources of that information, the business purposes for collecting it, and the categories of third parties with whom we share it.
• Right to delete: request that we delete personal information we have collected from you, subject to certain exceptions.
• Right to correct: request that we correct inaccurate personal information.
• Right to opt out of sale or sharing: Greymill does not sell your personal information and does not share it for cross-context behavioural advertising, so there is nothing to opt out of.
• Right to limit use of sensitive personal information: we do not use sensitive personal information beyond what is necessary to provide the service.
• Right to non-discrimination: you will not receive discriminatory treatment for exercising any of your privacy rights.

California residents may exercise these rights by emailing support@greymill.ai. We will verify your identity before acting on any request and respond within 45 days.

11. International data transfers

Greymill is operated from the United Kingdom. Your data may be transferred to and processed in countries other than the one in which you reside, including the United States and the European Economic Area. Where we transfer personal data from the UK or EEA to a country not deemed to have adequate data protection, we rely on Standard Contractual Clauses approved by the UK ICO and European Commission to ensure an equivalent level of protection.

12. Data retention

We retain your personal data for as long as your account is active. If you cancel your subscription, we retain your data for 30 days to allow reactivation, after which it is permanently deleted from our production systems. Backup copies may persist for up to a further 30 days before being overwritten. You may request immediate deletion at any time by emailing support@greymill.ai, subject to any legal or contractual retention obligations we may have.

13. Children's privacy

Greymill is not intended for use by anyone under the age of 18, and we do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact support@greymill.ai and we will delete it promptly.

14. Service providers

To deliver the Greymill service, we share certain personal data with a small set of trusted infrastructure providers, including those who provide AI model inference, authentication and database hosting, web hosting and edge delivery, transactional email, and product analytics. Each is contractually bound by a Data Processing Agreement with Greymill and may only process your data on our instructions. A current named list with full company details is available on request to support@greymill.ai, and is provided to enterprise customers as part of our Data Processing Agreement. We will notify active users by email at least thirty (30) days before adding or replacing a service provider that materially changes how personal data is processed.

For data transferred to the United States or other third countries, we rely on the European Commission's Standard Contractual Clauses (or the equivalent UK International Data Transfer Agreement) together with supplementary technical measures, including encryption in transit and at rest.

15. Changes to this policy

We may update this policy from time to time to reflect changes in our practices or applicable law. When we make material changes, we will notify active users by email and update the "Last updated" date at the top of this page. Your continued use of the Greymill service after the effective date of an updated policy constitutes acceptance of the changes. If you do not agree to an updated policy, you may close your account at any time.

16. Contact

For any questions about this policy, to exercise your data protection rights, or to raise a privacy concern, please contact our data protection team at support@greymill.ai. We aim to respond to all enquiries within five working days.

Subscription billing is provided by FastSpring (Bright Market, LLC, United States) acting as Merchant of Record. See our Terms of Service for the billing relationship and FastSpring's privacy policy for how billing data is handled.

Greymill Limited · Registered in England and Wales · Company number 17144930 · 71-75 Shelton Street, Covent Garden, London, WC2H 9JQ