Privacy Policy
Last updated: 2025-12-10
1. Data controller
The Grant 360 software suite is operated by Innotrope SAS, which acts as the
data controller for all processing activities described in this Privacy Policy.
Innotrope SAS
[Address]
Email: contact@grant360.eu
2. Personal data we collect
All Grant 360 applications rely on a single central users table, shared across all apps.
A user is created only once, regardless of how many apps they access.
From this central table, we collect and process:
- First name and last name
- Email address (required for login and communication)
- Role and status (e.g. registered user, invited user, contact)
- Notification and communication preferences
- Activity history (for example: logins, settings changes, key actions)
- Consent and legal basis settings
Additional personal data may be collected by each application where strictly necessary, for example:
- Grant Mind: notes content (which may incidentally include personal data if you write it),
metadata (status, theme, project, actions, dates), sharing rights between users.
- Grant Hub: files and folders you upload, access rights per user, temporary sharing links.
- Grant Tracker: history of calls viewed or saved, notification settings, optional scientific
profile information for recommendations.
- Grant Connect: contact details and preferences provided in service request forms.
- Grant Genius: proposal content, co-author information, uploaded scientific files
(PDF, TXT, BibTeX, public data from HAL / ORCID), and a history of interactions with the AI assistant.
- Grant Planner: information on projects, participants, roles, deliverables, deadlines and KPIs.
Authentication is provided by Cidaas (Germany). Cidaas manages your password and multi-factor
authentication. We never see or store your password; we only receive confirmation that your login is valid.
For paid plans, MangoPay (France) processes payment data. We do not have access to your card or
bank details. We only receive payment status information (e.g. “payment successful”) to activate or renew your
subscription.
For invoicing, we collect billing information (organisation name, address, VAT number if applicable) and transmit
it securely to Pennylane (France), which generates and stores the invoices.
3. Purposes and legal bases
We process personal data only when it is necessary and on the basis of one of the legal grounds provided by
the GDPR.
The main purposes and legal bases are:
- Provision of the services (user account, access to apps, collaboration features, exports, etc.) –
processing is necessary for the performance of a contract (Article 6(1)(b) GDPR).
- User support, security and fraud prevention (activity logs, access control, incident resolution) –
based on our legitimate interest in ensuring the security and proper functioning of Grant 360
(Article 6(1)(f) GDPR).
- Billing and accounting (invoicing data, payment status, mandatory records) –
necessary for compliance with legal obligations, in particular accounting and tax laws
(Article 6(1)(c) GDPR).
- Notifications and functional communications (deadlines, system alerts, important changes) –
necessary for the performance of the contract and, in some cases, our legitimate interest in ensuring that
you are informed about the proper use of the apps.
- Analytics strictly necessary to improve the service – where used, based on our legitimate
interest and, when required, your prior consent.
- Marketing communications (newsletters, product updates) – sent only with your explicit consent
(Article 6(1)(a) GDPR). You can withdraw this consent at any time.
- Use of AI features (for example in Grant Genius or Grant Tracker) – performed only after explicit
opt-in and a clear explanation of what is processed. The legal basis is your consent
(Article 6(1)(a) GDPR).
We do not sell, rent or exploit your data for advertising or unrelated profiling, and we do not use your content
to train AI models.
4. Data retention
We keep personal data only for as long as it is necessary for the purposes described above, or to comply with
legal obligations.
- Your account data and content are stored for the duration of your active use of Grant 360.
- When you request deletion of your account, we delete or anonymise your personal data, except for data that
must be retained to comply with legal obligations (for example, invoices that must be kept for accounting
or tax purposes).
- Technical logs and security records are kept for limited periods, sufficient to ensure security, investigate
incidents and demonstrate compliance.
Non-production environments (development, test, staging) use anonymised or synthetic data; only the production
environment contains real user data.
5. Your rights (GDPR)
In accordance with the GDPR, you have the following rights regarding your personal data:
- Right of access – to obtain confirmation that we process your data and to receive a copy of it.
- Right to rectification – to correct inaccurate or incomplete personal data.
- Right to erasure (“right to be forgotten”) – in the cases provided by law.
- Right to restriction of processing – in certain circumstances, for example during the
verification of contested data.
- Right to data portability – to receive your data in a structured, commonly used and machine-readable
format and to transmit it to another controller. Grant 360 includes an export function (e.g. .zip export).
- Right to object – to processing based on our legitimate interest, on grounds relating to your
particular situation.
- Right to withdraw consent – at any time, for processing based on your consent (for example,
marketing emails or AI features).
You can exercise these rights by contacting us at: contact@grant360.eu.
You also have the right to lodge a complaint with your local data protection authority if you consider that
your rights have not been respected.
6. Security and hosting
We apply a “GDPR-max” approach to security and hosting:
- Encryption: all data is protected in transit (HTTPS/TLS) and at rest. Sensitive user and project
data is encrypted by default. Certain features may also support end-to-end encryption.
- Hosting in the EU: databases are hosted on Supabase Postgres in France, and application
code runs on Scalingo in France. AI models are provided by Mistral (France). No data is
intentionally transferred outside the European Economic Area.
- Access control: strict, role-based access control is applied across all apps, with per-project and
per-resource permissions (for example, read / edit rights on notes, files, deliverables).
- Third-party providers: we only use trusted, EU-based providers –
Cidaas for authentication, MangoPay for payments, Pennylane for invoicing, Brevo for emails – all of whom
are contractually bound by GDPR requirements.
- AI integration: data sent to Mistral models is processed within the EU, is not used to train
the models, and is not retained beyond the time necessary to provide the requested response.
While no system can be guaranteed 100% secure, we continuously improve our technical and organisational
measures to protect your data and ensure a high level of confidentiality, integrity and availability.