Version 2.0 — Effective: March 6, 2026
We take your privacy seriously. This policy describes how GridBoost Platform collects, uses, and protects your information.
Effective Date: March 6, 2026. Version 2.0.0.
GridBoost, Inc. ("GridBoost," "we," "us," or "our") is a Delaware corporation that operates the GridBoost platform, accessible at gridboost.io (the "Service"). GridBoost is a DOE-funded B2B AI SaaS platform that automates and accelerates grid interconnection processes for utilities, energy developers, consultants, and related organizations.
We are committed to protecting the privacy and security of information entrusted to us by our customers, their authorized users, and visitors to our website. This Privacy Policy describes what information we collect, how we use it, when we share it, and what rights you have with respect to your information.
By accessing or using the Service, you acknowledge that you have read, understood, and agree to the practices described in this Privacy Policy. If you are using the Service on behalf of an organization, you represent that you have the authority to bind that organization to this Privacy Policy.
This Privacy Policy applies to all users of the Service, including administrators, authorized users within customer organizations, and visitors to our public-facing website. It does not apply to third-party websites or services that may be linked from our platform.
We collect the following categories of information in connection with your use of the Service:
When you create an account or are provisioned as a user within a customer organization, we collect:
In the course of using the Service, you may upload or submit documents including but not limited to:
These documents are collectively referred to as "Customer Data." Customer Data is owned by the customer and processed by GridBoost solely to provide the Service.
We automatically collect information about how you interact with the Service, including:
When you access the Service, we automatically collect technical information from your device, including:
We use cookies and similar technologies as described in Section 10 of this Privacy Policy. In summary:
Payment processing is handled by our third-party payment processor, Stripe. When you provide payment information, it is transmitted directly to Stripe's secure infrastructure. We do not store credit card numbers, CVVs, or full payment card details on our systems. We receive and retain only a limited record from Stripe, including the last four digits of your card, card type, billing address, and transaction history, for the purpose of account management and billing support.
We use the information we collect for the following purposes:
GridBoost uses artificial intelligence to process customer documents and deliver core platform functionality. This section describes how Customer Data is handled in connection with AI processing.
Customer documents submitted for AI analysis are sent to third-party AI model providers for processing in real time. Documents are transmitted to the model provider, processed, and the results are returned to the GridBoost platform. Customer Data is not persistently stored by AI model providers beyond the duration of the API request.
We explicitly prohibit the use of Customer Data for training, fine-tuning, or improving any AI model, whether operated by GridBoost or by a third-party model provider. Our agreements with AI model providers include contractual provisions ensuring that Customer Data submitted via API is not used for model training.
We retain logs of AI processing interactions (including input metadata, output summaries, token usage, latency, and error information) for a period of 90 days for the purposes of quality assurance, debugging, and service reliability monitoring. After 90 days, these logs are automatically deleted. These logs do not contain the full text of Customer Data; they contain operational metadata necessary for service management.
All outputs generated by AI agents in connection with the processing of Customer Data are owned by the customer. GridBoost retains no proprietary interest in AI outputs derived from Customer Data.
The following third-party AI model providers are used to deliver the Service:
Both providers process data within the United States. Their respective privacy and data processing policies are available on their websites.
We implement comprehensive technical and organizational measures to protect information processed through the Service:
No system can guarantee absolute security. While we implement industry-standard safeguards, you are responsible for maintaining the confidentiality of your account credentials and for promptly reporting any suspected unauthorized access to your account.
We do not sell, rent, or trade your personal information to third parties for their marketing or advertising purposes. We have never sold personal information and have no plans to do so.
We use the following sub-processors to deliver the Service. Each sub-processor processes data only as necessary to perform its designated function and is bound by contractual obligations regarding data protection:

| Sub-Processor | Function | Location |
|---|---|---|
| Anthropic | AI model processing (Claude) — document analysis, deficiency identification, report generation, agent interactions | San Francisco, CA, USA |
| Google Cloud / Gemini | AI model processing and document digitization (OCR, PDF-to-text) | United States (various regions) |
| Supabase | Database hosting, authentication, and real-time data services | US-East |
| Vercel | Application hosting, serverless compute, and content delivery | United States (various regions) |
| Stripe | Payment processing, subscription management, and billing | United States |
| PostHog | Product analytics and usage tracking (opt-out available) | United States |

We may update this sub-processor list from time to time. Material changes to sub-processors that handle Customer Data will be communicated to customers in advance.
We may disclose your information if required to do so by law, regulation, legal process, or governmental request, including in response to:
We will make reasonable efforts to notify you of such disclosures unless prohibited by law or court order.
In the event of a merger, acquisition, reorganization, bankruptcy, or sale of all or a portion of our assets, your information may be transferred as part of that transaction. We will provide notice to affected customers before their information is transferred and becomes subject to a different privacy policy. Any successor entity will be bound by the terms of this Privacy Policy with respect to information collected prior to the transfer.
We retain information for the periods described below, after which it is securely deleted or anonymized:

| Data Category | Retention Period |
|---|---|
| Account data (name, email, role, organization) | Duration of active account plus 30 days after account closure |
| Uploaded documents (Customer Data) | Per the customer's configured retention settings; deleted within 30 days of account termination if no other retention period is specified |
| AI processing logs (operational metadata) | 90 days from the date of processing |
| Usage analytics (aggregated platform usage) | 24 months, in aggregated and de-identified form |
| Billing records (invoices, payment history) | 7 years, as required by applicable tax and financial record-keeping laws |
| Audit logs (administrative actions, authentication events) | 3 years |

Customers may request earlier deletion of their data subject to applicable legal retention requirements. Upon account termination, we initiate the deletion process for all associated data in accordance with the retention periods above.
Depending on your jurisdiction, you may have the following rights with respect to your personal information:
To exercise any of the rights described above, please contact us at privacy@gridboost.io with a description of your request. We will verify your identity before processing your request and will respond within 30 days of receiving a verifiable request. If we require additional time (up to an additional 60 days), we will notify you of the extension and the reason for it.
There is no fee for exercising your rights. If requests are manifestly unfounded or excessive, we reserve the right to charge a reasonable fee or decline the request, with an explanation provided to you.
If you are an authorized user within a customer organization, certain requests (such as deletion of organizational data) may need to be submitted by the organization's administrator. We will direct you accordingly.
If you are a California resident, you have additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"):
You have the right to request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources from which personal information is collected, the business or commercial purpose for collecting the information, and the categories of third parties with whom we share personal information.
You have the right to request the deletion of personal information we have collected from you, subject to certain exceptions permitted by law (such as legal retention requirements or the completion of a transaction for which the information was collected).
You have the right to opt out of the "sale" or "sharing" of your personal information as those terms are defined under the CCPA/CPRA. We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. This disclosure is provided for transparency and compliance purposes.
We will not discriminate against you for exercising any of your CCPA/CPRA rights. You will not receive different pricing, a different quality of service, or be denied access to the Service for exercising your rights.
Under the CCPA/CPRA framework, we collect the following categories of personal information:
We do not collect sensitive personal information as defined by the CCPA/CPRA (such as Social Security numbers, precise geolocation, racial or ethnic origin, or biometric data).
We have not sold or shared (as defined by CCPA/CPRA) any personal information in the preceding 12 months, and we have no intention of doing so.
You may designate an authorized agent to submit a request on your behalf. The authorized agent must provide written authorization signed by you, and we may require you to verify your identity directly with us before processing the request. Organizational administrators may submit requests on behalf of their authorized users where the organization has established that authority.
To exercise any CCPA/CPRA rights, contact us at privacy@gridboost.io.
This section describes our use of cookies and similar tracking technologies.
These cookies are strictly necessary for the operation of the Service and cannot be disabled:
These cookies remember your preferences and settings to provide a more personalized experience:
We use PostHog for product analytics to understand how the Service is used and to identify opportunities for improvement:
We do not use third-party advertising cookies. We do not serve targeted advertisements. No advertising networks or ad exchanges receive data from our platform.
You can manage cookies through the following mechanisms:
The Service is primarily operated from and designed for use within the United States. All primary data storage and processing occurs in US-based data centers operated by our sub-processors (Supabase US-East, Vercel US regions, and US-based AI model providers).
If you access the Service from outside the United States, your information will be transferred to and processed in the United States. The United States may not provide the same level of data protection as your home jurisdiction.
While GridBoost does not currently maintain an establishment in the European Union and is not directly subject to the General Data Protection Regulation (GDPR), we adopt GDPR-aligned data protection practices as a matter of best practice and to support customers who may have their own GDPR obligations. Standard Contractual Clauses (SCCs) for international data transfers are available upon request for customers who require them for their own compliance purposes.
All Customer Data is stored and processed within the United States. We do not transfer Customer Data to data centers outside the United States unless explicitly requested and authorized by the customer.
In the event of a confirmed security breach that affects your personal information or Customer Data, we will notify affected customers within 72 hours of confirmation of the breach.
Breach notifications will include:
We will cooperate with affected customers in connection with their own breach notification obligations to their end users, regulators, or other parties. We will provide reasonable assistance, including access to relevant information and coordination on public communications.
We will report data breaches to relevant regulatory authorities as required by applicable law, including state data breach notification statutes and any applicable federal requirements.
The Service is a B2B platform designed for use by professionals in the energy industry. It is not intended for use by individuals under the age of 18. We do not knowingly collect personal information from children under 18 years of age.
If we become aware that we have collected personal information from a child under 18, we will take prompt steps to delete that information. If you believe that we may have collected information from a child under 18, please contact us at privacy@gridboost.io.
Certain information processed through the Service may constitute Critical Energy/Electric Infrastructure Information (CEII) as defined by the Federal Energy Regulatory Commission (FERC) under 18 CFR 388.113. We implement enhanced safeguards for such information, including:
Customers are responsible for identifying and flagging documents that contain CEII. GridBoost will apply appropriate handling controls upon notification.
Documents containing sensitive infrastructure information (including substation specifications, protection system configurations, and detailed interconnection facility designs) are subject to additional access controls beyond standard RBAC, including multi-organization isolation and restricted sharing permissions.
GridBoost has received funding from the U.S. Department of Energy (DOE). In connection with this funding, we may be required to report certain aggregate, de-identified data to the DOE regarding platform usage, performance metrics, and outcomes achieved through the Service. Such reporting:
We will provide at least 30 days' advance notice of material changes to this Privacy Policy. Notice will be delivered via email to the address associated with your account and through a prominent notice on the Service. Material changes include, but are not limited to, changes in the categories of information collected, new purposes for data processing, changes to data sharing practices, or modifications to your rights.
Non-material changes (such as formatting updates, clarifications that do not alter the substance of the policy, or updates to contact information) will be posted on our website and noted with an updated effective date.
Your continued use of the Service after the effective date of a revised Privacy Policy constitutes your acceptance of the revised terms. If you do not agree with the changes, you must discontinue use of the Service before the effective date.
Previous versions of this Privacy Policy are available upon request. Contact privacy@gridboost.io to request a copy of any prior version.
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us through the following channels:
Privacy Inquiries: Email: privacy@gridboost.io
General Inquiries: Email: contact@gridboost.io
Mailing Address: GridBoost, Inc. A Delaware Corporation
We aim to respond to all privacy-related inquiries within 30 days of receipt.