Privacy Policy

Last updated: April 27, 2026

Who we are

[LEGAL_ENTITY_NAME] (“we”, “our”, “us”) operates Graniite (“the Service”). Questions about this policy or your data: [CONTACT_EMAIL].

What we collect

From you directly:

• Email address, used to authenticate you and to send service-related emails.
• URLs you submit for analysis (YouTube videos, podcast feeds, Substack posts, audio files).
• Transcripts you paste manually.
• Source channels you subscribe to and your scheduled poll times.
• Custom prompts you provide for AI processing.

Automatically:

• IP address (for rate limiting and abuse prevention).
• Authentication cookies (essential — see “Cookies” below).
• Server logs containing request paths, timing, and error details. We do not log transcripts or generated content into our application logs.
• Job metadata used to track in-flight transcription jobs (provider job IDs, timestamps, status).

Generated by the Service for you:

• Transcripts of audio/video content you’ve submitted.
• AI-generated outputs (summaries, frameworks, claims, etc.).
• Weekly digests.

How we use it

• To operate the Service: ingest your sources, transcribe content, generate outputs, deliver digests.
• To secure the Service: detect abuse, enforce per-user rate limits, prevent unauthorized access.
• To debug issues and improve reliability.
• To send you account-related emails (sign-in links, important service updates).

We do not:

• Sell your data.
• Share your data with advertisers.
• Use your content to train AI models. The AI providers we use operate under zero-data-retention or limited-retention agreements (see “Sub-processors”).

Sub-processors

We rely on the following third-party services to operate Graniite. Each has its own privacy policy, linked below.

• Supabase — database, authentication
• Vercel — application hosting
• Inngest — background job orchestration
• Anthropic — AI generation and classification (Claude)
• AssemblyAI — audio transcription
• Gladia — YouTube transcription
• Google Cloud — audio extraction worker

When you submit a YouTube URL or podcast feed, we share that URL with the relevant transcription provider (Gladia or AssemblyAI) for processing. We do not share your email or identity with them; only the URL.

Data retention

• Account data: retained until you delete your account.
• Transcripts and generated content: retained until you delete the corresponding item, or your account.
• Server logs: retained for 30 days.
• Database backups: our database provider retains backups for up to 30 days as part of disaster-recovery practice.

When you delete an item or your account, the data is removed from our active systems. Data may persist in backups for the periods above before expiring.

Your rights

Depending on your location, you may have rights including:

• Access — request a copy of your data.
• Correction — ask us to fix incorrect data.
• Deletion — delete individual items via the in-app delete button, or request full account deletion by emailing us.
• Portability — receive your data in a machine-readable format.
• Objection — object to specific processing.
• Lodging a complaint with your local data-protection authority.

To exercise any of these rights, email [CONTACT_EMAIL].

Cookies

We use only essential cookies needed for authentication. We do not use analytics or advertising cookies as of April 27, 2026. If we add analytics in the future, we will update this policy and notify you.

International transfers

Our infrastructure is hosted in the United States. By using the Service you consent to your data being processed there. For users in regions with stricter data-protection laws (e.g. the EU), we rely on standard contractual clauses with our sub-processors for cross-border transfers.

Children

Graniite is not intended for users under 13. We do not knowingly collect data from children. If you believe a child has provided data to us, please contact [CONTACT_EMAIL] and we will delete it.

Security

We use industry-standard practices: encrypted connections (HTTPS), encrypted storage at rest, row-level access controls, rate limiting, and timing-safe secret comparisons on webhook endpoints. No system is perfectly secure; we’ll notify affected users promptly if a breach exposes their data.

Changes

We may update this policy. Material changes will be communicated by email to the address on your account at least 14 days before they take effect. Minor corrections will be reflected in the “Last updated” date above.

Contact

Questions, requests, or complaints: [CONTACT_EMAIL].
Operating entity: [LEGAL_ENTITY_NAME], [JURISDICTION].