Privacy Policy

Last updated: April 10, 2026

1. Data Controller

GrabProof ("we", "us", "the Service") is responsible for your personal data. Contact us at privacy@grabproof.com.

2. Data We Collect

Category	Data	Purpose
Account	Email, full name, hashed password	Authentication, service delivery
Billing	PayPal subscription ID, transaction IDs, amounts	Payment processing, invoicing
Testimonial	Author name, email, title, company, avatar, content, rating	Core service functionality
Usage	IP address, user agent, timestamps, pages visited	Security, rate limiting, analytics
Technical	Session cookies	Authentication session management

3. Legal Basis for Processing (GDPR)

• Contract: Processing necessary to deliver the service you signed up for
• Legitimate interest: Security monitoring, fraud prevention, service improvement
• Consent: Where specifically requested (e.g., marketing communications)
• Legal obligation: Tax and billing record retention

4. Third-Party Services

PayPal

We use PayPal for payment processing. When you subscribe to Pro, PayPal receives your payment information directly. We do not store your credit card or bank account details. See PayPal's Privacy Policy.

5. Data Retention

• Account data: Retained until account deletion, plus 30 days for recovery
• Billing records: Retained for 7 years per tax and legal obligations
• Testimonial data: Retained until the project owner deletes them
• Security logs: Retained for 90 days
• Rate limiting data: Automatically purged after 24 hours

6. Your Rights

Under GDPR and applicable privacy laws, you have the right to:

• Access: Request a copy of your personal data
• Rectification: Correct inaccurate data via your account settings
• Erasure: Delete your account and associated data
• Portability: Export your data (testimonials, projects) via CSV export
• Object: Object to processing based on legitimate interest
• Withdraw consent: Where processing is based on consent

To exercise these rights, email privacy@grabproof.com. We respond within 30 days.

7. Cookies

GrabProof uses only one essential session cookie (PHP session ID) required for authentication. We do not use tracking cookies, analytics cookies, or advertising cookies. No cookie consent banner is required as the cookie is strictly necessary for the service.

8. Security

We implement industry-standard security measures:

• Passwords hashed with bcrypt
• CSRF protection on all forms and API endpoints
• Rate limiting to prevent brute-force attacks
• Secure, HttpOnly session cookies with SameSite attribute
• Input validation and output escaping to prevent XSS
• Prepared statements to prevent SQL injection

9. International Transfers

Your data is stored on servers located in the region where you deploy GrabProof. If data is transferred outside the EEA/UK, we ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses).

10. Children's Privacy

GrabProof is not intended for children under 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this policy periodically. Material changes will be communicated via email at least 30 days in advance. The "Last updated" date reflects the latest revision.

12. Contact

For privacy inquiries or data requests:
Email: privacy@grabproof.com