Privacy Policy
GrataQ is built to know as little about you as possible. Our server never sees the contents of your files, the data resides in the EU, and the website tracks no one. Here is a clear overview of what data we process and why.
In brief
The content that people send you is already encrypted on the sender's side, and our server is unable to read it. We do not store senders' e-mail addresses or telephone numbers. This website runs no analytics and no tracking cookies. All data is kept within the European Union.
1. Who is the data controller
The controller of personal data is Grata Luma, s.r.o., company ID 29492599, with its registered office at Příčná 1892/4, Nové Město, 110 00 Prague 1, Czech Republic, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, File 446685 (hereinafter the "operator" or "we").
For matters concerning the protection of personal data, please contact us at privacy@grataq.com; for all other matters, at hello@grataq.com.
2. Who is affected by the processing
We distinguish three situations, because in each we process a different (and very limited) scope of data:
- Website visitor of www.grataq.com — anyone who browses these pages.
- Application user (recipient) — someone who installs the GrataQ application and receives files through it.
- Sender — someone who uploads a file in their browser via your link.
3. What data we process and why
3.1 Website visitor
The website deliberately contains no tracking tools, no advertising or analytics cookies, and no embedded third-party content. We do not create profiles of visitors.
- Browser settings (your chosen light/dark mode and pricing currency) are stored in local storage directly within your browser. This data does not leave your device and we have no access to it.
- Server operational records — our hosting provider may, for the strictly necessary period, keep technical logs (IP address, time of the request, browser type) for security and operational purposes. The legal basis is the legitimate interest in secure operation (Article 6(1)(f) GDPR).
3.2 Application user (recipient)
A GrataQ account is based on a cryptographic key generated within your application — not on an e-mail address or password. On the server we therefore keep only the following about you:
- Public key and account identifier — these enable others to securely send you files. Legal basis: performance of a contract (Article 6(1)(b) GDPR).
- Your branding data (optional) — the name, logo and verified domain shown to the sender. You fill these in yourself.
- Contact e-mail for notifications (optional, paid plans) — only if you enable e-mail notifications about a new file. Without enabling this feature, we do not store the e-mail address.
- Subscription purchase via Microsoft Store — subscriptions are purchased exclusively through the Microsoft Store. Payment data (card details, etc.) are processed by Microsoft, not by us — we have no access to them. On our side, we process only the data necessary for accounting and tax documents relating to payouts received from Microsoft. Legal basis: performance of a contract and legal obligation (Article 6(1)(b) and (c) GDPR).
3.3 Sender
- The file content is always encrypted within your browser, before it ever leaves the device. Our server stores only an unreadable (encrypted) package and is unable to display its contents. Once collected by the recipient or after expiry, the package is deleted.
- Sender details that you fill in yourself (e.g. a name or note, if the recipient requests them) form part of the encrypted package — these too are visible to our server only in unreadable form and are read only by the recipient in their application. They help the recipient identify whom the delivery is from.
- We do not require the sender to register, and we do not store the sender's e-mail address or telephone number. During upload, we process only the technically necessary data (IP address, time, size of the encrypted package) for secure operation and protection against misuse. Legal basis: legitimate interest (Article 6(1)(f) GDPR).
Special categories of data
Sensitive data (medical reports, identity documents) may also flow through GrataQ. Because the content is encrypted at the sender and the server does not see it, we do not process such data in readable form — we act solely as a processor transmitting unreadable data. Responsibility for the content and its further processing rests with the recipient as the controller.
4. How long we retain data
- Encrypted files — depending on the recipient's plan, 7, 30, 90 (Enterprise up to 180) days from upload, or until collection and manual deletion. They are then irreversibly deleted. See the pricing.
- Account data (public key, branding) — for the duration of the account; upon its cancellation we remove it.
- Billing data — for the period prescribed by tax and accounting regulations.
- Operational logs — for the strictly necessary period required for secure operation.
5. With whom we share data
We do not sell personal data and do not share it for advertising purposes. We use only the necessary processors:
- Hosting provider (servers in the European Union) — operation of the application and storage.
- Microsoft (Microsoft Store) — as the merchant of record, it handles the subscription purchase, payment and VAT. The processing of payment data is governed by Microsoft's terms and privacy policy.
Transfer outside the EU/EEA: we process the file contents and service data (public keys, encrypted packages, operational records) within the European Union. Subscription purchases via the Microsoft Store are handled by Microsoft under its own terms, which may include the processing of payment data outside the EU/EEA — this takes place under Microsoft's control and subject to safeguards in accordance with the GDPR (Chapter V).
6. Your rights
Under the GDPR you have the right of access to your data, and the right to rectification, erasure, restriction of processing, data portability, and the right to object. Where processing is based on consent, you may withdraw it at any time. We will handle requests at privacy@grataq.com.
You also have the right to lodge a complaint with the supervisory authority, which in the Czech Republic is the ÚOOÚ (uoou.cz).
7. Cookies and tracking
This website does not use tracking or advertising cookies and contains no third-party analytics. We store only your appearance and currency settings in the browser's local storage (this is not a cookie shared with the server). You can delete these settings at any time by clearing the website's data in your browser.
8. Security
File contents are protected by encryption resistant even to future (quantum) computers, and every file has its own key. Technical details for security teams can be found in the "For security teams" section and in the document "What the server stores and logs".
9. Changes to this policy
We may update this policy. The current version is always available on this page, stating the effective date and version number. We will inform users of any material changes.