Privacy & Trust

Secure privacy-first analytics. GDPR and CCPA compliant by design.

Data Storage & Residency

Analytics and configuration data is stored in EU data centers by default.

Data Center Locations

EU West (EU_WEST_1): Frankfurt, Germany. Azure. Active Now
US East (US_EAST_1): Virginia, USA. Azure. Jan 2026

Xreos (dba. Grain): US-based company with EU-first infrastructure. All new tenants created in EU West by default. Encrypted at rest (AES-256) and in transit (TLS 1.3).

Built for Privacy

Six principles that guide every decision we make

Cookieless by Default

Ephemeral session IDs in memory only. No persistent tracking until consent is granted.

Consent Management

Opt-in and opt-out modes with automatic upgrade flow and full audit trail.

Data Minimization

Minimal data before consent. Query params stripped to prevent PII leakage.

IP Anonymization

Optional IP masking removes the last octet before storage. All data encrypted in transit with TLS 1.3.

Retention Control

30-365 days configurable retention. Automatic deletion with export option.

User Rights

Export, delete, anonymize via API or dashboard. Complete audit logs.

How It Works

Progressive tracking that respects user choice

Before Consent

Ephemeral session ID (memory-only)
Page path (no query params)
Timestamp only
No cookies or persistent IDs
No personal information

After Consent

Persistent user ID (localStorage/cookie)
Full page URL, referrer, title
Event counts, durations, properties
All analytics features unlocked

A _grain_consent_granted event maps ephemeral to persistent IDs
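
The before/after consent split described above, sketched as an added example. This is not Grain's SDK code: the class, method and field names are hypothetical, and only the _grain_consent_granted event name comes from this page. A Map stands in for localStorage/cookie storage.

```javascript
// Added illustration; ConsentGatedTracker and its field names are hypothetical,
// not Grain's SDK. Only the _grain_consent_granted event name is from the page.
class ConsentGatedTracker {
  // storage: Map-like stand-in for localStorage/cookie; newId: random ID source.
  constructor(storage, newId = () => globalThis.crypto.randomUUID()) {
    this.storage = storage;
    this.newId = newId;
    this.ephemeralId = newId(); // held in memory only, never written to storage
    this.persistentId = null;
  }

  // Build the payload for a page view. `page` = { url, referrer, title, props }.
  pageView(page, now = Date.now()) {
    if (this.persistentId === null) {
      // Before consent: path only. URL.pathname drops both ?query and #fragment,
      // so tokens or e-mail addresses carried there never leave the browser.
      const { pathname } = new URL(page.url, 'https://placeholder.invalid');
      return { session_id: this.ephemeralId, path: pathname, ts: now };
    }
    // After consent: full URL, referrer, title and event properties.
    return {
      user_id: this.persistentId, url: page.url, referrer: page.referrer ?? null,
      title: page.title ?? null, props: page.props ?? {}, ts: now,
    };
  }

  // Called once the visitor opts in. Persists an ID and returns the event that
  // lets the backend join pre-consent events to the persistent user.
  grantConsent(now = Date.now()) {
    if (this.persistentId === null) {
      this.persistentId = this.storage.get('uid') ?? this.newId();
      this.storage.set('uid', this.persistentId);
    }
    return {
      name: '_grain_consent_granted',
      ephemeral_id: this.ephemeralId, persistent_id: this.persistentId, ts: now,
    };
  }
}

// Constructed sample input: a URL carrying PII in its query string.
const samplePage = {
  url: 'https://shop.example/checkout/step-2?email=jane%40example.com&token=abc#pay',
  referrer: 'https://search.example/?q=shoes', title: 'Checkout',
};
```

A useful audit check on any implementation of this pattern is that storage stays empty and the serialized payload contains no query-string values until the consent event has fired.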

Regulatory Compliance

Ready for GDPR and CCPA out of the box

GDPR

EU Ready

Full GDPR compliance with data minimization, consent management, and user rights.

Right to access & data portability
Right to erasure & rectification
Consent audit trail & management

CCPA

California Compliant

CCPA compliance with opt-out mechanisms and data disclosure.

Right to know & delete
Opt-out & "Do Not Sell" support
Non-discrimination guarantee

Multi-Tenant Isolation

Complete data separation at every layer

Database-Level Separation

UUID-based tenant partitioning in Cassandra ensures complete isolation. Each tenant's data is stored in separate partitions with no shared access.

Event Storage Isolation

ClickHouse enforces tenant_id filtering on all queries. Cross-tenant data access is architecturally impossible.

Authentication Contexts

Separate authentication contexts per tenant with JWT validation. Auth0 integration ensures identity isolation.

Encryption & Data Protection

End-to-end encryption for data in transit and at rest

In Transit

TLS 1.3 for all communications
OAuth2 JWT authentication
HTTPS enforced on all endpoints

At Rest

Azure-managed encryption for all storage
SHA-256 hashing for secrets
Encrypted backups in Azure Blob Storage

Backup & Disaster Recovery

Automated backups with guaranteed recovery objectives

Tenant Database

Tenants, teams, remote config data, user properties, and settings.

Hourly automated immutable backups
Point-in-time recovery capability
Cross-region replication across 6 physical nodes

Analytics Database

All events and metadata.

Daily automated immutable backups for all events
Point-in-time recovery capability
Cross-region replication across 6 physical nodes

Recovery Point Objective (RPO): 24 hours
Recovery Time Objective (RTO): 4 hours

Infrastructure

Trusted partners for specific services

Auth0

Authentication & authorization

Region: EU
Compliance: SOC 2, GDPR

Azure

Workloads, storage, and networking

Region: Germany
Compliance: ISO 27001, GDPR

Cloudflare

CDN, DDoS protection, SSL

Region: Global
Compliance: GDPR, Privacy Shield

AWS

Transactional email delivery

Region: Ireland
Compliance: GDPR

Stripe

Payment processing

Region: US/EU
Compliance: PCI DSS Level 1

Intercom

Customer support

Region: US/EU
Compliance: GDPR, Privacy Shield

Security Contact

Report security vulnerabilities or concerns to our dedicated security team.

• Initial triage: 48 hours
• Critical vulnerabilities: 24-hour escalation

System Status & Uptime

Real-time monitoring of all services with historical uptime data and incident reports.

Subscribe to status updates and incident notifications

Incident Response Commitments

Transparent communication during security incidents

GDPR Compliance

72-hour notification to data controllers for personal data breaches (GDPR Article 33)

Tenant Notification

Direct email notification to affected tenants with detailed incident reports

Public Disclosure

Transparent public incident disclosure for major security events

Start Building with Privacy

Track user journeys without compromising on privacy or compliance.

Free forever • 15,000 active users per month • No credit card required