Privacy Policy
This Privacy Policy explains how Graft handles personal data when you use the Graft mobile and web applications, the public marketing site at graftassistant.co.uk, and any directly connected services (together, "the Service"). It is written to comply with the UK GDPR, the Data Protection Act 2018, and applicable Meta Platform Terms.
1. Who we are
Graft is operated by Morgan & Co Enterprise Ltd ("Graft", "we", "us"), a company registered in England and Wales under company number 17171213. Our current registered office is published on the Companies House register at find-and-update.company-information.service.gov.uk.
We are the data controller for personal data we process about Graft account holders (tradespeople and their teams) and end-users (their customers) whose messages flow through Graft.
For privacy questions, data subject rights requests, or any concern about how we handle your data, contact: hello@graftassistant.co.uk
2. Data we collect
2.1 Account data
When you sign up for Graft we collect: name, business name, email address, phone number, the trade(s) you offer, and the password you choose.
2.2 Connected platform data
When you connect a third-party platform — Instagram, Facebook Messenger, WhatsApp, Gmail, Outlook, X, TikTok, YouTube — to Graft, we receive: - A long-lived access token issued by that platform. - The handle/username of the connected account. - The conversation threads, messages, and basic sender profile metadata that the platform's API exposes for the purpose of unified inbox functionality.
We only request the minimum scopes needed to operate the unified inbox.
For Instagram and Facebook Messenger specifically, we use the following permissions:
- instagram_business_basic — to identify the connected Instagram Business account.
- instagram_business_manage_messages / pages_messaging — to read incoming DMs and send replies on your behalf.
- instagram_manage_comments — to read and respond to comments on your posts (where enabled).
- pages_show_list — to list which Facebook Pages you administer.
2.3 Message content
The substance of messages received on connected platforms (text, image references, sender ID) is processed by Graft to: - Display the message in your unified inbox. - Classify the message by intent (sales enquiry, support, spam, etc.). - Draft a suggested reply for your review.
2.4 Usage data
We collect basic product analytics: the screens you view, actions you take, error events, device type, OS version, and approximate location at country level (derived from IP address). We do not collect precise location.
2.5 Payment data
If you take a paid plan, payment is processed by Stripe. Graft never sees, stores, or transmits your full card number; we receive only the last four digits and a Stripe customer reference.
3. How we use your data, and our legal bases
| Purpose | Data used | Legal basis (UK GDPR Art. 6) |
|---|---|---|
| Provide and operate the Service | Account data, connected platform data, message content | Performance of contract |
| Classify messages and draft replies | Message content (sent to our LLM provider with no training opt-in) | Performance of contract |
| Email account-related notices | Account data | Performance of contract |
| Detect fraud and abuse | Usage data, account data | Legitimate interest |
| Improve the product (aggregate metrics, no message content) | Usage data | Legitimate interest |
| Send marketing emails about Graft features | Email address | Consent — you can withdraw at any time |
| Comply with legal obligations | Whatever is needed | Legal obligation |
We do not sell your personal data. We do not use the content of your customer messages to train AI models.
4. Sub-processors
We share personal data only with carefully selected sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Database and auth | EU |
| Anthropic (Anthropic PBC) | LLM-based message classification and drafting | US (with SCCs and the UK addendum) |
| OpenAI (OpenAI, L.L.C.) | LLM-based message classification and drafting | US (with SCCs and the UK addendum) |
| Brevo (Sendinblue SAS) | Transactional and marketing email | EU |
| Stripe (Stripe Payments UK Ltd) | Payment processing | UK / US |
| Meta Platforms (Meta Platforms Ireland Ltd) | Source of Instagram / Facebook messages | EU |
| Sentry / similar | Crash reporting | EU |
A current sub-processor list is available on request from hello@graftassistant.co.uk.
5. International transfers
Where data is transferred outside the UK or EEA (typically to US-based sub-processors listed above), we rely on the European Commission's Standard Contractual Clauses with the UK Addendum, plus supplementary measures including encryption in transit and at rest.
6. Retention
- Account data: retained for the life of your account, then deleted within 30 days of account closure.
- Connected platform tokens: deleted immediately when you disconnect a platform or close your account.
- Message content: retained for as long as the connected account remains active. You can request deletion of any individual message thread at any time (see Section 8).
- Usage data: retained in identifiable form for 12 months, then aggregated.
- Billing records: retained for 7 years to meet HMRC requirements.
7. Security
We use industry-standard security: TLS in transit, encryption at rest, role-based access controls, audit logs, and least-privilege principles for our team. Connected platform access tokens are stored encrypted. Authentication uses secure password hashing (bcrypt or argon2id) and supports SSO where available. We will notify you and the ICO without undue delay if we ever experience a personal data breach that affects you.
8. Your rights
Under the UK GDPR you have the right to:
- Access the personal data we hold about you (Article 15).
- Rectification of inaccurate data (Article 16).
- Erasure ("right to be forgotten") — see also our Data Deletion page (Article 17).
- Restriction of processing in certain circumstances (Article 18).
- Data portability — receive your data in a machine-readable format (Article 20).
- Object to processing based on legitimate interest (Article 21).
- Withdraw consent for any processing that relies on consent.
- Complain to the Information Commissioner's Office (ICO) at ico.org.uk or 0303 123 1113. We'd appreciate the chance to address any concern first by emailing hello@graftassistant.co.uk.
We respond to rights requests within one calendar month.
9. Cookies and similar technologies
The Graft web app uses cookies for authentication and basic analytics only. No third-party advertising cookies are set. You can clear or block cookies in your browser; doing so may stop you from staying signed in.
10. Children
Graft is not directed at people under 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact hello@graftassistant.co.uk and we will delete it.
11. Changes to this policy
We will post any material change to this policy at the same URL and email account holders at least 14 days before the change takes effect.
12. Contact
Email: hello@graftassistant.co.uk Postal: if you need to write to us by post, email first at the address above and we'll provide the relevant address. Our Companies House registered office is also published at find-and-update.company-information.service.gov.uk under company № 17171213.
If you are an Instagram or Facebook user whose data may be processed by Graft because a tradesperson you contacted uses our service, you can reach us at the same address. You can also revoke our access to your messages at any time from Instagram → Settings → Apps and websites.