1. Scope
This Privacy Policy explains how Grella collects, uses, shares, and protects information when law firms, legal teams, and other business users use Grella.
- Business Name: Grella
- Entity Details: Available upon request at support@grella.ai
- Location: Sydney, New South Wales, Australia
- Contact: support@grella.ai
This policy applies to Grella's website, application, APIs, support channels, and related services. It covers personal information and customer content processed through Grella.
This policy is not legal advice. Your organization remains responsible for deciding whether Grella is appropriate for its professional, regulatory, and client-confidentiality obligations.
2. Information We Collect
2.1 Account and Organization Information
When you create or use an account, we may collect:
- Name
- Email address
- Organization name
- Role, permissions, and organization membership
- Authentication identifiers and login events
- Support and administrative contact details
2.2 Customer Content
"Customer content" means the files, data, text, and outputs that you or your users upload, create, or process in Grella. This may include:
- Uploaded documents and files
- Document text, OCR text, extracted content, and document chunks
- Chat messages, prompts, questions, and AI responses
- Generated work product, summaries, facts, chronologies, citations, and notes
- Matter, project, workspace, and permission data
- Metadata needed to provide search, retrieval, citation, and collaboration features
2.3 Usage and Technical Information
We may collect technical and usage information such as:
- Browser, device, and operating system information
- IP address and approximate location derived from it
- Login timestamps and session information
- Feature usage and product events
- Error reports, diagnostics, and performance data
- Security, authentication, and system logs
2.4 Billing Information
Payment details may be processed by a payment provider. Grella does not store full credit card numbers on its own servers.
3. How We Use Information
We use information to:
- Create and administer accounts and organizations
- Authenticate users and manage access permissions
- Provide document upload, processing, search, chat, citation, and work-product features
- Process customer content through AI, OCR, embedding, reranking, and related services
- Store, retrieve, display, and export customer content at your direction
- Provide support and respond to customer requests
- Process billing and subscriptions
- Improve service reliability, performance, and product quality
- Detect, investigate, and prevent misuse, security issues, and service abuse
- Comply with legal obligations and enforce our agreements
4. Customer Content and AI Processing
4.1 How Grella Processes Customer Content
Grella processes customer content to provide the service to your organization. This includes ingesting and indexing documents, running search and retrieval, generating summaries and answers, creating draft work product, extracting facts, surfacing citations, and maintaining relevant matter context.
Grella does not use customer content to train Grella-owned foundation models or to build models for other customers.
4.2 Use of AI and Document-Processing Providers
Grella uses third-party providers to deliver AI and document-processing features, including large language model APIs, OCR and file extraction, embeddings, reranking, and related processing.
AI providers process your document text and queries to provide Grella's AI features. We use business API providers that state they do not train models on customer API data.
These providers may process customer content only as needed to provide their services to Grella, subject to their applicable business API terms and safeguards.
4.3 Human Review and Access
Grella personnel do not routinely review customer content. Access to customer content is limited to what is necessary to operate the service, resolve support issues that you raise, investigate security or abuse issues, comply with legal obligations, or maintain service reliability.
Where feasible, access is controlled through role-based permissions, least-privilege practices, and logging.
4.4 Legal Review Responsibility
Grella's AI features assist legal professionals by searching, summarizing, extracting, and drafting from customer-provided material. Your organization remains responsible for reviewing outputs and making legal judgments.
5. Service Providers
We use third-party service providers to help deliver, support, secure, and improve Grella. These providers may process personal information and customer content on our behalf where needed for their role.
The types of service providers we use include:
| Provider Category | Purpose | Data They May Process |
|---|---|---|
| Hosting and infrastructure | Application hosting, databases, storage, networking | Account data, customer content, logs, metadata |
| AI and document processing | Language models, OCR, embeddings, reranking, file conversion | Document text, extracted content, prompts, queries, outputs |
| Authentication and identity | Login, user identity, organization membership | Name, email, authentication identifiers, login events |
| Email, support, and communications | Transactional email, customer support, service notices | Contact details, support messages, notification content |
| Analytics and telemetry | Product performance, reliability, usage analysis | Usage events, device data, diagnostics |
| Billing and payment | Subscriptions, invoices, payment processing | Billing contacts, payment metadata, transaction data |
Service providers are permitted to process information only as needed to provide their services to Grella or as otherwise allowed by applicable law and their agreements with us.
6. Security and Access Controls
6.1 Encryption and Key Management
Customer content is encrypted in transit using TLS and encrypted at rest using strong encryption controls.
Grella uses Google Cloud Key Management Service (Cloud KMS) to manage encryption keys. Cloud KMS provides centralized key management, access control, rotation support, and auditability for key operations.
Where required, firms may request advanced key-management or isolation configurations, including Cloud HSM-backed keys where technically and commercially available.
6.2 Organization Isolation and Access Control
Grella separates customer data by organization and uses access controls to limit who can view or manage organization content. Organization administrators control membership and access within their organization.
6.3 Optional Enclave or TEE Processing
Grella's standard service uses cloud infrastructure with encryption, access controls, and provider processing as described in this policy.
For firms that require additional isolation, Grella can discuss deployments that use trusted execution environments, secure enclave-style processing, or dedicated isolated infrastructure for specific workloads. These options are advanced configurations and are not enabled by default.
6.4 Logging
Grella logs certain product and system actions for security, reliability, and operations. This includes selected account, authentication, administrative, and work-product events.
Grella does not currently claim full logging of every file access or every search event. Broader file and search access logging is planned as the platform matures.
6.5 Testing and Security Program
Grella uses internal testing and security review practices for security-relevant components. We plan to conduct independent penetration testing as often as practical as the platform matures.
We do not currently claim SOC 2 or ISO 27001 certification. If certifications become available, we will describe their scope accurately.
7. Data Sharing
We may share information:
- With service providers described in this policy
- With your organization and authorized organization users
- When you direct us to share or export information
- To provide support or respond to requests you initiate
- To comply with valid legal process, court orders, subpoenas, government requests, or applicable law
- To protect Grella, our users, customers, or the public from fraud, abuse, security threats, or legal harm
- In connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate notice or safeguards where required
We do not sell customer content.
8. Data Retention and Deletion
We retain information for as long as needed to provide Grella, comply with legal obligations, resolve disputes, enforce agreements, maintain security, and support business records.
8.1 Customer Content
Customer content is generally retained while your organization maintains an active account or as otherwise agreed with your organization.
Organization administrators may request export or deletion of organization content, subject to legal, security, backup, billing, and operational retention requirements.
8.2 User Accounts
If an individual user account is removed, related organization content may remain available to the organization for legal, regulatory, business, or continuity reasons.
8.3 Backups and Logs
Deleted information may persist in backups, logs, and security records for a limited period before being overwritten or deleted according to our operational processes.
9. International Processing
Grella is based in Australia. We and our service providers may process information in Australia, the United States, and other jurisdictions where we or our providers operate.
Where applicable law requires transfer safeguards, we will rely on appropriate contractual or legal mechanisms available through our customer agreements or service provider arrangements.
10. Cookies and Tracking
We use cookies and similar technologies for:
- Essential functionality, including login and session management
- Preferences and user settings
- Analytics, diagnostics, and product improvement
You can control cookies through your browser settings. Disabling essential cookies may prevent parts of Grella from working correctly.
11. Your Privacy Rights
Depending on your location and applicable law, you may have rights to:
- Access personal information we hold about you
- Correct inaccurate or outdated personal information
- Request deletion of personal information
- Object to or restrict certain processing
- Request portability of certain information
- Opt out of marketing communications
- Lodge a complaint with a privacy or data protection authority
To exercise privacy rights, contact us at support@grella.ai. We may need to verify your identity and, for organization-managed accounts, coordinate with your organization administrator.
12. Children's Privacy
Grella is a business service and is not directed to children. We do not knowingly collect personal information from children.
If you believe a child has provided personal information to Grella, contact us at support@grella.ai.
13. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, security practices, or business operations.
When we make material changes, we will update the "Last Updated" date and provide notice where required by law or our customer agreements.
14. Contact Us
For privacy questions, data requests, or GDPR-related inquiries, contact us at:
Email: support@grella.ai
We aim to respond to privacy inquiries within 30 days, unless a different timeframe is required by applicable law.
You may also have the right to contact your local privacy or data protection authority, including:
- Australia: Office of the Australian Information Commissioner (OAIC), website https://www.oaic.gov.au, phone 1300 363 992
- EU: Your local data protection authority, directory https://edpb.europa.eu/about-edpb/board/members_en
15. Definitions
Customer content: Documents, files, text, prompts, queries, messages, outputs, metadata, and other content uploaded, created, or processed by your organization in Grella.
Organization: A company, firm, or entity that creates or manages a Grella workspace.
Organization administrator: A user authorized to manage an organization's Grella account, users, permissions, and settings.
Personal information / personal data: Information relating to an identified or identifiable individual.
Service provider: A third party that processes information to help Grella provide, support, secure, or improve the service.
By using Grella, you acknowledge that you have read this Privacy Policy.