Privacy Policy
Last updated: 8 May 2026
This Privacy Policy explains how Graftloop (“we”, “us”, “our”) handles personal data when you use the Graftloop service. We act as a data processor for the contacts and messages handled inside your Graftloop account on behalf of your business, and as a data controller for your own account and billing data.
1. Who we are
Graftloop is owned and operated by Codefolio Limited, a company registered in England & Wales, with its registered office at 128 City Road, London, United Kingdom, EC1V 2NX. Where required by law, we maintain the relevant data-protection registrations for the jurisdictions in which we process personal data.
For questions about this policy or your data, contact us at support@graftloop.com.
2. What we collect
To provide the service, we collect:
- Account information — your name, business name, email address, phone number, password, and any profile photo you upload.
- Business records — the customers, jobs, quotes, invoices, receipts, schedules, and payment records you create inside your account. You remain the controller of this data.
- WhatsApp messages — the messages exchanged between your business and your customers via WhatsApp once you connect a WhatsApp Business Account. Meta operates the WhatsApp Business Platform and is a separate controller of WhatsApp message data; their WhatsApp Business Policy applies in addition to this one.
- Subscription data — billing details handled by our payment providers. We do not store card numbers or CVV codes.
- Operational data — minimal technical information needed to run the service, secure accounts, and diagnose issues.
3. How we use your data
- To provide and operate the Graftloop service.
- To authenticate users and prevent unauthorised access.
- To send messages on behalf of your business through the WhatsApp Business Platform.
- To generate AI-assisted replies, summaries, and reports at your request.
- To process payments and manage your subscription.
- To respond to support requests.
- To comply with legal obligations, including tax-record retention requirements.
- To investigate fraud, abuse, and violations of our Terms of Service.
4. Lawful bases for processing
Where applicable data-protection law (such as the UK GDPR, EU GDPR, or comparable regimes) requires a lawful basis, we rely on:
- Performance of a contract — to deliver the service to account holders.
- Legitimate interests — to keep the service secure and improve product quality.
- Consent — for optional marketing communications. You can withdraw at any time.
- Legal obligation — to retain records required by tax law and respond to lawful regulatory requests.
5. Sharing and sub-processors
We share personal data only with sub-processors who help us run the service, and only to the extent necessary. Each is bound by a written data-processing agreement.
Graftloop integrates directly with Meta's WhatsApp Business Cloud API. We do not route messages through a third-party Business Solution Provider; the only parties handling WhatsApp message content on the messaging path are Graftloop and Meta.
For AI-assisted features, we use Anthropic, PBC for model inference. We do not share user data with Anthropic. The information we send to Anthropic is pre-processed and stripped of identifiers — it cannot be tied back to a specific user, customer, or business. We do not transmit raw customer messages, contact details, or other personally identifiable information to Anthropic.
We additionally rely on a small set of operational sub-processors for cloud hosting, transactional email delivery, error monitoring, and payment processing. We do not disclose specific vendor names on this public page for security reasons; the current list is provided on request and is included in our Data Processing Agreement for business customers who need it.
We do not sell personal data, and we do not share it with advertisers.
6. International transfers
Where personal data crosses borders, we rely on the appropriate safeguard for the route in question — for example, the UK International Data Transfer Agreement, the EU Standard Contractual Clauses (with the UK Addendum where relevant), Adequacy Decisions, or comparable mechanisms recognised under the destination country's law.
7. How long we keep data
We retain data only as long as it's needed for the purposes set out in this policy:
- Account and operational data — for the lifetime of your account, with a short grace period after deletion to allow recovery from accidental loss.
- Financial records — for the period required by tax law in the jurisdictions where we operate. For UK records, the statutory minimum is six years.
- Diagnostic logs and backups — retained for a limited period and then expired automatically.
8. Your rights
Depending on where you live, you may have some or all of the following rights under your local data-protection law:
- Access the personal data we hold about you.
- Have inaccurate data corrected.
- Request deletion of your data (see our data deletion page).
- Restrict or object to certain processing.
- Receive a copy of your data in a portable format.
- Withdraw consent where processing is based on consent.
- Lodge a complaint with your local data-protection authority — for UK residents, the Information Commissioner's Office (ico.org.uk).
To exercise these rights, email support@graftloop.com. We respond within the timeframe required by your local law (typically one calendar month).
9. Cookies
Graftloop uses strictly necessary cookies to keep you signed in and remember session preferences. We do not use advertising cookies or third-party analytics, and we do not share data with ad networks.
10. Security
We use technical and organisational measures appropriate to the data we handle, including encryption in transit, encrypted storage of sensitive fields, audit logging, and access controls limiting who on our team can see production data. No system is perfectly secure; if you suspect your account has been compromised, contact us immediately at support@graftloop.com.
11. Children
Graftloop is a B2B service intended for adults legally able to operate a business in their country. We do not knowingly collect data from anyone below the age of majority in their jurisdiction. If you believe we have, please contact us so we can delete it.
12. Changes to this policy
We may update this policy from time to time. The version shown here is always the current one. We'll flag material changes by email or in-app notice at least 30 days before they take effect.
13. Contact
Questions, complaints, or rights requests: support@graftloop.com
Postal: 128 City Road, London, United Kingdom, EC1V 2NX