graven.ai

Privacy Policy

Last updated: March 27, 2026

1. What we collect

Account data. When you sign up we store your email address, display name, and authentication provider identifiers (Google, GitHub).

Knowledge entities. Decisions, assumptions, constraints, open questions, and lessons learned that you or your AI agent record via the MCP protocol or REST API. This is the core data you choose to store.

Usage metadata. Timestamps, entity counts, API call counts, and operational logs. We do not log the content of your entities in operational logs.

2. How we use it

Your data is used exclusively to provide and improve the Graven service:

  • Store and retrieve your knowledge entities
  • Run enrichment (relationship extraction, semantic search indexing)
  • Enforce plan limits and billing
  • Debug errors and improve reliability

We do not sell your data. We do not use your knowledge entities to train AI models.

3. AI enrichment

When enrichment is enabled, entity content is sent to a third-party LLM provider (currently via OpenRouter) to extract relationships and generate embeddings. This processing is ephemeral — the provider does not retain your data beyond the API call. You can see which model was used via the enrichmentModel field on each entity.

4. Data storage & security

All data is stored in PostgreSQL databases hosted on Supabase (AWS infrastructure, eu-west region). Data is encrypted at rest (AES-256) and in transit (TLS 1.3). API keys are hashed with SHA-256 before storage.

5. Data retention

Your knowledge entities are retained for as long as your account is active. When you delete an entity, it is soft-deleted (status set to “invalidated”). Hard deletion of all account data is available upon request.

6. Your rights

You can:

  • Export all your data via the API at any time
  • Delete your account and all associated data
  • Revoke API keys immediately
  • Request a copy of all data we hold about you

7. Cookies & Analytics

We use essential cookies for authentication sessions. With your consent, we also use Google Analytics 4 to understand how Graven is used — page views, feature adoption, and error rates. Analytics data is anonymized (IP anonymization enabled) and not sold to third parties.

You can accept or decline analytics cookies via the banner shown on first visit. You can change your preference at any time by clearing your browser’s local storage for graven.ai.

Cookies used:

  • graven_session — authentication (essential, httpOnly)
  • _ga, _ga_* — Google Analytics (optional, only with consent)

8. Contact

For privacy-related questions: privacy@graven.ai