Privacy Policy

Last updated: 13 May 2026. This policy applies to greatVibe accounts and workspaces.

Who we are

greatVibe is a product of Gravient Systems Ltd (incorporated in Auckland, New Zealand) and Gravient Pty Ltd (incorporated in Australia). This policy applies to both entities and explains what personal information we collect, how we use it, and what rights you have.

Questions about this policy can be sent to privacy@gravient.ai.

What we collect

When you create an account, we collect:

  • Your name and email address
  • Your workspace name and organisation name
  • Payment information, handled directly by Stripe, our payment processor. We do not store card numbers.
  • Server logs including IP address, browser type, timestamps, and request paths. Retained for 90 days for security and debugging.

We also collect anonymised usage metrics such as feature usage counts and error rates. These do not contain personal information and help us improve the product.

Information we receive from others

Sometimes we receive personal information about you from someone other than you. This can happen when a workspace admin invites you, when Stripe confirms billing status, when Google confirms sign-in details, or when a connected service sends account metadata needed to complete work you direct.

We use that information only to provide the service, secure your account, manage billing, and support your workspace. We do not use it for advertising.

What we do not collect

Your API keys never reach our servers. greatVibe uses a bring-your-own-key model. Keys are stored encrypted on your own infrastructure and are never transmitted to Gravient.

We do not collect or see:

  • The content of your AI sessions. Work you direct through greatVibe runs on nodes you control.
  • Your files, code, or documents. These stay on your infrastructure.
  • Your API keys or credentials. These are encrypted at rest on your nodes and never leave them.

Your infrastructure

greatVibe runs on nodes you own and operate. Your data, your credentials, and your session history live on machines you control. We provide the software. You own the environment.

The greatvibe.ai website serves the marketing site and account management. Session payloads are processed on your own nodes. We don't store or retain the content of your sessions.

Enterprise customers have access to dedicated infrastructure options and full audit logs covering all credential access and session activity.

Security

Credentials stored on your nodes are encrypted with AES-256-GCM. All traffic between nodes uses mutual TLS (mTLS) with ECDH P-256 key exchange. Credentials never travel in plaintext.

Enterprise accounts get access to audit logs. Self-serve accounts have session history on their own nodes.

Third parties

Stripe processes your subscription payments. We share only the information Stripe needs to do that.

Google may process your email address and basic profile information if you choose Google sign-in. The public website also loads Inter from Google Fonts.

AI providers are services you choose to connect. greatVibe is a platform. We are not party to your conversations with those providers, and we do not control how they handle data you send to them. Refer to each provider's own privacy policy.

We do not sell your data. We do not share it with advertisers or analytics platforms.

Overseas disclosures

We operate from New Zealand and Australia. The service providers named in this policy may process personal information in other countries where they or their subprocessors operate. We take reasonable steps to use providers with privacy and security commitments appropriate for the information they handle.

Where transfers of personal information from the European Economic Area, the United Kingdom, or Switzerland occur, we rely on the European Commission's Standard Contractual Clauses or applicable adequacy decisions.

Cookies

We use only essential cookies. These are required for the service to work and cannot be disabled. They keep you signed in and maintain your session. We do not use advertising cookies, analytics cookies, or any third-party tracking cookies.

Because we use only essential cookies, no consent banner is required under GDPR or the ePrivacy Directive.

Your rights

If you are in the European Economic Area, you have rights under the General Data Protection Regulation (GDPR). These include the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (right to erasure)
  • Receive your data in a portable format (right to portability)
  • Object to certain uses of your data

If you are in New Zealand, you have rights under the Privacy Act 2020, including the right to access and correct information we hold about you. We will respond to access requests within 20 working days, as required by law.

If you are in Australia, you have rights under the Privacy Act 1988 (Cth), including the right to access and correct information we hold about you. If you are not satisfied with how we handle your personal information, contact us first so we can investigate. We will respond within a reasonable time. You may also make a complaint to the Office of the Australian Information Commissioner (OAIC).

Regardless of where you are based, we will respect your rights under your local law. To exercise any of these rights, email privacy@gravient.ai.

We do not make decisions about you based solely on automated processing.

Data breach notification

If we become aware of a privacy breach that is reasonably likely to cause serious harm, we will notify affected individuals and the relevant regulator (Office of the Privacy Commissioner in New Zealand, Office of the Australian Information Commissioner in Australia) as required by law.

Children

greatVibe is intended for users aged 16 or older. We do not knowingly collect information from anyone under 16. If you believe we have, contact privacy@gravient.ai and we will delete it.

Data retention

We keep your account information for 30 days after you cancel your subscription, then delete it. Enterprise audit logs are retained for the period you configure in your account settings.

You can request deletion of your data at any time by emailing privacy@gravient.ai.

Changes to this policy

We will post any changes to this page and update the date at the top. If changes are significant, we will notify you by email.

Lawful basis for processing

For users in the European Economic Area, we process your personal data on the following lawful bases:

  • Contract: processing your name, email, and payment details to provide the subscription you signed up for
  • Legitimate interest: collecting anonymised usage metrics to improve the product. These contain no personal data.
  • Legal obligation: retaining billing records as required by law

We do not process any personal data based on consent.

EU representative

Gravient Systems Ltd is based in New Zealand and Gravient Pty Ltd is based in Australia. Neither entity has an establishment in the European Union. If you are an EU resident with a question or complaint, contact us at privacy@gravient.ai. We will respond within 20 working days.

We have not appointed an EU representative at this stage. If our processing changes in a way that requires a representative under GDPR Article 27, we will appoint one and update this policy.

Contact

Privacy Officer: David Jenkinson

Privacy questions: privacy@gravient.ai

Gravient Systems Ltd
Auckland, New Zealand

Gravient Pty Ltd
Australia