Privacy Policy

Last updated: 21 April 2026  ·  Effective: 21 April 2026

Gri9d

Operated by Udathveer Singh Pasricha (sole trader, trading as Gri9d)

ABN: 23 612 369 411

Melbourne, Victoria, Australia

Contact: privacy@gri9d.it.com

1. Introduction

This Privacy Policy describes how Udathveer Singh Pasricha, a sole trader based in Melbourne, Victoria, Australia (ABN 23 612 369 411), trading as Gri9d (“Gri9d”, “we”, “us”, or “our”), collects, uses, stores, discloses and protects personal information in connection with the Gri9d web platform at www.gri9d.it.com and its two products:

  • The Forge — an AI-assisted job application tool that parses resumes, generates tailored cover letters and resumes, and can send application emails from a user’s own email address via SMTP with the user’s authorization; and
  • Campus Connect — a peer-to-peer services marketplace for students.

This policy applies to all users of gri9d.it.com regardless of location, and takes effect on 21 April 2026.

We are bound by the Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs) set out in Schedule 1 of that Act. Where users in the European Economic Area, the United Kingdom, or California access the service, we also provide the additional rights and disclosures described in this policy.

By creating an account or using Gri9d, you acknowledge that you have read this policy and understand how we handle your personal information. If you do not agree with this policy, please do not use the service.

“Personal information” has the meaning given in section 6 of the Privacy Act — information or an opinion about an identified individual, or an individual who is reasonably identifiable.

2. The Kinds of Personal Information We Collect

We collect only what we need to operate Gri9d. We group personal information into three categories based on how it reaches us.

2.1 Information you provide directly

  • Account data: email address, password (stored only as a salted hash via Supabase Auth — we never see or store your plaintext password), display name, hero name, segment preference, and a profile avatar (either uploaded by you or generated).
  • Resume data: resume files you upload (typically PDF), and the structured data extracted from them — name, email, phone number, skills, work experience, education, certifications, and any other content present in the resume you provide.
  • Campus Connect listings and bookings: the content of listings you post (titles, descriptions, pricing, availability), bookings you make or receive, messages you send to other users, and reviews you give or receive.
  • Communications with us: the content of any email, support ticket, or message you send to us directly.
  • Payment information: billing name and country (card numbers are handled exclusively by Stripe — see Section 7).
  • Forge email authorization: when you connect your email account to The Forge, the credentials or OAuth tokens required to send mail on your behalf via SMTP (stored encrypted), and the recipient addresses, subject lines and body content of emails you choose to send.

2.2 Information collected automatically

  • Usage data: experience points (XP), levels, streaks, achievements, checkpoint / journey progress, feature usage events, and timestamps of key actions.
  • Session and device data: login timestamps, IP address (used for rate limiting, fraud detection and security), approximate location derived from IP, browser user-agent, device type, operating system, screen size, language, and the referring URL.
  • Cookies: first-party session cookies issued by Supabase Auth to keep you logged in, and a small number of first-party functional cookies (e.g. theme preference). See Section 11.
  • Logs: server and application logs containing request paths, response codes, error traces and the IP/device metadata above.

2.3 Information received from third parties

  • From Stripe: your Stripe customer ID, subscription status, plan, invoice history metadata, and the last four digits and brand of the card used (for your own reference in-product) — we do not receive full card numbers.
  • From Supabase: authentication events (successful / failed login attempts, password reset events) that originate from the auth service we use.
  • From OpenAI: the generated text returned in response to our API calls on your behalf (cover letter drafts, parsed resume JSON, match suggestions).
  • From your email provider: delivery / bounce / error responses when Forge sends a message from your address.

3. Sensitive Information

“Sensitive information” under APP 3 includes information about health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, union membership, criminal record, and biometric data.

We do not intentionally collect sensitive information. We do not ask for it in any form. However, because resumes are free-form documents, you may voluntarily include sensitive information in a resume you upload (for example, a health disclosure, a language that implies ethnicity, or a religious organisation you volunteered with).

Where this happens:

  • We treat any sensitive information you upload as having been provided with your consent, limited to the purposes of running The Forge (parsing your resume and generating tailored application materials).
  • We do not extract sensitive information into a structured field, profile you based on it, or disclose it except as part of application materials you explicitly choose to send.
  • You can remove sensitive information at any time by editing or deleting your uploaded resume.

We ask that you do not include sensitive information in Campus Connect listings, messages, or reviews.

4. How We Collect Personal Information

We collect personal information through the following channels:

  • Forms and inputs you complete on gri9d.it.com — sign-up, profile editing, listing creation, messaging, reviews.
  • File uploads — resumes you upload to The Forge, avatar images.
  • Automated collection — cookies, log files, and analytics events fired by your browser or device when you use the site.
  • API calls to third parties on your behalf — for example, when The Forge sends a portion of your resume and a job description to OpenAI to generate a cover letter, or when Stripe processes your payment.
  • Communications between users — messages and reviews exchanged inside Campus Connect.
  • Email delivery systems — metadata returned by Resend (for our transactional email) and by your own email provider (when Forge sends on your behalf).

Wherever practical we collect personal information directly from you. Where we collect it from a third party (such as Stripe or Supabase Auth), we do so only to operate a feature you have chosen to use.

5. Why We Collect Personal Information and How We Use It

Consistent with APP 6, we collect and use your personal information only for the following purposes:

  1. Service delivery — creating and authenticating your account; storing your resume; running The Forge pipeline (parse → match → generate → send); running Campus Connect (listings, bookings, messages, reviews); tracking your progress, XP, streaks and achievements.
  2. Personalization — tailoring generated cover letters and resumes to specific jobs, recommending listings, surfacing relevant content.
  3. AI generation — sending the necessary inputs (resume text, job description) to OpenAI to produce your outputs. See Section 9.
  4. Billing and payments — creating Stripe customers, managing subscriptions, issuing receipts, handling refunds and chargebacks.
  5. Security, fraud prevention and abuse handling — rate limiting, detecting suspicious logins, blocking bots, investigating misuse of Campus Connect (e.g. scam listings, harassment).
  6. Product improvement — understanding which features are used, fixing bugs, improving quality. Where practical, we work on de-identified or aggregated data for this purpose.
  7. Communications — transactional emails (account verification, password reset, purchase receipts, booking confirmations, Forge send confirmations) and, where you have opted in, product updates and marketing.
  8. Legal compliance — meeting obligations under Australian tax, consumer and privacy law, and responding to lawful requests from regulators and courts.

We will not use your personal information for a materially different, unrelated purpose without first seeking your consent, except where permitted under APP 6.2 (for example, where required by law or to address a serious threat to safety).

6. Legal Bases for Processing (GDPR Users)

If you are located in the European Economic Area or the United Kingdom, we rely on the following legal bases under the GDPR:

  • Performance of a contract (Art. 6(1)(b)) — to create and operate your account, run The Forge, run Campus Connect, process payments, and deliver the bookings and services you have contracted for.
  • Legitimate interests (Art. 6(1)(f)) — for security, fraud prevention, rate limiting, de-identified product analytics, and direct communication with our existing users about the service they use. We balance these interests against your rights.
  • Consent (Art. 6(1)(a)) — for optional marketing communications, for sending emails from your address via The Forge, and for any optional analytics or cookies beyond what is strictly necessary. You can withdraw consent at any time.
  • Legal obligation (Art. 6(1)(c)) — for retention of tax, accounting and payment records, and for responding to lawful regulator requests.

Where sensitive (special category) information is processed, we rely on your explicit consent under Art. 9(2)(a), limited to the purposes you uploaded the information for.

7. Disclosure to Third Parties

We do not sell your personal information. We disclose it only to the processors and service providers listed below, only to the extent necessary, and only under contracts that oblige them to handle your data consistently with this policy and applicable law.

| Processor | Role | Data | Location |
|---|---|---|---|
| Supabase Inc. | Database, auth, file storage (on AWS) | Account data, resumes, listings, history, logs | AWS Sydney or US |
| Stripe | Payment processing, subscriptions | Name, email, billing country, card (direct to Stripe), customer ID, payments | Australia, US, Ireland |
| OpenAI | AI inference (gpt-4o-mini) for resume parsing, cover letters, matching | Resume text, job descriptions, prompts | US (and Ireland for some EU traffic) |
| Resend | Transactional email delivery | Recipient email, subject, body of Gri9d-originated messages | US |
| Your email provider | Actual SMTP transmission for The Forge | The email we transmit through your account | Determined by your provider |
| Vercel, Inc. | Web hosting, serverless execution, CDN | Request metadata (IP, UA, path); request/response bodies in transit | US (global edge) |

We have reviewed the privacy and security practices of each of the above processors and taken reasonable steps to ensure they handle personal information consistently with the APPs or equivalent protections.

We may also disclose personal information:

  • to professional advisers (lawyers, accountants, auditors) bound by duties of confidentiality;
  • to law enforcement, regulators or courts where required by law, or where reasonably necessary to protect the rights, property or safety of Gri9d, our users, or the public;
  • to a successor entity in the event of a sale, merger, restructure or bankruptcy, in which case we will require the recipient to honour this policy.

We do not disclose personal information to advertisers or data brokers, and we do not permit our processors to use your information for their own marketing.

8. Cross-Border Disclosure

Some of our processors are located outside Australia. By using Gri9d, you acknowledge and consent to your personal information being disclosed to, and processed in, the following jurisdictions:

  • United States — OpenAI, Vercel, Resend, and (depending on configuration) Supabase / AWS and Stripe.
  • Ireland / European Economic Area — Stripe EU operations and OpenAI Ireland for some EU-routed traffic.
  • Australia — Supabase on AWS Sydney (primary storage region where configured) and Stripe Payments Australia.

Consistent with APP 8, we take reasonable steps to ensure that overseas recipients handle your personal information in accordance with the APPs, principally by:

  • contracting with each processor on terms that require them to protect personal information to a standard equivalent to the APPs;
  • relying on Standard Contractual Clauses (SCCs) or equivalent transfer mechanisms where personal information is transferred outside the EEA / UK; and
  • selecting processors who maintain recognised security certifications (e.g. SOC 2, ISO 27001, PCI-DSS).

If an overseas recipient mishandles your personal information, we remain accountable for that handling under APP 8.1, except where a limited exception applies.

9. The Forge — AI Processing Disclosure

The Forge uses third-party AI to help you apply for jobs. This section explains exactly what happens with your data.

9.1 What we send to OpenAI

When you use The Forge, we send the following to OpenAI’s API:

  • the text extracted from your uploaded resume (or portions of it relevant to the task);
  • the job description / listing you are applying to;
  • any additional instructions you provide (tone, emphasis, target company notes);
  • system prompts that configure the model.

We do not send your password, payment details, messages from Campus Connect, or any data unrelated to the job application task.

9.2 What OpenAI does with it

OpenAI processes your inputs to generate outputs (parsed resume JSON, a tailored cover letter, a tailored resume, or match suggestions) and returns those outputs to us, which we then store in your account and display to you.

Based on OpenAI’s API data usage policies as in effect on the date of this policy, data submitted to the OpenAI API is not used by OpenAI to train or improve its models. OpenAI retains API inputs and outputs for a limited period for abuse monitoring, after which they are deleted in accordance with OpenAI’s policies. OpenAI’s own privacy policy governs their handling of that data: openai.com/policies/privacy-policy.

9.3 Ownership and accuracy of outputs

The cover letters, resumes and other materials that The Forge generates are your content. You are responsible for reviewing them for accuracy before sending. AI-generated content can contain mistakes, fabrications (“hallucinations”), or phrasing that does not fit your circumstances. Review every generated document before sending it. Gri9d is not responsible for inaccuracies in AI-generated content, and providing false information to a prospective employer is your responsibility.

9.4 Model changes

We may change the underlying model or provider to improve quality, reduce cost, or address reliability issues. Where a change involves a materially different data-handling posture (for example, a provider that uses data for training), we will update this policy and notify you before the change takes effect.

10. Sending Emails on Your Behalf

The Forge includes a feature that sends job application emails from your own email address (e.g. your Gmail) via SMTP or an equivalent provider API. This section explains how that works.

10.1 Your authorization

Before we can send any email from your address, you must explicitly connect your email account to The Forge. Depending on your provider, this is done via:

  • OAuth (recommended, e.g. Gmail, Microsoft 365) — you are redirected to your provider, you review the requested scopes (which include sending mail), and you grant Gri9d permission. We store the resulting tokens, encrypted, and refresh them as needed.
  • App password or SMTP credentials — where OAuth is unavailable, you may choose to provide an app-specific password. We store it encrypted and use it only to send mail you instruct us to send.

By connecting your account you authorize Gri9d to transmit emails you have composed, reviewed, or generated (and approved) through your email provider.

10.2 What we send and log

We send only the emails you trigger — we do not send mail automatically from your address without your action. For each send, we log:

  • the recipient address(es);
  • the subject line;
  • the send timestamp and delivery status returned by your provider;
  • a copy of the generated body and any attachments (so you have a record in The Forge).

We do not read, scan, or index messages in your inbox. We do not access mail you have received. We do not send messages to contacts other than those you specify.

10.3 Revoking access

You can revoke The Forge’s access at any time by:

  • disconnecting the email integration inside your Gri9d account settings; and/or
  • revoking the OAuth grant or app password from your email provider’s security dashboard.

Revocation is effective immediately. Historical send logs remain in your account until deleted (see Section 12).

10.4 Compliance responsibility

You are the sender of any email transmitted through this feature. You are responsible for ensuring that your emails comply with applicable law, including the Spam Act 2003 (Cth) — in particular, that messages are sent with the recipient’s consent (express or inferred), identify you as the sender, and contain a functional unsubscribe facility where required.

11. Cookies and Tracking

Gri9d uses a minimal cookie footprint. We use:

  • Strictly necessary cookies — set by Supabase Auth to keep you signed in; set by the application framework for session management and CSRF protection.
  • Functional cookies — small first-party cookies that store preferences such as theme, segment, or onboarding progress.
  • Analytics — where enabled, we use first-party, privacy-preserving analytics to count page views and feature usage. We do not use Google Analytics, Facebook Pixel, or similar third-party advertising trackers. We do not build advertising profiles.

We do not use cross-site advertising cookies, and we do not sell or share your browsing behaviour with ad networks.

You can disable cookies through your browser settings. Disabling strictly necessary cookies will prevent you from signing in to Gri9d. Where applicable law requires a consent banner (e.g. for EEA users), we present one and honour your choice.

We honour the Global Privacy Control (GPC) signal where your browser sends one.

12. Data Retention

We keep personal information only for as long as we need it. Our retention schedule is:

| Category | Retention period |
|---|---|
| Account data (profile, email, hero name, etc.) | While your account is active, plus 12 months after deletion, then purged. |
| Resume files and parsed resume JSON | Until you replace or delete the resume. Deleted within 30 days of full account deletion. |
| Application history metadata | 24 months from the date of the application. |
| Campus Connect listings, bookings, messages, reviews | While your account is active; counterparty-facing history may persist de-identified. |
| Payment and tax records | 7 years (ATO / record-keeping obligations). |
| Server and security logs | 90 days, then purged or aggregated. |
| Encrypted backups | Up to 30 days. |

After these periods, we delete, de-identify, or securely destroy the personal information, unless we are required by law to retain it for longer (for example, in response to a legal hold).

13. Security

We take reasonable steps, as required by APP 11, to protect personal information from misuse, interference, loss, and unauthorised access, modification, or disclosure. Our security measures include:

  • Encryption in transit — all traffic between your device and Gri9d is served over HTTPS/TLS. Traffic to our processors is likewise TLS-encrypted.
  • Encryption at rest — databases and object storage are encrypted at rest by default (Supabase / AWS KMS).
  • Password security — passwords are hashed using Supabase Auth’s bcrypt-family hashing; plaintext passwords are never stored or logged.
  • Access control — production access is limited to the sole operator; we use the principle of least privilege and require strong, unique credentials.
  • Row Level Security (RLS) — database access is restricted by RLS policies so that users can only read and write their own records.
  • Two-factor authentication (2FA) — available on your account; we strongly recommend enabling it.
  • Secure handling of email credentials — OAuth tokens and SMTP credentials used by The Forge are stored encrypted.
  • Incident response — we monitor for anomalies and have an incident response process; see Section 19 for breach notification.

No online service can guarantee absolute security. You are responsible for keeping your password confidential, using a strong unique password, and enabling 2FA.

14. Your Rights Under Australian Privacy Law

Under the Australian Privacy Principles you have the following rights:

  • Access (APP 12) — you may request a copy of the personal information we hold about you. We will respond within a reasonable time (generally 30 days) and, where required, in the form you request. We may charge a reasonable cost-recovery fee for complex requests, but will not charge to lodge the request.
  • Correction (APP 13) — you may ask us to correct personal information that is inaccurate, out of date, incomplete, irrelevant, or misleading. Much of your information can be corrected directly in your account settings.
  • Anonymity or pseudonymity (APP 2) — where lawful and practicable; note that most Gri9d features require an identified account.
  • Withdrawing consent — where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing before withdrawal.
  • Complaints — see Section 20.

To exercise any of these rights, email privacy@gri9d.it.com. We may need to verify your identity before acting on your request, to protect your information from unauthorized access.

15. Your Rights Under the GDPR

If you are located in the European Economic Area or the United Kingdom, in addition to the rights above, you have the right to:

  • Access your personal data and receive a copy (Art. 15).
  • Rectification of inaccurate or incomplete data (Art. 16).
  • Erasure (“right to be forgotten”) (Art. 17), subject to our legal retention obligations.
  • Restriction of processing in certain circumstances (Art. 18).
  • Data portability — receive your data in a structured, commonly used, machine-readable format (Art. 20).
  • Object to processing based on legitimate interests, including profiling (Art. 21).
  • Withdraw consent at any time, where processing is based on consent (Art. 7(3)).
  • Lodge a complaint with your local data protection supervisory authority.

We will respond to verified requests within one month (extendable to three months for complex requests under Art. 12(3)). To exercise these rights, email privacy@gri9d.it.com.

We do not engage in automated decision-making that produces legal or similarly significant effects about you. The Forge generates drafts for you to review; it does not make employment decisions.

16. Your Rights as a California Resident

If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the CPRA gives you the right to:

  • Know what personal information we collect, the sources, the purposes, and the categories of third parties with whom we share it — all of which is set out in this policy.
  • Access a copy of the specific personal information we have collected about you.
  • Delete personal information we have collected, subject to statutory exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing. Gri9d does not sell personal information, and does not share personal information for cross-context behavioural advertising, so there is nothing to opt out of. We honour Global Privacy Control signals in any event.
  • Non-discrimination — we will not deny service, charge different prices, or provide a different level of service because you exercised a CCPA right.

To exercise these rights, email privacy@gri9d.it.com from the address associated with your account, or state another means by which we can verify your identity.

17. Children

Gri9d is intended for users aged 16 and over. It is not directed at children under 16, and we do not knowingly collect personal information from them. If you are under 16, please do not create an account or submit any personal information.

If we become aware that we have collected personal information from a person under 16 without appropriate consent, we will delete that information promptly. If you believe a child has provided us personal information, please contact privacy@gri9d.it.com.

Some services (for example, Campus Connect bookings that involve payment) may have a higher minimum age under our Terms of Service.

18. Marketing Communications

We send two types of email:

  • Transactional email — account verification, password reset, purchase receipts, booking confirmations, send confirmations, security alerts, and policy updates. These are necessary to operate the service and you cannot opt out while your account is active.
  • Marketing email — product news, tips, feature announcements. We send these only where you have opted in, or where consent is inferred under the Spam Act 2003 (Cth) and its accompanying regulations.

Every marketing email contains a functional unsubscribe link and our sender identity, as required by the Spam Act. You can opt out at any time by clicking unsubscribe or emailing privacy@gri9d.it.com. Unsubscribe requests are honoured within five business days.

19. Data Breach Notification

We comply with the Notifiable Data Breaches (NDB) scheme under Part IIIC of the Privacy Act 1988 (Cth).

If we suffer a data breach that is likely to result in serious harm to one or more individuals and we are unable to prevent that harm through remedial action, we will, as soon as practicable:

  • notify affected individuals of the breach, the kinds of information involved, and recommended steps they can take; and
  • notify the Office of the Australian Information Commissioner (OAIC).

For users covered by the GDPR, we will also notify the relevant supervisory authority within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons (Art. 33), and affected individuals without undue delay where the risk is high (Art. 34).

We maintain an internal incident response process to detect, contain, investigate and report incidents.

20. Complaints and Contact

If you have a privacy concern or complaint, please follow this two-step process:

Step 1 — Contact us. Email privacy@gri9d.it.com with details of your complaint. Please include enough information for us to investigate (your account email, a description of the issue, and any relevant dates). We will acknowledge your complaint within 7 days and aim to resolve it within 30 days.

Step 2 — Escalate to the regulator. If you are not satisfied with our response, or we have not responded within 30 days, you may lodge a complaint with:

  • Office of the Australian Information Commissioner (OAIC) www.oaic.gov.au · 1300 363 992.
  • If you are in the EEA/UK: your local data protection supervisory authority (e.g. the Irish Data Protection Commission, dataprotection.ie).
  • If you are in California: the California Privacy Protection Agency, cppa.ca.gov.

21. Changes to This Policy

We may update this policy from time to time — for example, to reflect new features, new processors, or changes in the law.

When we make changes:

  • Material changes (changes to the categories of personal information collected, new processors handling your data, expanded purposes, or reduced user rights) will be notified to you by email and by an in-product notice at least 14 days before the changes take effect.
  • Non-material changes (typos, clarifications, updated contact details) will be reflected by updating the “Last updated” date at the top of this policy.

Previous versions of this policy are retained and available on request from privacy@gri9d.it.com.

Continued use of Gri9d after changes take effect constitutes acceptance of the updated policy.

22. Contact Information

Data controller:

Udathveer Singh Pasricha (sole trader, trading as Gri9d)

Melbourne, Victoria, Australia

ABN: 23 612 369 411

Privacy contact: privacy@gri9d.it.com

Website: www.gri9d.it.com

For privacy requests, please include “Privacy request” in the subject line and email from the address associated with your Gri9d account where possible, so we can verify your identity.

This Privacy Policy is provided in English. Where we provide a translation, the English version prevails in case of conflict.