Privacy Policy
Last updated: April 2026
This policy covers all services operated under ginnung.tech, grab.technology, and lite-step.org.
Data controller: ginnung.tech. Contact: privacy@ginnung.tech.
Our services are not intended for users under 16 years of age.
Visitors who have not signed up
We don't track you. We only serve cookies and store data on your device to help the performance and security of the site (bot and spam protection). We do not store your IP address except in temporary server logs, which are retained for up to 7 days and then deleted automatically.
Cookies that may be set by our infrastructure:
| Cookie | Set by | Purpose |
|---|---|---|
__cf_bm | Cloudflare | Bot and spam protection (strictly necessary) |
We extract the following anonymous data from your visit:
| Data | How | Purpose |
|---|---|---|
| Country | IP → country lookup (Cloudflare edge, IP not stored by us) | Regional usage statistics |
| Device type | mobile / tablet / desktop | Layout and compatibility |
| Device orientation | portrait / landscape | Layout |
| Approximate screen size | Bucketed (e.g. "lg", "<1000"), not exact pixels | Layout |
| Page visited | Page name (e.g. "taxonomy"), not the full URL | Understand which features are used |
This data is anonymous. No unique visitor ID is generated. No cross-page session is tracked. Each page view is an independent event sent to Sentry (EU region) for aggregation. We cannot identify you from this data.
Our infrastructure providers (Cloudflare, Fly.io) may retain their own access logs independently under their respective retention policies.
Legal basis: legitimate interest (GDPR Article 6(1)(f)) — understanding product usage and protecting our services.
Users who have signed up
To sign up you must agree to our Terms of Service. Among other things, this allows us to store session data (cookies and other data) on your device. This is necessary for our service to work.
Data stored in your browser
| What | Purpose | Duration |
|---|---|---|
grab_session (httpOnly) | WorkOS session JWT — authenticates your requests | 24 hours |
grab_session_refresh (httpOnly) | WorkOS refresh token — renews your session | 30 days |
gn_telemetry | Your telemetry preference (readable by JavaScript) | 1 year |
gn_auth_handoff (httpOnly) | Short-lived handoff used by the TOS gate (deleted after you accept or cancel) | 5 minutes |
| IndexedDB / localStorage | Your project data and preferences (offline cache) | Until you clear browser data |
Data stored on our servers
WorkOS — your authentication data and social login tokens (e.g. Google). See WorkOS Privacy Policy.
Sentry — anonymous page-view statistics (same as for anonymous visitors, described above). These are not linked to your user session.
AI assistant (Claude by Anthropic)
When you use AI features, your project data (building geometry, site parameters, and instructions you provide) is sent to Anthropic's Claude API for processing. Anthropic processes this data to generate responses and does not use data sent via the API to train its models. See Anthropic's Privacy Policy.
Session tracking (optional, consent-based)
If you accept session tracking with Sentry during signup, you help us improve the product and we may be able to help you better in support cases. What may be stored:
- Usage logs — retained for a maximum of 30 days, then deleted automatically.
- Session replays — screen recordings of your interactions (clicks, scrolls, navigation). Replays may be reviewed by our team when diagnosing issues you report via support. Replays are automatically deleted after 30 days.
You can withdraw telemetry consent at any time in your user settings. When disabled, no session data is collected or recorded.
Legal basis: consent (GDPR Article 6(1)(a)).
Data we may store about you
By using our services, the following data may be stored:
- Account data — name, email address, social login token (e.g. Google)
- Server logs — IP address in temporary logs, retained for up to 7 days
- Anonymous usage data — same page-view statistics as described above
- Sentry tracking — if you opted in (see above)
- Project data — data related to your home or building project that you create in the application
- Public data — data gathered from open public services (e.g. terrain, building footprints, utility maps) related to your project
- Private data you provide — data you upload or send to us (e.g. floor plans, GML files, project documents)
Legal basis: contract performance (GDPR Article 6(1)(b)) — processing is necessary to provide the service you signed up for.
Data storage and international transfers
Ginnung is an international service. Your data may be replicated, processed, and stored in datacenters close to your location.
Where your data is processed
| Service | Purpose | Region | Transfer mechanism | Policy |
|---|---|---|---|---|
| Fly.io | API hosting | EU (Amsterdam) | EU processing | Link |
| Tigris | Object storage | EU primary, global replication | EU processing | Link |
| Upstash | Redis cache and queues | EU primary, global replication | EU processing | Link |
| Sentry | Error monitoring, analytics | EU | EU processing | Link |
| Cloudflare | CDN, bot protection, edge routing | Global | DPA with SCCs | Link |
| Authentication (OAuth) and Maps | Global | DPA with SCCs | Link | |
| WorkOS | Authentication | US | DPA with SCCs | Link |
| Anthropic (Claude) | AI assistant | US | DPA with SCCs | Link |
US-based services (WorkOS, Anthropic) and globally distributed services (Cloudflare, Google) each publish a Data Processing Addendum (DPA) that relies on Standard Contractual Clauses (SCCs) for transfers of personal data from the EEA/Switzerland/UK to the US, using Module Two (controller-to-processor) and Module Three (processor-to-processor).
Google Maps and 3D map tiles
We use Google Maps products, including 3D map tiles, under an international license. When you interact with maps in the application, Google processes your request data (IP address, viewport coordinates) according to Google's Privacy Policy and the Google Maps Platform Terms of Service. Maps are only loaded for authenticated users who have an active project with a site location.
Data deletion
If you request deletion of your account, all data that we can identify as belonging to you will be deleted. This includes your WorkOS account, project data in Tigris, session metadata in Upstash, and any Sentry data linked to your session. Deletion is completed within 30 days of your request.
Anonymous usage data (page-view statistics) cannot be deleted because it contains no personal identifiers and cannot be traced back to you.
Your rights
Under GDPR, you have the right to access, correct, delete, or export your data. For anonymous visitors, we hold no personal data to act upon. For signed-up users, contact us to exercise these rights.
Contact
For privacy questions, contact: privacy@ginnung.tech