Privacy policy

Last updated: 13 May 2026

We are committed to respecting your privacy and protecting your data. This Privacy Policy describes how we handle and protect your data in connection with our Site and the SOFTWARE PRODUCT (as defined in our Terms and Conditions).

Data collection summary

As a provider of software to professionals — including banks, consultancies and other businesses that routinely work with sensitive and private data — we take data protection seriously. We limit the data we transfer to what is needed to operate the features you use, to validate your license and account, and to diagnose and improve our software.

For our usage tracking and error reporting systems, we record what actions you perform, not what you are working on. Our telemetry does not gather information that could reveal the contents of your presentations and spreadsheets, including file names, file paths, text, numbers, data, or external data sources. Telemetry is strictly limited to which actions you perform and how often you do so. For example, if you connect to an Excel workbook, we may be informed that such an action has been performed, but we will not be told the name of the workbook, the path to it, or its contents.

By contrast, certain product features — such as AI functionality and content distribution — necessarily process the content you provide when you choose to use them. These features are opt-in and are described separately in Customer content processed by product features below.

See our Data Management Policy for further details on how we classify, retain, and dispose of data.

License validation

When you use Grunt, we transmit a minimal amount of data in order to validate your license. This consists of a fingerprint (machine identification) used to identify your computer, which we correlate with the email address registered as your license key.

Metrics tracking

Our metrics tracking system records actions you perform. This allows us to understand which features are used by our customers. When you perform an action, a message containing an identifier associated with that action is sent to our servers. Not all actions trigger such an event. The identifier is global, meaning it is the same for all users. This identifier is the only information sent to our servers in connection with the action; no other data regarding the action is transmitted. Metrics tracking occurs in the background and does not produce a notification.

Customer content processed by product features

Some Grunt features process content you provide in order to carry out the task you have requested. Unlike our telemetry, these features necessarily transmit the content you submit to them.

  • AI functionality. When you use AI features, the slide, spreadsheet, text, or other content you submit to the feature is transmitted to Grunt and, where applicable, to the AI service providers we use, in order to generate the requested output.
  • Content distribution. When you use features that distribute or share content on your behalf, the content you choose to distribute is transmitted to Grunt and delivered to the recipients or destinations you select.

The description of Content distribution above reflects our default hosting, Grunt Cloud, in which content is processed in a shared multi-tenant environment operated by Grunt. On Grunt Managed, content distribution takes place in a single-tenant Azure subscription that Grunt operates exclusively for your organization. On Grunt Self-Hosted, content distribution runs entirely within your own Azure tenant, operated by you; Grunt does not receive the content distributed through this feature.

Content submitted to these features is processed only to deliver the requested functionality and is handled in accordance with this Privacy Policy and our agreements with sub-processors (listed at trust.grunt.pro). We do not use the content you submit to these features to train AI models, and our AI sub-processors are contractually prohibited from doing so.

Submitted content is retained only for as long as necessary to deliver the requested output and is then deleted from Grunt's systems. Content delivered through content-distribution features is, by its nature, transmitted to the recipients or destinations you select; once delivered, those recipients retain whatever copies they receive.

These features are opt-in: no customer content is sent to Grunt unless you choose to use a feature that requires it.

Microsoft 365 integration

Grunt offers an optional integration with Microsoft 365 that allows you to import files from SharePoint and OneDrive into the Service. The integration uses the Microsoft Graph API and requires you (or your Microsoft 365 administrator) to grant Grunt permission to read files on your behalf. The permission Grunt requests is broad by design — it covers the same set of files you yourself can access in SharePoint and OneDrive — because Microsoft Graph does not offer a narrower scope that would let you pre-select individual files at the consent stage.

What Grunt actually does with this access. Grunt accesses SharePoint and OneDrive content only in response to your actions in the app — for example, when you select a file to import. Grunt does not browse, index, scan, or otherwise read files on a background or scheduled basis. The files you choose to import are then processed by the Service in the same way as any other content you submit, as described above.

Persistent access and token storage. To avoid requiring you to sign in every time you use the integration, Microsoft issues Grunt refresh tokens, which Grunt stores securely. These tokens give Grunt the technical ability to access — on your behalf — the files you have access to, even when you are not actively using the app. Grunt uses that ability only as described in the preceding paragraph. Tokens are protected with the same security controls Grunt applies to other authentication credentials.

Revoking access. You can revoke Grunt's access at any time. The fastest method is your Microsoft 365 account at myaccount.microsoft.com under "Apps and services with access." Your Microsoft 365 administrator can also remove consent for your tenant. You can additionally email support@grunt.pro to request that we delete the refresh tokens we hold for your account.

Error reporting

When the software encounters an unexpected error, a diagnostic message may be sent to Grunt for the purposes of diagnosis and product improvement. Error messages are sanitized on your device before transmission: raw strings — which may include data, file paths, or file names — are removed. Sensitive content is not transmitted as part of an error report.

Personal information we collect

  • When you interact with Grunt AS through our website ("Site") to purchase a Grunt AS product, download our software, register for or participate in a demo or training session, take part in an online forum or survey, or for any other reason, we may collect a variety of information such as your name and surname, email address, mailing address, phone number, company, job position, country, contact preferences, and credit card information.
  • When you use Grunt AS software, we may collect your email address, IP address, and device identifiers such as your computer name and Windows username, which may contain personal information or, when combined with other information, may be used to identify you.
  • When you invite others to participate in Grunt products or services, we may collect information you provide about those people, such as names, email addresses, mailing addresses, and phone numbers.
  • When you use features that process customer-provided content (such as AI functionality or content distribution), the content you submit to those features may itself contain personal data. We process that content on your behalf solely to deliver the feature you have requested, and we do not extract or separately retain personal data contained in that content.
  • We retain the email addresses and personal information provided to us by users who download or purchase Grunt AS products.
  • When purchasing our software by credit card, we require your credit card information, address, and billing address. Credit card information is stored with our payment provider, not with Grunt. This information is used only to complete your purchase and is not shared with any party outside Grunt or used for any purpose other than the purchase you agreed to. Customers paying by invoice are not asked to provide credit card information; we collect only the billing details needed to issue and process the invoice.

Non-personal information

We collect a variety of data in a form that, on its own, does not permit the identification of a specific individual. We may collect, use, transfer, and disclose non-personal information for any purpose. The following are examples of non-personal information — except where such information is considered personal under local law — that we collect and how we may use it:

  • We may collect information regarding the field of work, language, region, time zone, or type of business in which our software is used. This information is used to understand customer behavior in order to improve our products and advertising.
  • We may collect information regarding activity on our websites, social media profiles, surveys, or through our services. This information is analyzed to help us understand which aspects of our sites, products, and services are most useful to our customers.
  • We may collect and store details of how you use our services, including activity logs. This information may be used to improve our products and services.

If personal and non-personal information are combined, all data will be treated as personal. If a user uses the Site to publish or otherwise share personal data with third parties, that user assumes full responsibility, confirms that they have the right to communicate or disclose such personal data, and confirms that the data subjects have received prior notice. This relieves the Site of all responsibility for any improper use of such data following its disclosure or dissemination.

Legal basis for processing

Grunt AS processes personal data on the following legal bases under the GDPR:

  • Performance of a contract: to provide the SOFTWARE PRODUCT, validate licenses, handle billing, and respond to support requests.
  • Legitimate interests: to operate and secure our Site and software, to record telemetry and error reports needed to maintain and improve the product, and to communicate with customers about service-related matters. Our legitimate interests are balanced against your rights and freedoms as a data subject.
  • Legal obligation: to comply with tax, accounting, and other statutory obligations applicable to Grunt AS.
  • Consent: where processing is based on consent (for example, optional marketing communications), you may withdraw that consent at any time.

Method of processing

Grunt AS processes personal data lawfully and in accordance with this Privacy Policy. Personal data is processed at Grunt AS's premises in Norway and in cloud infrastructure operated by our hosting and sub-processor providers. Access is limited to personnel and sub-processors who need it to operate the Site, deliver the SOFTWARE PRODUCT, or support our customers. An up-to-date list of sub-processors is published on our Trust Center at trust.grunt.pro.

Where personal data is transferred outside the European Economic Area (EEA), Grunt AS relies on transfer mechanisms recognized under the GDPR, such as European Commission adequacy decisions or Standard Contractual Clauses. Personal data is retained only for as long as necessary to provide the service or to meet legal and accounting obligations.

Protection of personal information

Grunt AS takes appropriate measures to protect your personal information against loss, theft, unauthorized access, alteration, and disclosure. Information exchanged with our website and services is encrypted in transit using TLS.

Your rights

Under the GDPR and applicable Norwegian law, data subjects have the right to request confirmation of whether their personal data is processed by Grunt AS and to access that data; to request correction of inaccurate or incomplete data; to request erasure of their data, subject to the limits set out in the GDPR; to request restriction of processing, or to object to processing carried out on the basis of Grunt's legitimate interests; to receive their personal data in a structured, commonly used, machine-readable format and to transmit it to another controller (data portability); and to withdraw consent at any time, where processing is based on consent.

To exercise these rights, contact Grunt AS at support@grunt.pro or at the postal address listed at the end of this Privacy Policy. You also have the right to lodge a complaint with the Norwegian Data Protection Authority (Datatilsynet) if you believe your personal data is being processed in violation of applicable law.

Privacy questions

If you have any questions or concerns about Grunt's Privacy Policy, please contact us at support@grunt.pro.

Grunt AS may update its Privacy Policy from time to time. When we change the policy in a material way, a notice will be posted on our website along with the updated Privacy Policy.

Grunt AS
Lilleakerveien 2D
0283 Oslo
Norway