Privacy Policy

1 January 2026
info@joingrasp.com
joingrasp.com

1. Who We Are

Traece B.V., operating as **Grasp** ("Grasp," "we," "our," "us"), respects your privacy and is committed to protecting the personal data of our customers, their users, and visitors to our website. This Privacy Policy explains how we collect, process, store, and protect personal data, and outlines your rights under the **EU General Data Protection Regulation (GDPR)**.

Grasp is a **B2B AI Governance platform** that helps organizations discover, govern, and manage AI tools and software — including shadow AI detection, continuous compliance monitoring against frameworks such as the EU AI Act, NIS2, and ISO 27001, and risk management across the full application landscape.

We act as a:

  • **Data Processor** — when processing customer data on behalf of our clients (who are the data controllers)
  • **Data Controller** — when collecting data from website visitors, trial signups, or marketing contacts

Our Data Protection Officer can be reached at **info@joingrasp.com** for any privacy-related questions or requests.

Our commitment is to **data protection, transparency, and security** at all times.

2. Types of Data We Collect

A. Customer & User Data (Processed on Behalf of Customers)

When providing our platform, we process personal data from several sources. Each source is described below with what we collect and, where relevant, what we explicitly do **not** collect.

Identity Provider (SSO) Data

Grasp connects to your organization's Identity Provider (Google Workspace or Microsoft Entra ID) to build a complete view of your application landscape. We collect:

  • Organizational structure (departments, teams, reporting lines)
  • Connected applications visible in the SSO directory
  • Role and permission metadata

Desktop Agent Data

Grasp deploys a lightweight desktop agent (distributed via your organization's MDM solution) to detect all software in use — including shadow IT and shadow AI tools. The agent collects:

  • Application names and categories (browser-based and desktop applications)
  • Active window titles (used to identify which applications are in use)
  • Application usage timestamps and duration
  • Browser domain visits (top-level domain only, used for SaaS detection)

The desktop agent does NOT collect:

  • Keystrokes or keyboard input
  • Screen content, screenshots, or screen recordings
  • File contents or file names on the user's device
  • Personal browsing history beyond top-level domain detection
  • Passwords, form inputs, or any typed content
  • Microphone, camera, or other sensor data

The agent is designed to identify *which applications are in use* — not to monitor *what employees do inside those applications*.

Email Integration Data

Grasp integrates with Gmail and Outlook (via direct API integration or a forwarding address) to automatically detect and enrich software invoices. We collect:

  • Email metadata for messages identified as software invoices (sender address, subject line, date)
  • Invoice attachments (PDF invoices, receipts, and order confirmations related to software purchases)
  • Extracted invoice data (vendor name, amount, billing period, license count)

The email integration does NOT:

  • Read, store, or process the body content of non-invoice emails
  • Access personal emails, internal communications, or email threads
  • Store full email archives or mailbox contents
  • Monitor email sending behavior or communication patterns

Platform Activity Data

  • Login and activity data within the Grasp platform itself
  • Role, permissions, and departmental information within Grasp
  • Governance decisions and their recorded reasons (approve, block, dismiss actions are logged with user attribution for compliance and audit purposes)
  • Support tickets or correspondence with our support team

This data is never used for AI model training outside of delivering our services.

B. Website & Marketing Data

When interacting with our website, newsletter, or trial signup forms, we may collect:

  • Name, business email, company name, job title
  • IP address, browser type, device information
  • Cookies or similar technologies for marketing, analytics, and performance (subject to your consent via our cookie consent banner)

3. How We Use Personal Data

We only process personal data for legitimate and necessary purposes:

1. **Delivering Our Services** — Operate, maintain, and improve the Grasp platform; provide application discovery, shadow AI detection, compliance monitoring, governance dashboards, AI-powered insights, and agent recommendations.

2. **Security and Compliance** — Monitor access, detect anomalies, and prevent unauthorized activity; protect against fraud, abuse, or data breaches; support our customers' compliance obligations under frameworks including the EU AI Act, NIS2, ISO 27001, ISO 42001, and SOC 2.

3. **Customer Support & Communication** — Respond to inquiries and provide technical support; communicate product updates, release notes, and relevant announcements.

4. **Legal & Regulatory Obligations** — Comply with applicable laws, regulations, or court orders.

**Note:** Personal data is not used for AI model training or sold to third parties.

4. Legal Basis for Processing

Under GDPR, Traece processes personal data based on one or more legal grounds:

  • **Contractual necessity** — to fulfill our SaaS service obligations to customers
  • **Legitimate interests** — security, platform improvement, fraud prevention, and providing governance insights to our customers. Where we rely on legitimate interests, we conduct balancing tests to ensure our interests do not override the rights of data subjects.
  • **Consent** — only when explicitly requested (e.g., marketing communications, cookie consent)

5. Automated Decision-Making

Grasp uses AI-powered features to assist our customers with governance decisions, including agent recommendations (e.g., suggesting whether to approve, block, or investigate an application) and risk scoring.

These features are **advisory only**. All governance decisions are made by authorized human users (typically CISOs or IT administrators) within the customer's organization. Grasp does not make automated decisions that produce legal or similarly significant effects on individuals without human review.

Confidence scores and recommendations are generated based on the customer's own precedent data and configurable rules — not on profiling of individual employees.

6. Sharing Personal Data

We **do not sell personal data**. We share personal data only in limited contexts:

1. **Subprocessors** — we use a limited number of subprocessors to deliver our services. The current list includes:

| Subprocessor | Purpose | Data Location |
| --- | --- | --- |
| Google Cloud Platform | Infrastructure hosting, compute, and storage | EU (Netherlands) |
| OpenAI | AI-powered governance recommendations and insights | US (SCCs in place) |
| Cloudflare | CDN, DDoS protection, and edge security | Global (EU processing) |
| Resend | Transactional and marketing email delivery (notifications, alerts, newsletters, product updates) | US (SCCs in place) |
| PostHog | Product analytics (anonymized usage data) | EU |

7. International Data Transfers

Some subprocessors (e.g., OpenAI, Resend) may transfer personal data outside the EU/EEA.

  • All international transfers comply with GDPR Chapter V
  • Safeguards include **Standard Contractual Clauses (SCCs)** adopted by the European Commission
  • Where applicable, we assess the data protection laws of the recipient country and implement supplementary measures as recommended by the EDPB

8. Data Retention

  • **Customer & User Data** — retained only for the duration of the customer's contract. Upon contract termination, all customer data is deleted within **90 days** unless a longer retention period is required by law or explicitly requested by the customer.
  • **Governance Audit Trail** — governance decisions (approve, block, dismiss) and their associated metadata are retained for the duration of the contract to support compliance and audit requirements. These are deleted together with customer data upon termination.
  • **Desktop Agent Data** — application usage metadata is retained for a rolling **12-month window** to support trend analysis and compliance reporting. Older data is automatically purged.
  • **Website & Marketing Data** — retained for analytics and marketing purposes for up to **36 months**, unless otherwise required by law or withdrawn by consent.

9. Data Security Measures

Traece implements **industry-standard technical and organizational measures** to protect personal data:

  • Encryption at rest (AES-256) and in transit (TLS 1.2+)
  • Multi-factor authentication (MFA) for all administrative and platform access
  • Role-based access control and least-privilege principles
  • Daily encrypted backups and disaster recovery procedures
  • Security monitoring, logging, and a documented incident response plan
  • Regular vulnerability assessments and penetration testing
  • Employee security awareness training

We conduct **Data Protection Impact Assessments (DPIAs)** for high-risk processing activities, including desktop agent deployment and email integration processing, in accordance with GDPR Article 35.

Security practices are reviewed regularly to meet regulatory expectations and customer requirements.

10. Data Subject Rights (GDPR)

Data subjects have the following rights under GDPR:

1. **Access** — request a copy of your personal data

2. **Correction** — correct inaccurate or incomplete data

3. **Erasure** — request deletion of personal data (subject to contractual or legal limits)

4. **Restriction** — limit the processing of your personal data in specific contexts

5. **Objection** — object to processing based on legitimate interests

6. **Data Portability** — request a machine-readable copy of your data for transfer

7. **Withdraw Consent** — where processing is based on consent, you may withdraw it at any time

**For employees of Grasp customers:** your employer is the data controller. Please direct data subject requests to your organization's IT or privacy team in the first instance. We will assist your employer in fulfilling these requests in accordance with our Data Processing Agreement.

**For website visitors and direct contacts:** contact us directly at **info@joingrasp.com**.

We respond to all data subject requests within **30 days** as required by GDPR.

11. Data Breach Notification

If a personal data breach occurs:

  • We will notify affected customers (controllers) **without undue delay** and no later than **72 hours** after becoming aware of the breach, in accordance with GDPR Article 33
  • We will provide all information necessary for customers to assess the impact and fulfill their own notification obligations
  • We will provide assistance to mitigate potential harm and document all breaches in our internal breach register

12. Cookies and Tracking

Grasp uses cookies and similar technologies on our website for analytics, performance, and marketing purposes.

  • **Strictly necessary cookies** are used without consent (session management, security)
  • **Analytics and marketing cookies** are only placed after you provide consent via our cookie consent banner
  • You can manage or withdraw cookie consent at any time via the cookie settings on our website
  • Cookie data is **not sold** and only shared with authorized subprocessors listed in Section 6

For full details, see our [Cookie Policy](https://joingrasp.com/legal/cookies).

13. Our Own Use of AI

Grasp uses AI (including large language models provided by OpenAI) to power governance features such as agent recommendations, risk analysis, and compliance insights within our platform.

  • Customer data sent to AI subprocessors is processed under our Data Processing Agreement with those providers
  • We use **API-only access** — customer data is not used to train third-party AI models
  • AI outputs within Grasp (recommendations, risk scores) are advisory and always subject to human decision-making by the customer's authorized users

We are committed to responsible AI use and monitor our own compliance with the EU AI Act as it applies to our platform.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. Significant updates will be communicated through our platform, website, or email at least **30 days** before they take effect. The "Effective Date" at the top of this page reflects the most recent revision.

15. Contact Us

For questions, data subject requests, or GDPR inquiries:

**Traece B.V., operating as Grasp**

General inquiries: info@joingrasp.com

Website: joingrasp.com

Registered in Amsterdam, the Netherlands

KVK (Chamber of Commerce) number: 98464604

If you are unsatisfied with our response, you have the right to lodge a complaint with the **Autoriteit Persoonsgegevens** (Dutch Data Protection Authority) at [autoriteitpersoonsgegevens.nl](https://www.autoriteitpersoonsgegevens.nl).