Last updated: June 30, 2026 · Effective: June 30, 2026
The short version
ServeGrace provides an AI customer-support assistant named Grace that businesses embed on their websites. This notice explains what personal information we handle, why, who we share it with, how long we keep it, and the choices you have.
We serve two groups of people, and your rights differ slightly depending on which you are:
- Part A — People who chat with Grace on a business’s website (the business is our customer; you are their customer or visitor).
- Part B — Account holders — the businesses and their staff who sign up for and use ServeGrace.
In plain terms: we collect what’s needed to run the chat and the service, we don’t sell your personal information, we honor Global Privacy Control and other opt-out signals, and you can ask us to access or delete your data through the tools described below.
1. Who we are and our role
ServeGrace is operated by Pure Grace AI LLC (“ServeGrace,” “we,” “us”). Contact: privacy@servegrace.com.
Our role under data-protection law depends on the context:
- For chat data (Part A): the business that deploys Grace is the data controller — they decide why Grace is on their site and what it collects. ServeGrace acts as their data processor, handling that data on their behalf and under their instructions (governed by our Data Processing Agreement).
- For account data (Part B): ServeGrace is the data controller.
ServeGrace has not appointed a Data Protection Officer, an EU or UK Article 27 representative, or a Brazilian encarregado, because it does not currently meet the legal thresholds that require those appointments. We monitor this as our operations and the markets we serve change.
Part A — If you chat with Grace
This section is for people who interact with the Grace assistant on a business’s website or messaging channel. The business operating that site is the controller of your data; the section below describes how ServeGrace handles it on their behalf.
A1. You are talking to an AI
Grace is an automated AI assistant, not a human. Grace tells you this at the start of every conversation and shows an “automated assistant” label throughout. You can ask to speak to a human at any time, and Grace will connect you with the business’s team.
A2. What we collect, and why
| Category | Examples | Why |
|---|---|---|
| Information you provide in chat | Your messages, and any name, email, or phone you enter in a pre-chat form or share with Grace | To answer your questions, route you to a human, and let the business follow up |
| Conversation records | Transcript of the chat, timestamps, the page you were on (URL and title), detected language | To provide and improve the support conversation |
| Files & recordings | Files you upload; screen recordings only if you explicitly consent | To help resolve your request |
| Messaging consent | If you opt in to SMS/WhatsApp, your number and a record of consent (incl. IP and time) | To text you only when permitted, and to honor STOP/HELP |
| Technical/derived data | IP address (recorded as consent evidence); automated, inferred signals derived from the conversation, such as sentiment and AI-response-quality scores (some are stored on the message/customer record) | Security, consent proof, and service quality |
We collect only what’s needed for the support interaction and what you choose to provide.
A3. Is my chat used to train AI models?
No. We do not use your conversations to train AI models. Grace uses AI to understand your message and generate a reply in real time, and to power features like knowledge-base search, sentiment signals, and short summaries. ServeGrace does not build or train its own models on your conversations. When Grace uses commercial AI providers to generate replies and search results, those providers are — under our current configuration — set so that data submitted through their API is not used to train their models, consistent with their commercial/enterprise terms (under which such API data is not used for training by default). This representation depends on those providers’ terms and on our configuration of them (e.g., model-improvement/data-sharing settings turned off), and would change only if we changed that configuration.
How this works in practice: when you chat with Grace, the relevant message text and supporting context are sent to our AI sub-processors (see Section 5) solely to produce a response or a search result for that interaction. We store your conversation to operate and support the service (see A5 for retention), but we do not repurpose it as model training data.
A4. Who we share it with (sub-processors & recipients)
We share chat data only as needed to run the service:
- Service sub-processors that process data on our behalf — see the Sub-processor list in Section 5 below (also maintained as a dated, versioned page at servegrace.com/legal/subprocessors). The most relevant for chat are our AI provider (to generate Grace’s replies), cloud hosting/storage, and, if you use them, SMS/WhatsApp and email providers.
- The business operating Grace — your conversation is shared with the business whose site you’re using (they are the controller).
- The business’s connected tools, at their direction — if the business has connected a CRM (e.g., HubSpot, Salesforce, Pipedrive) or similar, the contact details you provide may be sent there. If you signal a universal opt-out (see A6), we suppress the external CRM push — your details are kept only in the business’s own ServeGrace records and are not sent on to the connected CRM.
We do not “sell” or “share” your personal information as those terms are defined under the CPRA — including, for “share,” any disclosure for cross-context behavioral advertising.
A5. How long we keep it
Retention is configurable by the business, with these defaults:
- Chat transcripts & messages: 365 days, then automatically deleted.
- Screen recordings: 90 days, then automatically deleted.
- Session linkage: 30 days.
A daily automated job is designed to enforce these windows. These are the standard defaults; a business may configure shorter or longer windows for its own deployment, so the exact period that applies to your data is set by the business operating Grace. You can also request earlier deletion (Section A6). Records we must keep for legal reasons (e.g., proof of a messaging opt-out) may be retained longer as required.
A6. Your choices and rights
Depending on where you live, you may have the right to access, correct, delete, or receive a copy of your data, and to opt out of “sale”/“sharing.” Here’s how to exercise them with ServeGrace:
- Access, export, or delete your data: email privacy@servegrace.com, or use the self-service privacy request portal made available by the business operating Grace. You provide your email, we send a verification link to confirm your identity, and on confirmation we provide a copy of your data or delete it.
- Global Privacy Control / universal opt-out: if your browser sends a GPC signal, we automatically treat it as your opt-out of sale/sharing — we suppress sending your data to the business’s CRM and turn off proactive engagement, and the widget confirms your opt-out was honored. No account needed.
- SMS/WhatsApp: reply STOP to opt out or HELP for help at any time.
- Withdraw chat consent: where a consent banner is shown, you can decline or withdraw, which stops the widget from operating.
We respond to verified rights requests within 45 days, or sooner where your local law requires (for example, within 15 days under Brazil’s LGPD). If a request is complex, we may extend this and will tell you why.
Who decides your request: for chat data, the business operating Grace is the data controller and decides the outcome of your request; ServeGrace provides the technical portal and carries out the controller’s documented instructions (GDPR Art. 28(3)). If you contact ServeGrace directly, we will route your request to that business and facilitate the response. The business operating Grace identifies itself and provides a rights-request contact in its own notice.
Part B — If you have a ServeGrace account
This section is for the businesses and individuals who sign up for and administer ServeGrace. Here, ServeGrace is the controller.
B1. What we collect, and why
| Category | Examples | Why |
|---|---|---|
| Account & identity | Name, work email, organization, role; authentication handled via our auth provider | To create and secure your account |
| Billing | Plan, subscription status, and payment data processed by our payment provider (we do not store full card numbers) | To bill you and manage your subscription |
| Usage & content | Your settings, knowledge-base content, conversations handled by your agents, product usage and AI-usage metering | To provide, meter, and improve the service |
| Support & communications | Messages you send us, emails we send you (account, billing, and renewal notices) | To support you and meet legal notice obligations |
B2. Legal basis (EU/UK)
Under GDPR Articles 13(1)(c)/14(1)(c), we map a legal basis to each processing purpose:
| Purpose | Legal basis |
|---|---|
| Create, authenticate, and secure your account | Performance of a contract (Art. 6(1)(b)) |
| Provide, meter, and bill the service | Performance of a contract (Art. 6(1)(b)) |
| Auto-renewal, billing, and tax recordkeeping | Legal obligation (Art. 6(1)(c)) |
| Securing, monitoring, and improving the service | Legitimate interests (Art. 6(1)(f)) |
| Contractual account & billing notices | Performance of a contract (Art. 6(1)(b)) |
| Statutory notices (e.g., automatic-renewal notices) | Legal obligation (Art. 6(1)(c)) |
| Non-essential marketing communications | Consent (Art. 6(1)(a)), where required |
For chat data (Part A), ServeGrace acts as a processor; the business that deploys Grace is the controller and determines the legal basis for that processing (GDPR Arts. 4(7), 4(8), 28(3)). ServeGrace processes Part A data only on the controller’s documented instructions.
B3. Sharing, retention, and rights
- Sharing: with the sub-processors in Section 5 (hosting, auth, payments, email, error monitoring). We don’t sell your data.
- Retention (per GDPR Arts. 5(1)(e), 13(2)(a)). Account-holder data does not currently have an automated post-termination deletion window, so we disclose the governing criteria rather than a fixed period:
Account-holder data Retention Account & profile data Retained for the life of the account. On cancellation or termination the account is deactivated and records are retained for as long as needed for legal, tax, dispute-resolution, and recordkeeping purposes. Knowledge-base content & settings Retained for the life of the account; you may export it or request deletion. Billing & payment records Retained as long as required by applicable tax, accounting, and recordkeeping law (card payments are processed and stored by Stripe). Auto-renewal / subscription consent records Retained for three years, or one year after the subscription terminates, whichever is longer — the period required by California’s automatic-renewal law (AB 2863). In-app support messages The in-app help assistant is ephemeral; these messages are not stored. You can request deletion of your account data at any time (see “Your rights” below), subject to records we are required to keep for legal reasons.
- Your rights: access, correction, deletion, portability, and objection, subject to our legal obligations. Contact privacy@servegrace.com.
Common sections (apply to everyone)
5. Sub-processors
We use the following sub-processors. The current, dated list is also published at servegrace.com/legal/subprocessors.
| Sub-processor | Purpose | Processing location |
|---|---|---|
| Anthropic, PBC | AI model that generates Grace’s replies | United States |
| OpenAI OpCo, LLC | Text embeddings for knowledge search (only when enabled) | United States |
| Amazon Web Services, Inc. | Cloud hosting & file/attachment storage | United States (us-east-1) |
| Clerk, Inc. | Account authentication for account holders | United States |
| Stripe, LLC | Subscription billing & payment processing | United States |
| Twilio Inc. | SMS / WhatsApp messaging (when enabled) | United States |
| Resend (Plus Five Five, Inc.) | Transactional & notification email | United States |
| Functional Software, Inc. (d/b/a Sentry) | Application error monitoring | United States |
| Railway Corporation | Application hosting infrastructure | United States |
Processing is primarily in the United States; some providers may also process in additional regions (e.g., redundancy or support access) — see each provider’s own documentation (GDPR Art. 13(1)(f)). Any such processing remains subject to the transfer safeguards described in Section 7, as applicable to each provider and processing scenario.
In addition, at a business customer’s direction, chat/contact data may be sent to third-party tools the customer connects (e.g., HubSpot, Salesforce, Pipedrive, Shopify, Cal.com). Those tools act under the customer’s own privacy terms.
6. Cookies, local storage, and tracking
The Grace widget uses minimal first-party browser storage, and only after the applicable consent gate: a session identifier (browser sessionStorage, cleared when the tab closes), plus accessibility preferences and a record of your consent choice (browser localStorage). It does not set first-party tracking cookies, does not use IndexedDB, and does not use third-party advertising or cross-site tracking cookies. We honor Global Privacy Control as a valid opt-out signal.
The servegrace.com marketing site does not currently use analytics or advertising/tracking cookies.
7. International data transfers
We process personal data in the United States. If you are in the EEA, UK, Switzerland, or another region with transfer restrictions, your data is transferred to the US under an appropriate transfer mechanism, applied as relevant to each processing scenario (see the legs below).
- EEA/UK/Swiss → ServeGrace (the restricted leg under GDPR Chapter V). For Part A chat data this transfer runs from the business (the EEA/UK controller) to ServeGrace (a US processor) and is papered in the Data Processing Agreement the business signs with us — using the EU Standard Contractual Clauses (Module 2, or Module 3 where the business is itself a processor), the UK IDTA/Addendum, and the Swiss addendum; or, for any recipient certified under the EU–US Data Privacy Framework and its UK Extension, that adequacy route. Where SCCs are relied on, a Transfer Impact Assessment is completed (Schrems II / SCC Clause 14).
- ServeGrace → US sub-processors (onward, US-to-US). Onward flows to the Section 5 sub-processors are governed by onward-transfer terms (SCC Clause 8.8) and Article 28(4) back-to-back terms in our sub-processor DPAs — not by fresh SCCs between two US entities — and remain subject to the safeguards of the original (upstream) EEA/UK/Swiss → US transfer.
8. Security
We protect personal information with administrative, technical, and organizational measures, including encryption in transit (TLS), access controls, and audit logging. Stored third-party integration credentials are encrypted at the application layer using AES-256-GCM. Data in our primary database and file storage is encrypted at rest by our infrastructure providers — file/attachment storage in Amazon S3 (us-east-1) under AWS default bucket encryption (AES-256), and the database on our hosting platform’s encrypted infrastructure, including database backups. No method is perfectly secure. In the event of a personal-data breach, we notify the appropriate parties as required by law — for example, under the GDPR a qualifying breach is reported to the supervisory authority within 72 hours, with affected individuals notified separately where the law requires; US state breach-notification timelines vary, and we comply with the applicable deadlines.
9. Children
ServeGrace is a business service that is not directed to, or intended for use by, anyone under the age of 18. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal information from someone under 18, we will delete it. If a business deploys Grace on a service that is directed to children, that use is governed by the business’s own obligations (e.g., COPPA, GDPR Article 8).
10. Region-specific disclosures
- California (CCPA/CPRA): the categories of personal information we collect and the purposes are listed above. We do not “sell” or “share” personal information as those terms are defined under the CPRA (including any disclosure for cross-context behavioral advertising). You have the rights to know, delete, and correct. You may have the right to limit the use of sensitive personal information where we use or disclose it beyond the CPRA’s permitted business purposes. We honor opt-out preference signals (GPC) and will not discriminate against you for exercising your rights.
- Other US states. Where applicable based on your state of residency, residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Oregon (OCPA), Texas (TDPSA), and other states with comprehensive privacy laws have rights to access, correct, delete, and obtain a copy of their data, and to opt out of targeted advertising, “sale,” and certain profiling. While these rights broadly overlap, the statutes differ in ways we honor:
- Appeals. Nearly every state with a comprehensive privacy law gives you the right to appeal if we decline your request (including Virginia, Colorado, Connecticut, Oregon, Texas, and others). If we deny your request, you may appeal by contacting privacy@servegrace.com; we will respond within the period your state’s law requires and tell you how to contact your state attorney general if you remain unsatisfied.
- Universal opt-out signals. Colorado, Connecticut, Oregon, Texas, and others require honoring browser-level universal opt-out mechanisms. We recognize Global Privacy Control (GPC) as a valid opt-out of sale/targeted advertising (see A6).
- Sensitive data. Where a state requires opt-in consent before processing sensitive data (e.g., Colorado, Connecticut, Virginia, Oregon), we obtain it. Texas likewise requires consent to process sensitive data, but additionally mandates specific notice language where applicable. We process sensitive data only as needed to provide the service.
- EU/UK (GDPR): legal bases, data-subject rights, and the right to lodge a complaint with a supervisory authority.
- Brazil (LGPD): rights mirror the above; requests answered within 15 days.
11. Changes to this notice
We’ll update this notice as the service or the law changes and revise the “Last updated” date. Material changes will be communicated as required.
12. Contact
Questions or requests: privacy@servegrace.com. For data handled on behalf of a business you interacted with, you may also contact that business directly.