Last updated: April 9, 2026
1. Data Controller
Caugia SASU, registered in France, is the data controller for personal data processed through GRIP OS. Contact: legal@caugia.com.
2. Data We Collect
Account data: Name, email address, company name, and role when you create an account.
Assessment data: Answers to GRIP assessment questions, company metrics (ARR, headcount, churn rates), and GTM configuration details.
Usage data: Pages visited, features used, and interaction patterns for service improvement.
Payment data: Processed by Stripe. We store only subscription status and plan type — never full card numbers.
3. How We Use Your Data
We process your data to: deliver GRIP scores, financial impact analysis, and action recommendations; generate GTM Intelligence Reports and module assessments; send Monday Brief emails and notifications; process payments and manage subscriptions; improve the Service through aggregated analytics.
4. Legal Basis (GDPR)
We process data based on: Contract performance (delivering the Service you subscribed to); Legitimate interest (service improvement, fraud prevention); Consent (marketing communications, optional analytics). You may withdraw consent at any time by contacting us.
5. Data Sharing and Third Parties
We share data only with service providers necessary to operate GRIP OS: Stripe (payment processing, PCI-DSS compliant); Supabase (database infrastructure, EU-hosted); Vercel (application hosting); PostHog / analytics (anonymized usage metrics). We do not sell personal data to third parties. Connector integrations (CRM, analytics tools) only access data you explicitly authorize.
6. Cookies
GRIP OS uses essential cookies for authentication and session management. We use analytics cookies (PostHog) only with your consent. You can manage cookie preferences in your browser settings. The Service functions without analytics cookies.
7. Data Retention
Account and assessment data is retained for the duration of your subscription plus 90 days. Payment records are retained for 10 years per French tax law. You may request earlier deletion of non-required data. Aggregated, anonymized data may be retained indefinitely for benchmarking.
8. Data Security
We implement industry-standard security measures including: encryption in transit (TLS 1.3) and at rest; row-level security on all database tables; regular security audits; access controls with role-based permissions. All infrastructure providers are SOC 2 compliant.
9. Your Rights (GDPR)
Under GDPR, you have the right to: Access your personal data; Rectify inaccurate data; Erase your data (right to be forgotten); Restrict processing; Port your data to another service; Object to processing based on legitimate interest. To exercise these rights, email legal@caugia.com. We respond within 30 days.
10. International Transfers
Your data is primarily stored in the EU (Supabase EU region). Where data is processed outside the EU (e.g., Vercel edge functions), we ensure adequate protection through Standard Contractual Clauses or equivalent safeguards.
11. Children
GRIP OS is a B2B service not directed at individuals under 16. We do not knowingly collect data from children.
12. Changes to This Policy
We will notify you of material changes via email or in-app notification at least 30 days before they take effect. Minor clarifications may be made without notice.
13. Contact and Complaints
For privacy inquiries: legal@caugia.com. You also have the right to lodge a complaint with the French Data Protection Authority (CNIL) at cnil.fr.
