Privacy Policy
Last updated: March 2026
1. Who we are
GrantFlow (“we”, “us”, “our”) is a web application that helps research teams manage grant budgets, work package allocations, and timesheet generation. GrantFlow is operated by GrantFlow, Lda, reachable at simaoferreirato@gmail.com.
We are the data controller for personal data processed through this service, as defined under Regulation (EU) 2016/679 (GDPR).
2. What data we collect
We collect and process the following categories of personal data:
- Account data: your email address and encrypted password, used to create and authenticate your account.
- Researcher data: names, job profiles, and annual salary figures you enter to calculate personnel costs in your grant projects. This data is entered by you and relates to members of your research team.
- Project data: project names, funding programmes, work packages, FTE allocations, and timesheet records you create within the application.
- Uploaded files: Excel template files you upload for budget or timesheet exports.
- Technical data: IP address, browser type, and standard server access logs, retained for security and operational purposes.
We do not collect any special categories of personal data.
3. How we use your data
We use your personal data to:
- Provide, maintain, and improve the GrantFlow service.
- Authenticate you and keep your account secure.
- Generate budget tables, timesheets, and exports on your behalf.
- Send transactional emails (account confirmation, password reset).
- Comply with legal obligations.
4. Legal basis for processing
We process your personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR): processing your account data and project data is necessary to provide the service you signed up for.
- Legitimate interests (Art. 6(1)(f) GDPR): processing technical data for security monitoring and service reliability.
- Legal obligation (Art. 6(1)(c) GDPR): retaining records where required by applicable law.
5. Data processors and transfers
We use the following third-party processors to operate the service:
- Supabase, Inc. (United States) — database, authentication, and file storage. Data is stored in EU-region servers. Supabase is GDPR-compliant and processes data under Standard Contractual Clauses (SCCs).
- Vercel, Inc. (United States) — application hosting and infrastructure. Vercel is GDPR-compliant and processes data under SCCs.
No personal data is sold, rented, or shared with third parties for marketing purposes.
6. Data retention
We retain your personal data for as long as your account is active. If you delete your account, all associated data is permanently deleted within 30 days. Technical logs are retained for up to 90 days.
7. Your rights under GDPR
You have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your personal data (“right to be forgotten”).
- Restrict processing in certain circumstances.
- Receive your data in a machine-readable format (data portability).
- Object to processing based on legitimate interests.
- Withdraw consent at any time where processing is based on consent.
To exercise any of these rights, contact us at simaoferreirato@gmail.com. We will respond within 30 days.
8. Supervisory authority
You have the right to lodge a complaint with the Portuguese data protection authority:
CNPD — Comissão Nacional de Proteção de Dados
Rua de São Bento, 148–3º, 1200-821 Lisboa
www.cnpd.pt
9. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice in the application. Continued use of GrantFlow after changes constitutes acceptance of the updated policy.
10. Contact
For any questions about this Privacy Policy or your personal data, contact us at simaoferreirato@gmail.com.