Privacy Policy

Last updated: 27 April 2026

1. Who We Are

ZenGrants is operated by SCS Ventures, LLC, operating as ZenGrants ("we", "us", or "our"). We are the data controller responsible for your personal data under UK data protection law.

Contact: hello@zengrants.co
Data protection enquiries: sam@zengrants.co

We do not currently have a formally designated Data Protection Officer. For all data protection enquiries, please contact us at the addresses above.

2. What Personal Data We Collect

Account Information

Name, email address, and password (stored as a secure hash) when you create an account. If you sign up using Google, we receive your name and email address from Google's authentication service.

Project and Grant Content

Documents, grant applications, project descriptions, research notes, and other materials you upload or create within the platform ("Your Content"). This may include commercially sensitive information, innovations, and proprietary research. We treat all such content as strictly confidential.

Usage Data

Information about how you interact with the service — features used, pages visited, and actions taken. This is used in aggregate, anonymised form only, to understand how we can improve the platform.

Device and Log Data

IP address, browser type, operating system, and referring URLs, collected automatically when you access the service. Used for security monitoring and troubleshooting.

Communications

Messages you send to our support team, feedback you provide, and survey responses.

Cookies

We use cookies to keep you logged in and, with your consent, to collect analytics data. See Section 9 (Cookies) for full details.

3. How We Use Your Data

We process your personal data for the following purposes, each grounded in a lawful basis under UK GDPR:

4. How ZenGrants Uses AI

Our AI-powered features are provided using the Google Gemini API. When you use AI features, relevant portions of your content are transmitted to Google to generate a response.

We will never use your content to train AI models. This is a core commitment. Google's enterprise API terms contractually prohibit the use of customer data for model training. AI-generated outputs (grant drafts, research plans, question answers) remain your intellectual property.

Please note: AI-generated content may contain inaccuracies. You are responsible for reviewing and verifying all outputs before submitting grant applications to funders.

5. Your Data, Your Intellectual Property

You retain full ownership of all content you upload to ZenGrants, including documents, project descriptions, and any commercially sensitive information. You also own all AI-generated grant drafts and outputs created from your inputs.

We will never reproduce, redistribute, sell, licence, or otherwise exploit Your Content outside of operating the service for you. The limited licence you grant us is strictly for delivering the service — nothing more.

6. How We Protect Your Data

We implement technical, physical, and organisational safeguards to protect your personal data:

• Encryption in transit: TLS 1.3 for all data in motion
• Encryption at rest: AES-256 via Google Cloud Platform
• Access controls: Role-based access and least-privilege principles
• Authentication: Secure session management via Firebase Authentication
• Monitoring: Security event logging and anomaly detection

No method of transmission or storage is completely secure. We cannot guarantee absolute security, but we are committed to addressing any security issues promptly. In the event of a confirmed breach affecting your personal data, we will notify you without undue delay and within 72 hours of becoming aware of it.

7. International Data Transfers

We use the following service providers, some of whom operate outside the UK and European Economic Area (EEA):

• Firebase / Google Cloud (Database & Authentication): User data is stored in our UK-region Firestore database (europe-west2, London). Firebase Authentication operates on Google's global infrastructure and may process data internationally. Google is subject to the EU–US Data Privacy Framework and Standard Contractual Clauses.
• Google Gemini API (AI Processing): When you use AI-powered features, content is processed via the Google Gemini API. Standard Gemini API calls may be processed on Google infrastructure outside the UK/EEA. Google's enterprise API terms prohibit use of your data for model training. We are investigating Vertex AI regional endpoints to restrict processing to the EU where possible.
• Vercel (Hosting): Our application is hosted on Vercel with server functions configured to the UK region. Vercel's global edge network may serve static assets from other regions.
• Zoho ZeptoMail (Transactional Email): We use Zoho's EU hosting. Email delivery may involve routing through global infrastructure. Zoho is subject to GDPR and maintains Standard Contractual Clauses.

All transfers are protected by appropriate safeguards including Google's and Zoho's Standard Contractual Clauses and their respective GDPR-compliant data processing terms.

8. Data Retention

We retain your data for the following periods:

• Account data: Retained for the life of your account. Deleted within 90 days of account closure.
• Your Content (documents, grant drafts, project data): Retained while your account is active. Upon account deletion, your data is immediately deleted from production systems. After this, content is deleted from backups within a further 90 days.
• Usage and log data: Retained for up to 12 months for security purposes, then deleted or anonymised.
• Payment records: Retained for 7 years as required by UK tax and accounting law.

You may request deletion of your data at any time by contacting hello@zengrants.co.

9. Cookies and Tracking Technologies

We use the following categories of cookies:

• Essential cookies: Required for the service to function. These keep you logged in and maintain your session. They cannot be disabled without breaking the service.
• Analytics cookies (optional): Google Analytics and Vercel Analytics help us understand how the service is used so we can improve it. These are loaded only if you accept cookies via our consent banner. You can withdraw consent at any time by clearing your browser's local storage or cookies.

10. Who We Share Data With

We do not sell or share your personal data with third parties for marketing purposes. We share data only with the following sub-processors, solely to operate the service:

• Google (Firebase, Gemini API): Database, authentication, and AI features
• Vercel: Application hosting and edge delivery
• Zoho (ZeptoMail): Transactional email delivery

All sub-processors are bound by data processing agreements and may only use your data to provide services on our behalf.

We may also disclose data where required by law, regulation, or a valid court order, or in connection with a merger, acquisition, or sale of substantially all our assets (with notice provided to you).

11. Your Rights (UK GDPR)

Under UK data protection law, you have the right to:

• Access — Request a copy of the personal data we hold about you
• Rectification — Correct inaccurate or incomplete data
• Erasure — Request deletion of your data ("right to be forgotten")
• Restriction — Limit how we process your data in certain circumstances
• Data portability — Receive your data in a structured, machine-readable format
• Object — Object to processing based on legitimate interests
• Withdraw consent — Withdraw consent for marketing or analytics cookies at any time, without affecting previous lawful processing
• Automated decisions — Not be subject to solely automated decision-making that significantly affects you

To exercise any of these rights, contact us at hello@zengrants.co. We will respond within 30 days. There is no charge for reasonable requests.

12. Children's Privacy

ZenGrants is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children under 16. If you believe we have inadvertently collected such data, please contact us immediately.

13. Changes to This Policy

We may update this Privacy Policy from time to time. For material changes, we will notify you by email or a prominent notice within the service at least 30 days before the changes take effect. The "Last updated" date at the top indicates when this policy was most recently revised.

14. Supervisory Authority

You have the right to lodge a complaint with the UK Information Commissioner's Office (ICO) if you believe your data protection rights have been violated:

• Website: ico.org.uk
• Phone: 0303 123 1113

15. Contact Us

These terms were last reviewed in April 2026. This policy applies to the ZenGrants application at zengrants.co, operated by SCS Ventures, LLC operating as ZenGrants.