Private preview. Groundwork SRL is in the process of being incorporated in Italy; during this preview the Service is operated by its founder. Company registration details (VAT / registration number) are added at public launch.

Groundwork Privacy Policy

Last updated: July 17, 2026

Welcome to Groundwork, an AI-powered structured thinking partner built to help founders think clearly and move faster. Groundwork is operated by Groundwork SRL ("Groundwork," "we," "us," or "our"), a società a responsabilità limitata incorporated in Italy with its registered office in Bologna.

This Privacy Policy explains what personal information we collect when you use Groundwork, why we collect it, how we use and protect it, and what rights you have over it. We have written it in plain language because we believe you deserve to understand what is happening with your data — not just check a legal box.

If you have any questions after reading this policy, please contact us at hello@dogroundwork.ai (full contact details in Section 12).


1. Introduction and Scope

This Privacy Policy applies to all users of the Groundwork web application and any related services we make available (collectively, the "Service"). It covers data we collect directly from you, data generated automatically when you use the Service, and data we receive from third-party services you connect to Groundwork.

Who this policy applies to. This policy applies to anyone who accesses or uses the Service, regardless of where they are located. Because we serve users in the United States (approximately 50% of users), the European Union and European Economic Area (approximately 40% of users), and globally, we have designed this policy to comply with both the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). Specific rights for EU and California residents are set out in Section 7.

Our EU establishment. Groundwork's founder and sole operator is based in Italy. This gives Groundwork an establishment in the European Union within the meaning of GDPR Article 3(1). The Garante per la protezione dei dati personali (the Italian data protection authority) is our lead supervisory authority under the GDPR. Because we are EU-established, we do not need a separate Article 27 representative.

Data controller. For the purposes of the GDPR, Groundwork SRL is the data controller for personal data processed through the Service.

Pre-launch notice. Groundwork is currently in a pre-launch prototype stage. No real user accounts exist yet. This policy will be in effect from the moment we begin onboarding users.


2. Information We Collect

We collect information in three ways: information you give us directly, information generated automatically when you use the Service, and information we receive from third-party services you connect to Groundwork.

2.1 Information You Provide Directly

CategoryExamplesSource
Identity dataFirst name, last name, display nameYou, at registration
Contact dataEmail addressYou, at registration
Payment dataCredit or debit card details, billing address, transaction historyYou, via Stripe (see Section 5)
Content dataResponses you give during AI-guided question sessions, documents and artifacts you generate or upload within the ServiceYou, during use
Support dataMessages and attachments you send to our support teamYou, via our support tool Fin
Communications preferencesMarketing opt-in/opt-out choicesYou, at registration or in account settings

Payment data note. We do not store full payment card details on our own servers. Your card information is transmitted directly to and stored by Stripe, our payment processor. We receive only a tokenized reference and high-level transaction metadata (amount, date, status). See Section 5.

2.2 Information Collected Automatically

When you use the Service, we and our service providers automatically collect:

CategoryExamplesCollected via
Device & session dataBrowser type, operating system, device identifiers, IP address, session timestampsClerk, PostHog
Usage & behavioral dataPages visited, features used, clicks, navigation paths, session duration, error events, session replays (with all typed input masked and your project conversations excluded — see Section 8.1)PostHog, Sentry
Authentication dataSession tokens, login timestamps, multi-factor authentication statusClerk
Error & performance dataCrash reports, stack traces, performance metricsSentry
Cookie and tracking dataFirst-party cookies, local storage identifiersSee Section 8

2.3 Information from Third-Party Integrations You Connect

Groundwork allows you to connect third-party tools — currently including Google Drive, Balsamiq Cloud, and Mobbin — using OAuth authentication. When you connect an integration:

  • You authenticate directly with that third-party service using your existing credentials for that service.
  • We receive and store an OAuth token and associated MCP (Model Context Protocol) connection metadata that allows Groundwork to read from or write to that service on your behalf.
  • We access only the data within that service that is necessary to carry out the specific Groundwork task you have initiated.
  • We do not use data from your connected integrations for any purpose other than providing the Service to you.

You can revoke an integration at any time by disconnecting it within Groundwork or by revoking access directly within the third-party service. When you revoke an integration, we delete the associated OAuth token and MCP connection metadata from our systems immediately upon disconnection.

2.4 Information We Do Not Collect

  • We do not collect precise geolocation data.
  • We do not collect biometric data.
  • We do not purchase data from data brokers.
  • We do not collect data from social media profiles unless you explicitly connect a social account as an integration.
  • We do not sell your personal information.

3. How We Use Your Information

We use your personal information only for the purposes listed below. We do not use it for advertising, we do not sell it, and we do not use your content to train AI models.

PurposeWhat we useWhy
Providing the ServiceIdentity, contact, content, and integration dataTo operate your account, run AI-guided sessions, generate artifacts, and sync outputs to connected tools
Processing paymentsPayment data (via Stripe)To process project activations, credit purchases, and subscriptions
Customer supportSupport data, contact data, relevant account contextTo answer your questions and resolve problems
Service communicationsContact dataTo send transactional emails: receipts, account notices, security alerts, changes to terms or this policy
Product communicationsContact data, communications preferencesTo send product updates and feature announcements relevant to your use of the Service; you can opt out at any time
Improving the productUsage and behavioral data (aggregate)To understand which features work, where users get stuck, and what to build next
Security and reliabilityDevice, session, authentication, and error dataTo detect abuse, prevent fraud, debug errors, and keep the Service stable
Legal complianceTransaction records, consent recordsTo meet tax, accounting, and other legal obligations

AI processing. The content of your AI-guided sessions is processed by Anthropic, our AI provider, solely to generate responses and artifacts for you. Under Anthropic's standard API terms, this content is not used to train Anthropic's models. See Section 4.1.

No automated decisions with legal effect. We do not use your personal data to make automated decisions that produce legal or similarly significant effects on you.


3A. GDPR Lawful Bases for Processing

This section is directed at users in the EU and EEA. If you are based in the EU/EEA, every time we process your personal data we must have a lawful basis under Article 6(1) of the GDPR. The table below maps each processing activity to its legal basis and, where we rely on legitimate interests, summarises the balancing assessment we have carried out.

Processing activityData involvedLegal basisNotes
Account creation and managementName, email addressContract performance — Art. 6(1)(b)Processing is necessary to create your account, authenticate you, and manage your relationship with us.
AI-guided session deliveryContent you submit during question sessionsContract performance — Art. 6(1)(b)Transmitting your session content to our AI provider (Anthropic) is the core mechanism by which we deliver the Service.
Third-party integration accessOAuth tokens, MCP connection metadata, data accessed within connected servicesContract performance — Art. 6(1)(b)Accessing your connected integrations is necessary to carry out the specific Groundwork tasks you initiate.
Payment processingPayment card data, billing address, transaction historyContract performance — Art. 6(1)(b) and Legal obligation — Art. 6(1)(c)Processing is necessary to fulfil our contract with you. Retention of transaction records is additionally required by tax and accounting laws applicable in Italy.
Analytics cookies and behavioral tracking (PostHog)Usage data, device data, session identifiersConsent — Art. 6(1)(a)For users in the EU/EEA (and the UK and Switzerland), we activate PostHog only after you have given explicit, granular consent via the cookie consent banner. You may withdraw consent at any time through the Cookie Preference Center (Section 8). Outside these regions, analytics operates on an opt-out basis as described in Section 8.2.
Error monitoring and performance tracking (Sentry)Crash reports, stack traces, device data, partial session contextLegitimate interests — Art. 6(1)(f)Security and stability monitoring is necessary to protect the integrity of the Service and the personal data it holds. Our interest in maintaining a secure, functioning product is not overridden by your interests, given that Sentry data is used only for debugging and not for profiling or advertising.
Marketing and feature announcement emails to existing usersEmail address, name, email engagement dataLegitimate interests — Art. 6(1)(f)Communications are limited to product-related updates relevant to your use of the Service; we do not send unrelated third-party marketing. You can unsubscribe at any time, and we honour opt-outs promptly.
Customer supportSupport conversations, email address, nameLegitimate interests — Art. 6(1)(f)Handling your requests and retaining a record of interactions is necessary to resolve disputes and improve the Service. Retention is limited to 2 years after ticket closure or account closure (whichever is later), as set out in Section 6.4.

4. Information Sharing & Disclosure

We do not sell your personal information. We do not share your data with advertisers or data resellers. We share your data only in the following circumstances.

4.1 Service Providers (Processors)

We use the following third-party companies to help us operate the Service. Each has access only to the data necessary to perform their specific function and is contractually required to protect your data and use it only as we direct.

ProviderFunctionData sharedLocation
ClerkAuthentication, session management, identityName, email, device/session dataUSA
AnthropicAI language model processingContent you submit during question sessions (session-ID-linked only)USA
VercelWeb hosting and infrastructureAll data transiting through the applicationUSA
Neon (a Databricks company)Database hosting (Postgres)All data stored by the Service: account records, project content, chat history, generated artifacts, encrypted integration tokensEU (Frankfurt, Germany)
StripePayment processingPayment card data, billing address, transaction historyUSA
PostHogProduct analytics and behavioral trackingUsage data, device data, session identifiersEU (Frankfurt, Germany — AWS EU-West)
Fin (Intercom)Customer supportSupport conversations, email, nameUSA
ResendTransactional and marketing email deliveryEmail address, name, email contentUSA
Sentry (Functional Software, Inc.)Error monitoring and performance trackingError/crash data, device data, partial session contextEU (Frankfurt, Germany — Sentry EU data region)

A note on Anthropic. When you engage in an AI-guided question session, the content of your session — including your responses and any context you provide — is transmitted to Anthropic for processing. Under Anthropic's standard API terms of service, content submitted via the API is not used to train Anthropic's models by default. We do not send Anthropic your name, email, or payment information; sessions are associated with an internal session identifier only. Anthropic offers a Data Processing Agreement (DPA) for API customers. We will execute Anthropic's DPA before any EU users are onboarded, in order to provide the contractual protections required for EU personal data transferred to Anthropic for processing. We will update this section to confirm executed DPA status before we begin onboarding users.

A note on PostHog. We use PostHog's EU Cloud instance. Behavioral and usage data collected through PostHog is stored in Frankfurt, Germany (AWS EU-West). Because data remains within the EU, no cross-border transfer of EU user behavioral data to a third country occurs in connection with PostHog.

A note on Sentry. We use Sentry's EU data region. Error and crash data collected through Sentry is stored in Frankfurt, Germany. Because data remains within the EU, no cross-border transfer of EU user error data to a third country occurs in connection with Sentry.

EU data transfers. Several of the providers above are based in the United States. When we transfer personal data from the EU/EEA to these providers, we rely on appropriate safeguards, which currently include Standard Contractual Clauses (SCCs) approved by the European Commission. We will confirm and execute SCCs with all US-based processors — including Clerk, Vercel, Stripe, Resend, and Fin (Intercom) — before any EU users are onboarded, and we will update this processor table to reflect the confirmed transfer mechanism for each provider at launch. We will also execute Anthropic's DPA before EU users are onboarded. Our database (Neon) is hosted in an EU region (Frankfurt, Germany), so the application data stored by the Service — your account records, project content, chat history, and generated artifacts — remains within the EU at rest, for all users worldwide. As with PostHog, no cross-border transfer of this stored data to a third country occurs in connection with database hosting.

4.2 Authorized Contractors

From time to time we may engage individual contractors (for example, a developer, designer, or support specialist) to help build or operate the Service. Any contractor who may access personal data in the course of their work is required to sign a confidentiality agreement, receives access only to the minimum data needed for their task, and is prohibited from using your data for any other purpose. Access is revoked when the engagement ends.

At this stage of the product, production system access is restricted to the sole founder and operator of Groundwork.

4.3 User-Connected Third-Party Integrations

When you connect a third-party tool (Google Drive, Balsamiq Cloud, Mobbin) and initiate a task that uses it, Groundwork transmits the data needed for that task to that service — for example, writing a generated document into your Google Drive, or creating wireframes in your Balsamiq project. Data you send to a connected service is then governed by that service's own privacy policy and terms, not this one. We encourage you to review the privacy practices of any service you connect. We never connect an integration on your behalf without your explicit OAuth authorization.

We do not transmit data from your connected integrations to any party other than Anthropic (for AI processing as described above) and Vercel (as the infrastructure layer hosting the Service). OAuth tokens and integration metadata are deleted immediately upon disconnection (see Section 6.5).

4.4 Legal Requirements

We may disclose your personal information if we believe in good faith that disclosure is required by law — for example, in response to a subpoena, court order, or other binding request from a competent authority. We interpret such requests narrowly, disclose only what we are legally required to disclose, and — unless we are legally prohibited from doing so — we will notify you before disclosing your data so you have an opportunity to object.

4.5 Business Transfers

If Groundwork is involved in a merger, acquisition, financing, reorganization, or sale of some or all of its assets, your personal information may be transferred as part of that transaction. If that happens, we will notify you by email and/or a prominent notice in the Service before your data becomes subject to a different privacy policy, and we will require the receiving party to honor the commitments made in this policy for data collected under it.

4.6 What We Will Never Do

  • We will never sell your personal information.
  • We will never share your data with advertisers, ad networks, or data brokers.
  • We will never use your session content, documents, or artifacts to train AI models, and we do not permit our AI provider to do so.
  • We will never read your session content for any purpose other than operating the Service, debugging a problem you have reported, or complying with a legal obligation.
  • We will never make your projects or artifacts public unless you explicitly create a share link.

5. Payment Processing

All payments — project activations, credit pack purchases, and subscriptions — are processed by Stripe, Inc., a PCI-DSS Level 1 certified payment processor.

  • What Stripe receives: your card details, billing address, and transaction information. You provide these directly to Stripe through their secure checkout; your full card number never touches our servers.
  • What we receive and store: a tokenized customer reference, the payment method's last four digits and brand (for display in your billing settings), and transaction metadata (amount, currency, date, status).
  • Subscriptions: recurring billing is managed by Stripe. You can update your payment method or cancel through the Stripe customer portal, accessible from your billing page.

Stripe acts as an independent controller for some of the data it processes (for example, for fraud prevention). Stripe's privacy policy is available at https://stripe.com/privacy.


6. Data Retention

We retain your personal information only as long as necessary for the purposes described in this policy, or as required by law.

6.1 Active Account Data

While your account is active, we retain your account data, project content, chat history, and generated artifacts so the Service can function — your projects and their full context are the product. You can delete individual projects (including their chat history and artifacts) at any time from within the Service, and you can request deletion of your entire account at any time (see Section 7).

6.2 Post-Deletion Recovery Window

When you delete your account, it is immediately deactivated and scheduled for deletion. For 30 days your data is retained in a suspended state so we can restore it if you deleted by mistake or your account was compromised. After 30 days, your personal data is permanently deleted from our production systems, and it is purged from encrypted backups on a rolling basis within a further 60 days. Data we must keep longer (Sections 6.3, 6.4, 6.6) is retained only for those specific purposes.

6.3 Payment Data

Transaction records (what was purchased, when, for how much, and the associated billing identity) are retained for up to 10 years after the transaction, as required by tax and accounting laws applicable in Italy. Card details are held by Stripe under its own retention rules; we never hold them.

6.4 Support Data

We retain support conversation data — including messages, attachments, and associated metadata — for 2 years from the date a support ticket is closed or the date your account is closed, whichever is later. This retention period is justified by the need to resolve disputes that may arise in connection with the Service. Two years reflects the standard contractual dispute limitation periods applicable in Italy (where the company is incorporated), ensuring we can respond to any claim that falls within the ordinary limitation window. After this period, support data is permanently deleted or irreversibly anonymised.

6.5 OAuth Tokens and Integration Metadata

OAuth tokens and MCP connection metadata are deleted immediately upon disconnection — whether you disconnect an integration within Groundwork or revoke access directly within the third-party service. If your account is closed, all remaining OAuth tokens and integration metadata are deleted as part of the account deletion process described in Section 6.1.

6.6 Marketing Consent Records

We keep a record of when and how you gave or withdrew consent to marketing communications (timestamp, method, and the choice you made) for as long as we send you marketing plus 3 years after your last consent change, so we can demonstrate compliance with consent requirements. This record contains only the consent event itself, not the content of any communications. If you unsubscribe, we retain a suppression record to ensure we do not contact you again.

6.7 Anonymized and Aggregated Data

We may retain data that has been irreversibly anonymized or aggregated (for example, "X% of projects reach the artifact stage") indefinitely. This data no longer identifies you and is not personal information.


7. Your Rights & Choices

You have meaningful control over your personal data, wherever you live. We extend the core rights below to all users; certain rights are additionally guaranteed by law for EU/EEA and California residents. Many of these rights will be exercisable directly within the product as self-service features — we are building these in as core functionality, not an afterthought. In the meantime, you can exercise any of the rights below by emailing hello@dogroundwork.ai (see Section 7.4).

7.1 Rights Available to Everyone

  • Access — ask for a copy of the personal data we hold about you.
  • Correction — fix inaccurate account data (name and email can be updated directly in account settings).
  • Deletion — delete individual projects in-app, or request full account deletion.
  • Export — download your artifacts from within the Service, and request an export of your data in a portable format.
  • Marketing opt-out — unsubscribe from marketing emails via the link in any email or in account settings. Transactional emails (receipts, security notices) are sent regardless, as they are part of operating the Service.

7.2 Additional Rights for EU/EEA Users (GDPR)

If you are in the EU/EEA, you also have the right to:

  • Restriction of processing (Art. 18) — require us to limit how we use your data while a dispute about it is resolved.
  • Object (Art. 21) — object to processing based on legitimate interests, including marketing; for marketing we will stop without requiring any justification.
  • Data portability (Art. 20) — receive data you provided to us in a structured, commonly used, machine-readable format.
  • Withdraw consent (Art. 7(3)) — at any time, for processing based on consent (e.g. analytics cookies), without affecting prior processing.
  • Lodge a complaint — with the Garante or your local supervisory authority (see Section 12).

We will respond to GDPR requests within one month, extendable by two further months for complex requests (we will tell you if we need the extension).

7.3 Additional Rights for California Residents (CCPA/CPRA)

If you are a California resident, you have the right to:

  • Know what categories of personal information we collect, the purposes, and the categories of third parties we disclose it to (all described in this policy).
  • Access the specific pieces of personal information we hold about you.
  • Delete your personal information, subject to legal exceptions.
  • Correct inaccurate personal information.
  • Opt out of sale or sharing — we do not sell or share personal information as defined by the CCPA, so there is nothing to opt out of.
  • Limit use of sensitive personal information — we do not use sensitive personal information for purposes requiring a limitation right.
  • Non-discrimination — we will never penalize you for exercising your privacy rights.

We will acknowledge CCPA requests within 10 business days and respond within 45 days, extendable once by a further 45 days.

7.4 How to Exercise Your Rights

Email hello@dogroundwork.ai from the address associated with your account, or use the in-app account settings where available. We will verify your identity before acting on a request — normally by confirming control of your account email. You may use an authorized agent (California) or a legal representative (EU); we will verify their authority. Exercising your rights is free of charge, unless requests are manifestly unfounded or excessive.


8. Cookies & Tracking Technologies

8.1 What We Use

Groundwork uses cookies and similar technologies (local storage, session storage, pixel tags) to operate the Service and understand how it is used.

TypePurposeCan you opt out?
Strictly necessaryAuthentication (Clerk), security, session management — the Service cannot function without theseNo — these are essential
AnalyticsUsage tracking (PostHog)Yes — see below
Error monitoring & performanceCrash and error reporting (Sentry)No — runs under legitimate interests; see below
Marketing / communicationsEmail open tracking (Resend)Yes — unsubscribe from emails

Strictly necessary cookies are set by Clerk to manage your authenticated session and are deleted when you log out or when the session expires. They contain no advertising identifiers and are never shared with third parties for marketing purposes. We also set two small first-party cookies of our own in this category: gw_cookie_consent, which records the cookie choices you make so we can respect them (kept for 12 months), and gw_region, which remembers whether opt-in consent rules apply in your region (kept for 24 hours). Recording your consent choice is itself strictly necessary — it is how we honor it.

Analytics cookies set by PostHog allow us to understand how the product is used at an aggregate level — for example, which features are used most, where errors occur, and how sessions flow. This includes session replay: a reconstruction of how you move through the interface. Replays are heavily redacted at the source — everything you type is masked before it leaves your browser, and your project conversations (the chat where you discuss your business) are excluded from recording entirely. PostHog data is not used for advertising.

Error monitoring and performance tracking is carried out by Sentry, which sets identifiers to associate error reports with sessions for debugging. Sentry operates under our legitimate interests in maintaining a secure, stable, and functioning service (see Section 3A). Because it is not used for advertising or behavioral profiling, we do not gate Sentry behind the consent banner; however, we disclose its presence here so you are fully informed. Sentry data is used exclusively for diagnosing and resolving technical issues.

Email tracking through Resend involves pixel-based open tracking in marketing emails. You can prevent this by unsubscribing from marketing emails or by configuring your email client to block remote images.

8.2 Managing Your Cookie Preferences

When you first visit Groundwork, you will be presented with a cookie consent banner that describes the categories of non-essential cookies in use and allows you to accept or reject each category individually. Strictly necessary cookies are enabled by default and cannot be declined. The default for the analytics category — currently PostHog — depends on where you are:

  • If you are in the EU/EEA, the United Kingdom, or Switzerland (or if we cannot determine your location), analytics is off by default and is activated only after you give explicit consent in the banner or the preference center. If you decline or have not yet made a choice, PostHog remains inactive for your session — not even its code is loaded.
  • Everywhere else, analytics is on by default, and you can turn it off at any time using the same banner and preference center. Declining takes effect immediately and also removes PostHog's stored identifiers from your browser.

We determine your region from the country your connection originates from. The controls are identical everywhere — only the starting position differs.

After making your initial choice, you can update your preferences at any time through the Cookie Preference Center, accessible from the footer of the Service and from your account settings. Your choice is stored in a first-party cookie and respected across sessions for 12 months, after which the banner will ask again. If we add a new cookie category or materially change an existing one, we will also re-prompt you rather than assume your earlier choice covers it.

Sentry error monitoring is not subject to the consent banner in any region, as it is operated under our legitimate interests (see Section 3A) and is limited strictly to security and stability purposes; it does not profile users or serve advertising.

You can also manage cookies through your browser settings. Note that blocking strictly necessary cookies will prevent you from using the Service.

8.3 Do Not Track

Some browsers send a "Do Not Track" (DNT) signal. There is no accepted standard for how to respond to DNT, and we do not respond to it. However, we honor the Global Privacy Control (GPC) signal: if your browser sends GPC, analytics stays off by default in every region — including regions where it would otherwise be on by default — and the banner tells you so. An explicit choice you make in the banner or the Cookie Preference Center takes precedence over the GPC signal, in either direction: you can still enable analytics deliberately, and an explicit decline is honored regardless. Since we do not sell or share personal information, this analytics opt-out is the practical effect of GPC on Groundwork.


9. Security Measures

We take the security of your data seriously and apply safeguards appropriate to the sensitivity of what you entrust to us:

  • Encryption in transit. All traffic between your browser and the Service, and between the Service and our providers, is encrypted with TLS.
  • Encryption at rest. Our database is encrypted at rest by our database provider (Neon). OAuth tokens for your connected integrations receive an additional layer of application-level encryption (AES-256-GCM) — a database leak alone would not expose usable tokens.
  • No card data. Payment card details are handled exclusively by Stripe and never stored on our systems.
  • Authentication. Account access is managed by Clerk, with support for multi-factor authentication. We encourage you to enable it.
  • Least-privilege access. Access to production systems is currently restricted to the sole founder and operator of Groundwork. No third party has standing access to production data, and administrative access is logged.
  • Sandboxed user content. Interactive artifacts (e.g. HTML prototypes) are executed in sandboxed, isolated contexts so they cannot access your session or data.
  • Breach notification. If a personal data breach occurs that is likely to result in a risk to your rights, we will notify the competent supervisory authority within 72 hours as required by GDPR Article 33, and notify you directly without undue delay where the risk is high.

We do not currently hold a SOC 2 certification or equivalent third-party security audit certification. We are a small, early-stage product, and we want to be transparent about that. We will update this section as our security posture develops.

No system is perfectly secure. If you believe you have found a security vulnerability in Groundwork, please report it to hello@dogroundwork.ai and we will respond promptly.


10. Children's Privacy

Groundwork is a professional tool for founders and is not directed at children. You must be at least 18 years old to create an account. We do not knowingly collect personal information from anyone under 18. If we learn that we have collected personal data from a person under 18, we will delete it promptly. If you believe a minor has provided us personal data, please contact us at hello@dogroundwork.ai.

In particular, the Service is not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information as promptly as possible.

For users in the EU, the applicable age of digital consent may vary by member state (ranging from 13 to 16). We do not knowingly collect data from minors below the applicable digital consent age in their jurisdiction.


11. Changes to This Policy

We may update this Privacy Policy as the Service, the law, or our providers change. When we do:

  • We will update the "Last updated" date at the top of this page.
  • For material changes — anything that expands how we collect, use, or share your personal data — we will notify you at least 30 days before the change takes effect, by email and/or a prominent in-app notice, so you can review the change and, if you wish, close your account before it applies.
  • Minor clarifications and editorial changes may take effect immediately upon posting.

Your continued use of the Service after a change takes effect constitutes acceptance of the updated policy. Prior versions are available on request.


12. Contact Information

If you have questions about this Privacy Policy, want to exercise your privacy rights, or have a concern about how we handle your data, please contact:

Privacy Contact Groundwork SRL

Email: hello@dogroundwork.ai

For EU residents: Groundwork SRL is the data controller for personal data processed through the Service. As a company established in Italy, Groundwork falls under GDPR Article 3(1), and the Garante per la protezione dei dati personali (the Italian data protection authority) is the lead supervisory authority. If you are not satisfied with our response to a privacy concern, you have the right to lodge a complaint with the Garante or with the supervisory authority in the EU member state where you live or work. Contact information for the Garante is available at https://www.garanteprivacy.it. A directory of all EU supervisory authorities is available at https://edpb.europa.eu.

For California residents: You may also contact the California Privacy Protection Agency (CPPA) at https://cppa.ca.gov.

We aim to acknowledge all privacy requests within 5 business days and resolve them within the timelines stated in Section 7.


Groundwork SRL · hello@dogroundwork.ai

© 2026 Groundwork