Privacy Policy

Last updated 17 April 2026

This policy explains what personal data Graden collects, why, what we do with it, and the rights you have. We follow the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

1. Who we are

Graden Ltd is the data controller for personal data about company users (your team) and the data processor for personal data about candidates that your company uploads or invites into the platform. You can reach us at hello@gradenhq.com.

2. What we collect

From company users: name, email address, password (hashed), organisation name, role, login activity, IP address, and acceptance of these terms.

From candidates: name and email address as supplied by the hiring company; whatever the candidate submits as their take-home deliverable (text, files, link, GitHub repository); answers to any questionnaire the company attaches; and basic technical data needed to deliver the portal.

Billing: we don't store full card details. Payments are handled by Stripe, who hold the card number; we hold a customer reference and invoice metadata.

Technical: server logs, error reports, and usage events used to keep the service running and secure.

3. Lawful bases for processing

We rely on the following lawful bases under UK GDPR Article 6:

  • Contract — to provide the service to your organisation
  • Legitimate interests — to keep the service secure, prevent abuse, debug errors, and improve the product
  • Legal obligation — to comply with tax, accounting and other regulatory requirements
  • Consent — for any optional emails or features you opt into

4. How we use it

  • To deliver the service: send assessments, accept submissions, generate AI reviews, notify reviewers, manage billing
  • To support you: answer questions, investigate issues
  • To keep the service safe: detect abuse, prevent fraud, respond to security incidents
  • To improve the product: aggregate usage analysis (no candidate content is used to train AI models)

5. AI processing

Submissions are sent to Anthropic (the maker of Claude) for the AI review step. We have a data processing agreement in place. Anthropic does not use Graden traffic to train its models. The submission, the rubric, and the resulting review are stored in Graden's database; the prompt and response are not stored permanently by Anthropic beyond their retention window.

6. Sub-processors

We use the following sub-processors to deliver the service:

  • Anthropic — AI review (United States, under SCCs)
  • Stripe — payments (United States, under SCCs)
  • Postmark — transactional email (United States, under SCCs)
  • Cloudflare R2 — file storage (United Kingdom)
  • Hetzner — application hosting (Germany)
  • GitHub — repository read access for code submissions, scoped per-repo and revocable by the candidate (United States, under SCCs)
  • Sentry — error tracking (Germany)

7. Retention

Customer Data is kept for as long as your account is active. If you cancel, we'll delete it within 30 days unless we're required to keep it by law (for example, billing records for tax purposes). You can request earlier deletion at any time.

8. International transfers

Some sub-processors are based outside the UK. Where data leaves the UK, we use UK-approved Standard Contractual Clauses (or equivalent safeguards) so that your data remains protected to UK GDPR standards.

9. Your rights

Under UK GDPR you have the right to:

  • Access the personal data we hold about you
  • Correct it if it's wrong
  • Have it deleted (subject to lawful retention)
  • Restrict or object to certain processing
  • Receive it in a portable format
  • Withdraw consent for anything you consented to

To exercise any of these rights, email hello@gradenhq.com from the address on your Graden account. We respond within 30 days and, for export or deletion requests, confirm in writing once the work is done. Deletion covers your account, organisation, team members, challenges, assignments, submissions, and reviews; billing records we're required to retain for tax purposes are kept for the statutory period and deleted afterwards. You also have the right to complain to the Information Commissioner's Office (ICO) at ico.org.uk.

10. Security

We protect data in transit with TLS, encrypt sensitive data at rest, run on hardened infrastructure, restrict employee access on a need-to-know basis, and review our security posture regularly. No system is perfectly secure, but we take this seriously.

11. Cookies

See our Cookie Policy for details on the cookies we set.

12. Changes to this policy

We'll update this policy as the service evolves. If a change materially affects you, we'll let you know by email.

13. Contact

Questions, requests or complaints: hello@gradenhq.com.