Privacy Policy

Last Updated: 21 March 2026

1. Introduction

Grantmaker is developed, maintained and owned by Deerleap Innovations Ltd. ("we", "us", "our", or "the Company"). We are committed to protecting your personal data and respecting your privacy.

This Privacy Policy explains how we collect, use, process, and protect your personal information when you use our SaaS platform at https://grantmaker.co.uk (the "Service"). This policy applies to all users of our Service, including grant makers managing funding opportunities and organisations applying for funding.

Deerleap Innovations Ltd. is a limited company registered in England and Wales (Company Number: 16542670) with our registered office at 3 The Bramleys, Whiteparish, Salisbury, England, SP5 2TA.

We are the data controller responsible for your personal data. This means we determine how and why your personal data is processed.

2. Legal Basis for Processing

We process your personal data in compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. We only process your personal data when we have a legal basis to do so:

• Contract Performance: Processing necessary to provide our Service to you
• Consent: You have given clear consent for specific processing activities
• Legitimate Interests: Processing necessary for our legitimate business interests
• Legal Obligation: Processing required to comply with the law

3. Information We Collect

3.1 Information You Provide to Us

Account Information:

• Full name
• Email address
• Company name (if applicable)

Content and Usage Data:

• Files, documents, and data you upload to the Service
• Content you create, store, or share through the Service
• Messages and communications sent through the Service
• Settings and preferences

3.2 Information We Collect Automatically

Technical Information:

• IP address
• Browser type and version
• Device type and operating system
• Time zone setting and location
• Browser plug-in types and versions
• Pages visited and features used
• Time and date of your visit
• Referral source

Analytics Data:

• Usage patterns and interactions with the Service
• Session recordings and heatmaps
• Performance metrics
• Error logs and diagnostic data

3.3 Information from Third Parties

We may receive information from:

• Authentication services if you sign up using third-party accounts
• Public registries such as the Charity Commission, to verify and enrich information about organisations linked to applications
• Publicly available websites, which may be retrieved and processed to support application assessments

4. How We Use Your Information

We use your personal data for the following purposes:

4.1 To Provide and Maintain Our Service

• Create and manage your account
• Provide customer support
• Deliver the core functionality of our platform
• Send service-related communications (updates, security alerts, etc.)

Legal Basis: Contract Performance

4.2 To Improve and Develop Our Service

• Analyse usage patterns and user behaviour
• Conduct research and development
• Test new features and functionality
• Monitor and improve performance
• Fix bugs and technical issues

Legal Basis: Legitimate Interests

4.3 To Communicate With You

• Send you updates about the Service
• Respond to your inquiries and support requests
• Send marketing communications (with your consent)
• Provide information about new features
• Send administrative information

Legal Basis: Contract Performance, Consent (for marketing)

4.4 For Security and Fraud Prevention

• Detect and prevent fraud
• Monitor for security threats
• Protect against malicious activity
• Enforce our Terms of Service

Legal Basis: Legitimate Interests, Legal Obligation

4.5 To Comply With Legal Obligations

• Respond to legal requests
• Comply with applicable laws and regulations
• Exercise or defend legal claims
• Meet tax and accounting requirements

Legal Basis: Legal Obligation

5. AI and Large Language Model Processing

Our Service uses artificial intelligence and large language models (LLMs) to provide the functionality of the Service. We use Anthropic (Claude), delivered via AWS Bedrock, for AI-powered analysis and assessments, and Mistral for document processing and text extraction.

5.1 How AI Processes Your Data

When you use AI-powered features:

• Your inputs and content will be processed by third-party LLM providers
• Processing occurs to generate responses, suggestions, or insights
• Data is processed according to our agreements with these providers

5.2 AI Provider Data Practices

Anthropic (Claude), via AWS Bedrock:

• Used for AI-powered analysis, assessments, and insights
• Accessed through AWS Bedrock, meaning your data is processed within our existing AWS infrastructure
• When accessed through AWS Bedrock, your data is not shared with Anthropic and is not used to train models
• Data may be temporarily retained by AWS for abuse monitoring (30 days maximum)

Mistral:

• Used for document processing and text extraction (OCR)
• Mistral does not train models on customer data

Legal Basis: Contract Performance (when necessary for Service functionality), Consent (for optional AI features)

6. How We Share Your Information

We do not sell your personal data. We share your information only in the following circumstances:

6.1 Service Providers

We share data with trusted third-party service providers who process data on our behalf:

Amazon Web Services (AWS) (Cloud Hosting, Storage, Authentication, AI, and Email)

• Purpose: Host our platform, manage user authentication and accounts, deliver AI models via AWS Bedrock, and send transactional emails
• Data Shared: All data stored on our platform
• Location: EU
• Legal Basis: Contract Performance

Microsoft Clarity (Analytics)

• Purpose: Website analytics and user experience optimisation (session recordings, heatmaps, and behavioural insights)
• Data Shared: User interactions such as mouse movements, clicks, scrolls, and page rendering data
• Data Retention: Up to 30 days
• Location: USA (via Microsoft Ireland Operations Limited; Standard Contractual Clauses apply)
• Legal Basis: Consent

Mistral (Document Processing)

• Purpose: Document processing and text extraction (OCR)
• Data Shared: Documents uploaded to the Service and content retrieved from publicly available websites
• Location: EU
• Legal Basis: Contract Performance

Firecrawl (Web Scraping)

• Purpose: Retrieve publicly available web content to support application assessments
• Data Shared: URLs submitted for retrieval
• Location: USA (Standard Contractual Clauses apply)
• Legal Basis: Legitimate Interests

Microsoft Azure (Backup Storage)

• Purpose: Offsite backup storage
• Data Shared: All data stored on our platform
• Location: EU
• Legal Basis: Contract Performance

HubSpot (CRM and Marketing)

• Purpose: Manage sign-ups and marketing communications
• Data Shared: Name, email address, and marketing preferences
• Location: EU
• Legal Basis: Consent

All service providers are contractually required to:

• Keep your data secure
• Use data only for specified purposes
• Comply with data protection laws
• Delete or return data when no longer needed

6.2 Legal Requirements

We may disclose your information:

• To comply with legal obligations
• To respond to valid legal requests from authorities
• To protect our rights, property, or safety
• To enforce our Terms of Service
• In connection with legal proceedings

6.3 Business Transfers

If we are involved in a merger, acquisition, or sale of assets, your personal data may be transferred. We will notify you before your data is transferred and becomes subject to a different privacy policy.

6.4 With Your Consent

We may share your information for other purposes with your explicit consent.

7. Data Retention

We retain your personal data only for as long as necessary to fulfil the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law.

Account Data: Retained while your account is active and for 30 days after account deletion (to allow for account recovery)

Usage Data: Retained for up to 2 years for analytics and service improvement

AI Processing Data: Processed in real-time; temporary retention by AI providers for up to 30 days for abuse monitoring only

Marketing Data: Retained until you withdraw consent or for 2 years of inactivity

After the retention period, we securely delete or anonymise your personal data.

8. Data Security

We implement appropriate technical and organisational measures to protect your personal data:

Technical Measures:

• Encryption in transit (TLS/SSL)
• Encryption at rest
• Secure password management via third-party authentication provider
• Regular security testing and audits
• Firewalls
• Secure backup systems

Organizational Measures:

• Access controls and authentication
• Data protection policies and procedures
• Regular security reviews
• Incident response procedures

9. International Data Transfers

All our primary servers are located in the European Union, and we do not routinely transfer data outside the EU/EEA.

However, some of our service providers are located in the United States. When we transfer data to these providers, we ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs): Approved by the European Commission
• Data Processing Agreements: Ensuring GDPR-compliant data processing
• Additional Security Measures: As required by GDPR

You have the right to request information about these safeguards by contacting us.

10. Your Rights

Under UK GDPR and Data Protection Act 2018, you have the following rights:

10.1 Right of Access

You can request a copy of your personal data we hold about you.

10.2 Right to Rectification

You can correct inaccurate or incomplete personal data.

10.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data in certain circumstances.

10.4 Right to Restrict Processing

You can request that we limit how we use your personal data.

10.5 Right to Data Portability

You can receive your personal data in a structured, commonly used format and transfer it to another service.

10.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes.

10.7 Right to Withdraw Consent

Where we rely on consent, you can withdraw it at any time.

10.8 Right Not to Be Subject to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing that significantly affects you. Our Service uses AI to assist with eligibility assessments, scoring, and risk analysis of funding applications. These AI-generated assessments are advisory only, final decisions on funding are always made by a human reviewer.

10.9 How to Exercise Your Rights

You can exercise these rights through your account settings or by contacting us at hello@grantmaker.co.uk.

Account Settings Allow You To:

• Update your account information
• Change your email preferences
• Delete your account
• Export your data
• Manage cookie preferences

We will respond to your request within one month. In complex cases, we may extend this by two additional months.

11. Children's Privacy

Our Service is not intended for children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided us with personal data, please contact us, and we will delete such information.

12. Marketing Communications

With your consent, we may send you marketing communications about our Service, features, promotions, and updates.

You can opt out at any time by:

• Clicking "unsubscribe" in any marketing email
• Updating preferences in your account settings
• Contacting us at hello@grantmaker.co.uk

We will always send you essential service-related communications regardless of marketing preferences.

13. Cookies

We use cookies and similar tracking technologies. For detailed information, please see our Cookies Policy.

14. Third-Party Links

Our Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies.

15. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.

When we make material changes, we will:

• Update the "Last Updated" date
• Notify you by email or through a prominent notice on our Service
• Obtain your consent if required by law

We encourage you to review this Privacy Policy periodically.

16. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Deerleap Innovations Ltd.
Email: hello@grantmaker.co.uk
Address: 3 The Bramleys, Whiteparish, Salisbury, England, SP5 2TA

17. Complaints

You have the right to lodge a complaint with the UK supervisory authority:

Information Commissioner's Office (ICO)
Website: https://ico.org.uk/
Telephone: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF

We would appreciate the opportunity to address your concerns before you contact the ICO, so please contact us first.

---

© 2026 Deerleap Innovations Ltd.. All rights reserved.