Grafta always sets a couple of essential cookies (HttpOnly access & refresh tokens) to keep you signed in — these never need consent. With your permission we'd also like to use Microsoft Clarity (masked session replays and heatmaps, so we can improve the site) and Google & Meta measurement (an anonymous signal that an ad led to a sign-up — never your business data). No selling of your data, and it's entirely optional. Privacy Policy

Founding offer — €9.99/mo for your first year (50% off). Start free →

Your business runs on this data. We treat it that way.

Plain English, no security theatre — here's exactly how Grafta handles what you put in it.

Your data lives in the EU

The Grafta database runs in Railway's EU region, and uploaded files (receipts, logos) are stored in Cloudflare R2 with EU jurisdiction. Where a sub-processor is US-based (Stripe, OpenAI, Sentry), transfers are covered by Standard Contractual Clauses — every one of them is disclosed in our privacy policy.

Encrypted at rest and in transit

Everything travels over TLS, and the most sensitive fields — like bank details for your invoice footers — are additionally encrypted at the field level with AES-256-GCM before they touch the database.

We never see your card

Subscriptions are handled entirely by Stripe. Card numbers never touch Grafta's servers — we couldn't store them if we wanted to.

Voice recordings are not kept

When you record a voice note, the audio is transcribed and then deleted. We keep the text and the actions you approve — never the recording. Recordings are never used to train AI models.

Your data is yours

Export everything as a machine-readable archive from Settings at any time (GDPR Article 20), or delete your account and all its data in one action (Article 17). No email to support, no waiting period — the buttons are in the app.

Sessions that can't be skimmed

Sign-in uses HttpOnly, Secure cookies that JavaScript can't read, short-lived access tokens, and role-based access on every request. Team members only see what their role allows.

Found a security issue?

We take reports seriously and respond fast. Email security@grafta.ie or see our security.txt. For the full detail on what we collect and who processes it, read the privacy policy.

€9.99/mo founding offer

Built in Ireland. Run with care.

Start free — no card needed, and your data stays yours.

No card required. Cancel anytime.