Grapevines

Privacy policy

Last updated: February 20, 2026

Grapevines AI LLC ("we," "us," or "our") operates the Grapevines platform at grapevines.ai. This privacy policy explains how we collect, use, store, and protect your information when you use our platform, whether you're a job seeker using Grapevines directly, a career coach or resume writer managing client accounts, or a client accessing the platform through your coach's account.

We take your privacy seriously — especially because our platform handles career-sensitive information like resumes, work history, and job search activity.

Information we collect

Information you provide directly

Account information: Name, email address, and password when you create an account. If you sign up as a coach or firm, we also collect your business name and professional credentials.

Career profile data: Resume content, work history, skills, career goals, job preferences, and other details you enter into your profile or upload to the platform. This may include sensitive professional information such as salary expectations, reasons for leaving previous roles, and career transition goals.

Client data (professional accounts): If you are a career coach, resume writer, or outplacement firm, you may upload or enter information about your clients. This includes their resumes, career profiles, and related materials. You are responsible for obtaining appropriate consent from your clients before entering their data into Grapevines.

Communications: Messages you send to us through support channels, feedback forms, or email.

Payment information: If you subscribe to a paid plan, our payment processor collects billing details. We do not store credit card numbers on our servers.

Information collected automatically

Usage data: How you interact with the platform — features used, pages visited, actions taken, and timestamps.

Device and browser data: IP address, browser type, operating system, and device identifiers. We use this for security, troubleshooting, and basic analytics.

Cookies and similar technologies: We use essential cookies to keep you logged in and functional cookies to remember your preferences. See the Cookies section below for details.

Information from third-party sources

People data enrichment: When you use our company research or contact discovery features, we may retrieve publicly available professional information from third-party data providers (EnrichLayer) to enhance your results.

How we use your information

We use the information we collect to:

Provide the core service: Generate personalized career deliverables (resumes, cover letters, LinkedIn content, job fit analyses, company research) using AI models. Your career profile data is sent to AI providers to generate these outputs.

Operate professional accounts: Enable coaches and firms to manage client profiles, generate deliverables on their clients' behalf, and track client engagement.

Improve the platform: Analyze usage patterns to improve features, fix issues, and develop new capabilities. We may use anonymized and aggregated data for this purpose.

Communicate with you: Send transactional emails (account confirmations, password resets), product updates, and — only if you opt in — marketing communications.

Maintain security: Detect fraud, prevent abuse, and protect the integrity of the platform and its users.

AI processing and third-party services

Grapevines uses artificial intelligence to generate career deliverables. This means your data is processed by the following third-party AI providers:

Anthropic (Claude): Used for resume generation, cover letter writing, career analysis, and other text generation tasks. Data sent to Anthropic is processed according to their API data usage policy and is not used to train their models.

OpenAI (GPT-4o): Used for specific generation tasks. Data sent to OpenAI's API is processed according to their API data usage policy and is not used to train their models.

Exa AI: Used for neural web search to power company research and job discovery features. Search queries (not full profiles) are sent to Exa.

EnrichLayer: Used for people data enrichment when you use contact discovery features. Queries are limited to professional context.

Supabase: Provides our database infrastructure. Your data is stored in Supabase-hosted PostgreSQL databases with encryption at rest.

We select AI providers that commit to not training on API customer data. However, we recommend reviewing each provider's current data policies, which may change over time. Links to their policies are available on request.

Ownership of AI-generated content

You own the deliverables generated by Grapevines. Resumes, cover letters, LinkedIn posts, and other outputs created through the platform belong to you (or to your client, if you generated them on a client's behalf as a coach or firm). We do not claim intellectual property rights over AI-generated outputs.

We retain a limited license to use anonymized, aggregated patterns from generated content to improve our AI prompts and platform quality. This does not include retaining or sharing your specific documents.

Data for professional accounts

If you operate a professional account (career coach, resume writer, or outplacement firm), the following applies:

You are the data controller for your clients' information. You are responsible for obtaining consent from your clients before uploading their data to Grapevines, informing them about how their data will be processed, and responding to their data access or deletion requests.

We are a data processor acting on your behalf. We process your clients' data only to provide the services you've requested (generating deliverables, storing profiles, etc.) and do not use client data for our own marketing or unrelated purposes.

Client data isolation: Each professional account's client data is logically separated. Professional account holders cannot access other accounts' client data. We do not aggregate client data across professional accounts for marketing or sales purposes.

Client data deletion: When you delete a client profile from your account, we delete the associated data from our active systems within 30 days. Backup copies may persist for up to 90 days before automatic deletion.

Data Processing Agreement (DPA): This privacy policy outlines our core data processing commitments. If your organization requires a formal, standalone DPA for compliance or procurement purposes, contact us at hello@grapevines.ai and we will work with you to put one in place.

Data retention

Active accounts: We retain your data for as long as your account is active and you continue using the service.

Inactive accounts: If your account is inactive for 12 consecutive months, we may send you a notice before archiving or deleting your data.

Deleted accounts: When you delete your account, we remove your personal data from active systems within 30 days. Backup copies are purged within 90 days. Some anonymized, aggregated data may be retained indefinitely for analytics.

Generated deliverables: Documents you generate are stored in your account until you delete them or close your account.

Coach client data: Follows the same retention schedule. Coaches can delete individual client profiles at any time, triggering the deletion timeline above.

Your rights

Depending on your location, you may have the following rights regarding your personal data:

Access: Request a copy of the personal data we hold about you.

Correction: Request that we correct inaccurate or incomplete data.

Deletion: Request that we delete your personal data, subject to legitimate retention needs (legal obligations, dispute resolution).

Portability: Request your data in a structured, machine-readable format.

Opt out of marketing: Unsubscribe from marketing emails at any time using the link in any marketing email or by contacting us.

Object to processing: Object to certain types of data processing where we rely on legitimate interest as the legal basis.

To exercise any of these rights, contact us at hello@grapevines.ai with the subject line "Privacy request." We will respond within 30 days.

California residents

If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), including the right to know what personal information we collect, the right to request deletion, and the right to opt out of the sale of personal information. We do not sell personal information.

Data security

We implement reasonable technical and organizational measures to protect your data, including:

  • Encryption in transit (TLS/HTTPS) and at rest
  • Access controls limiting employee access to personal data on a need-to-know basis
  • Secure authentication with hashed passwords
  • Regular review of security practices

No system is perfectly secure. If we discover a data breach that affects your personal information, we will notify you and relevant authorities as required by applicable law.

Cookies

Essential cookies: Required for the platform to function (authentication, session management). These cannot be disabled.

Functional cookies: Remember your preferences and settings to improve your experience.

Analytics cookies: Help us understand how the platform is used so we can improve it. We use privacy-respecting analytics that do not track you across other websites.

We do not use advertising cookies or share cookie data with ad networks.

Children's privacy

Grapevines is designed for working professionals and is not intended for use by anyone under 16 years of age. We do not knowingly collect data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.

International data transfers

Grapevines is based in the United States. If you access the platform from outside the US, your data will be transferred to and processed in the United States. By using the platform, you consent to this transfer. We work with service providers who maintain appropriate safeguards for international data transfers.

Changes to this policy

We may update this privacy policy from time to time. When we make material changes, we will notify you by posting the updated policy on this page with a new "last updated" date. For significant changes, we may also notify you by email or through an in-app notification.

We encourage you to review this policy periodically.

Contact us

If you have questions about this privacy policy or how we handle your data:

Email: hello@grapevines.ai

Website: grapevines.ai

If you have an unresolved privacy concern that we have not addressed satisfactorily, you may have the right to contact your local data protection authority.