Privacy Policy
This policy explains what data Graphory collects, how we store it, and what rights you have over it. Last updated: April 12, 2026.
1. Who we are
Graphory (operated by Groundstone Group) provides a graph-native data infrastructure layer. We connect to the business tools you choose, extract structured data from them, and store the result as a knowledge graph scoped to your organization. You query that graph through our API or MCP server using whatever AI model you prefer. We are the data layer, not the reasoning layer.
2. Data we collect
- Account data - your name, email address, organization name, and role, provided during signup via WorkOS.
- Connection metadata - which data sources you have connected, their connection status, and sync timestamps.
- Credentials - OAuth tokens and API keys for the sources you connect. Stored encrypted per organization.
- Collected content - the data Graphory pulls from the sources you authorize (for example: emails, invoices, documents, messages). This data is written to disk as markdown files and indexed into your organization's graph.
- API usage logs - request timestamps, endpoint, organization ID, and status codes. Used for rate limiting, debugging, and billing.
We never collect data from sources you have not authorized. We do not sell your data. We do not use your data to train any model.
3. How credentials are stored
OAuth tokens and API keys are stored encrypted per organization in WorkOS Vault. Credentials are scoped to a single organization and are only accessible to collectors running on behalf of that organization. Credentials never appear in logs, never leave our infrastructure, and are revoked immediately when you disconnect a source.
4. Where your data lives
Raw markdown files and per-organization graphs are stored on our production server (Hostinger VPS, EU region). Each organization gets its own named FalkorDB graph. Graphs are isolated at the database level - queries from one organization cannot read data from another.
5. Third parties
- WorkOS - authentication, single sign-on, organization management, and encrypted credential vault.
- FalkorDB - graph database engine (self-hosted on our infrastructure).
- Hostinger - infrastructure provider for the production server.
- Source platforms - the tools you explicitly connect (Gmail, QuickBooks, Slack, and so on). We only access data you have authorized through their OAuth flows.
Graphory does not call any LLM API in its production extraction pipeline. No OpenAI, Anthropic, or other model provider has access to your data through us. When you query your graph, you bring your own AI - the model you use and its provider terms are your choice.
6. Data retention
Your data is retained for as long as you keep your account active. You can request deletion of any source, any graph, or your entire account at any time. On deletion we remove the markdown files, drop the graph, and revoke all associated credentials. Backups are retained for 30 days and then permanently deleted.
7. Your rights
- Access - you can view all data in your graph via the dashboard or API at any time.
- Export - the full markdown corpus and graph can be exported on request.
- Correction - you can correct or annotate any node or edge; corrections are recorded with full provenance.
- Deletion - you can delete any source, entity, or your full account on request.
- Portability - your data is yours. Export formats are open (markdown, JSON, Cypher dump).
To exercise any of these rights, email support@graphory.io. We respond within 7 business days.
8. Security
All traffic is served over HTTPS. API keys use the gs_ak_ prefix and are scoped per organization. OAuth tokens are encrypted at rest. We follow the principle of least privilege for internal access and log every administrative action.
9. Children
Graphory is a business tool and is not directed at children under 13. We do not knowingly collect data from children.
10. Changes to this policy
We may update this policy as the product evolves. Material changes will be announced via email to account owners at least 14 days before taking effect. The "last updated" date at the top of this page always reflects the most recent revision.
11. Contact
Questions about this policy or about your data: support@graphory.io