Privacy Policy

Last updated: June 9, 2026

Graph is a shared workspace for student project groups — chat, video, files, notes, tasks, and calendars in one room. This policy explains what we collect, how we use it, who we share it with, and the control you have over your information.

This Privacy Policy applies to the Graph website, our mobile applications for iOS and Android, and our desktop application (together, the “Service”), all operated by Graph (“Graph,” “we,” “us,” or “our”). By creating an account or using the Service, you agree to the practices described here. If you do not agree, please do not use the Service.

01Information we collect

We collect information in three ways: information you give us, information you create while using the Service, and information collected automatically.

Information you provide

  • Account information. When you sign up, we collect your email address and a password (stored only in hashed form by our authentication provider). You may also add a display name and a profile photo.
  • Verification codes. To confirm your email or reset your password, we send and process one-time verification codes.
  • Support communications. If you contact us, we keep the messages you send and our replies.

Content you create in the Service

Graph is a workspace, so much of what we store is content you and your group choose to put there:

  • Chat and group messages
  • Notes and documents (including text, images, and other media you add)
  • Tasks and project progress
  • Files you upload
  • Calendar entries and personal events
  • Project room details, membership, and invitations you send

This content is visible to other members of the rooms you belong to. Please be mindful of what you share.

Information collected automatically

  • Usage and analytics data. We use analytics to understand how the Service is used — which features are opened, how often groups meet, and aggregate activity within rooms. This helps us improve the product.
  • Device and technical data. Device type, operating system, app version, language, approximate region inferred from your IP address, and log data such as access times and error reports.
  • Push notification tokens. If you enable notifications, we store a device token so we can send you alerts.
  • Cookies and local storage (web). On the web app we use essential cookies and browser storage to keep you signed in and remember your preferences. We do not use advertising cookies.

02How we use information

We use the information described above to:

  • Provide, operate, and maintain the Service and your account
  • Authenticate you and keep your account secure
  • Store and sync your content across your devices and your group
  • Enable real-time features such as chat, collaborative notes, and video and audio calls
  • Send you notifications you have asked for, and essential service emails such as verification and password-reset codes
  • Understand and improve how the Service is used, and develop new features
  • Detect, prevent, and address abuse, fraud, security incidents, and technical problems
  • Comply with legal obligations and enforce our terms

We do not sell your personal information, and we do not use your content to serve advertising.

03Legal bases for processing (EEA/UK)

If you are in the European Economic Area or the United Kingdom, we process your personal data under the following legal bases:

  • Performance of a contract — to provide the Service you signed up for.
  • Legitimate interests — to secure, maintain, and improve the Service, and to prevent abuse.
  • Consent — where you have given it, for example to receive optional notifications. You can withdraw consent at any time.
  • Legal obligation — where we must process data to comply with the law.

04How we share information

We share information only in the limited circumstances below.

With other members of your rooms

Content you create in a project room — messages, notes, tasks, files, calendar entries, your display name and avatar — is visible to the other members of that room.

With service providers (sub-processors)

We rely on a small number of trusted providers to run the Service. They process data only on our instructions:

  • Supabase — database, authentication, and file storage
  • Daily — real-time video and audio calls
  • PostHog — product analytics and usage measurement
  • Vercel — website and application hosting
  • Apple & Google — app distribution and push-notification delivery (APNs / FCM)

For legal and safety reasons

We may disclose information if we believe it is reasonably necessary to comply with a law, legal process, or governmental request; to enforce our terms; or to protect the rights, property, or safety of Graph, our users, or the public.

In a business transfer

If Graph is involved in a merger, acquisition, financing, or sale of assets, your information may be transferred as part of that transaction. We will notify you of any change in ownership or use of your personal information.

We do not sell your personal information and we do not share it with third parties for their own advertising or marketing.

05Video and audio calls

Video and audio calls are powered by Daily. During a call, your audio and video streams are transmitted in real time to the other participants in your room. By default, calls are not recorded.

If a participant chooses to start a recording, a file of that call may be created and stored, and other participants are able to see that a recording is taking place. Only start or share recordings with the awareness and agreement of the people on the call, and follow any laws in your area about recording conversations.

06Data retention

We keep your information for as long as your account is active and as needed to provide the Service. Content you create remains available to you and your group until you or your group deletes it.

When you delete your account, we delete your personal information and the content you own. We may retain limited information where required to comply with legal obligations, resolve disputes, or enforce our agreements, and we may keep aggregated or de-identified data that can no longer be linked to you.

07Data security

We take reasonable measures to protect your information, including encryption of data in transit, encryption of stored data at our hosting and storage providers, access controls, and row-level security rules that restrict each user's data to that user and the rooms they belong to.

No method of transmission or storage is completely secure, so we cannot guarantee absolute security. If we become aware of a breach that affects your personal information, we will notify you and the relevant authorities as required by law.

08Your rights and choices

Depending on where you live, you may have some or all of the following rights regarding your personal information:

  • Access — request a copy of the personal information we hold about you.
  • Correction — update or correct inaccurate information; you can edit much of your profile directly in the app.
  • Deletion — delete your account and personal information.
  • Objection and restriction — object to or ask us to limit certain processing.
  • Portability — receive certain information in a portable format.
  • Withdraw consent — where we rely on consent, withdraw it at any time.

You can manage notification preferences in your device settings and in the app. To exercise any other right, contact us through our contact form.

09Deleting your account

You can delete your account at any time directly within the app: go to Settings → Delete my account and confirm.

Account deletion is permanent and cannot be undone. When you delete your account we remove your login and the personal content you own — including your notes, tasks, files, messages, calendar entries, and profile. Rooms you own are either handed to another member or, if you are the only member, deleted along with their content.

10International data transfers

Graph and our service providers may store and process information in the United States and other countries that may have data-protection laws different from those in your country. Where we transfer personal data out of the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses.

11Children's privacy

The Service is intended for students in higher education and is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe a child under 13 has provided us personal information, please contact us and we will delete it.

12Third-party services

The Service may contain links to third-party websites or let you open content hosted elsewhere. We are not responsible for the privacy practices of those third parties, and this policy does not apply to them.

13Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will revise the “Last updated” date at the top of this page, and for material changes we will provide a more prominent notice. Your continued use of the Service after an update means you accept the revised policy.

14Contact us

If you have questions about this Privacy Policy or how we handle your information, contact us through our contact form.

© 2026 Graph · Connect. Collab. Create.Terms of Service · ← Back to Graph