Effective Date: 6 December 2025
Last Updated: 6 December 2025
Graph Research Labs Limited (“GRL”, “we”, “us”, “our”) is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your personal information when you:
(a) Use our website at www.graphresearchlabs.com;
(b) Purchase, license, or use our GRL Generators software (“Software”);
(c) Create an account with us;
(d) Communicate with us for sales, support, or other purposes;
(e) Participate in trials, events, or surveys.
IMPORTANT DISTINCTION: This Privacy Policy covers personal information that WE collect and control as a data controller (e.g., your account information, payment details, support communications). For information about how we process customer data within our SaaS Service as a data processor on your behalf, please see our Data Processing Addendum (DPA).
1.1 Company Information
1.2 Scope by Deployment Model
(a) Account Registration Information:
(b) Payment and Billing Information:
(c) Licensing and Deployment Information:
(d) Communications and Support:
(a) Website Usage Data:
(b) Software Telemetry (if enabled – see Section 2.3):
(c) Cookies and Similar Technologies:
You can control cookies through your browser settings. Disabling cookies may affect website functionality.
For On-Premise and Customer VPC deployments, telemetry collection is OPTIONAL and can be disabled. Telemetry helps us improve the Software, provide proactive support, and ensure compatibility.
What telemetry includes:
What telemetry does NOT include:
How to disable telemetry: contact support@graphresearchlabs.com for assistance
If telemetry is enabled, we use it only as permitted by EULA Section 10.4 (System Data Usage Restrictions).
We collect only the minimum personal information necessary to:
We do not collect personal information “just in case” we might need it later.
We process your personal information based on the following legal grounds:
(a) Contract Performance (GDPR Article 6(1)(b)): To fulfill our contract with you, including:
(b) Legitimate Interests (GDPR Article 6(1)(f)): For our legitimate business interests, including:
(c) Legal Obligation (GDPR Article 6(1)(c)): To comply with applicable laws, including:
(d) Consent (GDPR Article 6(1)(a)): Where we have obtained your explicit consent, including:
(a) Account Management and Authentication:
(b) Payment Processing:
(c) Service Delivery and Support:
(d) Product Improvement and Development:
Important: We do NOT use telemetry for competitive intelligence or to target development based on your specific competitors (prohibited by EULA Section 10.4).
(e) Marketing and Communications:
You can opt out of marketing emails at any time by clicking the unsubscribe link or emailing privacy@graphresearchlabs.com.
(f) Security and Fraud Prevention:
(g) Legal Compliance and Enforcement:
GRL does not make decisions based solely on automated processing (including profiling) that produce legal effects or similarly significantly affect you. All decisions regarding account approval, subscription management, access to features, or billing disputes involve human review and are not made by automated systems alone.
We do NOT sell your personal information to third parties. We share your information only in the following limited circumstances:
4.1 Service Providers (Sub-processors): We share information with the following trusted third-party service providers who assist us in operating our business:
All service providers are contractually obligated to:
4.2 Business Transfers: If GRL is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred to the successor entity. We will notify you via email and/or prominent notice on our website before your information is transferred and becomes subject to a different privacy policy.
4.3 Legal Requirements: We may disclose your information if required by law or if we believe in good faith that such disclosure is necessary to:
(a) Comply with legal obligations (court orders, subpoenas, regulatory requests);
(b) Protect and defend GRL’s rights or property;
(c) Prevent or investigate possible wrongdoing in connection with the Software;
(d) Protect the personal safety of users or the public;
(e) Protect against legal liability.
4.4 Aggregated or Anonymised Data: We may share aggregated, anonymized, or de-identified data that cannot reasonably be used to identify you. For example:
This anonymized data is NOT considered personal information and may be used or shared without restriction.
4.5 With Your Consent: We may share your information for other purposes with your explicit consent, such as:
5.1 Data Location: Your personal information is primarily stored and processed in New Zealand (our headquarters and primary operations).
5.2 Transfers from the EEA or UK: New Zealand has been recognised as providing adequate data protection by:
This means transfers from the EEA and UK to New Zealand do not require additional safeguards beyond this adequacy recognition.
For transfers to service providers in countries without adequacy decisions (e.g., United States), we use:
(a) EU Standard Contractual Clauses (SCCs); or
(b) Other approved transfer mechanisms under GDPR Chapter V.
You may request a copy of the safeguards we use by contacting privacy@graphresearchlabs.com.
5.3 Transfers from Other Jurisdictions: For customers in other jurisdictions (California, Canada, Australia, etc.), we comply with applicable data transfer requirements and implement appropriate safeguards.
We retain your personal information only for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.
6.1 Retention Periods by Data Type:
(a) Account Information:
(b) Payment and Billing Records:
(c) License Keys and Activation Records:
(d) Support Communications:
(e) Telemetry Data:
(f) Website Logs and Analytics:
(g) Marketing Communications:
6.2 Deletion and Anonymisation: When retention periods expire, we:
6.3 Legal Holds: We may retain personal information beyond the standard retention period if required for:
Such data is retained only for the duration necessary and is subject to heightened security measures.
Depending on your jurisdiction, you may have the following rights regarding your personal information:
7.1 GDPR Rights (EEA and UK Residents):
(a) Right of Access (Article 15): Request a copy of your personal information we hold.
(b) Right to Rectification (Article 16): Correct inaccurate or incomplete data.
(c) Right to Erasure / “Right to be Forgotten” (Article 17): Request deletion of your data, subject to legal retention requirements.
(d) Right to Restriction of Processing (Article 18): Limit how we use your data.
(e) Right to Data Portability (Article 20): Receive your data in a machine-readable format.
(f) Right to Object (Article 21): Object to processing based on legitimate interests or for direct marketing.
(g) Right to Withdraw Consent (Article 7(3)): Where processing is based on consent, you can withdraw consent at any time.
(h) Right to Lodge a Complaint: You may complain to your local data protection authority (supervisory authority).
7.2 CCPA Rights (California Residents):
(a) Right to Know: Request disclosure of categories and specific pieces of personal information collected.
(b) Right to Delete: Request deletion of your personal information (subject to exceptions).
(c) Right to Correct: Request correction of inaccurate personal information.
(d) Right to Opt-Out of Sale/Sharing: We do NOT sell or share your personal information, so this right does not apply.
(e) Right to Limit Use of Sensitive Personal Information: Not applicable – we do not use sensitive PI for purposes beyond providing services.
(f) Right to Non-Discrimination: You will not be discriminated against for exercising your CCPA rights.
7.3 New Zealand Privacy Act Rights:
(a) Right to access your personal information (Principle 6)
(b) Right to request correction of inaccurate information (Principle 7)
(c) Right to complain to the Privacy Commissioner if you believe we’ve breached the Privacy Act
7.4 How to Exercise Your Rights: To exercise any of these rights, please contact us at:
• Email: privacy@graphresearchlabs.com
• Subject line: “Data Subject Request” or “Privacy Rights Request”
• Include: Your name, email address, type of request, and any relevant details
We will respond to verified requests within:
7.5 Verification: To protect your privacy, we will verify your identity before fulfilling requests. We may ask you to:
• Confirm your email address or account details
• Provide additional identification for sensitive requests (e.g., deletion)
7.6 Authorised Agents: You may designate an authorized agent to make requests on your behalf. We will require:
• Written authorization signed by you
• Verification of the agent’s identity
• Verification of your identity
We implement appropriate technical and organizational measures to protect your personal information against unauthorized access, alteration, disclosure, or destruction.
8.1 Security Measures Include:
8.2 Payment Security: We use Stripe (PCI DSS Level 1 compliant) for payment processing. We do NOT store full credit card numbers or CVV codes. Only tokenized payment references are stored in our systems.
8.3 Your Responsibility: You are responsible for:
8.4 No Guarantee: While we implement industry-standard security measures, no system is 100% secure. We cannot guarantee absolute security of your information. You transmit information at your own risk.
Our Software and services are not directed to individuals under the age of 18 (or under the age of majority in your jurisdiction – under 16 in the EU).
We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@graphresearchlabs.com and we will delete such information.
If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information as soon as possible.
10.1 What Are Cookies?
Cookies are small text files placed on your device by websites you visit. They help websites remember your preferences and improve your experience.
10.2 Types of Cookies We May Use
(a) Essential Cookies (Always Active):
(b) Analytics Cookies:
(c) Marketing Cookies (Requires Consent):
10.3 How to Control Cookies: You can control cookies through:
Disabling cookies may affect website functionality (e.g., you may need to log in repeatedly).
10.4 Do Not Track: Some browsers support “Do Not Track” (DNT) signals. We do not currently respond to DNT signals, but you can disable tracking through the opt-out tools mentioned above.
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors.
11.1 Notice of Changes: We will notify you of material changes by:
11.2 Effective Date: Changes are effective on the “Effective Date” shown at the top of the Privacy Policy. Your continued use of our services after the effective date constitutes acceptance of the updated Privacy Policy.
If you do not agree to the updated Privacy Policy, you may:
For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Graph Research Labs Limited
NZBN: 94-29050041305
Location: Auckland, New Zealand
Privacy Inquiries:
Email: privacy@graphresearchlabs.com
Subject Line: “Privacy Policy Inquiry”
Data Subject Requests:
Email: privacy@graphresearchlabs.com
Subject Line: “Data Subject Request” or “Privacy Rights Request”
General Support:
Email: support@graphresearchlabs.com
Website:
https://www.graphresearchlabs.com/privacy
12.1 Supervisory Authorities
If you are in the EEA or UK and have concerns about our data practices, you have the right to lodge a complaint with your local data protection authority:
Effective Date: 6 December 2025
For purposes of this DPA:
(a) “Personal Data” means any information relating to an identified or identifiable natural person that Customer uploads to, or processes using, the SaaS Service.
(b) “Data Protection Laws” means all applicable laws and regulations relating to the processing of Personal Data, including GDPR, UK GDPR, CCPA, New Zealand Privacy Act 2020, and Australian Privacy Act 1988.
(c) “Controller”, “Processor”, “Data Subject”, “Processing”, “Personal Data Breach” have the meanings given in applicable Data Protection Laws.
(d) “Customer Data” means all Personal Data and other data that Customer uploads to or processes using the SaaS Service.
(e) “Sub-processor” means any third party engaged by GRL to process Personal Data on Customer’s behalf.
(a) This DPA applies only to SaaS deployments where GRL processes Personal Data on Customer’s behalf.
(b) For On-Premise and Customer VPC deployments, Customer is the sole Controller and GRL is not a Processor (this DPA does not apply).
(c) The subject matter, nature, purpose, and duration of processing, and types of Personal Data and Data Subjects are as described in Annex 1 (Details of Processing).
(a) GRL shall process Personal Data only on Customer’s documented instructions, unless required by applicable law.
(b) Customer’s instructions are:
(i) Use of the SaaS Service as provided under the EULA,
(ii) Customer’s configuration settings and actions within the SaaS Service,
(iii) Written instructions provided via email to: support@graphresearchlabs.com
(c) GRL will inform Customer if, in GRL’s opinion, any instruction violates applicable Data Protection Laws.
(d) GRL will not process Personal Data for any purpose other than providing the SaaS Service as instructed by Customer.
(a) GRL ensures that all personnel authorized to process Personal Data are subject to confidentiality obligations (contractual or statutory).
(b) GRL personnel will process Personal Data only as necessary to provide the SaaS Service and fulfill GRL’s obligations under this DPA.
(a) GRL implements appropriate technical and organisational measures to protect Personal Data as described in Privacy Policy Section 8 and Annex 2 (Security Measures).
(b) GRL’s security measures include:
(c) Customer acknowledges that security measures may be updated from time to time, provided the overall level of security is not materially decreased.
(a) Customer consents to GRL’s use of the Sub-processors listed in Privacy Policy Section 4.1.
(b) GRL will:
(i) Impose data protection obligations on Sub-processors substantially similar to this DPA,
(ii) Remain liable for Sub-processor acts and omissions to the same extent as if GRL performed the services directly
(c) Changes to Sub-processors:
(i) GRL will provide at least 30 days’ advance notice of new or replacement Sub-processors via:
(ii) Customer may object to a new Sub-processor on reasonable data protection grounds by notifying GRL within 30 days of notice
(iii) If Customer objects and GRL cannot accommodate the objection, either party may terminate the affected SaaS Subscription with 30 days’ notice and receive a pro-rata refund
(d) Current Sub-processors are listed in Privacy Policy Section 4.1.
(a) Taking into account the nature of processing, GRL will assist Customer (at Customer’s cost) in fulfilling Customer’s obligations to respond to Data Subject requests, including:
(b) If GRL receives a Data Subject request directly:
(i) GRL will promptly forward the request to Customer (within 2 business days)
(ii) GRL will not respond directly unless required by law
(c) Assistance Timeline: GRL will provide reasonably requested assistance within 15 business days of Customer’s written request.
(d) GRL will provide the following technical assistance:
(a) GRL will notify Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Data.
(b) Notification will include (to the extent known):
(i) Description of the breach and categories/approximate number of Data Subjects and records affected,
(ii) Name and contact details of GRL’s data protection contact,
(iii) Likely consequences of the breach,
(iv) Measures taken or proposed to address the breach and mitigate harm
(c) GRL will provide reasonable cooperation and assistance to Customer in:
(i) Investigating the breach,
(ii) Notifying supervisory authorities (if required),
(iii) Notifying Data Subjects (if required),
(iv) Mitigating the breach
(d) Customer is responsible for notifying supervisory authorities and Data Subjects as required by applicable law.
(e) GRL’s notification does not constitute acknowledgment of fault or liability.
If Customer is required to conduct a Data Protection Impact Assessment (DPIA) or prior consultation with supervisory authorities, GRL will provide reasonable information and assistance (at Customer’s cost) to enable Customer to comply, including information about GRL’s processing activities and security measures.
(a) GRL will make available to Customer information necessary to demonstrate compliance with this DPA and applicable Data Protection Laws, including:
(i) This DPA and Privacy Policy,
(ii) Security measures documentation (Annex 2),
(iii) Sub-processor list (Annex 3 and Privacy Policy Section 4.1),
(iv) SOC 2 reports, ISO 27001 certificates, or similar (if available)
(b) Customer Audit Rights:
(i) Customer may audit GRL’s compliance once per year,
(ii) Customer must provide 30 days’ written notice,
(iii) Audits must be conducted during business hours and minimally disruptive,
(iv) Customer may use an independent third-party auditor (subject to confidentiality),
(v) Customer bears all audit costs unless audit reveals material non-compliance
(vi) If audit reveals material non-compliance by GRL:
(c) In lieu of Customer audit, Customer may accept:
(i) GRL’s SOC 2 Type II report (if available), or
(ii) Third-party audit or certification reports
(d) Audit rights do not permit access to GRL’s confidential information or other customers’ data.
(a) GRL processes Personal Data primarily in New Zealand.
(b) For transfers from the EEA:
(i) New Zealand is recognized by the European Commission as providing adequate data protection (Commission Decision 2013/65/EU)
(ii) No additional safeguards required for NZ-based processing
(c) For transfers from the UK:
(i) New Zealand is recognized by the UK as providing adequate data protection
(ii) No additional safeguards required for NZ-based processing
(d) For Sub-processors located in countries without adequacy decisions:
(i) GRL uses EU Standard Contractual Clauses (2021) – Module 2 (Controller-to-Processor) and Module 3 (Processor-to-Processor)
(ii) GRL uses UK International Data Transfer Agreement (IDTA) or UK Addendum to EU SCCs
(iii) Copies available upon request
(e) The EU SCCs and UK IDTA/Addendum are incorporated by reference and form part of this DPA.
(f) In case of conflict, the order of precedence is:
(a) Upon termination or expiry of the EULA:
(i) Customer has 30 days to export Customer Data using the SaaS Service export functionality,
(ii) After 30 days, GRL will delete all Customer Data unless legally required to retain,
(iii) Deletion is performed using secure deletion methods (crypto-shredding or overwriting)
(b) Upon Customer’s written request, GRL will:
(i) Return Customer Data in a commonly used machine-readable format (JSON, CSV), and/or
(ii) Delete all Customer Data and provide written certification of deletion
(c) GRL may retain Customer Data only to the extent and for the period required by applicable law (e.g., financial records for tax compliance).
(d) Backup Retention: Customer Data in backups will be deleted within 180 days after backup rotation cycle completion.
(a) Each party’s liability under this DPA is subject to the limitations and exclusions in EULA Sections 12 and 13.
(b) GDPR Article 82 Allocation:
(i) If GRL is held liable under GDPR Article 82 for damages caused by processing in violation of GDPR, and the violation was caused by GRL not following lawful Customer instructions, GRL is liable,
(ii) If the violation was caused by Customer’s unlawful instructions or Customer’s failure to comply with GDPR, Customer is liable,
(iii) Where both parties contributed to the damage, liability is allocated in proportion to contribution
(c) Indemnification: Customer will indemnify GRL against third-party claims arising from:
(i) Customer’s unlawful processing instructions,
(ii) Customer Data that violates third-party rights or laws,
(iii) Customer’s failure to comply with Data Protection Laws
(a) This DPA is effective as of the EULA effective date and continues for the duration of the EULA.
(b) This DPA automatically terminates upon EULA termination.
(c) Sections DPA-4, DPA-10, DPA-12, and DPA-13 survive termination.
(a) GRL may amend this DPA to comply with applicable Data Protection Laws by providing 30 days’ written notice.
(b) Material changes reducing Customer’s data protection rights require Customer’s consent.
(c) If Customer does not consent, Customer may terminate the SaaS Subscription per EULA Section 9.
(a) Subject Matter: Provision of GRL Generators SaaS service for knowledge graph creation, management, and analysis.
(b) Nature and Purpose: Processing of Personal Data uploaded by Customer to create, store, query, and analyse knowledge graphs and related data structures.
(c) Duration: For the term of the SaaS Subscription.
(d) Types of Personal Data: Determined by Customer. May include: names, contact information, identifiers, professional information, or any other data Customer chooses to upload.
(e) Categories of Data Subjects: Determined by Customer. May include: Customer’s employees, customers, suppliers, partners, or other individuals.
(f) Processing Activities:
See Privacy Policy Section 8 (Security Measures) for complete details. Summary of Technical and Organisational Measures:
See Privacy Policy Section 4.1 for complete list.
Current Sub-processors:
Updated list maintained in Section 4.1 of the Privacy Policy.
END OF DATA PROCESSING ADDENDUM