Gradion Dispact Gradion Dispact

Privacy Policy

Applies to: the Gradion Dispact service, used through our web app and our mobile apps (iOS and Android).
Effective date: 17 June 2026 · Last updated: 17 June 2026

1. Introduction

This Privacy Policy explains how NFQ Asia Pte. Ltd. (Singapore) and NFQ Solutions GmbH (Germany) — together "Gradion", "we", "us" — collect, use, share, and protect your personal data when you use Gradion Dispact (the "Service"), our workspace messaging product for teams.

It covers the Service however you access it — through the web app in a browser or the mobile apps on iOS and Android. It is separate from, and supplements, the privacy policy for our marketing website at gradion.com. Where a practice applies to only one platform, we say so.

2. Information we collect

2.1 Account information

Your email address, password, and display name, and optionally your full name, profile photo, job title, and timezone. If you sign in with Google, we receive your Google account email, name, and profile image.

2.2 Messages and content

The messages, replies, threads, reactions, and files you create within your workspaces and channels.

2.3 Photos and files

Uploaded photos and files are stored to deliver them within your messages. We do not access your camera, microphone, or media library at any other time.

2.4 Technical and log data

When you use the Service, our servers automatically record standard log data for security and reliability: your IP address, browser/device user-agent, the request path and method, response status, and timestamps. We do not use this data for advertising or profiling.

2.5 Cookies and on-device storage

Both versions of the Service keep some data on your device so it works smoothly. This data stays on your device, is used only to run the Service, and is cleared when you log out. We do not use advertising or third-party tracking cookies.

2.6 Notifications

To deliver the notifications you enable, we collect a device push-notification token and your device platform. On mobile this token is handled by the Expo push service; on web it is a standard browser web-push subscription. Notifications contain a short preview and identifiers, never your full message content.

2.7 Audit records

For security and compliance, we keep an audit log of significant account and workspace actions — such as sign-in, role changes, channel creation, and file uploads — recording who performed the action, when, the outcome, and the originating IP address. Audit records intentionally exclude message content and device tokens.

2.8 Preferences

Your notification and profile settings.

3. Information we do NOT collect

We do not collect your location, contacts, or microphone data. We do not fingerprint your device or geolocate your IP address. The Service contains no advertising, no product analytics, and no third-party tracking SDKs, and we do not use any external error-tracking service. (This differs from our marketing website, which does use analytics and marketing tools.)

4. We do not track you

We do not track you across apps or websites owned by other companies. We do not link your data with third-party data for advertising, and we do not share your data with data brokers. The information we collect is linked to your account solely to operate the Service.

5. How we use your information

We use your data only to operate Gradion Dispact — to authenticate you, deliver your messages and shared files across your channels and threads, send the notifications you enable, keep the Service secure and prevent abuse, and manage your account. We do not use your data for advertising and we do not sell it.

6. Legal bases for processing (EU/EEA/UK users)

Where the GDPR applies, we process your data on these legal bases:

7. How we share and disclose information

We do not sell your data and do not share it with third parties for their own purposes. We disclose data only:

8. Sub-processors

We use a limited set of providers strictly to operate the Service. They process data only on our instructions and are contractually required to provide the same or equal protection of your data as set out in this policy. They do not use your data for their own purposes.

ProviderPurposeData it receives
Amazon Web Services (S3)File and photo storageUploaded files and photos, filename, type
Expo Push ServiceMobile push notification deliveryDevice push token, notification title/preview, message identifiers
Email provider (SMTP / SendGrid)Transactional email (invites, password resets)Your email address, email subject and body
GoogleSign-in with Google (optional)One-time identity token; email, name, Google ID
KLIPYGIF search, only if you use the GIF featureYour GIF search text
SlackWorkspace import, only if you import from SlackThe Slack workspace data you choose to import
Google MeetVideo calls, only if you start a Meet callThe meeting link you create and share

9. Who controls your data

If you use Gradion Dispact through an organization or employer that administers your workspace, that organization may act as the controller of the messages and content in that workspace, and we process that data on its behalf under its instructions. For accounts you create and control yourself, Gradion is the controller. Questions about an organization-administered workspace should be directed to that organization.

10. How your data is stored and protected

All data is transmitted over encrypted HTTPS. Account, message, and audit data is stored on Gradion-controlled servers; uploaded files and photos are stored in our private cloud storage (Amazon S3). No method of transmission or storage is completely secure, but we maintain administrative, technical, and physical safeguards appropriate to the data we hold.

11. Data retention

We retain your account, message, and uploaded content while your account is active, and for as long as required by applicable law. Server and audit logs are retained for a limited period for security and compliance. When you delete your account, we delete the associated data except where we are required to retain certain records by law.

12. Deleting your account

Gradion Dispact workspaces are administered by the organization that invited you. You can request deletion of your account and its associated personal data at any time — from within the app or by emailing us at the address in Section 19. Your request is carried out by your workspace administrator or by us, and is a deletion, not a temporary deactivation: it permanently removes your account, messages, and uploaded content, except where we are required to retain certain records by law.

13. Your rights

Depending on your location, you have rights under the GDPR (EU/Germany), Singapore PDPA, Thailand PDPA, and Vietnam Decree 13/2023 — including access, rectification, erasure, portability, restriction, and objection.

To exercise any right, email us at the address in Section 19. We will verify your identity and respond within the timeframe required by applicable law (within one month under the GDPR). There is no charge for a reasonable request.

If you are in the EU/EEA or UK and believe we have not handled your data properly, you also have the right to lodge a complaint with your local data protection authority (in Germany, your state supervisory authority).

14. California residents (CCPA/CPRA)

If you are a California resident, you have the right to know what personal information we collect, to access it, and to request its deletion or correction. We do not sell or share your personal information, and we do not use it for cross-context behavioral advertising. We will not discriminate against you for exercising these rights.

15. International data transfers

Gradion operates across Singapore, Vietnam, Thailand, Germany, and other locations, so your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards — such as the EU Standard Contractual Clauses — to protect your data when it is transferred internationally.

16. Automated decision-making

We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.

17. Children's privacy

The Service is not directed to children under 13, and we do not knowingly collect their personal data.

18. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you within the Service. Your continued use after an update constitutes acceptance of the revised policy.

19. Contact

Privacy questions and data-deletion requests: privacy@gradion.com