Privacy Policy
Applies to: the Gradion Dispact service, used through our web app and our mobile apps (iOS and Android).
Effective date: 17 June 2026 · Last updated: 17 June 2026
1. Introduction
This Privacy Policy explains how NFQ Asia Pte. Ltd. (Singapore) and NFQ Solutions GmbH (Germany) — together "Gradion", "we", "us" — collect, use, share, and protect your personal data when you use Gradion Dispact (the "Service"), our workspace messaging product for teams.
It covers the Service however you access it — through the web app in a browser or the mobile apps on iOS and Android. It is separate from, and supplements, the privacy policy for our marketing website at gradion.com. Where a practice applies to only one platform, we say so.
2. Information we collect
2.1 Account information
Your email address, password, and display name, and optionally your full name, profile photo, job title, and timezone. If you sign in with Google, we receive your Google account email, name, and profile image.
2.2 Messages and content
The messages, replies, threads, reactions, and files you create within your workspaces and channels.
2.3 Photos and files
- Mobile: when you choose to take a photo or attach an image, we access your camera and/or photo library to capture the image you send. We access them only while you are actively using this feature.
- Web: when you attach a file, you select it through your browser's file picker.
Uploaded photos and files are stored to deliver them within your messages. We do not access your camera, microphone, or media library at any other time.
2.4 Technical and log data
When you use the Service, our servers automatically record standard log data for security and reliability: your IP address, browser/device user-agent, the request path and method, response status, and timestamps. We do not use this data for advertising or profiling.
2.5 Cookies and on-device storage
Both versions of the Service keep some data on your device so it works smoothly. This data stays on your device, is used only to run the Service, and is cleared when you log out. We do not use advertising or third-party tracking cookies.
- Web app: a session cookie keeps you signed in, and your browser's local storage and IndexedDB remember your preferences (such as theme and layout), hold unsent message drafts, and cache data so the app loads faster.
- Mobile apps: your sign-in token is kept in the device's secure storage (iOS Keychain / Android encrypted storage), and your preferences, unsent drafts, and cached data are kept in the app's local storage. The mobile apps do not use cookies.
2.6 Notifications
To deliver the notifications you enable, we collect a device push-notification token and your device platform. On mobile this token is handled by the Expo push service; on web it is a standard browser web-push subscription. Notifications contain a short preview and identifiers, never your full message content.
2.7 Audit records
For security and compliance, we keep an audit log of significant account and workspace actions — such as sign-in, role changes, channel creation, and file uploads — recording who performed the action, when, the outcome, and the originating IP address. Audit records intentionally exclude message content and device tokens.
2.8 Preferences
Your notification and profile settings.
3. Information we do NOT collect
We do not collect your location, contacts, or microphone data. We do not fingerprint your device or geolocate your IP address. The Service contains no advertising, no product analytics, and no third-party tracking SDKs, and we do not use any external error-tracking service. (This differs from our marketing website, which does use analytics and marketing tools.)
4. We do not track you
We do not track you across apps or websites owned by other companies. We do not link your data with third-party data for advertising, and we do not share your data with data brokers. The information we collect is linked to your account solely to operate the Service.
5. How we use your information
We use your data only to operate Gradion Dispact — to authenticate you, deliver your messages and shared files across your channels and threads, send the notifications you enable, keep the Service secure and prevent abuse, and manage your account. We do not use your data for advertising and we do not sell it.
6. Legal bases for processing (EU/EEA/UK users)
Where the GDPR applies, we process your data on these legal bases:
- Performance of our contract with you — operating the Service, authentication, and delivering your messages and notifications.
- Our legitimate interests — keeping the Service secure and preventing fraud and abuse (including the technical and audit logs in Sections 2.4 and 2.7).
- Compliance with a legal obligation.
- Your consent — for example, enabling push notifications or accessing your camera or photo library. You may withdraw consent at any time.
7. How we share and disclose information
We do not sell your data and do not share it with third parties for their own purposes. We disclose data only:
- 7.1 to the sub-processors listed in Section 8, who operate the Service on our behalf;
- 7.2 where required to comply with law, a court order, or a lawful government request;
- 7.3 to protect the rights, safety, and security of our users, the public, or Gradion;
- 7.4 in connection with a merger, acquisition, or sale of assets — in which case we will notify you, and any successor will remain bound by this policy.
8. Sub-processors
We use a limited set of providers strictly to operate the Service. They process data only on our instructions and are contractually required to provide the same or equal protection of your data as set out in this policy. They do not use your data for their own purposes.
| Provider | Purpose | Data it receives |
|---|---|---|
| Amazon Web Services (S3) | File and photo storage | Uploaded files and photos, filename, type |
| Expo Push Service | Mobile push notification delivery | Device push token, notification title/preview, message identifiers |
| Email provider (SMTP / SendGrid) | Transactional email (invites, password resets) | Your email address, email subject and body |
| Sign-in with Google (optional) | One-time identity token; email, name, Google ID | |
| KLIPY | GIF search, only if you use the GIF feature | Your GIF search text |
| Slack | Workspace import, only if you import from Slack | The Slack workspace data you choose to import |
| Google Meet | Video calls, only if you start a Meet call | The meeting link you create and share |
9. Who controls your data
If you use Gradion Dispact through an organization or employer that administers your workspace, that organization may act as the controller of the messages and content in that workspace, and we process that data on its behalf under its instructions. For accounts you create and control yourself, Gradion is the controller. Questions about an organization-administered workspace should be directed to that organization.
10. How your data is stored and protected
All data is transmitted over encrypted HTTPS. Account, message, and audit data is stored on Gradion-controlled servers; uploaded files and photos are stored in our private cloud storage (Amazon S3). No method of transmission or storage is completely secure, but we maintain administrative, technical, and physical safeguards appropriate to the data we hold.
11. Data retention
We retain your account, message, and uploaded content while your account is active, and for as long as required by applicable law. Server and audit logs are retained for a limited period for security and compliance. When you delete your account, we delete the associated data except where we are required to retain certain records by law.
12. Deleting your account
Gradion Dispact workspaces are administered by the organization that invited you. You can request deletion of your account and its associated personal data at any time — from within the app or by emailing us at the address in Section 19. Your request is carried out by your workspace administrator or by us, and is a deletion, not a temporary deactivation: it permanently removes your account, messages, and uploaded content, except where we are required to retain certain records by law.
13. Your rights
Depending on your location, you have rights under the GDPR (EU/Germany), Singapore PDPA, Thailand PDPA, and Vietnam Decree 13/2023 — including access, rectification, erasure, portability, restriction, and objection.
To exercise any right, email us at the address in Section 19. We will verify your identity and respond within the timeframe required by applicable law (within one month under the GDPR). There is no charge for a reasonable request.
If you are in the EU/EEA or UK and believe we have not handled your data properly, you also have the right to lodge a complaint with your local data protection authority (in Germany, your state supervisory authority).
14. California residents (CCPA/CPRA)
If you are a California resident, you have the right to know what personal information we collect, to access it, and to request its deletion or correction. We do not sell or share your personal information, and we do not use it for cross-context behavioral advertising. We will not discriminate against you for exercising these rights.
15. International data transfers
Gradion operates across Singapore, Vietnam, Thailand, Germany, and other locations, so your data may be processed in countries other than your own. Where required, we rely on appropriate safeguards — such as the EU Standard Contractual Clauses — to protect your data when it is transferred internationally.
16. Automated decision-making
We do not use your data for automated decision-making or profiling that produces legal or similarly significant effects.
17. Children's privacy
The Service is not directed to children under 13, and we do not knowingly collect their personal data.
18. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the "Last updated" date above and, where appropriate, notify you within the Service. Your continued use after an update constitutes acceptance of the revised policy.
19. Contact
Privacy questions and data-deletion requests: privacy@gradion.com