privacy policy

last updated: may 2026

1. information we collect

when you use grove, we collect:

  • account information: email address and authentication data provided through our identity provider (Clerk).
  • conversation data: messages you send and responses generated by AI models.
  • memories: information grove learns about you during conversations to personalise your experience.
  • usage data: interaction patterns, model preferences, and feature usage for service improvement.
  • payment data: billing information processed securely through Stripe. we do not store your full card details.
  • connected services: if you connect Gmail, Google Calendar, or Google Tasks, Composio manages the provider credentials. Grove stores the connected-account reference, privacy settings, and limited normalised metadata needed to power integrations.

2. how we use your data

your data is used to:

  • provide and maintain the grove service.
  • personalise your experience through learned memories and preferences.
  • process payments and manage your subscription.
  • improve service quality, reliability, and safety.
  • communicate important service updates.

3. third-party AI models

grove routes your messages to third-party AI model providers (such as Anthropic, AWS Bedrock, Mistral, and others) to generate responses. your conversation data is sent to these providers as necessary to deliver the service. each provider has their own data processing policies. we select providers that offer enterprise-grade data handling and do not use your data to train their models.

4. data storage and security

your data is stored securely using industry-standard encryption. conversation data and memories are stored in our database infrastructure. we implement appropriate technical and organisational measures to protect your data against unauthorised access, alteration, or destruction.

for Composio managed accounts, Grove does not store raw Google refresh tokens. Composio handles credential storage and token refresh; Grove uses connected-account IDs to execute approved tools.

5. your rights

you have the right to:

  • access: view all memories and data grove has stored about you via the memory section.
  • delete: remove individual memories or request deletion of your account and Grove app data from account settings.
  • export: request a copy of your conversation history and stored data.
  • rectify: correct inaccurate memories through the memory management interface.
  • withdraw consent: delete your account and all Grove-controlled app data at any time.

6. cookies and tracking

grove uses essential cookies required for authentication and service functionality. we use Vercel Analytics for anonymous, aggregated usage statistics. we do not use advertising trackers or sell your data to third parties.

7. data retention

we retain your Grove app data for as long as your account is active. when you use self-serve account deletion in account settings, Grove deletes conversations, messages, memories, profile data, custom instructions, personas, connected-service rows, integration cache, uploaded chat attachments, notification data, push subscriptions, usage rows, and local subscription state tied to your account.

if you have an active paid plan or trial, Grove attempts to cancel the Stripe subscription before deleting your account data. Stripe may retain customer, invoice, payment, tax, dispute, and legal records under Stripe's own retention requirements; Grove does not keep the local subscription row after deletion completes.

Grove asks Composio to delete managed connected accounts where supported and deletes Grove's local connected-account references, privacy settings, tool approvals, execution logs, and cached integration data. Composio and the external services you connected may retain their own logs under their policies.

Grove anonymizes existing security audit rows by replacing your user identifier with a deletion pseudonym, clearing IP address and detail fields, and keeping only timestamp, action, resource, and severity. Grove also keeps one final non-identifying account deletion audit event. previously processed AI, analytics, observability, and infrastructure telemetry remains subject to the relevant provider retention policies; Grove does not sell that data or use it for model training.

8. children's privacy

grove is not intended for use by individuals under the age of 16. we do not knowingly collect data from children. if you believe a child has provided us with personal data, please contact us for removal.

9. changes to this policy

we may update this privacy policy from time to time. we will notify you of significant changes through the service or via email.

10. contact

for privacy-related inquiries, contact our data protection team at privacy@maiself.io.