PRIVACY POLICY
Last Updated: January 2, 2026
Effective Date: January 2, 2026
1. Introduction and Scope
Welcome to MatchGrant (“we,” “our,” or “us”). We provide a software service designed to connect organizations with relevant grant opportunities and provide comprehensive grant lifecycle management support (the “Service”). We recognize that to provide this Service, we must access some of your most personal information—your time, your schedule, and your plans. We take this responsibility seriously.
This Privacy Policy describes how MatchGrant, acting as a Controller, collects, uses, processes, and shares your Personal Data. It is designed to comply with applicable data protection laws, including the Colorado Privacy Act (CPA).
By accessing or using our Service, interacting with our website, or connecting your Google Calendar, you acknowledge that you have read this Policy and understand our data practices.
1.1 Google User Data and Limited Use Disclosure
Our Service’s ability to manage your schedule relies on integration with Google API Services. We are transparent about this usage.
MatchGrant’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
We strictly prohibit the use of Google User Data for advertising purposes. We do not sell your Google Calendar data to data brokers, and we do not allow human access to this data unless required for security purposes, to comply with applicable law, or where you have explicitly consented to such access for troubleshooting.
2. Definitions
To ensure clarity and alignment with the Colorado Privacy Act (CPA), we use the following definitions:
- “Personal Data” means information that is linked or reasonably linkable to an identified or identifiable individual. It does not include de-identified data or publicly available information.
- “Sensitive Data” means Personal Data that reveals racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or sexual orientation, or citizenship status. Due to the nature of calendar events, we treat your Calendar Data with the protocols reserved for Sensitive Data.
- “Controller” means the entity that determines the purposes and means of processing personal data. MatchGrant is the Controller of your account data.
- “Processor” means an entity that processes personal data on behalf of a Controller. Our infrastructure providers (such as Amazon Web Services) and AI partners (such as OpenAI) act as Processors.
- “Sale” means the exchange of Personal Data for monetary or other valuable consideration by a Controller to a Third Party.
- “Consent” means a clear, affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement.
3. Data Collection
We collect information in three primary ways: (1) Information you provide directly; (2) Information collected automatically via technology; and (3) Information received from third-party integrations.
When you register for an account or use our Service, you may provide:
- Account Credentials: Name, email address, and secure password authentication credentials.
- User Content: Notes, preferences, task lists, or specific instructions you input into the Service to generate AI summaries or organize your schedule.
- Support Communications: Information provided when you contact our support team.
We access Personal Data from your Google Account only pursuant to the specific Scopes you authorize during the OAuth authentication process. We practice data minimization and request only the permissions necessary for our features.
We access your calendar to schedule grant deadlines.
| Scope Category | Specific Scope | Data Collected and Purpose |
|---|
| Event Modification | calendar.events.owned | Data: We access the title, description, time, location, and attendees of events on calendars you own. Purpose: To create new events you request, edit existing events (e.g., rescheduling), and delete events upon your instruction. |
| Calendar Metadata | calendar.calendarlist | Data: We access the list of calendars associated with your account (Calendar IDs, names, colors, and time zones). Purpose: To allow you to select which specific calendars you wish to manage or sync within our Service. |
When you use our Services, we automatically collect certain technical data using cookies and log files hosted on Amazon Web Services (AWS).
- Device and Usage Data: IP address, browser type, operating system, and interaction logs (pages visited, features used).
- Referral Data (Manual Process): To grow our user base, we work with partners who may refer potential customers to us. When a partner puts you in contact with MatchGrant, we collect the Personal Data you provide during your direct communication with us (e.g., name, contact information, business needs). This is a manual process and involves no automated tracking or data transfer with the referring partner.
We use the Personal Data we collect for specific, defined purposes. We do not use your data for purposes incompatible with those listed below without your consent.
4.1 Service Operation and Improvement
We use your Account Credentials and User Content to:
- Authenticate your identity and secure your account.
- Provide Core Matching Services: We analyze your funding need descriptions, budget constraints, target geographic areas, and demographic focus to identify and recommend relevant grant opportunities.
- Schedule Management: We use your Calendar Data to schedule deadlines and reminders as explicitly requested by you.
- Customer Support: We use your communications to resolve technical issues and answer your questions.
4.2 Google User Data Processing (Limited Use Disclosure)
To provide seamless scheduling features, our Service integrates with Google API Services.
MatchGrant’s use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically, regarding your Google Data:
- Calendar Access: We use the
calendar.events.owned scope solely to add grant deadlines and reminders to your calendar at your explicit direction. We do not access, read, or analyze the content of your other personal meetings or events.
- No Advertising: We will never use your Google User Data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- Human Access Restriction: We do not allow humans to read your Google Calendar data unless:
- We have obtained your affirmative agreement for specific events (e.g., to investigate a support ticket you submitted);
- It is necessary for security purposes (such as investigating a bug or abuse);
- It is necessary to comply with applicable law; or
- The use is limited to internal operations where the data has been aggregated and anonymized.
4.3 Artificial Intelligence and Automated Processing
We use artificial intelligence technologies, including AWS Bedrock and OpenAI, to process your data and generate content.
- How it Works (The Logic): When you request a grant recommendation or a rewrite of a funding description, our system sends your specific inputs (Funding Description, Budget, Geography, Target Demographics, and Current Date) to our AI processors. The AI analyzes these factors to generate relevant text or recommendations.
- No Training on Your Data: We value your intellectual property. We have configured our agreements with our AI providers (OpenAI and AWS) to ensure that your data is NOT used to train their foundation models. Your data is processed solely to generate the response you requested and is not retained by our processors for model improvements.
- Automated Suggestions, Not Decisions: Our AI provides recommendations only (e.g., “Top 5 Grant Matches”). We do not use fully automated decision-making to legally disqualify you from opportunities without human intervention. You always have the ability to review and modify any content generated by the AI before it is finalized.
We do not sell your Personal Data to data brokers or marketing agencies for monetary value. However, we share specific categories of data to operate our Service, process payments, and manage our partner relationships.
5.1 Service Providers (Processors)
We engage trusted third-party vendors (“Service Providers”) to perform functions on our behalf. These vendors are legally and contractually bound to protect your data and are prohibited from using it for their own purposes (such as training their own AI models).
- Cloud Infrastructure: We use Amazon Web Services (AWS) (us-east-1) to host our application and securely store your data.
- AI Processing: We use OpenAI and AWS Bedrock to generate grant recommendations and content. Data sent to these providers is ephemeral or strictly isolated; it is not used to train their public models.
- Payment Processing: We use Stripe to process subscription payments. We do not store your full credit card details on our servers. Their Privacy Policy can be viewed at: https://stripe.com/us/privacy.
5.2 Affiliate and Referral Partners
MatchGrant operates a referral program where third-party partners (such as associations or consultants) recommend our Service.
- What We Share: If you sign up through a partner’s link or referral code, we may share limited attribution data (such as your organization name, sign-up date, and subscription status) with that partner.
- Why We Share: This sharing is strictly necessary to calculate and pay the referral commissions owed to the partner.
- Google Data Restriction: We never share your Google Calendar data, grant strategies, or proprietary budget files with referral partners.
5.3 Google API “Limited Use” Transfer Restrictions
In compliance with the Google API Services User Data Policy, we place strict limits on how your Google User Data (specifically from calendar.events.owned) is transferred:
- No Transfers to Data Brokers: We do not transfer Google User Data to third parties for advertising, market research, or data brokering.
- Permitted Transfers: We only transfer Google User Data to third parties (like our AI processors or cloud host) when:
- It is necessary to provide the features you requested (e.g., sending calendar details to the AI to schedule a deadline); AND
- The third party is bound by strict confidentiality and data protection obligations.
5.4 Legal Obligations and Safety
We may disclose your Personal Data if required to do so by law or in the good-faith belief that such action is necessary to:
- Comply with a valid legal process (e.g., a subpoena or court order).
- Protect and defend the rights, property, or safety of MatchGrant, our users, or the public.
- Prevent fraud or abuse of our Service.
6. Your Privacy Rights
We believe you should have control over your data. Regardless of where you are located, MatchGrant provides the following rights to all users:
6.1 Your Rights
6.5 Communications Preferences
- Marketing Emails: You can opt-out of marketing emails by clicking the “Unsubscribe” link at the bottom of any promotional email.
- Transactional Emails: You cannot opt-out of critical service emails (e.g., password resets, billing confirmations, or changes to this Privacy Policy).
7. Data Retention and Security
7.1 Security Measures
We take the security of your data seriously. We use industry-standard physical, technical, and administrative safeguards to protect your information, including:
- Encryption: All data, including your Google Calendar tokens and grant strategies, is encrypted in transit (using TLS 1.2+) and at rest (using AES-256 encryption) on our servers hosted by Amazon Web Services (AWS).
- Access Controls: Access to your personal data is restricted to authorized employees who need it to perform their job functions (e.g., customer support). We use multi-factor authentication (MFA) for all internal systems.
- Vendor Vetting: We vet all third-party service providers (such as OpenAI) to ensure they maintain security standards comparable to our own.
7.2 Data Retention Policy
We retain your Personal Data only for as long as necessary to fulfill the purposes outlined in this Privacy Policy, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).
- Account Information: We retain your profile and account data for the duration of your active subscription plus a period of 4 years after cancellation to handle potential re-activation or disputes.
- Google Calendar Data: We practice data minimization with Google data. We retain the specific calendar events and tokens only as long as you maintain an active connection to the Google Calendar integration. If you disconnect your calendar or delete your account, this data is permanently removed from our active databases within 7 days.
- Grant & Financial Documents: Documents you upload (budgets, narratives) are retained until you delete them or your account is terminated.
7.3 Children’s Privacy
Our Service is intended for professionals and nonprofit organizations. We do not knowingly collect or solicit Personal Data from anyone under the age of 18. If you are a parent or guardian and believe we have collected Personal Data from a child, please contact us immediately, and we will delete that information.
8. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our technology, law, or business operations.
- Notification: If we make material changes (especially concerning how we use your Google Data), we will notify you by email or through a prominent notice in the application.
- Effective Date: The “Last Updated” date at the top of this policy indicates when the latest changes went into effect.
If you have questions about this Privacy Policy, your rights, or our data practices, please contact our Privacy Team: