This Privacy Policy explains how ELSKA Flow Consulting AB (“ELSKA”, “we”, “us”) collects, uses, shares and protects personal data when you visit the GrantGenix website (grantgenix.com) or use the GrantGenix evaluation platform (evaluate.grantgenix.com), together the “Platform”. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (Regulation 2016/679, “GDPR”) and Swedish data-protection law (Dataskyddslagen, SFS 2018:218).
Contents
- Data controller
- Personal data we collect
- How and why we use personal data
- Confidential proposal content
- Processors and sub-processors
- International data transfers
- Sharing and disclosure
- Data retention
- Data security
- Your rights under the GDPR
- Automated decision-making and profiling
- Cookies and browser storage
- Children
- Changes to this Policy
- Contact and complaints
1. Data controller
The data controller responsible for the personal data described in this Policy is:
- ELSKA Flow Consulting AB
- Swedish company registration number: 559357-5144
- Registered office: Sweden
- Contact for privacy matters: info@grantgenix.com
ELSKA has not appointed a statutory Data Protection Officer (DPO) under Article 37 GDPR because the core activity of the Platform does not meet the threshold for mandatory appointment. The contact above handles all privacy enquiries.
2. Personal data we collect
We collect only the personal data we need to operate the Platform. Categories and sources are summarised below.
| Category | Examples | Source |
|---|---|---|
| Account & identity | Username, email address, organisation, role, account-creation timestamp, last-login timestamp | You, when an admin creates your account or you request access |
| Authentication credentials | Password stored as a PBKDF2-SHA-256 hash (600,000 iterations, per-user salt). The plaintext password is never stored. | You, at account creation or password change |
| Session metadata | Session token (UUID), session creation time, last-active time, session expiry time, IP address, user-agent string | Automatically captured at each login and page render |
| Audit log | Records of login events, role changes, deactivations, key assignments and other administrative actions, with timestamps and the actor's IP | Automatically captured by the Platform |
| API key (optional) | Personal Anthropic API key, if assigned to you by an administrator, so your evaluations bill to your own Anthropic account | An administrator, on your behalf |
| Proposal content | Title, description, full text and uploaded files (PDF / DOCX) of proposals you submit for evaluation, version notes, version metadata | You, when you upload or save a proposal |
| Evaluation output | Scores, ranks, comments, qualitative analyses and downloadable DOCX/PDF reports generated by the Platform | The Platform, derived from your proposal content |
| Communications | The content of emails and messages you send us | You |
We do not knowingly collect special categories of personal data (Article 9 GDPR), nor do we collect data relating to criminal convictions (Article 10 GDPR). If your proposal content unavoidably includes such categories — for example, in health-research consortium descriptions — you are responsible for ensuring you have the appropriate legal basis to share that content with us.
3. How and why we use personal data
For each purpose below, we identify the legal basis under Article 6 GDPR.
- To provide the Services. Creating and managing your account, accepting your proposal content, running AI-assisted evaluations, generating reports and making them available to you and (where applicable) your organisation. Legal basis: performance of a contract (Art. 6(1)(b)).
- To authenticate you and protect your account. Verifying credentials, maintaining single-active-session enforcement, expiring sessions after 30 days of inactivity, and revoking sessions when an administrator deactivates an account. Legal basis: performance of a contract and our legitimate interests in protecting your account (Art. 6(1)(b) and 6(1)(f)).
- To secure the Platform and prevent abuse. Audit logging, IP tracking, anomaly detection (e.g. flagging unusually many distinct IPs per user), per-proposal version cap enforcement, and incident investigation. Legal basis: legitimate interests in operating a secure service (Art. 6(1)(f)).
- To communicate with you. Responding to enquiries, sending service-related notifications (e.g. password changes, account status), and onboarding new users. Legal basis: performance of a contract and/or legitimate interests (Art. 6(1)(b) and 6(1)(f)).
- To comply with our legal obligations. Accounting, tax records, response to lawful requests from competent authorities. Legal basis: compliance with a legal obligation (Art. 6(1)(c)).
- To improve the Platform. Reviewing aggregated, de-identified usage metrics (e.g. evaluation duration, error rates) to plan engineering work. Legal basis: legitimate interests (Art. 6(1)(f)). We do not use the substantive content of your proposals to train AI models or to inform development decisions about other users' work.
Where we rely on legitimate interests, you have the right to object on grounds relating to your particular situation (see Section 10).
4. Confidential proposal content
We treat the proposals you upload as strictly confidential. The Platform is engineered so that:
- Each user can only see their own proposals and evaluations. Other users with the same role cannot see your work.
- Superusers with elevated privileges are scoped to their own data exactly like ordinary users: they cannot see other users' proposals or evaluations.
- Only administrators (a small number of trusted ELSKA personnel) can see all proposals and evaluations, strictly for support, troubleshooting, billing and security purposes. Administrator access is audit-logged.
- Proposal content is never sold, never published, and is not used to train third-party AI models (see Section 5).
- Proposal content is not used to inform recommendations to other users. The Platform's evaluation logic is driven by the official EU award criteria of each funding programme, not by other users' submissions.
5. Processors and sub-processors
To operate the Platform, we use the following processors. Each acts only on our documented instructions, under a written data-processing agreement compliant with Article 28 GDPR.
| Processor | Role | Data processed | Location |
|---|---|---|---|
| Anthropic, PBC | AI-evaluation engine (Claude models) | Proposal text and prompts, transient during each evaluation | United States (with EU regional processing where available) |
| Railway Corp. | Hosting of the evaluation platform (evaluate.grantgenix.com) and persistent storage (SQLite + Volume) | All categories listed in Section 2 | United States / EU regions depending on project assignment |
| Netlify, Inc. | Hosting of the marketing website (grantgenix.com) | Server logs (IP, user-agent) for site visitors only; no account data | United States with global edge CDN |
| one.com Group AB | Domain registration and DNS for grantgenix.com | Domain WHOIS data only; no application data | European Union (Denmark / Sweden) |
About Anthropic's handling of proposal data, which we have verified against Anthropic's published policies as of the effective date above:
- Anthropic does not use API inputs or outputs to train its models by default. See Anthropic's Privacy Policy and Usage Policy.
- Anthropic retains API inputs and outputs for up to 30 days for trust-and-safety purposes only, after which they are deleted.
- API calls are encrypted in transit using TLS.
- For institutional customers, Anthropic offers a Data Processing Addendum and zero-retention options. If your organisation requires these, contact us at info@grantgenix.com.
An up-to-date list of sub-processors is available on request at the contact address above. We will notify customers in advance of material changes to this list, where practicable.
6. International data transfers
Some of our processors (notably Anthropic and Railway) are established in, or process data in, the United States. Where personal data is transferred outside the European Economic Area (EEA), we rely on appropriate safeguards recognised under Chapter V of the GDPR, primarily:
- The EU–US Data Privacy Framework where the recipient is self-certified;
- The European Commission's Standard Contractual Clauses (SCCs), 2021/914, as supplemented by transfer impact assessments where required; and
- Technical measures including encryption in transit (TLS 1.2+) and at rest where supported by the processor.
A copy of the safeguards we rely on, or a summary thereof, is available on request.
7. Sharing and disclosure
We do not sell personal data. We share personal data only with:
- Our processors (Section 5), strictly for the purpose of providing the Services on our behalf;
- Your own organisation's administrator, if you use the Platform as part of an organisation that subscribes through ELSKA;
- Professional advisers (lawyers, auditors, accountants) bound by confidentiality, where necessary for ELSKA's business operations;
- Public authorities, courts or regulators, where required by law or to defend our legal rights;
- An acquirer or merger counterparty, in the event of a corporate transaction, in which case we will notify affected users in advance where required.
8. Data retention
We keep personal data only as long as we need it for the purposes set out in Section 3, then delete or anonymise it. Specific retention periods are:
| Data category | Retention period |
|---|---|
| Account & identity data | For the lifetime of your account, plus up to 12 months after account closure for dispute-resolution and audit purposes |
| Authentication credentials (password hashes) | Deleted within 30 days of account closure |
| Session metadata | Sessions auto-expire after 30 days of inactivity; expired session rows are pruned weekly |
| Audit log | Kept for up to 24 months for security and accountability; longer where required by law |
| Personal API key (if assigned) | Deleted immediately on revocation by an administrator or on account closure |
| Proposal content & evaluation reports | For the lifetime of your account; you can request deletion at any time |
| Communications with us | Up to 36 months, unless longer is required by law |
| Accounting and tax records | 7 years (Swedish Bokföringslagen, SFS 1999:1078) |
When you delete a proposal or version through the Platform, the database row is removed and the cache is invalidated within seconds. Encrypted off-site backups may retain a copy for up to 35 days before they cycle.
9. Data security
We implement technical and organisational measures appropriate to the risk, in line with Article 32 GDPR. These include:
- Transport encryption. All connections to the Platform use TLS 1.2 or higher; HTTP traffic is automatically redirected to HTTPS.
- Password hashing. Passwords are hashed with PBKDF2-SHA-256 (600,000 iterations) with a per-user salt. Plaintext passwords are never stored or logged.
- Timing-safe credential comparison. Password verification uses constant-time comparison (hmac.compare_digest) to prevent timing-side-channel attacks.
- Session security. Each session has an explicit 30-day expiry, is bound to a single device per user, and is immediately revoked when an administrator deactivates the account.
- Role-based access control. Users see only their own data; superusers see only their own data; administrators see all data and are audit-logged.
- Audit logging. Logins, role changes, deactivations, key assignments and other administrative actions are recorded with timestamp, actor and IP.
- Per-proposal version cap. Each proposal is limited to five versions per non-admin user to prevent abuse.
- Database backups. The application database is backed up weekly to encrypted storage; backups are kept for 35 days.
- Vendor security. All processors listed in Section 5 maintain industry-standard security programmes (SOC 2 Type II, ISO 27001 or equivalent).
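The password-hashing and timing-safe comparison measures listed above (PBKDF2-SHA-256, 600,000 iterations, per-user salt, hmac.compare_digest) can be illustrated in a few lines of Python. The following is an added example written for this page, not code from the GrantGenix platform; the record format, the 32-byte derived-key length, the function names and the sample user table are assumptions made for the illustration. It also goes one step beyond the text by running a dummy hash for unknown usernames, so that a failed login takes the same time whether or not the account exists.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Parameters stated in the policy: PBKDF2-SHA-256, 600,000 iterations, per-user salt.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16
DKLEN = 32  # derived-key length in bytes (assumption; the policy does not state one)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>'.

    A fresh random salt is drawn on every call, so hashing the same password twice
    yields two different records and identical passwords cannot be spotted in the table.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=DKLEN)
    return f"{ALGORITHM}${iterations}${salt.hex()}${dk.hex()}"


def _parse_record(record: str) -> Optional[Tuple[int, bytes, bytes]]:
    """Split a stored record into (iterations, salt, expected_hash); None if malformed."""
    try:
        algorithm, iterations, salt_hex, hash_hex = record.split("$")
        if algorithm != ALGORITHM:
            return None
        return int(iterations), bytes.fromhex(salt_hex), bytes.fromhex(hash_hex)
    except ValueError:
        return None


# Record used when the username is unknown: verification still performs a full PBKDF2
# computation so that "no such user" and "wrong password" take the same time.
_DUMMY_RECORD = hash_password("dummy-password-used-only-for-timing")


def verify_password(password: str, record: Optional[str]) -> bool:
    """Constant-time check of a plaintext password against a stored record.

    Returns False for a missing or malformed record, but only after doing the same
    amount of PBKDF2 work as a real check, to avoid leaking account existence.
    """
    parsed = _parse_record(record) if record is not None else None
    if parsed is None:
        iterations, salt, expected = _parse_record(_DUMMY_RECORD)
        hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
        return False
    iterations, salt, expected = parsed
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    # hmac.compare_digest takes time independent of where the first differing byte is,
    # unlike `candidate == expected`, which stops at the first mismatch.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str) -> bool:
    """True if a stored record uses fewer iterations than the current policy.

    Called after a successful login, this lets an operator raise the iteration count
    over time and transparently upgrade records as users sign in.
    """
    parsed = _parse_record(record)
    return parsed is None or parsed[0] < ITERATIONS


# Constructed sample user table (username -> stored record); not real accounts.
USERS = {
    "alice": hash_password("correct horse battery staple"),
    "legacy": hash_password("old-password", iterations=100_000),  # predates the 600k policy
}


def authenticate(username: str, password: str) -> bool:
    """Look up the user and verify; unknown users go through the dummy-record path."""
    return verify_password(password, USERS.get(username))


if __name__ == "__main__":
    print("alice / right password:", authenticate("alice", "correct horse battery staple"))
    print("alice / wrong password:", authenticate("alice", "wrong"))
    print("unknown user:", authenticate("nobody", "anything"))
    print("legacy record needs rehash:", needs_rehash(USERS["legacy"]))
```

The stored record carries its own iteration count, so `verify_password` always recomputes with the parameters that produced the hash, while `needs_rehash` lets the platform move older records up to the current cost on the user's next successful login.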
No system can be guaranteed completely secure. In the event of a personal-data breach likely to result in a risk to your rights and freedoms, we will notify the Swedish supervisory authority within 72 hours and notify affected users without undue delay, in accordance with Articles 33 and 34 GDPR.
10. Your rights under the GDPR
You have the following rights regarding your personal data:
- Right of access (Art. 15) — obtain confirmation that we process your personal data, a copy of that data, and information about the processing;
- Right to rectification (Art. 16) — have inaccurate personal data corrected and incomplete personal data completed;
- Right to erasure (“right to be forgotten”, Art. 17) — have your personal data deleted, subject to legal retention obligations;
- Right to restriction (Art. 18) — restrict our processing in specified circumstances;
- Right to data portability (Art. 20) — receive your personal data in a structured, commonly used, machine-readable format and transmit it to another controller;
- Right to object (Art. 21) — object to processing based on legitimate interests, on grounds relating to your particular situation;
- Right to withdraw consent (Art. 7(3)) — where processing is based on consent, withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal;
- Right not to be subject to a decision based solely on automated processing (Art. 22) — see Section 11 below.
To exercise any of these rights, send a request to info@grantgenix.com from the email address associated with your account, or from another address along with reasonable proof of identity. We will respond within one month, with a possible extension of up to two further months for complex requests, as permitted by Article 12(3) GDPR. There is no charge for reasonable requests.
11. Automated decision-making and profiling
The GrantGenix evaluation engine uses large language models to score, rank and comment on the proposals you submit. The output of these evaluations is advisory: it is intended to inform your judgement and the judgement of your proposal team, and is reviewed by human experts where necessary. The Platform does not use automated processing to make decisions producing legal effects concerning you or similarly significantly affecting you within the meaning of Article 22 GDPR (for example, no automated decisions about granting or denying funding). You retain full control over whether to act on any recommendation produced by the Platform.
12. Cookies and browser storage
The Platform uses only the minimum browser storage necessary to operate, specifically:
- A session token stored in your browser's local storage, so that you remain signed in across page reloads;
- UI preferences (for example, the funding family you last selected) stored locally to improve your experience.
The Platform does not use advertising cookies, cross-site tracking, marketing pixels, third-party analytics or fingerprinting. The marketing website (grantgenix.com) and Anthropic's API may set their own minimal operational cookies, which are limited to the strictly necessary category and do not require consent under the EU ePrivacy Directive. If we introduce any non-essential cookies in future (for example, optional analytics), we will update this Policy and obtain prior consent through a cookie banner.
13. Children
The Platform is intended exclusively for professional use by individuals aged 18 or over. We do not knowingly collect personal data of individuals under 18. If you believe we have inadvertently collected personal data of a minor, please contact us so we can delete it.
14. Changes to this Policy
We may update this Privacy Policy from time to time, for example to reflect changes in our Services, our processors, or applicable law. The “Effective from” date at the top of the page indicates the version in force. Material changes will be notified to active users through the Platform or by email at least 30 days before they take effect, unless the change must take effect sooner for legal or security reasons.
15. Contact and complaints
For any privacy question, or to exercise your rights under Section 10, contact us at:
- Email: info@grantgenix.com
- Postal address: ELSKA Flow Consulting AB, Sweden
If you consider that our processing of your personal data infringes the GDPR or Swedish data-protection law, you have the right to lodge a complaint with the Swedish supervisory authority:
- Integritetsskyddsmyndigheten (IMY)
- Box 8114, 104 20 Stockholm, Sweden
- Website: www.imy.se/en/
You also have the right to lodge a complaint with the supervisory authority of the EU Member State of your habitual residence or place of work.
GrantGenix is a service of ELSKA Flow Consulting AB, a Swedish Aktiebolag (company registration number 559357-5144). This Policy has been prepared to align with the GDPR, the Swedish Dataskyddslagen (SFS 2018:218) and how the Platform is technically engineered as of the effective date. We recommend that institutional customers review this Policy alongside the Terms of Service and, where relevant, request our Data Processing Addendum (DPA).