Privacy Policy

Last updated: March 29, 2026

What Grains is

Grains is a subscription-funded photo sharing service. We do not sell advertising. We do not sell your data. Our business model is simple: you pay for the service, and the service works for you.

Information we collect

Account information. When you create an account, we collect your email address and, if you sign in through Google, Apple, or Facebook, the name associated with that account. We do not access your contacts, calendar, or any other data from those services.

Photographs. Photographs you upload are stored encrypted. Each photograph is encrypted with a unique key derived from your credentials. Grains servers store only ciphertext. We cannot view your photographs.

C2PA provenance data. Each photograph taken in the Grains app is signed with a cryptographic manifest that records when and on what device the photograph was made. This manifest is embedded in the photograph file and is part of the photograph itself.

Device information. We collect device attestation data (Apple DeviceCheck or Android Play Integrity) to verify that photographs originate from genuine devices. We do not collect device identifiers for advertising purposes.

Payment information. Subscription payments are processed by Stripe. We do not store your credit card number, bank account number, or other payment credentials on our servers. Stripe's privacy policy governs their handling of your payment data.

How we use your information

We use the information we collect to:

  • Operate your account and deliver the service
  • Verify the authenticity of photographs
  • Process your subscription payments
  • Send transactional emails (receipts, security alerts)
  • Respond to your support requests

We do not use your photographs to train machine learning models. We do not use your data for targeted advertising. We do not have advertising.

What we do not collect

We do not use third-party analytics services. We do not embed tracking pixels. We do not share data with data brokers. We do not build advertising profiles. We do not track you across other websites or applications.

Circles and shared photographs

When you share a photograph to a Circle, the photograph is re-encrypted with a Circle Encryption Key that is shared with Circle members. If a member is removed from a Circle, the Circle Encryption Key is rotated and the removed member loses access.

Data storage and security

Your data is stored on Amazon Web Services infrastructure in the United States. Photographs are encrypted client-side before upload using AES-256-GCM. Server-side, data at rest is encrypted with AWS KMS. Data in transit is encrypted with TLS.

Data retention

Your account data and photographs are retained for as long as your account is active. If you delete your account, we delete your data within 30 days. Cryptographic provenance records on the public verification ledger are retained indefinitely, as they contain no personal information beyond the fact that a photograph exists.

Your rights

You may request a copy of your data, request deletion of your account, or withdraw consent at any time by contacting privacy@grainsapp.com.

Children

Grains is not intended for anyone under the age of 13. We do not knowingly collect personal information from children.

Changes to this policy

If we make material changes to this policy, we will notify you by email before the changes take effect. We will not reduce your rights under this policy without your explicit consent.

Contact

Questions about this policy may be directed to privacy@grainsapp.com.