Privacy Policy

Last updated: April 23, 2026

Griz ("Griz," "we," "our," or "us") is developed by GOOSEBUMPS LLC. This Privacy Policy explains what information we handle when you use the Griz iOS app, its keyboard extension, its iMessage extension, and the related website and services (together, the "Service").

1. What we collect

Content you send for AI suggestions

When you tap Generate, Griz sends the following to our backend to produce reply suggestions:

• Screenshot image data — the chat or profile screenshot you picked or the one you took before opening Griz. Sent only when you explicitly trigger a generation.
• Text around your cursor — when you use the Griz keyboard extension, we read up to 500 characters before and 500 characters after your typing cursor from the active text field, so the AI can see the conversation you're replying to.
• Tone selection — which of the five tones (Flirty, Funny, Deep, Casual, Witty) you chose.
• Free-form situation text — if you use the "Describe your situation" feature, the text you type.

We forward this content to our AI provider, Anthropic, which runs the Claude model that generates the suggestions. Once the response comes back, the screenshot and the context text are discarded from our servers. We do not log message content and we do not use your content to train any AI model.

Device identifier

On first launch we generate a random UUID and store it on your device. We send this ID in the X-User-Id header so our backend can enforce the free-tier daily generation limit. The ID is not tied to your Apple ID, your email, or any account — it is a device-local random string. You can reset it at any time by deleting and reinstalling the app.

Subscription data

If you purchase a Griz subscription, the payment is processed entirely by Apple through the App Store. We use RevenueCat to verify your subscription status. RevenueCat receives an anonymous app user ID (the same device UUID described above) and Apple's receipt data. We and RevenueCat do not receive your name, email address, or payment details. See RevenueCat's privacy policy at revenuecat.com/privacy.

Local device data

The following data is stored only on your device and never transmitted to our servers:

• Your onboarding intention (e.g., "more dates," "better first messages") and settings.
• The history of generated suggestions and attached screenshots shown in the Messages tab, saved via Apple's SwiftData framework.
• Preferences, sound, and notification toggles.

2. What we do not collect

• We do not collect your name, email address, phone number, or location.
• We do not use advertising SDKs, marketing trackers, or analytics SDKs that identify you. Griz is ad-free by design.
• We do not store, log, or retain the content of your screenshots or conversations after the AI response has been returned.
• We do not share or sell data to advertisers, data brokers, or any third party.
• We do not access your camera, microphone, contacts, or health data.

3. Permissions we request

Photos access

The Griz app and iMessage extension request access to your Photos library so you can pick a screenshot, or so the app can surface the most recent screenshot on the home screen. When permission is granted, we only load the specific image you pick or the latest screenshot you requested. We do not index your library, we do not read image metadata beyond what's needed to identify screenshots, and we do not upload anything until you explicitly tap Generate.

Keyboard Full Access

iOS requires a custom keyboard to be granted "Full Access" in order to make any network request — including sending the text around your cursor to our AI. Without Full Access, the Griz keyboard runs in a sandbox that cannot reach the internet, so suggestions cannot be generated. We only read the text surrounding your cursor in the active field (up to 500 characters before and after), and only when you explicitly tap the Generate button. The Griz keyboard does not log keystrokes, does not silently exfiltrate data, and does not read fields you have not interacted with.

Local notifications

Griz may ask permission to send local reminders (for example, a heads-up before a trial ends). These notifications are scheduled on your device and are not pushed from our servers.

4. How screenshots and chat text are processed

Anthropic processes the image and context text to generate suggestions. Under Anthropic's commercial terms, API content is not used to train Anthropic's models and is retained only transiently to provide the service. Learn more at anthropic.com/legal/privacy.

5. Third parties we share data with

We only share content and metadata with service providers strictly required to deliver the product:

• Anthropic, PBC — processes the screenshots and text you submit to produce AI replies. See anthropic.com/legal/privacy.
• RevenueCat, Inc. — verifies your subscription status using an anonymous device ID. See revenuecat.com/privacy.
• Apple, Inc. — handles App Store purchases, delivers the app and its extensions, and provides platform services (Photos picker, Sign in with Apple if enabled). See apple.com/legal/privacy.
• Fly.io, Inc. — hosts our backend servers. Fly.io receives network traffic and standard server logs. See fly.io/legal/privacy-policy.

We do not share data with advertisers, data brokers, or any party beyond the providers listed above.

6. Data retention

• Screenshot and chat content: held in memory on our server for the duration of the AI call, then discarded. Not logged, not persisted.
• Device UUID + daily generation count: held in memory on our server and reset at 00:00 UTC each day. The UUID is stored on your device until you delete the app.
• Subscription status: retained by RevenueCat and Apple for as long as your subscription is active, per their retention policies.
• Local app data (history, preferences): stored on your device for as long as the app is installed. Removed when you delete the app.

7. Children's privacy

Griz is intended for users 17 years of age or older. The App Store age rating reflects this. We do not knowingly collect any information from children under 17. If you believe a minor has used the Service, contact us and we will promptly delete any associated data.

8. Your rights

Because Griz does not maintain user accounts, we do not have a profile to retrieve on request. You can exercise the following controls directly from the app:

• Stop future processing: delete the Griz app. The device UUID is removed and no further requests are sent.
• Clear local history: delete individual conversations from the Messages tab, or delete the app.
• Revoke permissions: turn off Photos, Full Access, or notifications at any time in Settings → Privacy & Security or Settings → General → Keyboard on your device.

Residents of the EU, UK, and California have additional rights under the GDPR, UK GDPR, and CCPA including access, deletion, and the right to object to processing. To exercise these rights, contact us at the email below. Because our records are minimal and not tied to an identity, we may ask you to verify your device UUID to process a request.

9. Security

All traffic between the app and our backend is encrypted with TLS. The backend stores the Anthropic API key in environment variables on the server only — it is never shipped in the app binary. We review and update our infrastructure periodically. That said, no system is 100% secure; if we become aware of a breach that affects you, we will notify you in accordance with applicable law.

10. International transfers

Griz's backend runs on infrastructure located in the United States. If you use the Service from outside the U.S., your content will be transferred to and processed in the U.S. by us, Anthropic, RevenueCat, and Apple, each of which maintains standard safeguards for international data transfers.

11. Changes to this policy

We may update this Privacy Policy from time to time. We will post the revised policy on this page with an updated "Last updated" date. Material changes will be surfaced in the app on first launch after the change.

12. Contact us

If you have questions about this policy, want to exercise a privacy right, or want to report a security concern, reach us at: