This Privacy Policy explains how Healthdev OÜ (trading as WinGrants AI; the legal entity operating WinGrants.ai — “WinGrants”, “we”, “us”, “our”) collects, uses, shares, and protects personal data in connection with our website, platform, applications, APIs, and related services (the “Service”). It is designed to comply with Regulation (EU) 2016/679 (GDPR), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and the ePrivacy Directive 2002/58/EC as implemented in EU Member States.
We are ISO/IEC 27001:2022 certified under certificate GCAI-ISMS-LP84, issued on 23 March 2026 by GCAI Certification Services LLP (IAS-accredited) and valid until 22 March 2029. Our Information Security Management System provides the technical and organisational backbone for the data-protection controls described below.
Controller & contact
Data Controller
Healthdev OÜ (t/a WinGrants AI)
Männimäe/1, Pudisoo küla, Kuusalu vald
Harju maakond, 74626, Estonia
Registry code: 14588534
General, privacy & security contact
You also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Andmekaitse Inspektsioon — https://www.aki.ee.
Scope
This Policy applies to:
- visitors to wingrants.ai and our marketing pages;
- registered users and their Authorised Users;
- prospects, leads, and event attendees;
- partners, vendors, and applicants.
It does not apply to third-party websites linked from our Service (see their own policies) or to data we process as a Processor on behalf of a Customer (governed by our Data Processing Agreement).
Categories of personal data we process
We do not intentionally collect special categories of personal data (Article 9 GDPR). Do not upload such data to the Service unless you have a separate written agreement with us authorising it.
We do not knowingly collect data from children under 16. The Service is for professional use.
Purposes & legal bases
We process personal data on the following bases (Art. 6 GDPR):
We do not sell personal data, and we do not train any AI models on Customer Data — neither third-party foundation models nor our own evaluator models.
AI-specific processing
When you use AI features:
- Your prompt and the relevant context are routed through OpenRouter (our LLM API gateway) to large language model providers operated as further sub-processors (listed in §10).
- OpenRouter is configured with Zero Data Retention (ZDR) enabled on our account. This restricts routing to model providers that do not store prompts or completions beyond the volatile, in-memory window strictly required to return a response, and that do not train on customer inputs. Providers that do not meet ZDR requirements are excluded from routing.
- This is reinforced contractually: OpenRouter’s terms (https://openrouter.ai/terms) and the underlying providers’ enterprise/API terms prohibit retention or training on inputs sent under the ZDR policy.
- Output is logged within WinGrants for debugging and abuse-prevention only. Logs are retained per §11, encrypted at rest, and access is restricted under our ISO 27001:2022 controls.
- We do not train any AI models on Customer Data — neither third-party foundation models nor our own evaluator models. We may run longitudinal, aggregated analyses of evaluation outcomes (e.g. ESR-style scores and reviewer-comment patterns) on de-identified, aggregated signals to identify product improvements, but these analyses are never used to train, fine-tune, or update model weights.
- Enterprise customers may request additional restrictions, including EU-only inference regions where supported by the underlying provider.
International transfers
Our infrastructure is hosted in the European Union. Where personal data is transferred to a third country (e.g., support tooling or LLM provider regions outside the EEA), we rely on:
- Adequacy decisions under Art. 45 GDPR where they exist (e.g., UK, Switzerland, EU–US Data Privacy Framework for certified recipients);
- Standard Contractual Clauses (2021/914) plus a Transfer Impact Assessment and supplementary technical and organisational measures (encryption, pseudonymisation, access controls);
- Derogations under Art. 49 only in narrow cases (your explicit consent, performance of a contract).
A current list of cross-border transfers and safeguards is available in our DPA.
Retention
We retain personal data only as long as necessary for the purposes set out above:
We may retain data longer where required by law or to defend legal claims.
Sub-processors
We use carefully selected sub-processors. The current list (with location, role, and transfer safeguards) is published at wingrants-ai.eu.trust.site and includes:
- Cloud infrastructure: Amazon Web Services EMEA SARL — AWS Frankfurt region (eu-central-1), Germany
- Transactional email delivery: Resend (Resend, Inc.)
- Product & web analytics: PostHog (EU region)
- Billing & payment processing: Stripe Payments Europe, Ltd. (Ireland)
- LLM API gateway: OpenRouter, Inc. — operates with Zero Data Retention (ZDR) enabled, routing only to model providers that do not retain prompts/completions and do not train on inputs (https://openrouter.ai/terms). Underlying ZDR-compliant providers are treated as further sub-processors.
Customers receive at least 30 days’ notice of any new sub-processor and may object on reasonable, data-protection grounds.
Security
We implement appropriate technical and organisational measures under our ISO/IEC 27001:2022 ISMS, including:
- TLS 1.2+ in transit; AES-256 at rest;
- Role-based access control with least-privilege and MFA for all administrative access;
- Audit logging and SIEM-based monitoring;
- Vulnerability management, dependency scanning, and annual penetration testing;
- Documented incident-response plan with breach-notification procedures aligned to Art. 33–34 GDPR (72-hour authority notification);
- Vendor security assessment for sub-processors;
- Periodic backups with tested restore procedures;
- Employee security training and confidentiality undertakings.
A summary of controls and our certificate is available on request.
Your rights
Subject to the conditions in the GDPR, you have the right to:
- Access your personal data (Art. 15);
- Rectify inaccurate data (Art. 16);
- Erasure (“right to be forgotten”, Art. 17);
- Restrict processing (Art. 18);
- Data portability (Art. 20) — in a structured, commonly used, machine-readable format;
- Object to processing based on legitimate interests, including profiling (Art. 21);
- Withdraw consent at any time, without affecting the lawfulness of past processing (Art. 7(3));
- Not be subject to fully automated decisions producing legal or similarly significant effects on you (Art. 22). WinGrants does not make such decisions about you.
To exercise these rights, contact aj@wingrants.ai. We will respond within one month (extendable by two months for complex requests, with notice). We may need to verify your identity.
You also have the right to complain to a supervisory authority — in Estonia, the Andmekaitse Inspektsioon (https://www.aki.ee), or the authority where you reside or where the alleged infringement occurred.
Automated decision-making
We do not use automated decision-making, including profiling, to make decisions producing legal or similarly significant effects on you. AI-generated drafts and scoring are decision-support tools requiring human review (see Legal Disclaimer).
Marketing
We send marketing emails only to:
- existing customers, about features and similar services (with one-click unsubscribe in every message), or
- prospects who have given explicit consent (e.g., signed up for our newsletter or downloaded content).
You can opt out at any time using the link in any marketing email or by emailing aj@wingrants.ai.
Changes to this Policy
We may update this Policy. The “Last updated” date reflects the latest version. Material changes will be notified via email or in-product banner at least 30 days before they take effect, where the change is to your detriment.