Home  /  Legal  /  Privacy Policy
Legal · effective 28 April 2026

Privacy Policy

How Healthdev OÜ (trading as WinGrants AI) collects, uses, shares and protects personal data — under the GDPR, the Estonian Personal Data Protection Act, and the ePrivacy Directive.

Effective date28 April 2026
Last updated28 April 2026
ControllerHealthdev OÜ (t/a WinGrants AI)
Registry code14588534
Contactaj@wingrants.ai
Privacy Terms of Service Cookies Policy Disclaimer Trust & Security ↗
On this page
Overview 1. Controller & contact 2. Scope 3. Categories of personal data 4. Purposes & legal bases 5. AI-specific processing 6. Cookies & tracking 7. How we share personal data 8. International transfers 9. Retention 10. Sub-processors 11. Security 12. Your rights 13. Automated decision-making 14. Marketing 15. Changes to this Policy 16. Document history

This Privacy Policy explains how Healthdev OÜ (trading as WinGrants AI; the legal entity operating WinGrants.ai — “WinGrants”, “we”, “us”, “our”) collects, uses, shares, and protects personal data in connection with our website, platform, applications, APIs, and related services (the “Service”). It is designed to comply with Regulation (EU) 2016/679 (GDPR), the Estonian Personal Data Protection Act (Isikuandmete kaitse seadus), and the ePrivacy Directive 2002/58/EC as implemented in EU Member States.

We are ISO/IEC 27001:2022 certified under certificate GCAI-ISMS-LP84, issued on 23 March 2026 by GCAI Certification Services LLP (IAS-accredited) and valid until 22 March 2029. Our Information Security Management System provides the technical and organisational backbone for the data-protection controls described below.

§1

Controller & contact

Data Controller

Healthdev OÜ (t/a WinGrants AI)
Männimäe/1, Pudisoo küla, Kuusalu vald
Harju maakond, 74626, Estonia
Registry code: 14588534

General, privacy & security contact

aj@wingrants.ai

You also have the right to lodge a complaint with your local data protection authority. In Estonia, this is the Andmekaitse Inspektsioon — https://www.aki.ee.

§2

Scope

This Policy applies to:

  • visitors to wingrants.ai and our marketing pages;
  • registered users and their Authorised Users;
  • prospects, leads, and event attendees;
  • partners, vendors, and applicants.

It does not apply to third-party websites linked from our Service (see their own policies) or to data we process as a Processor on behalf of a Customer (governed by our Data Processing Agreement).

§3

Categories of personal data we process

CategoryExamplesWhen collected
Identity & contactName, email, phone, organisation, role, countrySign-up, contact form, demo request
Account & billingUsername, password hash, billing address, VAT ID, invoicesAccount creation and Subscription
Usage & technicalIP address, device, browser, OS, language, referrer, session logs, pages viewed, feature interactionsAutomatically when you use the Service
Customer Data inputsProject descriptions, partner info, CVs, draft proposals you upload or generateYour active use of the platform
AI interaction logsPrompts, completions, evaluator scores, editsYour use of AI features
CommunicationsEmails, support tickets, chat transcriptsInbound/outbound communications
Marketing preferencesNewsletter status, event RSVPs, lead-source attributionOpt-in or legitimate interest
Cookies & similar techSee Cookies PolicyWhen you visit the website

We do not intentionally collect special categories of personal data (Article 9 GDPR). Do not upload such data to the Service unless you have a separate written agreement with us authorising it.

We do not knowingly collect data from children under 16. The Service is for professional use.

§4

Purposes & legal bases

We process personal data on the following bases (Art. 6 GDPR):

PurposeLegal basis
Provide and operate the ServiceContract (Art. 6(1)(b))
Bill, invoice, and collect paymentContract / Legal obligation (Art. 6(1)(b), (c))
Authenticate, secure, and prevent abuseLegitimate interests (Art. 6(1)(f)) — securing the platform
Improve features, debug, develop new functionalityLegitimate interests — product improvement on de-identified data
Marketing emails to existing customers about similar servicesLegitimate interests + soft opt-in (with opt-out)
Marketing to prospects who registered, downloaded content, or attended eventsConsent (Art. 6(1)(a))
Legal compliance (tax, accounting, AML, court orders)Legal obligation (Art. 6(1)(c))
Enforce our rights, defend claimsLegitimate interests
Longitudinal, aggregated analysis of evaluation outcomes for product improvementLegitimate interests, on de-identified/aggregated data only; never used to train AI models

We do not sell personal data, and we do not train any AI models on Customer Data — neither third-party foundation models nor our own evaluator models.

§5

AI-specific processing

When you use AI features:

  • Your prompt and the relevant context are routed through OpenRouter (our LLM API gateway) to large language model providers operated as further sub-processors (listed in §10).
  • OpenRouter is configured with Zero Data Retention (ZDR) enabled on our account. This restricts routing to model providers that do not store prompts or completions beyond the volatile, in-memory window strictly required to return a response, and that do not train on customer inputs. Providers that do not meet ZDR requirements are excluded from routing.
  • This is reinforced contractually: OpenRouter’s terms (https://openrouter.ai/terms) and the underlying providers’ enterprise/API terms prohibit retention or training on inputs sent under the ZDR policy.
  • Output is logged within WinGrants for debugging and abuse-prevention only. Logs are retained per §11, encrypted at rest, and access is restricted under our ISO 27001:2022 controls.
  • We do not train any AI models on Customer Data — neither third-party foundation models nor our own evaluator models. We may run longitudinal, aggregated analyses of evaluation outcomes (e.g. ESR-style scores and reviewer-comment patterns) on de-identified, aggregated signals to identify product improvements, but these analyses are never used to train, fine-tune, or update model weights.
  • Enterprise customers may request additional restrictions, including EU-only inference regions where supported by the underlying provider.
§6

Cookies & tracking

See our separate Cookies Policy. Non-essential cookies are set only after you give consent via our cookie banner, in line with Article 5(3) of the ePrivacy Directive and EDPB Guidelines 03/2022.

§7

How we share personal data

We share personal data only with the following categories of recipient and on documented legal grounds:

  • Service providers (Processors) — cloud hosting, email delivery, customer support, billing, analytics, LLM providers — under Art. 28 GDPR Data Processing Agreements.
  • Professional advisers — accountants, auditors, lawyers — bound by confidentiality.
  • Authorities — where required by court order, law, or to defend our rights.
  • Corporate transactions — successors in a merger, acquisition, or asset sale, subject to equivalent protections.
  • With your consent — for any other purpose disclosed to you.

We do not share Customer Data inputs with anyone other than the sub-processors required to operate the Service.

§8

International transfers

Our infrastructure is hosted in the European Union. Where personal data is transferred to a third country (e.g., support tooling or LLM provider regions outside the EEA), we rely on:

  • Adequacy decisions under Art. 45 GDPR where they exist (e.g., UK, Switzerland, EU–US Data Privacy Framework for certified recipients);
  • Standard Contractual Clauses (2021/914) plus a Transfer Impact Assessment and supplementary technical and organisational measures (encryption, pseudonymisation, access controls);
  • Derogations under Art. 49 only in narrow cases (your explicit consent, performance of a contract).

A current list of cross-border transfers and safeguards is available in our DPA.

§9

Retention

We retain personal data only as long as necessary for the purposes set out above:

DataRetention
Account dataDuration of Subscription + 6 years (statutory limitation period)
Customer Data inputs & OutputDuration of Subscription; 30-day export window after termination; deletion or anonymisation within 90 days thereafter
Billing records7 years (Estonian Accounting Act §12)
Marketing dataUntil you unsubscribe / withdraw consent + 12 months for suppression list
Security & audit logs12 months by default; longer where required for incident response or legal obligation
Support tickets3 years

We may retain data longer where required by law or to defend legal claims.

§10

Sub-processors

We use carefully selected sub-processors. The current list (with location, role, and transfer safeguards) is published at wingrants-ai.eu.trust.site and includes:

  • Cloud infrastructure: Amazon Web Services EMEA SARL — AWS Frankfurt region (eu-central-1), Germany
  • Transactional email delivery: Resend (Resend, Inc.)
  • Product & web analytics: PostHog (EU region)
  • Billing & payment processing: Stripe Payments Europe, Ltd. (Ireland)
  • LLM API gateway: OpenRouter, Inc. — operates with Zero Data Retention (ZDR) enabled, routing only to model providers that do not retain prompts/completions and do not train on inputs (https://openrouter.ai/terms). Underlying ZDR-compliant providers are treated as further sub-processors.

Customers receive at least 30 days’ notice of any new sub-processor and may object on reasonable, data-protection grounds.

§11

Security

We implement appropriate technical and organisational measures under our ISO/IEC 27001:2022 ISMS, including:

  • TLS 1.2+ in transit; AES-256 at rest;
  • Role-based access control with least-privilege and MFA for all administrative access;
  • Audit logging and SIEM-based monitoring;
  • Vulnerability management, dependency scanning, and annual penetration testing;
  • Documented incident-response plan with breach-notification procedures aligned to Art. 33–34 GDPR (72-hour authority notification);
  • Vendor security assessment for sub-processors;
  • Periodic backups with tested restore procedures;
  • Employee security training and confidentiality undertakings.

A summary of controls and our certificate is available on request.

§12

Your rights

Subject to the conditions in the GDPR, you have the right to:

  • Access your personal data (Art. 15);
  • Rectify inaccurate data (Art. 16);
  • Erasure (“right to be forgotten”, Art. 17);
  • Restrict processing (Art. 18);
  • Data portability (Art. 20) — in a structured, commonly used, machine-readable format;
  • Object to processing based on legitimate interests, including profiling (Art. 21);
  • Withdraw consent at any time, without affecting the lawfulness of past processing (Art. 7(3));
  • Not be subject to fully automated decisions producing legal or similarly significant effects on you (Art. 22). WinGrants does not make such decisions about you.

To exercise these rights, contact aj@wingrants.ai. We will respond within one month (extendable by two months for complex requests, with notice). We may need to verify your identity.

You also have the right to complain to a supervisory authority — in Estonia, the Andmekaitse Inspektsioon (https://www.aki.ee), or the authority where you reside or where the alleged infringement occurred.

§13

Automated decision-making

We do not use automated decision-making, including profiling, to make decisions producing legal or similarly significant effects on you. AI-generated drafts and scoring are decision-support tools requiring human review (see Legal Disclaimer).

§14

Marketing

We send marketing emails only to:

  • existing customers, about features and similar services (with one-click unsubscribe in every message), or
  • prospects who have given explicit consent (e.g., signed up for our newsletter or downloaded content).

You can opt out at any time using the link in any marketing email or by emailing aj@wingrants.ai.

§15

Changes to this Policy

We may update this Policy. The “Last updated” date reflects the latest version. Material changes will be notified via email or in-product banner at least 30 days before they take effect, where the change is to your detriment.

§16

Document history

VersionDateSummary
1.02026-04-28Initial publication
Terms of Service → Cookies Policy → Disclaimer → Trust & Security ↗