Privacy Policy
Last updated: April 27, 2026. We don't sell your data or train on it.
1. Overview
We are deeply transparent about what we collect, how we use it, and who we share it with.
Poppies Studios ("we," "us," "our") operates Griz, an iOS app that helps you draft dating messages using AI. This Privacy Policy explains what information we collect, how we use it, and your rights. By using Griz, you consent to this Privacy Policy.
2. What We Collect
We collect very little — device ID, your screenshots/text, subscription status, and basic logs.
Device ID
A unique, auto-generated UUID is created on first app launch and stored in the iOS app group shared by all three targets (main app, keyboard extension, iMessage extension). This ID is used to track your daily generation quota (3 free, unlimited with subscription), store your subscription status reported by Apple's StoreKit (relayed through our paywall provider Superwall), and associate your generation history in the local database. The device ID is not tied to your identity — it is not your name, email, phone number, or Apple ID.
Screenshot & Text Content
When you tap "Generate," any screenshot or message context you submit is sent to our backend via HTTPS, immediately forwarded to Anthropic's Claude model, NOT stored to disk, NOT logged as content, and discarded after the API response is returned to your device. We use Anthropic's commercial API, which does not train on your data by default. When using the Griz keyboard extension, up to 500 characters of text surrounding your cursor — which may include messages from other people — is transmitted to Anthropic for processing. See the Terms of Service (Section 3A) for your responsibilities regarding third-party messages.
Subscription & Billing
Your subscription status is managed by Apple via In-App Purchase. Our paywall provider, Superwall, observes the on-device receipt and reports to us whether you have an active subscription, your subscription plan, and renewal dates. We do NOT receive your credit card number or payment details — Apple handles those.
API Logs & Metadata
Our backend logs minimal metadata: device UUID, timestamp, selected tone, request/response size, and latency. Logs do NOT include the actual content of screenshots or messages.
3. What We Do NOT Collect
We deliberately avoid collecting many things that other apps grab.
- Your name, email address, or phone number
- Your Apple ID or sign-in credentials
- Your location or GPS data
- Contact list, photos library (except what you explicitly upload), or calendar
- Device identifiers like IDFA or IDFV
- Browsing history or app usage
- Keystroke logs or background monitoring
4. Third-Party Processors
We rely on a few trusted services to operate Griz.
Anthropic (Claude API)
Screenshots and text you submit are sent to Anthropic's API for analysis. Under their API terms, Anthropic does not train on your submitted content by default. Read their Terms of Service.
Data Processing Agreement — Anthropic
By using Griz, you authorize Poppies Studios to share your screenshots and message context with Anthropic, Inc., as a data processor. Anthropic's API Terms of Service and Privacy Policy govern their processing of this data. For EU/UK users (GDPR), Poppies Studios has a Data Processing Addendum (DPA) in place with Anthropic covering EU data transfers. You may request a copy at [email protected].
Superwall
Paywall presentation, in-app purchase orchestration, and subscription analytics are handled by Superwall, a U.S.-based platform. Superwall receives your device UUID and subscription status (whether your subscription is active, plan type, renewal date) from Apple's StoreKit. Superwall does not receive any screenshot or message content. Superwall's Privacy Policy is available at https://superwall.com/privacy. Poppies Studios has a standard Data Processing Addendum in place with Superwall for GDPR/CCPA compliance.
Apple
Apple processes all In-App Purchases and subscription billing. We do not handle your payment information directly.
Fly.io (Backend Hosting)
Griz's backend (griz-api) is hosted on Fly.io, a U.S.-based container platform. Your screenshot/message content is not stored persistently, so Fly does not store it either.
Cloudflare Pages (Legal Pages)
These legal pages are hosted on Cloudflare Pages. Cloudflare may log access patterns. No personal or message data is stored here.
5. Data Retention
We don't keep your content longer than necessary.
- Screenshots & messages: Processed in-flight and discarded immediately. Not written to disk.
- API logs: Retained for 30 days for debugging, then deleted.
- Device UUID & quota counters: Retained indefinitely to enforce rate-limiting.
- Subscription status: Retained as long as your account is active, then deleted 90 days after last login.
- Local app history: Stored on your device. You can delete it by uninstalling Griz.
6. Your Privacy Rights
You have the right to access, delete, or correct your information.
Right to Access
You can request a copy of the data we hold about you. Email [email protected] with the subject "Data Subject Access Request" and include your device UUID. We will respond within 30 days.
Right to Deletion
You can request that we delete your device UUID and associated quota data. Email us with the subject "Data Deletion Request" and include your device UUID. We will delete the data within 30 days.
CCPA Rights (California Residents)
If you are a California resident, you have rights under the California Consumer Privacy Act (CCPA): right to know, right to delete, right to opt-out of sale/sharing (we do not sell or share data), and right to non-discrimination. To exercise any CCPA right, email [email protected] with "CCPA Request" in the subject line and your device UUID. We will respond within 45 days.
GDPR Rights (EU/UK Residents)
If you are located in the EU or UK, you have rights under GDPR: right to access, right to rectification, right to erasure, right to restrict processing, right to data portability, and right to object. To exercise any GDPR right, email [email protected] with "GDPR Request" in the subject line and your device UUID. We will respond within 30 days.
7. Children & COPPA Compliance
Griz is not for children under 18.
Griz is designed for individuals 18 years or older and is not intended for children under 13. We comply with the Children's Online Privacy Protection Act (COPPA). We do not knowingly collect personal information from anyone under 18. If we become aware that a user is under 18, we will delete their device UUID and associated data immediately. If you are a parent or guardian and believe your child has created a Griz account, please contact us immediately at [email protected].
8. Data Transfers
Your data is processed in the United States.
Poppies Studios and our third-party processors are based in the United States. By using Griz, you consent to the transfer of your information to the United States and processing in accordance with U.S. law.
9. Security
We use industry-standard protections, though no system is perfectly secure.
All communication between your device and our backend is encrypted via HTTPS/TLS 1.2 or higher. We do not store screenshots or message content to disk, which minimizes the risk of a data breach. If you believe your device UUID has been compromised, email us immediately.
10. Changes to This Policy
We may update this policy. We'll let you know if anything material changes.
We reserve the right to modify this Privacy Policy at any time. If we make material changes, we will update the "Last updated" date at the top of this page. Continued use of Griz after a change constitutes your acceptance of the updated Privacy Policy.
11. Contact Us
Questions or concerns? Get in touch.
If you have any questions or concerns about this Privacy Policy or our privacy practices, please contact us:
Poppies Studios
[email protected]
We aim to resolve any concerns within 30 days.