This Privacy Policy explains how Grovi ("Grovi," "we," "us," or "our") collects, uses, and protects your information when you use the Grovi mobile, desktop, and web applications and related services (the "Service"). We've tried to write it in plain language. If anything is unclear, please reach out.
In short: we collect only what we need to run Grovi for you, we store it securely on Google's infrastructure, our AI features run on your device, we never sell your data, and you can erase it at any time.
Some data never leaves your device. It is kept in local app storage and is not synced to our servers:
We do not connect to your bank, and we do not collect bank logins, card numbers, or payment-account credentials. Any spending figures come only from amounts you type in yourself.
Grovi's AI features are designed to run on your device:
The text you capture is not sent to a third-party AI service for categorization or processing.
Reminders (such as the daily ritual reminder) are local notifications, scheduled by the app on your own device. We do not operate a push-notification server and cannot send remote push messages to your device. You can turn reminders off at any time in the app or in your device settings.
We use your information to:
We do not use your personal content to serve advertising, and we do not sell or rent your personal information.
Grovi is built on Google Firebase. Your account and content are stored using Firebase Authentication and Cloud Firestore, hosted on Google Cloud servers, and protected by security rules that restrict each user's data to their own account. Google processes this data on our behalf as a service provider under its own security and privacy commitments.
| Provider | Purpose | Data involved | Where it applies |
|---|---|---|---|
| Firebase Authentication (Google) | Account sign-in (email and password) | Email address, display name, hashed credentials, authentication tokens | All platforms |
| Cloud Firestore (Google) | Storing and syncing Your Content under your own account | Your Content (tasks, transactions, budgets, focus sessions, check-ins) | All platforms |
| Firebase Hosting (Google) | Serving the web app and these policy pages | Limited technical request data (such as IP address and timestamps) | Web |
| Firebase Crashlytics (Google) | Crash reporting, so we can find and fix bugs | Crash traces, device model, and operating-system version | Native apps only (not web) |
| Firebase Performance Monitoring (Google) | App performance diagnostics (such as startup and network timing) | Performance timings and basic device information | Native apps only (not web) |
| Firebase App Check (Google) | Verifying that requests come from a genuine copy of the app | Device-integrity attestation tokens | Native apps only (not web) |
| Google Fonts | Rendering the app's typography | Limited technical request data | All platforms |
| Hugging Face (model host) | One-time download of the optional on-device AI model file | Limited technical request data only — none of Your Content | Native apps only, and only if you enable on-device AI |
We may also disclose information if required by law, to protect the rights, safety, or property of Grovi or others, or in connection with a merger, acquisition, or sale of assets (in which case we will notify you of any change in ownership or use of your personal information).
We retain your account information and Your Content for as long as your account is active. When you delete an item, or use "Reset all data," the associated data is removed from our active databases. Residual copies may persist briefly in backups before being overwritten in the ordinary course of operations.
Depending on where you live, you may have rights to access, correct, export, restrict, or delete your personal information. Within Grovi you can:
If you are in the European Economic Area, the United Kingdom, or a similar jurisdiction, you have rights under the GDPR (including access, rectification, erasure, portability, and objection). If you are a California resident, you have rights under the CCPA/CPRA, including the right to know and the right to delete; we do not sell your personal information. To exercise any of these rights, contact us at privacy@grovi.app.
We use industry-standard safeguards, including encryption in transit, authenticated access, and database security rules that restrict each user's data to their own account. No method of transmission or storage is completely secure, so we cannot guarantee absolute security, but we work to protect your information and to address vulnerabilities promptly.
Grovi is not directed to children under 16, and we do not knowingly collect personal information from children under 16. If you believe a child has provided us with personal information, please contact us and we will delete it.
Your information may be processed and stored on servers located in the United States or other countries where our service providers operate. By using the Service, you understand that your information may be transferred to facilities outside your country of residence, which may have different data-protection rules. Where required, we rely on appropriate safeguards for such transfers.
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice, such as by posting the updated policy in the app or on this page and updating the "Last updated" date. Your continued use of the Service after the changes take effect constitutes acceptance of the revised policy.
If you have questions, requests, or concerns about this Privacy Policy or your data, contact us at privacy@grovi.app.