Legal

Privacy Policy

GraniteMind AI is committed to protecting the privacy and personal information of all users who interact with our websites, web applications, and mobile apps. This policy explains what data we collect, how we use it, and your rights as a data subject. We operate in accordance with applicable Zimbabwean data protection principles and international best practices.

Effective date
1 June 2026
Last updated
21 June 2026
Controller
GraniteMind AI, Harare, Zimbabwe

1. Introduction & Scope

GraniteMind AI ("we", "us", or "our") operates as an AI-powered web and mobile application development agency based in Harare, Zimbabwe. This Privacy Policy applies to:

  • The GraniteMind AI agency website at granitemind.ai
  • All client websites and web applications built and hosted by GraniteMind AI
  • All mobile applications developed and maintained by GraniteMind AI
  • Our client portal, project management tools, and communication channels
  • Any interactions with GraniteMind AI via WhatsApp, email, or social media

This policy governs how we collect, use, store, protect, and share personal information from:

  • Prospective clients who contact us or submit enquiries
  • Paying clients whose projects we build and maintain
  • End-users of the websites and applications we develop for our clients
  • Visitors to any website or app hosted on our infrastructure

By using any GraniteMind AI product or service, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use and contact us to arrange data deletion.

2. Data Controller Information

The data controller responsible for your personal information is GraniteMind AI, an AI-powered web and app development agency:

  • Address: Harare, Zimbabwe
  • Email: privacy@granitemind.ai
  • Website: granitemind.ai
  • WhatsApp: +263 78 943 7015

For all privacy-related requests, questions, or complaints, please contact us at the email above. We aim to respond within 5 business days.

3. Information We Collect

3.1 Information You Provide Directly

When you engage our services or interact with any GraniteMind AI platform, we may collect:

  • Full name and business name
  • Email address and phone number (including WhatsApp number)
  • Physical or postal address
  • Payment information (processed through third-party payment providers; we do not store raw card data)
  • Business details including industry, social media handles, and website requirements
  • Logos, photos, videos, and other brand assets you supply for website development
  • Written content, pricing information, and product/service descriptions you provide
  • Communications and correspondence with our team
  • Contact-form submissions (your name, email, phone, business, and message)
  • Messages you send to our website's AI assistant

3.2 Information Collected Automatically

When users interact with websites or applications hosted by GraniteMind AI, we and our hosting partners may automatically collect:

  • IP address and approximate geographic location
  • Browser type, version, and operating system
  • Device type and screen resolution
  • Pages visited, time on page, and navigation paths
  • Referring website or source (e.g., Facebook, Google)
  • Date and time of access
  • Cookies and similar tracking technologies (see Section 8)

3.3 Information from Third Parties

We may receive information about you from:

  • Facebook, Instagram, LinkedIn, and other social media platforms when you engage with our advertising
  • Meta Pixel data from users who visit GraniteMind AI or client websites
  • Referral partners and business associations
  • Payment processors (EcoCash, Paynow, Innbucks, and card processors)

3.4 Sensitive Information

GraniteMind AI does not intentionally collect sensitive personal information such as national identification numbers, health data, or financial account credentials. If you share such information inadvertently, please notify us immediately at privacy@granitemind.ai and we will delete it promptly.

4. How We Use Your Information

We process personal information only for the purposes described below, on the following legal bases:

PurposeData UsedLegal Basis
Providing web & app development servicesName, contact, business info, assetsContract performance
Processing payments and issuing invoicesName, contact, payment detailsContract performance
Client communication and project updatesName, email, WhatsApp numberContract performance
Responding to enquiries via our contact formName, email, phone, messageLegitimate interest
Operating our website's AI assistantMessages you send to the assistantLegitimate interest
Hosting and maintaining client websitesTechnical and usage dataContract performance
Sending marketing and promotional contentEmail, WhatsApp, social media handlesLegitimate interest / Consent
Running targeted advertising on Meta, LinkedInBehavioral data via Pixel and ad platformsLegitimate interest
Improving our services and toolsAggregated usage and performance dataLegitimate interest
Legal and regulatory complianceAll relevant data as requiredLegal obligation
Fraud prevention and securityIP address, device, access logsLegitimate interest

5. How We Share Your Information

GraniteMind AI does not sell your personal data. We share information only in the following limited circumstances:

5.1 Service Providers & Technology Partners

We use the following third-party services to deliver our products. Each operates under its own privacy policy:

  • Vercel — hosting and global delivery of the GraniteMind AI website
  • Google Workspace — our business email (receiving)
  • Resend — outbound and transactional email, including contact-form submissions
  • Google (Gemini AI) — powers our website's AI assistant; messages you send to the assistant are processed to generate replies
  • ElevenLabs — text-to-speech for the assistant's optional voice playback
  • Supabase — secure backend and database infrastructure for the applications we build
  • Base44 — AI application builder used for some budget website builds (Launch track)
  • Apple Inc. — App Store publishing and distribution for iOS applications
  • Google LLC — Google Play Store publishing; Google Analytics for usage tracking
  • Meta Platforms (Facebook/Instagram) — advertising platform and Meta Pixel
  • EcoCash / Paynow / Innbucks — local Zimbabwean payment processing
  • WhatsApp (Meta) — primary client communication channel
  • Trello / Notion — internal project management tools

5.2 Client Websites & End-Users

When we build a website or application for a client, the client becomes the data controller for their end-users' data. GraniteMind AI acts as a data processor on behalf of the client. Clients are responsible for maintaining their own privacy policies governing their end-users. We provide clients with guidance on their obligations upon project handover.

5.3 Legal Requirements

We may disclose personal information where required by law, court order, or lawful request from a regulatory authority in Zimbabwe or another applicable jurisdiction.

5.4 Business Transfers

In the event of a merger, acquisition, or sale of all or part of our business assets, personal data may be transferred to the acquiring entity, subject to equivalent privacy protections.

6. Data Retention

We retain personal data only for as long as necessary to fulfil the purposes for which it was collected. Our retention schedule is as follows:

Data TypeRetention PeriodReason
Client contracts and project records7 yearsLegal/tax compliance
Payment and invoice records7 yearsFinancial regulations
Client contact information (active)Duration of relationship + 2 yearsBusiness continuity
Client brand assets (logos, photos, etc.)Duration of hosting + 6 monthsWebsite maintenance
Website usage and analytics data26 months (Google Analytics default)Performance analysis
Marketing inquiries (non-converting leads)12 monthsSales follow-up
WhatsApp communications2 yearsCustomer service records
Security and access logs90 daysSecurity monitoring

7. Your Rights

As a data subject, you have the following rights in relation to your personal information held by GraniteMind AI:

  • Right of AccessYou may request a copy of the personal data we hold about you.
  • Right to RectificationYou may ask us to correct inaccurate or incomplete information.
  • Right to ErasureYou may request deletion of your personal data, subject to our legal retention obligations.
  • Right to Restrict ProcessingYou may ask us to pause processing of your data in certain circumstances.
  • Right to Data PortabilityYou may request your data in a structured, commonly used format.
  • Right to ObjectYou may object to processing based on legitimate interest, including direct marketing.
  • Right to Withdraw ConsentWhere processing is based on consent, you may withdraw it at any time without affecting prior processing.

To exercise any of these rights, please contact us at privacy@granitemind.ai with the subject line "Data Rights Request". We will respond within 30 days. There is no charge for reasonable requests.

Please note: some rights may be limited where we have a legal obligation to retain data (e.g., financial records required by Zimbabwean tax law).

8. Cookies & Tracking Technologies

GraniteMind AI and the websites we host for clients use cookies and similar technologies to improve functionality and measure performance. The categories of cookies used are:

CategoryPurposeExamples
EssentialRequired for the website to function. Cannot be disabled.Session management, security tokens, login state
PerformanceTrack how visitors use the site to improve user experience.Google Analytics, page load metrics, error tracking
MarketingEnable targeted advertising and measure campaign effectiveness.Meta Pixel, Facebook Conversion API, ad attribution
FunctionalRemember user preferences and improve personalisation.Language settings, previously viewed products, region

You can manage your cookie preferences through your browser settings. Most browsers allow you to refuse or delete cookies. Note that disabling certain cookies may affect website functionality. For client websites, specific cookie consent mechanisms are implemented as part of each project.

9. Data Security

GraniteMind AI implements appropriate technical and organisational measures to protect your personal data against unauthorised access, loss, alteration, or disclosure. Our security practices include:

  • All websites hosted on our infrastructure use HTTPS/SSL encryption as standard
  • Access to client data and project files is restricted to authorised personnel only
  • Payment processing is handled exclusively by PCI-DSS compliant third-party providers
  • Our website and applications run on managed, redundant cloud infrastructure (Vercel and Supabase) with version control and automated backups
  • WhatsApp Business and client communication channels use end-to-end encryption
  • Two-factor authentication is enforced on all publishing accounts (Apple Developer, Google Play Console)
  • Project management tools (Trello/Notion) are access-controlled per project

Despite these measures, no system is entirely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify affected individuals and relevant authorities promptly in accordance with applicable law.

10. International Data Transfers

GraniteMind AI is based in Zimbabwe. Some of our third-party service providers operate outside Zimbabwe — primarily in the United States and the European Union — including Vercel, Google (Workspace, Analytics, and Gemini AI), Meta Platforms, Apple Inc., Resend, ElevenLabs, Supabase, and Base44. When we transfer your data to these providers, we ensure appropriate safeguards are in place through:

  • Standard contractual clauses or data processing agreements with each provider
  • Use of services that have undergone recognised international privacy certifications
  • Compliance with the privacy terms of each provider as set out in Section 5.1

By using our services, you acknowledge that your data may be transferred to and processed in countries outside Zimbabwe, including countries with different data protection standards.

11. Children's Privacy

Our services are not directed at children under the age of 13, and we do not knowingly collect personal information from children under 13. If we become aware that we have inadvertently collected data from a child under 13, we will delete it immediately.

For client websites that serve audiences including minors (e.g., schools, children's retailers), we require the client to implement age-appropriate privacy notices and obtain necessary parental consent as part of their own data controller obligations.

12. Third-Party Links & Embedded Services

Websites and applications built by GraniteMind AI may include links to third-party websites, social media platforms, or embedded services (such as Google Maps, WhatsApp chat buttons, or payment gateways). Once you leave a GraniteMind AI hosted site via such a link, this Privacy Policy no longer applies. We recommend reviewing the privacy policies of any third-party service you use.

Common third-party integrations in our client sites include:

  • WhatsApp Business API — for click-to-chat functionality
  • Google Maps — for business location display (governed by Google's Privacy Policy)
  • EcoCash / Paynow / Innbucks — for online payments (governed by each provider's policy)
  • Facebook/Instagram social sharing buttons — subject to Meta's Data Policy

13. Marketing Communications

With your consent or where we have a legitimate interest, we may send you:

  • Updates about new GraniteMind AI services and pricing
  • Portfolio showcases and case studies
  • Industry tips and digital marketing resources
  • Promotional offers and seasonal campaigns

We primarily communicate via WhatsApp Business and email. You may opt out of marketing communications at any time by:

  • Replying "STOP" to any WhatsApp broadcast message
  • Clicking the unsubscribe link in any email
  • Contacting us directly at privacy@granitemind.ai

Opting out of marketing will not affect your receipt of service-related communications (e.g., project updates, invoices, hosting notifications).

14. Client Responsibilities as Data Controllers

When GraniteMind AI builds a website or application for a client, the client assumes the role of independent data controller for their end-users' personal information. Clients are responsible for:

  • Publishing and maintaining a privacy policy on their own website
  • Obtaining necessary consents from their users for data collection activities
  • Complying with applicable laws regarding the data they collect through their site
  • Notifying GraniteMind AI of any data subject requests related to hosted sites
  • Ensuring contact forms, booking systems, and e-commerce checkouts comply with applicable regulations

GraniteMind AI provides template privacy policy guidance to all clients upon project completion. We recommend clients seek independent legal advice tailored to their specific business and industry.

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or other factors. When we make material changes, we will:

  • Update the "Last Updated" date at the top of this document
  • Post the updated policy on granitemind.ai/privacy
  • Notify active clients via WhatsApp or email where the changes materially affect their rights

Your continued use of our services after any update constitutes acceptance of the revised policy. We encourage you to review this policy periodically.

16. Governing Law & Dispute Resolution

This Privacy Policy is governed by the laws of Zimbabwe. Any disputes arising from this policy or our data processing practices will be subject to the jurisdiction of the courts of Zimbabwe.

If you have a complaint about how we handle your personal data, you should first contact us directly at privacy@granitemind.ai. If your complaint is not resolved to your satisfaction, you may escalate it to the relevant Zimbabwean data protection or consumer protection authority.

17. Contact Us

For all privacy-related matters, please contact our Privacy Officer:

Response time: within 5 business days for general enquiries; within 30 days for formal data rights requests.