Graze
    MarketplaceHelpBlogAboutLogin
    What are you waiting for?
    Let's get
    building.
    Join 5,000+ curators
    Start building free
    Stay in the know
    Follow on BlueSkyJoin the Discorddiscord_fillSubscribe to the newsletter
    Company
    AboutBlogPressContact
    Support
    Community GuidelinesDocsSite StatusHelp CenterFeature Requests
    Legal
    Privacy PolicyTerms & Conditions
    © 2025 Graze.social. All rights reserved.

    Privacy Policy

    This Privacy Notice explains how Graze Social PBC (“Graze”) collects and treats information through the Graze platform, our website graze.social, and the products and services we offer (collectively, our “Services”). This Privacy Notice is governed by and part of our Terms of Service. Any terms defined in the Terms of Service have the same meaning when used in this Privacy Notice.

    You consent to our privacy practices described in this Privacy Notice by accessing the Services or allowing us to process Personal Data following receipt of a notice from Graze that your Personal Data is included in our records. If you do not agree with this Privacy Notice, do not access or use our Services.

    PRIVACY SUMMARY:

    Our Services provide Users and their companies (“Feed Curators”) with tools to create and monetize custom content feeds (“Feeds”) from publicly available usage and content data on Bluesky (“Bluesky Content”). Our Services are sophisticated, but we aim to keep our privacy practices simple. We offer this summary of our privacy practices to give you a quick overview of how we treat your data:

    • Publicly Available Data. Our Services primarily use publicly available data that has been posted to Bluesky to create Feeds and provide other Services to our Users. We collect Bluesky Content via Bluesky’s AT Protocol. Graze will never collect or disclose Personal Data that was meant to remain private.
    • Notice of Processing. If you post Personal Data to Bluesky, Graze processes your data as Bluesky Content. To opt-out of Graze processing your Personal Data, email legal@graze.social to delete your Personal Data from Graze datasets or to opt-out of future processing by Graze.
    • Graze as Processor. When we process data on behalf of Feed Curators, we act as a processor or service provider to Feed Curator.
    • Graze as Controller. When we process Personal Data for our own purposes, we do so as a data controller. This Privacy Notice primarily describes this type of processing.
    • Your Privacy Rights. Graze welcomes your requests to restrict our use or processing of your Personal Data as provided under your privacy rights (see Section 6).
    • Users and Personal Data. This Privacy Notice applies to the processing of Personal Data by Graze only. Graze contractually obligates all Users to use the Services in compliance with applicable laws, including privacy laws and the exercise of privacy rights by consumers. However, Graze cannot control how a User ultimately uses the Feeds or other data produced from the Services. Please direct any questions relating to a User’s use of Services to that User.
    • Children’s Privacy. Our Services are designed for adults, not children. Graze does not knowingly collect Personal Data from children under 16, and we will delete that information if we learn we have collected it. If you believe we have received information from a child under 16 or other unauthorized information, please contact legal@graze.social.
    • Updates. We may update this Privacy Notice from time to time. All changes are effective immediately when posted and apply to all access to and use of our Services. Your continued use of our Services following the posting of changes constitutes your acceptance of such changes.

    • If you have questions about this Privacy Notice or any of our Services, please contact us at legal@graze.social.

    1. PERSONAL DATA

      As used in this Privacy Notice, “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. Personal Data falls within certain categories, for example:

      • Identifiers (e.g., name, email, telephone number, address, username);

      • Sensitive Personal Data (e.g., government identification number; precise geolocation; racial or ethnic origin; religious beliefs; health data; contents messages when Graze is not the recipient);

      • Legally protected information (e.g., race, citizenship, marital status, sex);

      • Employment-related information (e.g., current or past employment);

      • Non-public educational information, including information protected under the Family Educational Rights and Privacy Act (20 U.S.C. § 1232g, 34 C.F.R. Part 99);

      • Biometrics (e.g., DNA, face/voice prints, health data) and audio, electronic, visual, thermal, or olfactory information;

      • Commercial information (e.g., products or services purchased, obtained, or considered, or other purchasing or consuming histories or tendencies);

      • Internet or other similar activity (e.g., browsing history; content interactions); and

      • Inferences drawn from Personal Data to create a profile about preferences, characteristics, trends, predispositions, behavior, attitudes, intelligence, and aptitudes.

      Not all information is protected as Personal Data under privacy laws. Information may not be covered by the privacy laws applicable to you if it is: (a) publicly available; (b) aggregated information, meaning data summaries or reports with the Personal Data removed; or (c) anonymized or de-identified.

    2. COLLECTION AND USE OF PERSONAL DATA

      Graze may collect Personal Data with your consent, with a legitimate interest, or as authorized or required by law. We only collect, use, retain, and disclose Personal Data as is adequate and relevant to the specific, express purposes described below or as reasonably necessary and proportionate to provide our Services or for other purposes that we disclose to you and are compatible with the context of how we collected your Personal Data.

      Categories of Personal Data: Over the last 12 months, we have collected identifiers, commercial information, internet or similar activity, and inferences.

      Sources of Collection: Graze collects Personal Data through our website, your Graze account, and your use of our Services, as detailed below:

      • Bluesky. Graze collects Bluesky Content, including any Personal Data users of Bluesky may post. Graze then processes the Bluesky Content to derive patterns, produce datasets, and to produce Feeds and related Services for our Users. Bluesky makes the Bluesky Content available to Graze via Bluesky’s AT Protocol system under Bluesky’s privacy practices.
      • Your Bluesky Account. Users sign up and sign into the Services using their Bluesky logins. This allows Graze to access the User’s profile information, Bluesky feeds, and engagement metrics in accordance with Bluesky’s terms and your privacy settings. By signing in with your Bluesky login, you consent to link your Bluesky account to the Services and to Graze automatically collecting your Personal Data from your Bluesky account. We collect this information with your consent, and we use it to provide you with the Services you request, run analytics, and produce derivative datasets and content.
      • Your Use of Editor. When a User interacts with the Editor, Graze collects commercial history, internet activity, and inferences in the form of the User’s content selections, filters, and campaign objectives. In addition to your consent provided as a User of the Services, Graze collects this information to achieve our legitimate interests of providing you with the Services and improving our technology and delivery of the Services to Users. If the User opts in to our marketing communications, we may also use this data to market our Services to the User in a manner that reflects their stated preferences.
      • Your Use of Paid Services. If you are a User of Paid Services, Graze will collect the data you submit or disclose via the Services and will process it as necessary to provide you with the customized Services you have selected. Graze provides Paid Services as a service provider or data processor to the User. The data collected for Paid Services is typically technical data and publicly available data only. If and to the extent that Graze agrees to process Personal Data on behalf of a User, Graze does so as a service provider or processor to the User. Please direct any questions about use of Personal Data in a Campaign or related Services to the applicable User.
      • Payment Processing. Graze works with a secure third-party payment processor to collect and process User billing address, payment card details, and other financial information. This information is used by the payment processor to process payments and to comply with applicable fraud prevention requirements. This information is processed with the User’s consent, and we use it to provide the requested Services.

      • Your interactions with Graze. If you request information about our Services or contact us for customer support, we will collect your contact information and other details you provide, and we will use it to respond to your inquiry. If you register as a User, we will also collect information about your Bluesky account and company (if applicable). If you complete a survey, we will collect your responses with your consent and we will use the information you provide in your responses to improve our Services. By including Personal Data in your communication to Graze, you consent to this processing. If you do not want us to process your Personal Data, please omit it from your communication to Graze.

        If you opt-in to receive marketing communications from Graze, we may use the Personal Information in these communications to send you marketing messages about Graze and the Services we offer. If you opt out of Graze marketing, we will not use your Personal Information for marketing purposes.

      • Technical Data and Cookie Use. Graze automatically collects technical data from your use of the website and our Services, such as your IP address, browser type, operating system, device details, and pages visited. We may also collect data about your interactions with content on the Services, Feeds created, or Campaigns launched.
        Graze uses essential cookies and related technology to collect and process this data, including:

        • auth-cookie and user-id for User identification
        • sidebar:state to determine if the sidebar of the User interface is collapsed or expanded
        • stripe_mid and stripe_sid for our third-party payment processor

        Graze does not use any non-essential cookies.

      Graze will not collect additional categories of Personal Data or use already collected Personal Data for purposes that are materially different, unrelated, or not reasonably necessary or compatible with the original purpose without notice and consent to you as required by law. Graze might also use your Personal Data to:

      • Monitor your compliance with any of your agreements with us

      • Protect your privacy and enforce this Privacy Notice

      • If we believe it is necessary, to identify, contact, or bring legal action against persons or entities who may be causing injury to you, to us, or to others

      • Comply with a law, regulation, legal process, or court order

      • Fulfill any other purpose to which you consent

    3. DATA DISCLOSURES

      Graze will only disclose Personal Data to third parties as described in this section, with permission, or as required by law. In the preceding 12 months, Graze has disclosed Personal Data for business purposes to the following recipients:

      • Graze Users. Users can use Graze to produce Bluesky Feeds from processed and curated Bluesky Content. Feeds produced for Users by Graze may include Personal Data within the Bluesky Content that was posted and made publicly available for collection and processing by Graze via the Bluesky API and Bluesky’s privacy practices.
      • Service Providers. Graze’s third-party service providers (e.g., data hosting companies, analytics services, fraud prevention vendors, and payment processors) may have access to your Personal Data to perform their contractual obligations to us. The type of information that we disclose to a service provider will depend on the service that they provide to us. Our service providers are subject to contractual agreements that protect your Personal Data, and we require all service providers to maintain confidentiality standards and organizational measures to ensure the security of your Personal Data. Our service providers are prohibited from selling or disclosing the Personal Data we provide.
      • Affiliates. Graze may disclose the information we collect from you to our affiliates or subsidiaries following applicable privacy laws.

      • Other Third Parties, as permitted by applicable law. For example: if we go through a business transition (e.g., merger, acquisition, or sale of a portion of our assets); to comply with a legal requirement or a court order; when we believe it is appropriate to take action regarding illegal activities or prevent fraud or harm to any person; to exercise or defend our legal claims; or for any other reason with your consent.

      • Law enforcement, and other governmental agencies, at our sole discretion in connection with an investigation of any matter that is illegal or that could expose Graze or our affiliates or subsidiaries to liability.

      Graze reserves the right to disclose aggregated, anonymized, or de-identified information about any individuals with non-affiliated entities for research, product development, marketing, or other purposes, without restriction.

    4. DATA RETENTION

      The data we collect and process is retained as an essential asset to our provision of Services as long as it serves a legitimate interest. If we learn that any data is inaccurate or stored or used unlawfully, we will correct or delete that data as required by law and our company policies. Personal Data associated with a User’s account is retained while that account remains active and is deleted within 90 days after account closure. We retain data collected from cookies and similar technologies for trends analysis and data security purposes for up to 24 months or according to the cookie hosting entity’s policies. We reserve the right to retain data, including Personal Data, for longer periods if it is critical to our business and securely stores that retained data. We regularly review and delete or deidentify unnecessary data.

    5. YOUR PRIVACY CONTROLS

      Graze provides the following methods and to directly control how we collect and use your Personal Data, including but not limited to:

      • Bluesky User Opt-Outs. If you post Personal Data to Bluesky, Graze will process it as Bluesky Content unless and until you ask us to delete your Personal Data or filter it from future processing. To request that Graze delete your Personal Data from our datasets and/or opt-out of future processing of your Personal Data, email your request to legal@graze.social.
      • Your Graze Account. Users can access, correct or update the Personal Data associated with their account at any time through the Services. If you need assistance, please contact legal@graze.social.
      • Emails. If you inquire about our Services, we may use your contact information to send you marketing emails in compliance with applicable law. You can opt-out of receiving these communications at any time by clicking the “Unsubscribe” button contained in any email or by sending a request to legal@graze.social.
      • Device Settings. You can control the data we collect through automated means by adjusting your device settings, such as blocking cookies or installing a third-party plugin to control how cookies interact with your device. If you block essential cookies, the Services may not function.
      • Do Not Track. Do Not Track signals are signals sent through a browser informing us that you do not want to be tracked. Currently, our systems do not recognize browser “do-not-track” requests. You may, however, disable certain tracking as discussed below.
      • Submit a Privacy Request. To exercise your privacy rights, express concerns, lodge a complaint, or request information, please contact Graze at legal@graze.social. Graze can only fulfill a Privacy Request where we are the controller of the Personal Data and when we have sufficient information to verify that the requester is the person or an authorized representative of the person about whom we have collected Personal Data, and to properly understand, evaluate, and respond to the request. We do not charge a fee to process or respond to a request unless we have legal grounds to do so. We endeavor to respond to Privacy Requests following the requirements of the law applicable to your jurisdiction. Graze will fulfill privacy requests as required by applicable law.
        To exercise privacy rights related to Personal Data about you that Graze processes as a processor to a User, please direct your request to the User.
    6. NOTICE OF PRIVACY RIGHTS
      1. United States Consumer Privacy Rights

        In the United States, consumer privacy is governed by federal privacy laws covering specific industries or data uses and state privacy laws providing general consumer privacy rights. This section provides a notice of privacy rights under the privacy laws of U.S. states that provide consumer privacy protections. Residents of states offering privacy protections (each a “Consumer”) may have some or all the following rights over their Personal Data:

        • Right to Correct. If you become aware that the Personal Data that we hold about you is incorrect, or if your information changes, please inform us and we will update our records.
        • Right to Deletion. You may request that we delete the Personal Data that we collected and retained, with certain exceptions. Graze may permanently delete, deidentify, or aggregate Personal Data in response to a request for deletion.
        • Right to Access. You may request confirmation that we have collected Personal Data about you and that we provide you with access to that Personal Data. If you submit an access request, we will provide you with copies of the requested pieces of Personal Data in a portable and readily usable format. Please note that Graze may be prohibited by law from disclosing certain pieces of Personal Data, and we may be limited in the number or frequency of requests we must fulfill.
        • Right to Disclosure. You may have the right to request that we disclose information to you about our collection and use of your Personal Data, such as: (i) the categories of Personal Data we have collected about you; (ii) the categories of sources for the Personal Data we have collected about you; (iii) our business purpose for collecting, using, processing, sharing or selling that Personal Data, as applicable; (iv) the categories of third parties with whom we share that Personal Data; and (v) if we sold or shared your Personal Data under applicable law, two separate lists stating: (y) sales or sharing, identifying the Personal Data categories that each category of recipient purchased; and (z) disclosures for a business purpose, identifying the Personal Data categories that each category of recipient obtained. Certain laws may limit the number or frequency of requests we must fulfill.
        • Limited Use and Disclosure of Sensitive Personal Data. You may have the right to opt out or limit our use of your sensitive Personal Data. Please note that Graze does not purposely collect Personal Data that qualifies as “sensitive” under privacy laws and in no case would Graze disclose sensitive Personal Data for the purpose of inferring characteristics about you.
        • Selling or Sharing Personal Data. Some states entitle consumers to opt out of the sale or sharing of Personal Data or targeted advertising practices. Graze does not sell your Personal Data or share your Personal Data with third parties for cross-contextual behavioral advertising purposes. However, the inclusion of Personal Data in the Bluesky Content we process to provide our Services may qualify as a “sale” under certain privacy laws. To opt-out of Graze processing your Personal Data, please email an opt-out request to legal@graze.social.
        • Right to Opt-Out of Profiling. You have the right to opt-out of automated profiling. Graze builds profiles from publicly available Personal Data contained in Bluesky Content to evaluate, analyze, or predict your interests and preferences in order to produce curated Feeds, perform analytics, produce datasets, or for related purposes. You can opt-out of your Personal Data being processed in this manner by emailing legal@graze.social with a message that you wish to opt-out of profiling.

        • Right to Nondiscrimination. We will not discriminate against you for exercising your privacy rights. For example, unless permitted by law we will not: (i) deny you goods or services; (ii) charge you different prices or rates for goods or services; (iii) provide you a different level or quality of goods or services; (iv) retaliate against you as an employee, applicant for employment, or independent contractor for exercising your privacy rights; or (v) suggest that you may receive a different price or rate for goods or services or a different level or quality of goods or services, because you exercised a right under applicable privacy laws.

        • Health Data Rights. Some state laws entitle consumers to certain details about health data collected about them, including (i) confirmation of whether the entity collects, shares, or sells the consumer’s health data and access that data, including a list of all third parties and affiliates with whom the entity has shared or sold the health data and a method to contact those third parties, (ii) a method to withdraw consent related to use of health data, and (iii) the right to have their health data be deleted. Graze does not intend to collect any health data. However, if a Bluesky user includes health data in a public post on Bluesky, that health data may be collected and processed as Bluesky Content and may be included in the Feeds generated through our Services. A Bluesky user can request that Graze delete the health data and/or filter it out of future processing by emailing a request to legal@graze.social.

        • Right to Disclosure of Marketing Information. California’s Shine the Light Act (Civil Code sections 1798.83-1798.84) entitles California residents to request certain disclosures regarding Personal Data sharing with affiliates and/or third parties for marketing purposes.

        Consumers may exercise these rights by submitting a verifiable privacy request to legal@graze.social. We will respond within the legally required timeline to the extent the applicable law applies to you and our business activities. If your Privacy Request is not addressed in a timely manner, you can appeal it by contacting legal@graze.social.

      2. Canadian Privacy Rights

        This notice of Canadian Privacy Rights relates to Canada’s Personal Data Protection and Electronic Documents Act (“PIPEDA”). This section applies solely to residents of Canada where PIPEDA applies. PIPEDA grants specific rights regarding Personal Data offering details on an identifiable person without the inclusion of name, title, telephone number, and business address of an employee of a business or organization. The following paragraphs describe PIPEDA rights and explain how to exercise those rights.

        • Right to know why we collect, use, and distribute the Personal Data we process. We have set the required notices in this Privacy Notice. We may provide you with additional notices about other ways we process your Personal Data, such as by sending you a notice via email or by other means of communication.

        • Right to expect us to collect, use, or disclose Personal Data responsibly and not for any other purpose other than which you consented. We set your expectations in this Privacy Notice and collect express or implied consent at various stages of collection or processing. If we collect or use your Personal Data based on your consent, we will also notify you of any changes and will request your further consent as needed. You may withdraw your consent at any time with reasonable notice by contacting us at legal@graze.social.

        • Right to accuracy of your Personal Data. Please notify us if your Personal Data on our systems is not current, complete, and accurate. We will reasonably assist you to ensure that your Personal Data is accurate in our systems and with our service providers.

        • Right to access your Personal Data. Upon written request and identity authentication, we will provide you with copies of your Personal Data under our control, information about the ways in which that information is being used and a description of the individuals and organizations to whom that information has been disclosed. Some Personal Data may be unavailable if we are limited by law or determine there is a potential for infringement on another’s privacy rights. If we must refuse an access request, we will notify you in writing, document the reasons for refusal, and outline further steps that are available to you.

      3. European and United Kingdom Privacy Rights

        We adopted this section to comply with the General Data Protection Regulations (“GDPR”) and its counterpart regulation applicable to residents of the United Kingdom. This section applies solely to residents of the European Economic Area and the United Kingdom. If you are subject to GDPR protections, you have the following privacy rights:

        • Right to know how we process your Personal Data. We have set the required notices in this Privacy Notice, and we may provide you with additional notices about other ways we process your Personal Data.

        • Right to rectify your Personal Data. Please notify us if you become aware that the Personal Data that we hold about you is incorrect or if your information changes and we will update our records.

        • Right to restrict processing of your Personal Data. You can request that we restrict the processing of your Personal Data if: (i) the data is inaccurate; (ii) the processing is unlawful; (iii) we no longer need the Personal Data; or (iv) you exercise your right to object.

        • Right to access your Personal Data. You can request to access your Personal Data. Upon request, we will provide you with a copy of your Personal Data, along with details about the types of Personal Data we process, why we process it, and any third parties we work with to collect Personal Data on our behalf. We may have one or more legally valid reasons to refuse your request in whole or in part, for example, to protect the rights of other individuals.

        • Right to erasure (a.k.a. the “right to be forgotten”). Upon request, we will delete your Personal Data under certain circumstances and where required by law. This right is not absolute, and we may be entitled to retain and process your Personal Data despite your request. If you make this request, we balance certain legal, contractual, and business interests against your right to request the deletion of your Personal Data.

        • Right to data portability. In some circumstances, we are required to provide your Personal Data to another organization at your request and in a structured, commonly used machine-readable format, so that the other organization can read and use it.

        • Right to object to certain processing of your Personal Data. Upon your request, and in certain circumstances and where we are required to do so by law, we will limit our processing of your Personal Data as you request.

        • Right to not be subject to Automated Decision-Making (“ADM”). Graze does not use ADM in a manner that produces legal effects concerning or significantly affecting any individual.

        If you are subject to GDPR protections and you believe we are unlawfully processing your Personal Data, you have the right to complain to your local data protection supervisory authority. If you are a resident in Switzerland, you have the right to complain to the Swiss data protection authorities.

      4. Supplemental Notices

        In addition to the above notices of privacy rights and details about our privacy practices described in this Privacy Notice, Graze provides the following supplemental notices of privacy practices for the jurisdictions listed below:

        • France. In addition to the European Union Privacy Rights listed above, you have the right to provide us with general or specific instructions for the retention, deletion, and communication of your Personal Data after your death. The specific instructions are only valid for the processing activities mentioned therein and the processing of these instructions is subject to your specific consent. You may amend or revoke your instructions at any time. You may designate a person responsible for the implementation of your instructions. This person will be informed of your instructions in the event of your death and be entitled to request their implementation from us. In the absence of designation or, unless otherwise provided for, in the event of the death of the designated person, their heirs will have the right to be informed of your instructions and to request their implementation from us. To issue instructions, contact legal@graze.social.
        • Mexico. This Personal Notice is available in Spanish upon request. In case of dispute, the Spanish version of this Personal Notice shall prevail. The type of Personal Data we use, purpose of processing, and cookie information is listed above in this Personal Notice. In general, we do not require your consent to transfer your Personal Data. By using the Services and providing us with your Personal Data, you agree to the data transfers detailed in this Personal Notice that require your consent. The above descriptions of privacy rights to access, rectification, erasure, and object apply to residents of Mexico, as does the right to restrict processing to storage only (which includes the limitation to the use and disclosure of your Personal Data), and advertising. You also have the right to revoke the consent that you have provided us to process your Personal Data. To exercise any of your rights, contact legal@graze.social.
        • Hong Kong. As a Hong Kong data subject, you have legal rights in relation to the Personal Data we hold about you (to the extent permitted under applicable laws and regulations). You are entitled to make a Privacy Request to receive a copy of the Personal Data we process about you, a data correction request as well as a right to reject the use of your Personal Data for direct marketing purposes. We may charge a fee for a Privacy Request for access.
        • China Mainland. Graze will only collect and use your Personal Data with your consent or with another lawful basis as described in this Personal Notice. You can withdraw your consent anytime. When you withdraw consent, Graze the Personal Data processing based on your previous consent remains valid. Graze protects your Personal Data subject rights under PRC privacy laws, which includes the right to access, rectify, erase, copy Personal Data, and the like. For more information, see Your Privacy Controls above.
        • Russia. If you are using any Services Russia, by doing so you consent to: (i) the processing of your information in accordance with this Personal Notice for the purposes of the Russian Federal Law No. 152-FZ dated 27 July 2006 “On Personal Data” (as amended) or any replacement regulations; (ii) if legitimate interests, optimization of the Services or carrying out of the contract are mentioned herein, you agree that, for the purposes of Russian law, the consent so provided can be considered an additional ground for processing (meaning that the processing is conducted with your consent) and this consent also covers the processing of any cookies (to the extent that those qualify as personal data under Russian law); (iii) the cross-border transfer of your information to any country where Graze has databases or affiliates, in particular United States or other jurisdictions; (iv) for the purposes of Article 152.1 of the Russian Civil Code, the processing of your image in accordance with this Personal Notice; and (v) for the purposes of Federal Law “On Marketing/Advertising”, that we may share advertising/marketing communications with you, unless you have opted-out from such communications. You have the rights to access, rectification, erasure/deletion, restrict processing to storage only, object, and you can control the use of your Personal Data for advertising purposes. We will update this posting if we materially change this Personal Notice and we may request you to acknowledge such changes. Unless we require your acknowledgment, you shall be deemed to have agreed to the changes if you continue using the Services after the updated posting and any required notification. As regards the representative for Russia, you can contact us at legal@graze.social. Please include the word “Russia” in the subject line.
    7. DATA SECURITY

      Graze has implemented and maintains reasonable and appropriate security procedures and practices to help protect your Personal Data from unauthorized or illegal access, destruction, use, modification, or disclosure. Our security measures are appropriate to the volume, scope, and nature of the Personal Data processed and designed to meet our duty of care with respect to your Personal Data. The Services are designed with data security in mind to continuously protect your data and our systems. Graze maintains internal policies to govern the collection, processing, and handling of data. Access to Personal Data is limited to employees and contractors as needed to perform their job functions. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet these obligations. We also ensure that our employees, contractors, and agents responsible for handling privacy inquiries are informed of applicable legal requirements and we restrict access to those who need that information to process it.

      Please note that no transmission of data over the internet is 100% secure, and Graze cannot guarantee that unauthorized third parties will not defeat our security measures or use your Personal Data for improper purposes. Users are responsible for maintaining the confidentiality of their login credentials and account access.

    8. CROSS-BORDER DATA TRANSFERS

      Graze is owned and operated in the United States. We use technical infrastructure in the United States and other jurisdictions to provide our Services to Users wherever they are located. This means data must sometimes be transferred across jurisdictional boundaries. When your information is moved from your home country to another country, the laws and rules that protect your Personal Data in the country to which your information is transferred may be different from those of the country where you live. For example, if your information is in the United States, it may be accessed by government authorities in accordance with U.S. law.

      Graze is committed to transferring Personal Data using a lawful data transfer mechanism. Specifically, when we transmit data from the EU, UK, or Switzerland to the U.S. or other jurisdictions, we do so pursuant to the standard contract clauses approved by the European Commission and employ those security measures required by the country in question to secure the data. Any such transfer is performed on the legal basis that the transfer is necessary to provide you with the Services.

      Graze does not warrant that the Services are appropriate or authorized for use in any other jurisdictions. Each User is solely responsible for determining whether their use of our Services complies with applicable laws. Your use of our Services constitutes your consent to the transfer and processing of your Personal Data as described in this section.

    9. THIRD-PARTY PLATFORMS

      The Services are available via integrations with Bluesky and third-party websites or platforms. Graze is not responsible for and has no ability to control the privacy and data collection, use, and disclosure practices of any third party. Use of third-party websites or platforms is subject to the third party’s privacy policies and practices, not ours. Graze has no control over any third party’s privacy practices. Please review the privacy policies of such websites and platforms before submitting any information.

    10. DATA BROKER AND REMOVAL SERVICE REQUESTS

      For Data Brokers, Privacy Services, and Authorized Agents

      If you are a data broker, data removal service provider, authorized agent, or privacy compliance service acting on behalf of individuals to submit data removal requests, we provide a dedicated API endpoint to streamline the processing of such requests.

      Please note: To ensure efficient processing and avoid unnecessary manual review, we require that all bulk or automated removal requests from third-party services be submitted through our designated API endpoint rather than through standard support channels or web forms.

      API Documentation and Implementation

      Complete technical documentation for our privacy compliance API, including request formatting, authentication requirements, and response handling, is available at:

      https://www.graze.social/docs/api-documentation-privacy-compliance-endpoints

      Requirements for Third-Party Services

      Organizations submitting requests on behalf of users must:

      • Maintain proper authorization from the individuals they represent
      • Use the documented API endpoint for all automated or bulk requests
      • Include valid email addresses associated with user accounts
      • Comply with applicable data protection regulations including GDPR, CCPA, and other relevant privacy laws

      Processing Timeline

      Requests submitted through the API are processed automatically where possible, with manual review conducted as necessary. We aim to comply with all valid removal requests within the timeframes required by applicable law.

      For questions regarding API access or technical implementation, please contact our privacy team at legal@graze.social.

      Note: This streamlined process is designed to facilitate compliance with data protection regulations while ensuring the security and integrity of our systems. Individual users seeking to exercise their privacy rights should continue to use our standard data removal request process outlined above.

      11. METRICS DISCLOSURE CHART

      Pursuant to the California Consumer Privacy Act, Graze Social PBC provides the following Consumer Requests Metrics. “Requests” refers to all of the following type of requests:

      • Requests to Delete
      • Requests to Know
      • Requests to Know what personal information was sold or shared, and to whom it was sold or shared
      • Requests to opt out of the sale or sharing of personal information
      • Requests to limit the use and disclosure of sensitive personal information
      Requests received from consumers in 2024:
      0
      Requests complied with in whole or in part in 2024:
      0
      Requests denied in 2024:
      0
      Median days taken to respond substantively to Requests in 2024:
      0
      Requests received from consumers in 2025:
      0
      Requests complied with in whole or in part in 2025:
      0
      Requests denied in 2025:
      0
      Median days taken to respond substantively to Requests in 2025:
      0