Privacy Policy
Effective date: March 1, 2025 · Last updated: March 1, 2025
1. Introduction and Scope
Granite Cloud & Code ("Company," "we," "us," or "our"), located at 287 Winona Road, New Hampton, NH 03256, operates the website at granitecloud.io (the "Site") and provides professional web design, development, and cloud hosting services (collectively, the "Services"). This Privacy Policy (this "Policy") describes how we collect, use, disclose, retain, and protect personal information about individuals who visit the Site or use the Services ("you" or "your").
This Policy does not apply to information processed by us on behalf of our clients as a service provider or data processor — such processing is governed by the applicable service agreement between Company and the relevant client.
By accessing the Site or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with our practices, please discontinue use of the Site and Services.
2. Information We Collect
2.1 Information You Provide Directly
Account Registration. When you create a client portal account, we collect your full name, email address, and a password (stored using bcrypt hashing; we never store plaintext passwords). If you enable two-factor authentication, we also store a two-factor secret and encrypted recovery codes.
Communications. When you contact us by email, phone, or other means, we collect the information you provide, which may include your name, email address, phone number, and the content of your inquiry.
Client Engagements. In the course of providing Services, you may provide us with business information, project assets, login credentials, and other materials. Such information is used solely to perform the contracted Services and is subject to the confidentiality obligations in your service agreement.
2.2 Information Collected Automatically
Session and Log Data. When you access the Site or client portal, our servers and session management infrastructure automatically record certain information, including your Internet Protocol (IP) address, browser type and version, operating system, referring URL, pages requested, and the date and time of each request. Authenticated sessions additionally record your user ID and user agent string in our session store.
Cookies and Similar Technologies. We use cookies as described in Section 5 of this Policy.
3. How We Use Personal Information
We use the personal information we collect for the following purposes:
- Account Management: To create and maintain your client portal account, authenticate your identity, and manage your account settings and preferences.
- Service Delivery: To provide, operate, maintain, and improve the Services we have contracted to provide.
- Transactional Communications: To send account-related notifications, including email address verification, password reset instructions, and security alerts.
- Security and Fraud Prevention: To monitor for unauthorized access, detect and investigate suspicious activity, enforce our Terms of Service, and protect the rights, property, and safety of the Company and its users.
- Legal Compliance: To comply with applicable laws, regulations, legal process, or governmental requests.
- Business Operations: To maintain records for accounting, tax, and business administration purposes.
We do not sell, rent, or otherwise trade your personal information to third parties for their own marketing purposes. We do not use your personal information for behavioral advertising.
4. Disclosure of Personal Information
We may disclose your personal information in the following circumstances:
4.1 Service Providers. We share personal information with third-party vendors and service providers who perform functions on our behalf, subject to confidentiality obligations and restrictions on use consistent with this Policy:
| Provider | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure and hosting | IP addresses, server logs, hosted application data | aws.amazon.com/privacy |
| Mailgun (Sinch) | Transactional email delivery | Email address, message content | mailgun.com/privacy-policy |
4.2 Legal Requirements. We may disclose personal information if we reasonably believe disclosure is required to: (a) comply with applicable law, regulation, legal process, or a valid governmental request; (b) enforce our Terms of Service or other agreements; (c) detect, prevent, or address fraud, security, or technical issues; or (d) protect the rights, property, or safety of the Company, our users, or the public.
4.3 Business Transfers. In the event of a merger, acquisition, reorganization, sale of assets, or bankruptcy, personal information may be transferred as part of that transaction. We will provide notice before personal information becomes subject to a materially different privacy policy.
4.4 With Your Consent. We may disclose personal information for any other purpose with your prior express consent.
5. Cookies
We use the following cookies on the Site and client portal:
| Category | Cookie / Identifier | Purpose | Duration |
|---|---|---|---|
| Strictly Necessary | Session cookie (named after application) | Maintains authenticated session state; required for login functionality | Session (deleted on browser close or after 120 minutes of inactivity) |
| Strictly Necessary | XSRF-TOKEN | Cross-site request forgery (CSRF) protection | Session |
| Functional | appearance | Stores your display theme preference (light, dark, or system) | Persistent (1 year) |
| Functional | sidebar_state | Stores your sidebar expanded/collapsed preference in the client portal | Persistent (1 year) |
We do not use analytics cookies, advertising cookies, or any third-party tracking cookies. You may configure your browser to block or delete cookies; however, disabling strictly necessary cookies will impair your ability to use the authenticated portions of the Site.
6. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, unless a longer retention period is required or permitted by applicable law.
| Data Type | Retention Period | Basis |
|---|---|---|
| Account data (name, email, hashed password) | Duration of account + 30 days after deletion request | Service provision |
| Session records (IP address, user agent) | 120 minutes after last activity | Security and authentication |
| Password reset tokens | 60 minutes from issuance or until used | Security |
| Server access logs | 90 days | Security and debugging |
| Business records and correspondence | 7 years | Legal and tax obligations |
When personal information is no longer required for the purposes for which it was collected, we will securely delete, anonymize, or render it inaccessible.
7. Data Security
We implement commercially reasonable administrative, technical, and physical security measures designed to protect personal information from unauthorized access, use, disclosure, alteration, or destruction, including:
- Encryption of data in transit via TLS/HTTPS;
- Bcrypt hashing of passwords (minimum cost factor of 12);
- HttpOnly and SameSite cookie attributes to mitigate cross-site scripting and CSRF attacks;
- Access controls and principle of least privilege for systems handling personal data;
- AWS infrastructure security controls, including VPC isolation and IAM policies.
Notwithstanding the foregoing, no method of transmission over the Internet or method of electronic storage is completely secure. We cannot guarantee absolute security, and you transmit personal information at your own risk. If you discover a security vulnerability, please report it promptly to info@granitecloud.io.
8. Your Rights and Choices
8.1 General Rights. Subject to applicable law, you may have the right to:
- Access: Request confirmation of whether we process your personal information and obtain a copy of such information.
- Correction: Request correction of inaccurate or incomplete personal information. You may update most account information directly through your account settings.
- Deletion: Request deletion of your personal information, subject to any legal obligations requiring us to retain certain data.
- Restriction: Request that we restrict processing of your personal information in certain circumstances.
- Portability: Request a copy of your personal information in a structured, commonly used, machine-readable format.
8.2 California Residents (CCPA/CPRA). If you are a California resident, you have the following additional rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act:
- The right to know the categories and specific pieces of personal information we have collected about you;
- The right to know the categories of sources from which personal information is collected, the business or commercial purpose for collecting it, and the categories of third parties with whom it is shared;
- The right to delete personal information we have collected, subject to certain exceptions;
- The right to correct inaccurate personal information;
- The right to opt out of the sale or sharing of personal information — we do not sell or share personal information as defined by the CCPA;
- The right to non-discrimination for exercising your privacy rights.
Categories of personal information collected in the preceding 12 months and the purposes for which each category is used:
| CCPA Category | Examples Collected | Business Purpose |
|---|---|---|
| Identifiers | Name, email address, IP address | Account management, security, service delivery |
| Internet / Electronic Network Activity | Browser type, pages visited, session data | Security, fraud prevention, service operation |
| Inferences | UI theme and sidebar preferences | Personalization of portal experience |
8.3 Exercising Your Rights. To submit a request to exercise any of the rights described above, please contact us at info@granitecloud.io with the subject line "Privacy Request." We will respond to verifiable requests within thirty (30) days. We may need to verify your identity before processing your request. We will not discriminate against you for exercising your rights.
9. Children's Privacy
The Site and Services are not directed to, and we do not knowingly collect personal information from, children under the age of thirteen (13). If we become aware that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete such information promptly. If you believe we may have collected information from a child under 13, please contact us at info@granitecloud.io.
10. Third-Party Links
The Site may contain hyperlinks to third-party websites or services that are not operated by us. We have no control over, and assume no responsibility for, the content, privacy policies, or practices of any third-party websites or services. We encourage you to review the privacy policies of any third-party website you visit.
11. Changes to This Policy
We reserve the right to modify this Policy at any time. If we make material changes, we will notify you by posting the revised Policy on the Site with an updated effective date and, where appropriate, by sending an email notification to registered account holders. Your continued use of the Site or Services after the effective date of any modification constitutes your acceptance of the revised Policy. If you do not agree to the modified Policy, you must discontinue use of the Site and Services.
12. Contact Information
If you have questions, concerns, or requests regarding this Policy or our privacy practices, please contact us at:
Granite Cloud & Code
Attn: Privacy
287 Winona Road
New Hampton, NH 03256
info@granitecloud.io
(603) 800-1464