Privacy Policy
Last updated: 20 April 2026
Grook is a community platform operated from Bangalore, India. This policy describes what we collect, what we don't, how we handle it, and your rights. If anything here is unclear, email support@grook.app — a human will reply.
What we collect
Account information (email address, username, and a bcrypt-hashed password). Content you create (guilds, rooms, posts, messages, uploads). Metadata about your activity (session timestamps, IP address for rate limiting and abuse prevention, device user-agent). Payment identifiers from Stripe if you take creator payouts or make a paid purchase.
What we do not collect
We do not collect government identification, passports, driver's licences, or any state-issued ID. We do not collect biometric data — no face scans, no fingerprints, no voice prints. We do not build behavioural profiles for advertising. We do not embed third-party analytics SDKs that receive user behaviour data.
Direct messages (end-to-end encrypted)
Direct messages are encrypted on your device using the Signal Protocol. Private keys never leave your device. Our servers relay encrypted blobs between participants and cannot decrypt them — not for moderation, not for support, not for any legal request, because we do not hold the keys.
Guild messages
Messages posted in guild rooms are encrypted at rest using per-guild data encryption keys, which are themselves wrapped by a key encryption key held in Google Cloud Secret Manager. Guild messages are visible to guild members and moderators as the room's permissions allow.
Media uploads
Every uploaded image is hash-checked against Microsoft PhotoDNA synchronously before the upload is accepted. Matches trigger immediate deletion, account suspension, and a report to the National Center for Missing and Exploited Children. This check cannot be disabled by any setting. Uploaded media is stored in Google Cloud Storage and served through a Cloudflare-fronted CDN.
Payments
Creator payouts and paid features are processed by Stripe Connect. We never store card numbers, bank account details, tax documents, or identity-verification documents — those remain with Stripe. We store a Stripe Connect account identifier and payout eligibility state.
Hosting
Grook's infrastructure runs on Google Cloud Platform, deployed across multiple regions to serve members near their location. PostgreSQL via Cloud SQL, Redis via Memorystore, and media via Cloud Storage. DNS, CDN, and embed proxying are provided by Cloudflare.
Retention and deletion
Messages you delete are soft-deleted — the content is nulled and the record is retained for moderation audit for 90 days. Account deletion removes personal data within 30 days, excluding data retained to comply with legal obligations (for example, records tied to an NCMEC report). Moderation audit logs are retained for as long as your guild exists.
Your rights
You can request a full export of your personal data at any time. You can request deletion of your account at any time. For now, both requests go to support@grook.app and are fulfilled within 30 days. Once the platform launches, these will also be available as self-service options in settings.
Warrant canary and transparency reports
We publish a warrant canary on the first of every month stating that we have not received any legal process requiring us to surveil our users that we are gagged from disclosing. We publish a quarterly transparency report covering government request volumes, compliance rates, moderation actions, and breach history. Published reports are permanent — we never edit or delete them.
Third parties
Cloudflare (DNS, CDN, proxy). Google Cloud (compute, database, storage, email delivery). Stripe (payments). Microsoft PhotoDNA (CSAM detection). Google Perspective (toxicity scoring — surfaces content for human moderator review, never acts automatically). Google Vision SafeSearch (image moderation). Oracle Email Delivery (transactional email). Each operates under its own privacy policy.
Children
Grook is not intended for anyone below the minimum age for online services in their jurisdiction. We do not knowingly collect personal data from such users. If you believe a child has registered, email support@grook.app and we will delete the account.
Changes to this policy
Material changes are announced on our social channels and reflected in the Last Updated date above. For privacy changes that affect you directly, we will email you.
Contact
Questions about this policy, privacy requests, or legal enquiries: support@grook.app.