This Privacy Policy explains how Grid Heap, Inc., a Delaware corporation ("TrainShell", "Grid Heap", "Company", "we", "us", or "our"), handles personal information in connection with the Service.
The Service is operated from the United States and delivered through a globally distributed edge network. If you use the Service from outside the United States, your information may be accessed, transferred, and processed in the United States and other jurisdictions where we or our providers operate.
1. Scope and roles
We act as controller, operator, or equivalent role for account administration, security, service operations, compliance, and business records.
We act as processor, service provider, or entrusted party for personal data contained in files, prompts, repositories, datasets, logs, secrets, terminal activity, model artifacts, and other content you submit or direct us to process through the Service ("User Content"), except where we need to use that information for security, legal compliance, billing, abuse prevention, or service protection.
You are responsible for ensuring that your use of the Service and any personal data in User Content has an appropriate legal basis and all required notices or consents.
2. Information we collect
| Category | Examples |
|---|---|
| Account data | Name, email address, avatar, provider account ID, and session records. |
| Authentication and integration data | OAuth tokens, token metadata, scopes, repository metadata, codespace metadata, and Google Drive metadata. |
| Configuration data | Provider credentials, SSH keys, secrets, storage definitions, recipes, job settings, and instance settings. |
| User Content | Files, datasets, prompts, command input and output, transfer instructions, job metadata, and generated artifacts. |
| Usage and security data | IP address, browser and device data, request metadata, timestamps, audit records, and bot mitigation signals. |
| Host and agent telemetry | Hostname, operating system, hardware summary, heartbeat data, connection status, and session identifiers. |
| Communications | Support requests, feedback, and account or service communications. |

We collect information from you, your browser or device, connected services, remote environments you connect, and our infrastructure and security providers.
3. How we use information
We use personal information to provide, secure, support, and improve the Service, to comply with law, and to enforce our agreements. Where applicable law requires a legal basis, we generally rely on contract performance, legitimate interests, legal obligations, and consent where required.
| Purpose | Examples |
|---|---|
| Operate the Service | Authentication, sessions, storage, compute orchestration, remote terminals, agents, jobs, and integrations. |
| Follow your instructions | Access linked repositories or files, run transfers, route prompts, and invoke enabled integrations or providers. |
| Security and abuse prevention | Session validation, rate limiting, bot detection, incident investigation, and service protection. |
| Support and improvement | Troubleshooting, diagnostics, reliability improvements, and product support. |
| Legal and business operations | Compliance, dispute handling, recordkeeping, sanctions or export controls, and protection of rights. |
4. Disclosure of information
We disclose personal information only as needed to operate the Service, follow your instructions, protect rights and security, or comply with law.
| Recipient | Examples | Purpose |
|---|---|---|
| Infrastructure providers | Hosting, storage, routing, security, bot mitigation, and managed AI infrastructure. | Hosting, storage, routing, security, and core service delivery. |
| Identity and integration providers | GitHub, Google, Apple, Notion, Hugging Face, and Google Drive. | Authentication and customer-enabled integrations. |
| Customer-selected providers | Vast.ai, RunPod, Lambda, Hugging Face, and connected remote environments. | Provisioning, storage, compute, and customer-directed workflows. |
| Professional and legal recipients | Advisers, auditors, insurers, transaction parties, regulators, courts, and law enforcement. | Compliance, corporate transactions, and protection of legal rights. |
5. International transfers
The Service is operated from the United States and delivered through a globally distributed edge network, with globally distributed providers. Personal information may therefore be processed in the United States and other jurisdictions where we, our providers, or your selected services operate.
If you connect external accounts, provision third-party infrastructure, or use external AI, storage, or repository services through the Service, you instruct us to transfer relevant data as needed to perform your request.
Where required, we aim to rely on recognized transfer mechanisms such as standard contractual clauses, the EU-US Data Privacy Framework, the UK Extension and Swiss-US framework, adequacy decisions, certification-based mechanisms, separate consent, or another valid legal basis.
6. Retention
We keep personal information for as long as reasonably necessary for the purposes described in this Policy, including to provide the Service, maintain security, resolve disputes, enforce agreements, and comply with law.
- Account records are generally retained for the life of the account and a reasonable period afterward.
- Tokens, credentials, and secrets are retained until revoked, replaced, deleted, or no longer needed.
- Session, host, job, and transfer records may be retained for operational, support, and security purposes.
- Backups and residual copies may remain for a limited period for recovery, fraud prevention, or legal preservation.
7. Security
We use reasonable technical and organizational measures designed to protect personal information, including access controls, encrypted transport, provider-managed infrastructure protections, and application-layer encryption for selected credentials and secrets.
No system is completely secure. You remain responsible for protecting your own accounts, credentials, remote environments, repositories, and endpoints.
8. Your rights
Depending on applicable law, you may have rights to access, correct, delete, restrict, object to, or port certain personal information, and to withdraw consent where processing depends on consent.
You may also disconnect integrations, revoke tokens through the relevant provider, and delete stored credentials or secrets through the Service where available. We may need to verify identity and authority before responding to a request.
Contact us at legal@gridheap.com to make a privacy request.
9. Cookies and similar technologies
We use essential cookies and similar technologies for authentication, session management, and security. We may also use browser storage for product settings such as theme preferences. Bot mitigation services may set or read cookies or similar signals as part of anti-abuse checks.
10. Children
The Service is not directed to children under 18. If you believe a child has provided personal information to us without authorization, contact us so that we can review and take appropriate action.
11. Changes
We may update this Privacy Policy from time to time. We will post the updated version on this page and update the effective date above. If required, we will provide additional notice.
12. Contact
Privacy requests and questions can be sent to legal@gridheap.com.