GRITS Privacy Policy

This policy is effective as of 1/1/2026.

GRITS is a web platform that allows institutions to easily track, analyze, and report on energy, carbon, water, and waste reduction projects.

In order to provide the GRITS service, we and our service providers will collect, use, disclose, or otherwise manage certain limited information about you. We may use this information:

  • To provide access to your institution’s GRITS account, to provide technical support, and to notify you about updates to the platform.
  • To help better understand how users interact with our user interfaces and services.
  • To comply with any laws, regulations, court orders, subpoenas or other legal processes or investigations, including to comply with rules that apply to us and to our service providers, and to protect ourselves and other individuals from harm. 

What personal information is collected? 

Creating a GRITS log-in requires the collection of a user’s name and email address.

GRITS subscriptions require the collection of payment information such as a credit card number, which is governed by the privacy policy of our third-party payment platform, Wave Financial Inc.

How is this information collected?

A user’s name and email address are provided to GRITS Admins either by the user when access is requested or by another individual or organization requesting access on behalf of the user. GRITS staff may also perform a web search to locate that information on publicly available websites if the request does not include one or both pieces of information.

How is this information used?

Personal information allows for the creation of GRITS log-ins and for GRITS Admins and our service providers to provide support or notifications about updates to the platform. It also allows us to comply with any relevant disclosure laws. We do not sell this information to third parties.

Who has access to this information?

GRITS Admins have access to the personal information of all GRITS users. Our service providers Olark and Userpilot allow us to offer in-app live chat, self-guided tutorials, and troubleshooting, and these platforms access users’ personal information to provide these services. All users within an institution’s GRITS account are able to see the personal information of other users within the same institution. If a user has access to the GRITS Connect feature and sends a contact request to a user at a different institution, they agree to share their personal information with the recipient (and will see the recipient’s personal information if the request is accepted).

How long is your personal information retained?

Users’ personal information is retained as long as their GRITS log-in exists. GRITS users can remove their personal information from GRITS by deleting their log-in manually or by requesting that GRITS Admins remove it by emailing support@gogrits.org.

Can you review or correct your personal information?

GRITS users are able to review or correct their personal information at any time by logging into their institution’s GRITS account and viewing or editing their profile.

What security measures are used to protect your personal information?

When accessing GRITS, a user’s log-in credentials (email address and password) are encrypted in transit. Personal information is stored in our Postgres database, which is managed by Heroku, and is encrypted at rest.

All user log-ins are required to use a password of at least eight characters, with at least three of the four following types: uppercase letters, lowercase letters, one number, or one non-alphanumeric symbol. Multi-factor authentication is also available to all users to provide an extra layer of security.

GRITS Admin log-ins utilize both minimum password requirements and multi-factor authentication, in addition to other security measures.

Contacting us

We can be contacted about this privacy policy at support@gogrits.org.