Security & Data Privacy

Your grant data is yours.

Proposals are sensitive — unannounced ideas, budgets, partners, and the words you sweated over. We never sell it, never share it, and never use it to train AI models. Here is how we keep it safe.

Encrypted, always

Your drafts and uploads are encrypted in transit and at rest with industry-standard encryption.

Never trains AI

Your proposals are never used to train AI models — not ours, not anyone's.

Yours to delete

Delete your data whenever you want. We keep only what the law requires us to.

EU-based, GDPR-first

Operated from Estonia, in the EU. GDPR is the baseline, not an add-on.

Your data belongs to you

Everything you put into Joltoo — your RFPs, drafts, answers, and uploads — is yours. We use it only to give you the result you asked for. We never sell it, never share it with other customers, and never repurpose it.

There is no secondary use of your work: no aggregating, anonymizing, or mining it to improve our product. Full stop.

AI that doesn't learn from you

Joltoo's writing help is powered by leading, enterprise-grade AI. Under the terms we operate on, your content is not used to train AI models. Your proposals help you win funding — they don't become training data for anyone.

Encryption

All traffic between you and Joltoo is encrypted in transit, and everything we store — documents, drafts, and account data — is encrypted at rest, using strong, industry-standard encryption.

Where your data lives

Joltoo is operated by Waveup OÜ, a company registered in Estonia, in the EU. We take an EU-first approach to hosting and storage, and we work only with reputable, security-vetted infrastructure providers under data-protection agreements.

Access and separation

Your organization's data is kept separate from every other customer's, and access inside your team is limited by role. Sign-in is protected with email verification and secure password handling.

Your rights and data deletion

Under GDPR you can ask to access, correct, export, or delete your personal data. You can remove your content from your account at any time, and you can close your account and ask us to erase your data entirely.

Deletion is permanent and can't be undone. We keep a limited set of records only where the law requires it — for example, billing and tax history.

We also respect the obligations of US institutions, including schools handling student records under FERPA. If your organization has specific data-handling needs, get in touch and we'll work with you.

Compliance

As an EU company, Joltoo is built around GDPR from the ground up. We don't claim certifications we don't hold — if you need specifics for procurement or a vendor review, ask and we'll tell you exactly where we stand.

Reporting a security issue

Found a security problem? We want to hear about it. Email hello@joltoo.com with the subject “Security report” and enough detail to reproduce it. Please give us a reasonable window to fix it before sharing it publicly — we won't pursue researchers who report in good faith.

Questions about how we handle your data?