Privacy Policy
Griffify Studios LLC — Griffify VDI Managed Desktop Service
Last Updated: May 29, 2026 · Effective: May 29, 2026
TL;DR: We collect the information you submit in our questionnaire to follow up about Griffify VDI. All personally identifiable information is encrypted at rest. We do not sell your data. You can request deletion at any time by emailing sales@griffify.com.
1. Introduction
Griffify Studios LLC (“Griffify,” “we,” “us,” or “our”) operates the Griffify VDI website at vdi.griffify.com and the associated lead-discovery questionnaire (the “Site”). This Privacy Policy explains what information we collect, how we use it, who we share it with, and what rights you have.
If you become a Griffify VDI customer, additional data handling terms will be addressed in your Master Services Agreement and, where applicable, a Data Processing Addendum (“DPA”).
2. Information We Collect
2.1 Information You Provide
When you submit our discovery questionnaire, we collect:
- Contact details: first name, last name, company name, business email address, and phone number
- IT environment details: number of users, current desktop setup, cloud readiness, compliance requirements, software needs, budget range, and timeline — across up to nine questionnaire sections
- Additional notes: any free-text information you choose to include
All contact details and questionnaire answers are encrypted at rest using AES-256 (Fernet symmetric encryption) before being stored in our database.
2.2 Information Collected Automatically
When you submit the questionnaire, we automatically record:
- IP address: for security and fraud prevention purposes
- User-agent string: browser and operating system information
- Submission timestamp: date and time of form submission
2.3 Anti-Bot Validation (Cloudflare Turnstile)
We use Cloudflare Turnstile on the final step of our questionnaire to prevent automated submissions. Cloudflare receives your IP address and browser signals to generate a challenge token. Cloudflare’s use of this data is governed by the Cloudflare Privacy Policy. We store only the validation result (pass/fail); we do not store the full challenge token.
2.4 Future Customer Data
If you engage Griffify VDI as a customer, additional personal data (end-user accounts, workspace configuration, audit logs) will be collected and processed as described in your Order Form, Master Services Agreement, and applicable DPA.
3. How We Use Your Information
We use the information we collect to:
- Follow up on your inquiry: contact you by email or phone to discuss your VDI requirements and provide a proposal
- Manage our sales pipeline: track and prioritize leads internally
- Improve the Site and questionnaire: understand which questions are most relevant and refine our onboarding flow
- Prevent fraud and abuse: detect and block automated or malicious submissions
- Comply with legal obligations: respond to lawful requests from government authorities
We will not use your information to send unsolicited marketing communications unrelated to Griffify VDI.
4. How We Share Your Information
4.1 Service Providers (Sub-processors)
We share data with the following third-party service providers solely to operate the Site:
- Cloudflare: Edge network, DDoS protection, and Turnstile anti-bot validation. Your IP address and browser signals are processed by Cloudflare on every page request.
- Heroku (Salesforce): Application hosting. All submitted data resides on Heroku-managed infrastructure hosted on AWS.
- Neon (EDB): Managed PostgreSQL database provider. Encrypted questionnaire data is stored in Neon’s cloud database.
- Resend: Transactional email delivery. When you submit the questionnaire, Resend delivers an internal notification to the Griffify sales team. We send only the data needed for that notification; we do not use Resend for marketing.
- Microsoft Azure: When Griffify provisions a VDI environment for a customer, data may enter Microsoft Azure infrastructure governed by the Microsoft Trust Center and applicable data protection terms.
4.2 We Do Not:
- Sell or rent your personal data to third parties
- Use your data for targeted advertising
- Share your data with data brokers
- Access your data for purposes beyond those described in this Policy
4.3 Legal Disclosure
We may disclose your information if required to do so by law, regulation, or valid legal process (e.g., subpoena, court order), or when we believe in good faith that disclosure is necessary to protect the rights, property, or safety of Griffify, our customers, or the public.
5. Data Security
We implement the following measures to protect your data:
- Encryption at rest: All PII (name, email, phone) and questionnaire answers are encrypted using AES-256 (Fernet) before database storage
- Encryption in transit: All data transmitted between your browser and our servers is protected by HTTPS/TLS
- Access controls: Database and application access is restricted to authorized personnel only
- Dependency management: We monitor and apply security patches to our application dependencies regularly
Note: No method of transmission over the Internet or electronic storage is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security.
6. Your Data Rights
You have the following rights with respect to your personal data:
6.1 Access
You may request a copy of the personal information we hold about you.
6.2 Correction
You may request correction of inaccurate or incomplete information.
6.3 Deletion
You may request deletion of your personal data. We will honour deletion requests within 30 days, subject to any legal retention obligations.
6.4 Objection and Restriction
You may object to or request restriction of processing of your personal data in certain circumstances.
To exercise any of these rights, email sales@griffify.com with the subject line “Privacy Request” and a description of your request. We may need to verify your identity before processing the request.
7. Data Retention
We retain lead questionnaire data for up to three (3) years from the date of submission, or until you request deletion, whichever comes first. This window allows us to follow up if your requirements change and to maintain records for business purposes.
If you become a customer, retention of your data as a tenant is governed by your Order Form and MSA. Upon termination, data is returned or deleted per the process described in the Terms of Service.
8. Children’s Privacy
Griffify VDI is a business-to-business service intended for use by adults acting on behalf of their organizations. We do not knowingly collect personal information from individuals under 18 years of age. If you believe we have inadvertently collected such information, please contact us immediately and we will delete it.
9. International Data Transfers
Our infrastructure is primarily located in the United States. If you are accessing the Site from the European Economic Area (“EEA”), United Kingdom, or another jurisdiction with data transfer restrictions, your data may be transferred to and processed in the United States. We rely on appropriate safeguards (including standard contractual clauses where required) to facilitate such transfers in compliance with applicable law.
10. California Privacy Rights (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know what categories of personal information we collect and why
- Know whether your personal information is sold or disclosed (we do not sell it)
- Opt out of the sale of personal information (not applicable — we do not sell data)
- Access your personal information
- Delete your personal information
- Non-discrimination for exercising any of the above rights
To submit a CCPA request, contact us at sales@griffify.com.
11. European Privacy Rights (GDPR)
If you are in the EEA or United Kingdom, the General Data Protection Regulation (“GDPR”) or UK GDPR applies to our processing of your personal data. You have the right to:
- Access your personal data (Article 15)
- Rectification of inaccurate data (Article 16)
- Erasure (“right to be forgotten”) (Article 17)
- Restriction of processing (Article 18)
- Data portability (Article 20)
- Object to processing (Article 21)
- Withdraw consent at any time where processing is consent-based
Legal basis for processing:
- Legitimate interests (Article 6(1)(f)): processing your questionnaire submission to follow up on your VDI inquiry
- Legal obligation (Article 6(1)(c)): compliance with applicable law
- Contract performance (Article 6(1)(b)): where you are or become a customer
To exercise GDPR rights or lodge a complaint, contact us at sales@griffify.com. You also have the right to lodge a complaint with your local supervisory authority.
12. Cookies and Tracking
The Griffify VDI website uses a minimal number of cookies:
- Django session cookie (sessionid): A strictly necessary functional cookie that maintains your questionnaire session across the multi-step form. No personal data is stored in this cookie directly. It expires when your browser session ends.
- CSRF token (csrftoken): A security cookie required to protect form submissions from cross-site request forgery attacks.
- Cloudflare cookies: Cloudflare sets cookies for DDoS protection and Turnstile validation. These are strictly necessary for security.
We do not use advertising cookies, tracking pixels, or third-party analytics cookies.
13. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The “Last Updated” date at the top of this page reflects the most recent revision. For material changes, we will notify existing customers by email at least 30 days before the change takes effect. For lead submissions already on file, the updated policy applies from its effective date.
14. Contact Us
If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact:
Griffify Studios LLC
Email: sales@griffify.com
Website: https://vdi.griffify.com