We, Grammarly, Inc., address this Supplemental EEA+ Privacy Notice only to individuals located in the European Economic Area (EEA), United Kingdom (UK) and Switzerland who directly receive our products from us. If you receive our products because another organization is buying or making them available to you, such as if you are a member of a Grammarly Business or Grammarly for Education team account, we process your personal data on behalf of that organization and this Notice does not apply. When we refer to our products in this Notice, we're referring to all of the products and services that we provide directly to you, including our apps, websites, software, newsletters and emails. For more information about how we collect, use and disclose your personal data, please see the Grammarly Privacy Policy.

1. What laws apply?

If you are located in the EEA, the EU General Data Protection Regulation applies to the processing of your personal data. If you are located in the UK, the UK General Data Protection Regulation applies to the processing of your personal data. References to the "GDPR" are references to the General Data Protection Regulation as it applies in the country where you are located. If you are located in Switzerland, the provisions of the Swiss Federal Data Protection Act (the "FDPA") apply to you, and references to the GDPR below shall be interpreted analogously for the purposes of applying the FDPA.

2. Who is the data controller and who is its EEA and UK representative?

The data controller is us, Grammarly, Inc., 548 Market Street, #35410, San Francisco, CA 94104. 

We've appointed VeraSafe as our representative in the EEA and UK for data protection matters. You can contact VeraSafe in matters related to personal information processing using this contact form. Alternatively: 

• For users in the EEA, you can contact VeraSafe at VeraSafe Ireland Ltd, Unit 3D North Point House, North Point Business Park, New Mallow Road, Cork T23AT2P, Ireland.
  
• For users in the UK, you can contact VeraSafe at VeraSafe United Kingdom Ltd., 37 Albert Embankment, London SE1 7TL, United Kingdom.
  

3. What lawful bases of processing do we rely on? 

We rely on the following legal bases to process your personal data, as appropriate:

• Necessary for us to perform a contract with you or take steps at your request prior to entering into a contract per Article 6(1)(b) GDPR ("Contract Performance Legal Basis");
  
• Necessary for us to comply with an applicable legal obligation per Article 6(1)(c) GDPR ("Legal Obligations Legal Basis"); 
  
• Necessary for us to realize a legitimate interest based on an assessment of that interest and your privacy and other fundamental interests per Article 6(1)(f) GDPR ("Legitimate Interest Legal Basis"); or
  
• According to your consent per Article 6(1)(a) GDPR ("Consent Legal Basis"). In these cases, you can withdraw your consent at any time with future effect. 
  

The following table outlines the legal basis and, where applicable, the legitimate interests pursued with respect to each purpose for which we process personal data. 

4. Where is your personal data processed and on what basis do we transfer personal data across borders? 

We rely on service providers in locations including the United States, EEA, and worldwide. We take measures to ensure that service providers provide an adequate level of data protection by entering into appropriate data transfer agreements based on Standard Contractual Clauses, where applicable, and performing data protection assessments of data transfer arrangements as appropriate. Data transfer agreements are accessible upon request by contacting us at the details shown further above. We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce. Learn more.

5. Do you have to provide personal data?

You are not legally required to provide us with your personal data, but you may not be able to fully use our products if you do not provide us with personal data that we reasonably need to provide our products. If you do not allow us to collect information through cookies and similar technology, some parts of our website may not work properly or be as tailored to you as they could otherwise be, but they will still generally be usable. We will inform you of personal data that we reasonably need to fulfill the purposes in our privacy notices, such as by marking certain fields as mandatory on online forms requesting personal data from you.

6. What rights do you have?

In the EEA, Switzerland and the UK you have the following rights, subject to the conditions under the GDPR and/or local data protection law: 

(a) To object, on grounds relating to your particular situation, to our processing of your personal data. This includes the right to object to our processing of your personal data for direct marketing or where we are pursuing our legitimate interests or those of a third party. If we process your personal data based on our legitimate interests or those of a third party, you can object to this processing, and we will cease processing your personal data, unless the processing is based on compelling legitimate grounds or is needed for legal reasons. Where we use your personal data for direct marketing for our own products and services, you can always object and opt out of future marketing messages using the unsubscribe link in such communications.

(b) To obtain from us confirmation as to whether your personal data is being processed, and, where that is the case, to request access to details about how we process your personal data and copies of the personal data. 

(c) To obtain from us the rectification of inaccurate personal data concerning you. 

(d) To ask us to erase your personal data to the extent it is not required for legally required purposes. 

(e) To request restriction of processing of your personal data, in which case, it would be marked and processed by us only for certain purposes. 

(f) To receive your personal data which you have provided to us in a structured, commonly used and machine-readable format and you have the right to transmit the personal data to another entity without hindrance from us. 

(g) To lodge a complaint with a supervisory authority (only for EEA and UK).

(h) In some jurisdictions such as France and Portugal, you also have the right to provide us with guidelines as to the processing of your personal data after your death. 

You may view a list of supervisory authorities in the EEA, UK and Switzerland and their respective contact information here: 

• EEA
  
• United Kingdom
  
• Switzerland
  

To exercise your rights under applicable privacy law, to raise a privacy concern, or to make a data-related request, please contact us at the contact information further below and describe your request. We may ask for additional information from you to clarify your request and verify that you are authorized to make your request. We will respond to requests to exercise privacy rights according to applicable laws.

7.  Contact Information

You can contact us with questions relating to this Notice or requests to exercise your privacy rights by submitting a help desk request here, emailing privacy@grammarly.com, or contacting us via postal mail at Grammarly, Inc., 548 Market Street, #35410, San Francisco, CA 94104.