These Technical Specifications describe how we, Grammarly, Inc., process user content and personal data of our communication-assistant software, Grammarly. When we refer to "user content", we mean the text and documents that you upload, enter, or otherwise transmit when you use our products. When we refer to "personal data", we mean the data linked to a user, e.g. the primary email address, billing information, or data powering a personalized writing experience. We link data to a user by generating a unique numeric account identifier (user ID) when you create your Grammarly account and storing that identifier together with individual pieces of data. If you are an individual on our free or paid plan, you are the Grammarly user, and these Technical Specifications supplement our Terms of Service and Privacy Policy. 

If you are an organization within our Business, Enterprise, or Education plan, we process your data according to our standard Customer Business Agreement and Data Protection Agreement, unless your organization has negotiated separate agreements with Grammarly. 

Our applications can be installed onto your computer, in a web browser, on your mobile device, or via our website.

• When you download, install, and launch Grammarly for Your Desktop, we use operating system APIs to understand the application you are editing and the user content in those applications when it is edited. 
  
• When you download and install Grammarly web browser extensions, we use your browser’s extension API to access user content in multi-line text fields. We then use this user content, together with the hostname portion of the URL, as input to our suggestions. 
  
• When used on a mobile device, we use the keyboard API of your mobile operating system (i.e., iOS or Android) and metadata about the application you are using. For Android devices, we additionally utilize an overlay API to provide context and suggestions. Grammarly is integrated with a Samsung keyboard on some Samsung devices and is otherwise available in the iOS app store or Google Play store.
  
• When you use the Grammarly application via our website, you can access the Editor feature, which allows you to upload, draft, and edit documents within your browser. The contents of these documents are processed by our cloud to give you suggestions.
  

1. Providing suggestions to improve your writing

We generate grammar, error correction, clarity, tone, and other suggestions from your user content. We generate these suggestions on our cloud using the data transmitted as described above.

Any suggestion generated is cached for a limited window in memory (i.e., up to 24 hours) for performance and reliability. We have engineered the cache with privacy in mind so that we cannot access the content of a specific user just by knowing their user ID.

2. Personalizing suggestions to you

You can control whether you would like to use any of the features below (“personalization features”) in your account settings. If any personalization features are enabled, your user content will be stored as personal data on your device and in our cloud to power these features. If stored in the account, this personal data may be accessible to Grammarly support personnel for troubleshooting a problem, detected either by us or reported by you.

• Personal Dictionary: The terms you have added to your personal dictionary and related configuration information are stored as personal data in your Grammarly account. Your personal dictionary is processed with your user content and your user ID to arrive at a suggestion.
  
• Personalized Writing Suggestions: We tailor Grammary’s writing suggestions to you based on your writing and meta-data such as the audience of your writing. For example, when communicating with a colleague at work, Grammarly could anticipate how your audience may respond or what questions they may have and provide suggestions before you send the message to help you be understood as you intend. 
  
• Personalized Insights: We tailor Grammarly features and offer products by inferring information about you, such as the particular industry you work in. We make those inferences based on your writing and meta-data such as the websites where you use Grammarly. As an example, we may use these inferences to offer you to join your company’s existing Grammarly account. We may also collect additional information from third-party service providers, such as publicly available information on your company or job function, to improve the accuracy of our inferences. Please note that if we use third-party vendors for this service, we prohibit them from using your personal data for their purposes, and we prohibit these third parties from selling this data to other third parties. 
  
• Personalized Usage Tips: We generate personalized usage tips based on your writing, and share them via email with you. For example, we may use your writing to inform you of your top 5 most common writing mistakes or the most common ones that you write in.
  

3. Plagiarism detection

We provide functionality to find if sections of your user content are present elsewhere on the internet using common crawl data. If we detect a similarity between what you have written, we identify the passage and prompt you.

4. Using AI to generate text

We use LLMs with customized prompts to produce contextual suggestions for changes via our GenAI features. These use both your user content and the prompt (e.g. “improve it”, “make it more concise”) to produce a suggestion. 

The GenAI feature maintains an on-device history of your prompts. The data is encrypted at rest. It is retained for up to 7 days or when you log out of the Grammarly application, whichever happens first.

When we use LLMs provided by third parties, data is sent from your client to them via our cloud. Your IP address and user ID are not sent to the third party, and the third party won’t store the request.

5. App Actions

Grammarly integrates with a number of third-party applications such as Giphy, Google Workspace, and Confluence to allow you to insert content from them into your writing. You must opt-in to the use of each by accepting the third-party privacy disclosure. The granted token is saved in the Grammarly cloud and associated with your account and is only available to you via your interactions with app actions. The list of tokens you have stored is disclosed in your Personal Data Report.

After opting in, when you use an app action, only the following is sent to the third party:

• The user token that authorizes Grammarly, as described above.
  
• The information that you enter in the action window.
  

No other data or user content from your writing is shared with the third party.

Transparency

You can request a Personal Data Report to obtain a report listing your personal data that Grammarly stores.

We process user content on Grammarly-managed servers hosted by Amazon Web Services in data centers located in the USA (“Grammarly cloud” or “our cloud”).

Generative AI features are powered by third-party LLM models referred to in our sub-processor list. Data is processed by the sub-processors at locations in the USA, and our contracts prohibit sub-processors from retaining your data on their servers or using it for model improvement or similar purposes unrelated to providing the service.

Some suggestions are generated locally on the device, and if so, are not processed or stored on our cloud nor sent to our sub-processors.

When you use Grammarly applications, messages are sent via our APIs to the Grammarly Cloud.

Event Data

The following data is sent for all events:

• Event time
  
• Your IP address
  
• Authorization information, including user ID
  
• Client or Browser Version, including operating system details.
  

Writing data

When writing, the following information is sent:

• User content and context from the application you are using, e.g.
  
  • In email, we collect your response, the subject of the email, and the audience.
    
  • In Slack, we collect your message, the channel name, and/or whom you are messaging. 
    
• Operating system identifier of the application container (either the hostname part of a web application’s URL or the OS-level application identifier)
  
  • We restrict the collection of this information to a limited amount of well-known applications and websites.
    

In a writing session, Grammarly logs “events”, to indicate

• That you are using Grammarly in a document.
  
• When you accept or reject a suggestion.
  
• When you end your writing session.
  

These events contain the suggestion and the user content that generated it. We use these tracking events for product improvement purposes. If you opt out of Grammarly using your user content for training purposes to improve its products, Grammarly tracking events do not contain user content.

Feedback and Survey Data

We conduct surveys and collect feedback about our features. This includes:

• Event time
  
• Your user ID
  
• Your IP address
  
• Your browser or client information
  
• Information relating to the feature you are giving feedback to
  
• Your responses to any questions as part of the feedback process
  

Generative AI Data

When using Grammarly’s generative AI functionality, the following information is transmitted to our cloud:

• User content from the browser or application in use when the generative AI feature is invoked.
  
• Any prompt text you enter and information about buttons that you select (e.g., “Improve it”).
  

Your prompt history is saved on device.

Generative AI data sent to third-party LLM models is not associated with event identifiers such user ID and is proxied through Grammarly so as to keep the user’s IP address private from the third party.

Application Behavior Data

When Grammarly’s products encounter a crash or error, we transmit:

• Information about the website or application you are using at the time.
  
• Context around the error (such as stack traces or other system-level details).
  
• The user content that was visible during the error.
  
• Information about the version of Grammarly, the operating system, and the application context.
  

We use this information to troubleshoot the system and update our application.

Support Data

When you submit a support request to Grammarly through our applications, we will collect the context of your action and any additional information you provide for our support staff to review.

Website Data

When you are using the Grammarly website, we collect:

• Event time
  
• Your IP address and the location derived from it
  
• Your browser type, such as its User Agent identifier.
  
• The page you are viewing, and referring page. (Referer)
  

• All data sent to Grammarly servers from client applications is encrypted in transit with TLS 1.2
  
• All data at rest is encrypted using AES256.
  
• Our systems are built with a least-privilege model. In general, Grammarly employees cannot view identifiable personal data. Grammarly employees need a business reason to access data and cannot access your user content unless you submit a support request with highlighted content.
  
• Grammarly employees needing access to our cloud must obtain just-in-time credentials. 
  
• Customer service employees have access only to account information, not user content, and only to provide support.
  

Any user content that is collected for model or feature training purposes is:

1. Sampled randomly across all content.
   
2. Stored and aggregated without user ID. 
   
3. Transformed with personally identifiable information removed.
   
4. Retained for a maximum of 13 months.
   
5. Accessed only by Grammarly employees with a specific business reason.
   

As described above, you can opt out of Grammarly using your data for product improvement.  

We delete personal data when you cancel your account. When this occurs, we immediately make your personal data unavailable from production APIs, and permanently expunge it from all systems within 30 days.

Any data sent to Grammarly’s service providers is encrypted in transit via TLS. Authentication of credentials for such processing is managed via the vendor’s authentication mechanism. Any required credentials are secured in a cryptographic vault in our cloud.

We rely on service providers in the United States, EEA, and worldwide (please see our list of sub-processors here). We take measures to ensure that service providers provide an adequate level of data protection by entering into appropriate data transfer agreements based on Standard Contractual Clauses, where applicable, and performing data protection assessments of data transfer arrangements as appropriate. Data transfer agreements are accessible upon request by contacting us at the details shown further above. We comply with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework as set forth by the U.S. Department of Commerce (learn more).