Granite is a consent and approval service. When an application or AI agent wants to take an action on your behalf — use a capability, access storage, act under a delegation — it asks Granite, and Granite asks you. You review the request, approve or deny it, and Granite records your decision as a durable audit trail that the requesting application can verify. Granite is operated by Stackwell Labs LLC, a company registered in Wyoming, USA, which is the data controller for the data described in this policy.
Granite collects exactly the following, and nothing else:
To be explicit about what is not here: Granite holds no email addresses and no names. There is no tracking, no analytics, and no advertising. We do not sell or share your data — to anyone, for anything.
We use your data for these purposes only.
Where the GDPR applies, our lawful bases are: performance of a contract (Art. 6(1)(b)) for operating the service — showing you requests, recording your decisions, and maintaining the consent audit trail; consent (Art. 6(1)(a)) for push notifications, which you can withdraw at any time by disabling notifications or removing a device; and our legitimate interests (Art. 6(1)(f)) in keeping the service secure and preventing abuse.
The application that filed an approval request learns the outcome — your decision (approve or deny), when you made it, and the request's identifiers — by querying Granite or via delivery to a callback URL it registered. That disclosure is the point of the service: it is how a requesting application verifies what you authorized. No other party receives your data.
Granite runs on three providers:
us-east-1 (N. Virginia, USA) region.Granite stores and processes data in the United States. If you use Granite from the EEA, the UK, or another jurisdiction with data-transfer rules, your data is sent to and processed in the US, and is protected as described in this policy.
Approval requests, decisions, and grants are retained indefinitely for as long as your account exists. This is deliberate: the record that you authorized — or refused — an action is the guarantee Granite provides, and the parties relying on a grant may need to verify it long after the decision was made. A consent record that quietly expires is not a consent record.
Deleting your account removes your data, including those records (see below).
You can exercise these rights yourself, without asking us:
GET /v1/me/export with your bearer token.DELETE /v1/me with your bearer token. Deletion
erases everything under your account: approval requests, decisions, grants,
registered devices, and notification preferences.The self-serve mechanisms above cover access, portability, and erasure. The GDPR also grants rectification, restriction, and objection — Granite stores no profile about you to rectify, but if any record we hold is wrong, email us and we will correct or restrict it. The CCPA grants the rights to know, delete, correct, and opt out of the sale or sharing of personal information — we sell nothing and share nothing for advertising, so there is nothing to opt out of. For any of these, email privacy@granitegranted.com. If you are in the EEA or UK, you may also lodge a complaint with your supervisory authority.
Granite is not directed to children under 13 — or the higher minimum age your jurisdiction sets for consenting to online services (up to 16 in parts of the EU) — and we do not knowingly collect data from them. If you believe a child has an account, email privacy@granitegranted.com and we will delete it.
If a breach affects your data, we will notify you without undue delay and, where required, the supervisory authority.
If this policy changes, we will update it here and revise the effective date above.