Privacy Policy

Last updated: 3 May 2026

This Privacy Policy explains how SharkFin AI DOO ("we", "us") processes personal data through the GrantRadar EU service operated at grantradar.fund. We comply with the EU General Data Protection Regulation (GDPR) and Serbian data protection law.

1. Data Controller

Controller details

SharkFin AI DOO
Novi Beograd, Republic of Serbia
Tax ID (PIB): 115494113
Legal representative: Andrea Jevtović
Contact: hello@grantradar.fund

2. Data We Collect

2.1 Information you provide

Company information: sector, size, country, revenue band, age, current projects, funding interests
Contact details: name, email address, company name
Consents: records of consents you provide

2.2 Information collected automatically

Technical data: IP address, browser type, device information, pages visited
Cookies: Essential cookies only. We do not use marketing or third-party tracking cookies.

3. Legal Basis for Processing

Activity	Legal basis
Free Quick Scan delivery	Art. 6(1)(f) GDPR — legitimate interest
Paid report delivery	Art. 6(1)(b) GDPR — contract performance
Service operation & security	Art. 6(1)(f) GDPR — legitimate interest
Legal compliance	Art. 6(1)(c) GDPR — legal obligation
Waitlist communication	Art. 6(1)(a) GDPR — consent

4. How We Use Your Data

Generate funding eligibility analysis reports
Deliver reports via email
Communicate with you about your request
Improve our matching algorithms (aggregated, anonymized data only)
Comply with legal obligations

5. Data Retention

Data type	Retention period
Company submission data	3 years from submission
Generated reports	3 years for service quality
Email correspondence	2 years
Payment records (paid tiers)	10 years (legal requirement)
Aggregated analytics	Indefinite (no personal data)

6. Sub-processors

We use the following processors to operate this service. Each is bound by Data Processing Agreements and EU Standard Contractual Clauses where applicable:

Processor	Purpose	Location
Anthropic (Claude API)	AI matching engine	USA (SCCs)
Make.com (Celonis)	Workflow automation	EU/USA (SCCs)
Supabase	Database hosting	EU
Netlify	Web hosting	USA (SCCs)
Cloudflare	DNS, CDN, security	Global (SCCs)
Lemon Squeezy	Payment processing (paid tiers)	USA (SCCs)
Resend	Email delivery	EU/USA (SCCs)

7. International Transfers

Some of our processors are located outside the EEA. All transfers are protected by EU Standard Contractual Clauses (SCCs) approved by the European Commission, plus supplementary technical measures where appropriate. We perform Transfer Impact Assessments before engaging non-EEA processors.

8. Your Rights Under GDPR

You have the following rights with respect to your personal data:

Right of access (Art. 15) — Request a copy of your data
Right to rectification (Art. 16) — Correct inaccurate data
Right to erasure (Art. 17) — Request deletion ("right to be forgotten")
Right to restriction (Art. 18) — Limit how we process your data
Right to data portability (Art. 20) — Receive your data in machine-readable format
Right to object (Art. 21) — Object to processing based on legitimate interest
Right to withdraw consent — At any time, where processing is based on consent
Right to lodge a complaint — With your local data protection authority

To exercise these rights, contact hello@grantradar.fund. We respond within 30 days.

9. AI Processing & Automated Decision-Making

EU AI Act Notice: This service uses AI systems classified as limited-risk under the EU AI Act. Reports are generated using artificial intelligence, then reviewed by a human analyst before delivery. We do not make automated decisions producing legal effects on you. You always have the right to challenge any output and request human re-evaluation.

10. Security

We implement appropriate technical and organizational measures, including:

TLS 1.3 encryption for all data in transit
Encrypted database storage
Strict access controls and audit logging
Regular security reviews
Incident response procedures (72-hour breach notification)

11. Children

This service is intended for businesses and persons aged 18 and over. We do not knowingly collect data from children.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to active users. The "Last updated" date at the top reflects the current version.

13. Contact & Complaints

For privacy questions or to exercise your rights:
Email: hello@grantradar.fund

You also have the right to lodge a complaint with the Serbian Data Protection Authority (Poverenik za informacije od javnog značaja i zaštitu podataka o ličnosti) or any EU data protection authority in your country of residence.