Legal
Privacy Policy
Last updated: July 1, 2026
The short version
- Anneal is operated by The Carlisle Companies LLC and is built on the grāmatr platform.
- We do not sell your data.
- Your context data is encrypted at rest, isolated per account with row-level security, and sent over TLS in transit.
- On Individual and Team plans, use of your data to improve our models is included and is not optional. Enterprise plans support opt-out.
- Payments run through Stripe — we never store your full card number.
- You have full data-subject rights under GDPR and CCPA — access, correction, deletion, and portability.
- Questions or requests: privacy@carlislecos.com.
1. Who we are
Anneal is a subscription software product operated by The Carlisle Companies LLC (“Anneal,” “we,” “us,” and “our” throughout this policy), a Missouri limited liability company. Anneal is built on the grāmatr platform, the underlying intelligence technology of gramatr, LLC. grāmatr provides the technology; The Carlisle Companies LLC operates the Anneal product and is responsible for your data as described here.
Contact: privacy@carlislecos.com
The Carlisle Companies LLC · 167 Lamp and Lantern Village, Suite 253, Chesterfield, MO 63017-8208
EU and UK users: if you are in the EU or UK and want to exercise your rights or file a complaint, email privacy@carlislecos.com. This page will be updated if and when an in-EU representative under GDPR Article 27 is appointed.
2. What this policy covers
This policy covers the Anneal website, sign-up and onboarding flows, and the Anneal application — including individual and team accounts. It explains what we collect when you create an account, subscribe, and use Anneal across the AI tools you connect.
Anneal connects to third-party AI tools you choose to use — including Claude Code, Codex, Gemini, and VS Code. When Anneal delivers context to one of these tools at your direction, the data you send to that provider is also governed by that provider’s own privacy policy. We are not responsible for how third-party AI providers handle data once it reaches them.
3. What we collect
Information you provide
- Account information: name, email address, and password (stored hashed) when you create an individual or team account.
- Team information: for team accounts, the team name, member invitations, and role assignments. Team admins manage shared context and can configure what is shared across the team versus kept private.
- Billing information: your subscription tier and billing contact. Card details are collected and processed by Stripe — we do not store your full card number (see Section 6).
- Your context data: the knowledge, entities, patterns, and session data Anneal stores on your behalf to make your AI tools context-aware and compounding over time.
- Support and communications: messages you send us and information you provide when you contact support.
Information collected automatically
- Standard server logs: IP address, user agent, pages visited, referring URL, and timestamps.
- Product usage and diagnostic events used to operate, secure, and improve Anneal.
- Website analytics — we use Google Analytics 4 and NEXT90 Insights to measure website traffic and usage. These set analytics cookies. We do not use advertising cookies.
Cookies
We use essential cookies for session state and authentication. We also use analytics cookies set by Google Analytics 4 and NEXT90 Insights to measure website traffic and usage. We do not use advertising cookies.
4. How we use it
- To provide Anneal — storing, retrieving, classifying, and delivering your context to the AI tools you connect.
- To create and manage your account, and to administer team membership and shared context for team accounts.
- To process your subscription and payments through Stripe.
- To operate, secure, debug, and improve the product and website.
- To respond to support requests and send service-related communications.
- To comply with legal obligations.
Model improvement — how Anneal learns
Anneal gets better by learning from how it is used. On the Individual and Team plans, we use data from your use of the Service — including the content of your interactions — to train and improve our models and the Service. This is a core part of how Anneal works and is not optional on these plans.
If you need to opt out of model training, or require HIPAA- or PII-specific protections, those are available only through an Enterprise implementation, where Anneal runs on infrastructure we control. The Individual and Team plans are not intended for protected health information (PHI) or other regulated or highly sensitive personal data — please do not submit such data on these plans. To discuss an Enterprise deployment, email hello@gramatr.com.
Lawful bases (GDPR Article 6): contractual necessity (providing the service you subscribe to); legitimate interests (securing and improving the product); and legal obligation (compliance with applicable law).
5. How we share it
We do not sell personal information. We disclose data only in these circumstances:
- Sub-processors — the vendors listed in Section 6 who help us deliver the service.
- At your direction — when you connect a third-party AI tool (Claude Code, Codex, Gemini, VS Code), context is delivered to that provider under its own policy.
- Within your team — for team accounts, context you or an admin designates as shared is visible to other members of your team.
- Legal requirements — where disclosure is required by law, court order, or regulatory authority, or to protect legal rights and safety.
- Business transfers — in connection with a merger, acquisition, or sale of assets, with notice to affected users.
6. Sub-processors
We engage the following sub-processors to deliver Anneal. This list will be kept current as our vendors change.
| Vendor | Purpose | Notes |
|---|---|---|
| Stripe, Inc. | Payment processing | Handles card data; we do not store full card numbers. See Stripe’s privacy policy. |
| Microsoft Azure | Application & database hosting, storage | Private-cloud hosting for the Anneal application and your encrypted context data (US). |
| Cloudflare, Inc. | Website hosting, CDN, DDoS protection | Global edge network fronting the Anneal website (US-based). |
| Google Analytics 4 | Website analytics | Measures website traffic and usage. See Google’s privacy policy. |
| NEXT90 Insights | Website measurement / data engine | Website measurement and analytics data engine. |
| Firebase Authentication / Google Cloud (Google LLC) | Account authentication / sign-in | Verifies your identity and manages sign-in; runs on Google Cloud’s identity platform. See Firebase’s privacy information and Google Cloud’s privacy notice. |
7. How we protect it
- Encryption at rest — your context data is encrypted at the storage level.
- Row-level security — data isolation is enforced at the database level. Every query is scoped to your account via per-transaction session variables. This is architectural isolation, not application-level filtering.
- Encryption in transit — all connections use TLS.
- Credential security — passwords are hashed; API keys, where issued, are hashed before storage and shown once at creation.
- Access controls — access to your data is limited to personnel with a business need.
8. How long we keep it
| Data type | Retention |
|---|---|
| Account and profile data | For as long as your account is active; deleted on account closure or request. |
| Context data (knowledge, entities, patterns, session data) | Default 60 days of session history; configurable up to 90 days. Retained while your account is active, then deleted on closure or request. |
| Billing records | Retained as required by tax and accounting law. |
| Server logs | 30 days. |
When you close your account, your context data is permanently deleted within 30 days, unless a longer retention period is required by law. Deletion is prospective.
9. Your data rights
Depending on where you live, you have the following rights over your personal data:
- Access — request a copy of your personal data.
- Correction — request correction of inaccuracies.
- Deletion — request erasure where no overriding legal obligation applies.
- Portability — receive your data in a machine-readable format.
- Restriction — limit processing pending resolution of a dispute.
- Objection — object to processing based on legitimate interests.
California residents (CCPA/CPRA): you have the right to know, delete, and correct your personal information, and to opt out of the sale or sharing of personal information. We do not sell or share personal information.
To exercise any right: email privacy@carlislecos.com. We respond within the timelines required by applicable law (30 days for GDPR, 45 days for CCPA). For team accounts, some requests may be routed through your team admin where they control the shared context.
10. International transfers
Anneal is operated from the United States. If you access Anneal from outside the U.S., your data is transferred to and processed in the United States. Where required, transfers from the EU or UK rely on Standard Contractual Clauses (SCCs) with our sub-processors. This policy and your use of Anneal are governed by the laws of the State of Missouri; further terms are set out in our Terms of Service.
11. Children
Anneal is not directed at children. We do not knowingly collect personal information from individuals under 16. If you believe a child has provided us with personal information, contact privacy@carlislecos.com and we will delete it.
12. Changes to this policy
We may update this policy as Anneal evolves. When we do, we will update the “Last updated” date above. For material changes, we will provide notice through the product or by email before the change takes effect.
13. Contact
Questions about this policy, or to exercise your data rights:
privacy@carlislecos.com
The Carlisle Companies LLC · 167 Lamp and Lantern Village, Suite 253, Chesterfield, MO 63017-8208
See also our Terms of Service.