Privacy Policy

Obelisk Studio LLC ("Obelisk Studio") is an independent studio organized under the laws of the United States and based in Burbank, California. Grace Production OS (the software product) is operated by Obelisk Studio LLC. References below to "we," "us," and "our" mean Obelisk Studio LLC.

For some data we are the controller (we decide why and how it is processed): your account and billing information, the beta-access and contact details you send us directly, and our own marketing communications. For the cast, crew, and production data that a customer organization manages in Grace, that customer is the controller and we act as their processor, handling the data only on their documented instructions. Our Data Processing Addendum at graceproductionos.com/legal/dpa governs that processor relationship.

Our privacy contact is the Obelisk Studio Privacy Lead, who can be reached at [email protected]. For the full registered address and any inquiry that requires postal correspondence, write to that address and we will respond with the appropriate mailing information.

Account information. Your name, email address, and password (stored only as a one-way hash by our authentication provider). Optionally a profile photo and username.

Production content you upload. Scripts, schedules, budgets, call sheets, dailies, screeners, photos, and any other production materials you create or import.

Cast and crew records you enter. Names, contact information, role/department, deal terms, work eligibility documents, and per-person rates and notes you choose to record.

Billing information. Your card details are never seen by Grace. They're collected directly by our payment processor (Stripe). We retain billing history, invoice metadata, and subscription state.

Usage information. Standard server logs (IP address, request time, route, status code), error reports, and product-analytics events: page views (recording the in-app route you visited, with sensitive tokens and query parameters redacted from the path), how long a screen was open, and a fixed set of feature-usage actions, all captured under a pseudonymous identifier via PostHog as described under "Product analytics" below. We don't run advertising tracking, cross-context behavioral advertising, or session-replay tools.

Communications. If you contact us or send a call sheet, invitation, or screener through Grace, we retain the message contents and recipients.

Electronic signatures and signing records. When a document is sent for electronic signature through Grace, we process the recipients' names and email addresses, the signatures they apply, and a tamper-evident audit log recorded as legal evidence that the document was executed — including each signer's IP address, browser/device (user agent), and the timestamps of when the request was sent, opened, and signed. Recipients may be people who do not hold a Grace account (for example, cast or crew asked to sign a single document).

Beta-access and waitlist submissions. If you request beta access or contact us through our marketing site, we collect what you provide, typically your name, email address, professional role, country, production stage, and the tools you currently use, so we can evaluate and respond to your interest.

To deliver the product: render dashboards, send the call sheets and emails you compose, parse scripts you upload, generate PDFs, send documents you choose for electronic signature, process payments. To diagnose bugs and outages from the server logs. To understand which features are adopted and where users get stuck, through the privacy-minimal product analytics described under "Product analytics" below. To communicate with you about your account, security issues, and material changes to the service.

We do not sell your data, share it with advertisers, or use it to train third-party AI models for purposes beyond serving your request.

The following companies receive specific data to operate Grace. Each is contractually bound to use that data only to deliver their service to us.

When you add cast or crew to a production, you're representing that you have a legitimate production-related need for their contact and rate information. Grace's tiered access controls (the Dot System and section-level permissions) are designed so that producers see what producers need to see, department heads see their own departments, and crew see their own information, minimizing data exposure even within a production.

Above-the-line phone numbers are masked by default for below-the-line crew, with the option to override per role. Cast minors and their guardians have additional access protections that mirror standard production-side compliance practice.

Vault screeners use a magic-link plus six-digit access code flow with device-kick enforcement and per-session forensic logging. These features exist specifically because confidential cuts get leaked and the industry has learned to value attribution.

Because this is a real concern for our user base: when you upload a script, its full text is sent to Amazon Bedrock for parsing into scenes, characters, and breakdown elements. Bedrock runs the model within Amazon Web Services and does not store, train on, or share the content. The same Bedrock processing powers the Grace AI assistant panel and VFX-shot suggestions. If Bedrock is unavailable, processing falls back to Google Cloud Vertex AI (Gemini) and, as a last-resort failover, to the Anthropic (Claude) and Google (Gemini) direct APIs.

Amazon Bedrock and Google Cloud Vertex AI, and the failover Anthropic and Google API tiers, all commit in their terms of service to not training models on this content, and all encrypt traffic in transit. We do not send scripts anywhere else, do not retain copies outside your Grace account, and do not share scripts with third parties for marketing or analytics.

If you have a script that cannot leave a closed network for legal or contractual reasons (e.g., NDA-bound studio material), do not upload it to Grace.

We use Sentry (operated by Functional Software, Inc.) to detect and diagnose technical errors so we can keep the service reliable. When an error occurs, Sentry receives diagnostic data: the error message and stack trace, the page or route where it occurred (configured to redact sensitive tokens and query parameters), your browser, device, and operating-system type, and a pseudonymous account identifier that lets us count affected users and correlate an error to your account for support. We do not send Sentry your name or email address, and we do not send the contents of your scripts, budgets, schedules, call sheets, or other production data. Sentry processes this diagnostic data in the United States under a data processing agreement.

We use PostHog to understand which features are adopted and where users get stuck, so we can improve Grace. We run it in a deliberately minimal, confidentiality-first configuration. We capture only a fixed set of explicit events: page views (which record the in-app route you visited, with sensitive tokens and query parameters redacted from the path before transmission), how long a screen was open, and lifecycle actions such as signing up, creating a production, or sending a call sheet. We do not use automatic event capture; every event is one we deliberately defined. We identify those events by a pseudonymous account identifier together with pseudonymous organization and production identifiers, which carry only a few non-identifying attributes (the organization's subscription plan, and the production's union status, shoot-day count, and status). The events themselves carry non-identifying metadata only (counts and category labels, for example how many recipients a call sheet had). We do not enable session replay, autocapture, or heatmaps, and we do not send PostHog your name, email address, or the contents of your scripts, budgets, schedules, call sheets, or other production data.

To keep this data on our own domain, analytics events are routed through a same-origin proxy on Grace rather than sent to PostHog directly from your browser. PostHog sets a first-party cookie and uses browser local storage to remember the pseudonymous identifier. PostHog processes this data in the United States under a data processing agreement. PostHog runs only inside the signed-in Grace application; it is not loaded on our public marketing site, on the sign-in or sign-up pages, on the admin console, or on the Vault and share screener pages.

Grace lets you send certain documents (such as compliance forms) for electronic signature. We provide this with a signing service we host ourselves on the infrastructure already listed above (Railway for compute, a dedicated Neon database, and Resend for email). The document is not sent to any outside signing company; it stays within our own systems.

When you send a document for signature, the recipients you choose receive an email from us with a secure link to review and sign it. We process their name and email address, the signature they apply, and a tamper-evident audit log kept as legal evidence that the document was executed — each signer's IP address, browser and device type, and the timestamps of when the request was sent, opened, and signed. Recipients may be people who do not have a Grace account; we process their information only to obtain and record their signature on that document. Once everyone has signed, the fully-executed PDF (with its signing certificate and audit log) is stored in your Grace account, and a copy is emailed to the signers.

The signing page sets a short-lived session cookie on the signing service's own subdomain solely to run the signing session. We do not use the signing service for analytics, advertising, or model training.

Grace uses session cookies set by Clerk to keep you signed in, a small HMAC-signed cookie to remember your active organization, (during checkout) cookies set by Stripe on its hosted pages, and a first-party cookie plus browser local storage set by our product-analytics tool (PostHog) to hold a pseudonymous identifier. Vault screener sessions use a separate HMAC-signed cookie scoped to the share token.

We use one product-analytics tool, PostHog, which records a fixed set of explicit events keyed to a pseudonymous identifier and does not track you across other websites; it is described under "Product analytics" above. We do not use third-party advertising cookies, marketing pixels, or cross-site tracking. Error reports are handled as described under "Error monitoring and diagnostics" above.

While your account is active. We retain all data necessary to operate the service.

After cancellation. We retain your data for up to 30 days to allow recovery if you resubscribe. After 30 days, your production data is deleted from active systems. Encrypted backups age out within 90 additional days.

Billing records. We retain invoices and payment history for as long as required by tax and accounting law (typically seven years in the United States), independent of your account status.

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the following legal bases under Article 6(1) of the GDPR (and equivalent provisions of the UK GDPR and the Swiss FADP):

Contract performance, creating and operating your account, billing you, delivering call sheets and screeners you compose, sending documents you choose for electronic signature, and otherwise providing the service you have asked for.

Legitimate interest, diagnosing outages, preventing abuse, securing the platform, operating ordinary server logs, understanding feature adoption through privacy-minimal product analytics (PostHog, described above), and maintaining a tamper-evident signing audit log (including signers' IP addresses and timestamps) as legal evidence that a document was executed. We balance these interests against your privacy expectations and do not use legitimate interest as a basis for marketing.

Legal obligation, retaining billing and tax records, responding to lawful regulatory inquiries, and complying with industry-specific requirements (e.g., minor-employment record-keeping where applicable).

Consent, only where consent is the appropriate basis: optional marketing emails, any non-essential cookies that require consent under applicable local law, and any other purpose presented to you with a clear opt-in.

Where we ask for consent, you may withdraw it at any time by writing to [email protected] or by using the in-product control where one is provided. Withdrawal does not affect the lawfulness of processing carried out before the withdrawal.

Under the California Privacy Rights Act ("CPRA"), certain categories of personal information are designated as Sensitive Personal Information ("SPI"). Within Grace, the SPI we handle is limited to:

Account credentials. Your password is stored only as a one-way hash by our authentication provider (Clerk). We never see or store the plaintext.

Precise geolocation in the form of production-location coordinates and shoot-day coordinates derived from addresses you enter.

We use SPI only as necessary to deliver the service: to authenticate you, to render maps and distances, and to attach weather forecasts to call sheets. We do not use SPI to infer characteristics about you, for targeted advertising, for cross-context behavioral advertising, or for any purpose outside the service you have asked for.

Because we operate within the CPRA's "service necessity" exception, there is no separate "Limit the Use of My Sensitive Personal Information" link to enable. We are not using SPI beyond what the service requires. If our use of SPI ever changes, this section will change accordingly and we will obtain consent where the law requires it.

Regardless of where you live, you can ask us to:

Access the data we hold about you, in a portable format.

Correct inaccuracies in your account information.

Delete your account and the data associated with it, subject to the retention timelines above and any legal records we are required to keep.

Restrict or object to particular uses of your data.

If you are in the European Economic Area, the United Kingdom, or Switzerland, you have these rights under the GDPR. You also have the right to lodge a complaint with your national supervisory authority (for example, the Information Commissioner's Office in the United Kingdom, your member-state data protection authority in the EEA, or the Federal Data Protection and Information Commissioner in Switzerland) at any time, without first contacting us.

If you are a California resident, you have analogous rights under the CCPA and CPRA, including the right to opt out of sale or sharing of personal information (though as noted, we do not sell or share for advertising in any case) and the right to limit the use of your SPI, addressed in the section above.

Account-holders can submit data-access, correction, and deletion requests from Settings → Account inside Grace. Anyone else (including production crew whose contact details we hold but who never created a Grace account) can submit a request by emailing [email protected]. We respond within 30 days.

Traffic between your browser and Grace is encrypted in transit (TLS 1.2 or higher). Files at rest in Cloudflare R2 are encrypted using AES-256. Database contents at rest on Neon are encrypted using AES-256.

Passwords are stored only as one-way hashes by Clerk. We do not store, see, or process plaintext passwords.

Vault screeners apply per-viewer watermarking and device-kick enforcement to make the path of any captured copy attributable. This is a deterrent layer, not a guarantee against determined screen capture.

If we become aware of a breach affecting your data, we will notify you and any relevant regulators within the timelines required by applicable law.

Grace is not directed to children under 13 and we do not knowingly collect personal information from anyone under 13 within the meaning of the United States Children's Online Privacy Protection Act ("COPPA"). If you believe we have inadvertently collected such information, please email [email protected] and we will delete it promptly.

Productions frequently involve minor cast members. Grace's data model treats minor cast as records about a minor, entered by the production team (typically the casting team or unit production manager) who carry the production-side legal duty around minor employment. The guardian role exists to allow a parent or legal guardian to see Grace records about their minor child during a production.

If you are a minor who has been given direct sign-in access to Grace and you wish to have your account closed, please email [email protected] and we will close the account.

Grace's customer-facing infrastructure is hosted in the United States. Some of our service providers and personnel operate from other jurisdictions. Most notably, Thy Dark Hour Systems (OPC) Pvt Ltd, our software-development and operations partner, is based in India. If you access Grace from outside the United States, your data will be transferred to and processed in the United States and in India. By using Grace from another jurisdiction, you consent to these transfers.

For users in the European Economic Area, the United Kingdom, or Switzerland, we rely on the EU Standard Contractual Clauses (and the UK International Data Transfer Agreement / UK Addendum where applicable) as the legal basis for international transfers. We apply technical and organizational safeguards to these transfers, including encryption in transit and at rest, contractual data-protection terms with each sub-processor, and reliance on the EU–US Data Privacy Framework where the vendor is certified. Our Data Processing Addendum is summarized at graceproductionos.com/legal/dpa, and the executable version is available on request to [email protected].

We may update this policy as Grace evolves, new service providers come online, or laws change. The "Last updated" date at the top of this page always reflects the current version.

Material changes (anything that meaningfully expands what we collect, who we share it with, or how we use it) will be communicated by email to active account holders at least 14 days before taking effect, and we will obtain affirmative consent where the law requires it.