Grammarly’s product can’t access anything you type unless you are actively using it. For example: If you’re using one of our desktop applications, browser extensions, or mobile applications, you can see that it is activated in a text field by looking for a visible Grammarly logo or an icon showing the number of suggestions waiting for you. When a developer has integrated a Grammarly API in their application, you can see Grammarly's floating button in the bottom right corner of the page where suggestions are being delivered.

To check text and provide suggestions, Grammarly uses powerful server-based algorithms that are too complex to be stored locally on a user’s device. The servers are hosted by AWS in the United States.

Grammarly’s writing assistant is blocked from accessing text in fields marked “sensitive.” This means that Grammarly’s desktop applications, browser extensions, and mobile applications do not see anything typed in credit card forms, password fields, URL fields, or fields where similar private information is provided.

By default, we also block the product from running where you can’t edit text (known as “read-only” fields), such as the instructions to a web form.

We think you should know exactly what Grammarly has stored about you. To view the personal data associated with your account, submit a request through your account hub. Requiring you to be logged in helps us ensure that only you can request information about yourself. If you delete your account, we will remove your personal information from our systems.

If you use the Grammarly Editor, you can view all documents you have saved—we store them so you have access until you choose to delete them. If you delete your account, we will delete these documents from our servers.

Grammarly restricts employee access to customer data across our network, infrastructure, and services. Only those authorized to access data critical to their work may do so. This is often referred to as the “principle of least privilege.”

Grammarly relies on trusted third-party vendors for specific services and functions, such as hosting our servers, email communication, and customer support services. We regularly evaluate vendor security, and we validate that all user information is removed from third-party systems after there is no longer any need for its storage. Read more about the third-party subprocessors we use.

Grammarly does not own the text you write while using our product. You always retain all rights to your text, including copyrights and duplication privileges. In short, your work remains yours.

Grammarly complies with regulations regarding data privacy and protection. This includes the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and the Health Insurance Portability and Accountability Act (HIPAA), among other frameworks that govern Grammarly’s privacy obligations.

Grammarly’s in-house team of security specialists is dedicated to fortifying the security of our product, infrastructure, and operations. Company executives are directly involved in overseeing security strategy and enforcement.

We also run a Security Champions program. Team members across the organization train on information security matters and drive team-specific security initiatives. This helps ensure company-wide attention to security issues.

We use industry-standard encryption to protect all user data in transit and at rest. Whether you’re receiving suggestions through a desktop application or browser extension, or you’re saving documents in your Grammarly Editor, all your data is encrypted and safeguarded.

To aid users in keeping their accounts secure, we offer two-step verification—also known as two-step authentication, a type of multi-factor authentication. We also offer guidance about maintaining strong passwords. These help ensure your account can only be accessed by you.

Grammarly protects against unauthorized access through constant auditing and monitoring. We are vigilant about identifying unexpected account behavior, and we notify affected users if we learn of unauthorized account access.

We ask outside experts to validate the strength of our information security. That’s why we operate a bug bounty program with HackerOne, where we invite ethical hackers to search for potential software vulnerabilities and report them directly to our Security team.

We regularly hire security firms to evaluate our systems through “penetration tests,” which simulate a cyber attack to check for anything that could be exploited. We also invite enterprise customers to contract third parties of their choosing to perform these tests.

Third-party auditors review our security practices to help us achieve trusted industry standards. We have received a SOC 2 (Type 2) report and are certified with ISO 27001, 27017, and 27018, among other attestations.

We are proud to be members of the Cloud Security Alliance, a nonprofit dedicated to promoting secure cloud computing.

We host a security whitepaper to offer transparency into our security practices and procedures.