Privacy Policy
How Grik.io processes account, billing, BYOK, hosted inference, coding agent, media, telemetry, and support data.
Privacy Policy for Grik.io
Ricochet for coding and Rico for video / media generation
Effective date: June 13, 2026. Last updated: June 13, 2026.
Quick Summary
This summary is provided for convenience only and does not replace the full Policy. If there is any conflict, the full Policy below controls.
- Grik.io provides Ricochet and Rico. Ricochet is for coding, agentic development and remote work with agents through interfaces, applications and messengers. Rico is for generation, editing and processing of video, images, audio and other media.
- BYOK is free. If you use your own API keys and route model calls directly from your local environment or infrastructure to the AI provider you choose, we do not receive or store your input tokens, output tokens, prompts, repository code, files or model outputs, except for data that you separately send to us through an account, support, telemetry, synchronization, billing, hosted gateway, cloud agent or Grik.io integrations.
- In hosted inference, credit, cloud-agent, messenger-agent or managed mode, we may process your prompts, commands, files, code snippets, logs, media and model outputs to perform your request, calculate usage, and provide security and support.
- We do not claim ownership of your User Content. You retain your rights in Inputs and Outputs to the extent permitted by applicable law and third-party provider terms.
- We do not sell your personal data as a standalone commodity. We may share data with infrastructure providers, payment processors, AI providers, messenger providers, analytics, security and support vendors when needed to operate the Service.
- We do not use private user code, private repositories, private media, chats or BYOK content to train our own foundation models. Aggregated or de-identified technical metrics may be used to improve the product. Third-party AI providers may process data under their own terms.
- You may request access, correction, export, deletion or restriction of your personal data, opt out of marketing messages and manage cookies.
Contents
- 1. Who we are and what this Policy covers
- 2. Key definitions
- 3. Data we collect
- 4. BYOK, hosted inference and third-party AI providers
- 5. Ricochet data: coding, agents, repositories and messengers
- 6. Rico data: video, images, audio and media
- 7. Cookies, telemetry and analytics
- 8. How we use data
- 9. Legal bases for processing
- 10. How we disclose data
- 11. International transfers
- 12. Retention and deletion
- 13. Security
- 14. Your rights and choices
- 15. Children and minors
- 16. Automated processing, safety and moderation
- 17. Open source and third-party services
- 18. Changes to this Policy
- 19. Contact
- 20. Regional supplements
1. Who we are and what this Policy covers
This Privacy Policy (the “Policy”) explains how TK BAZIS-M LLP, BIN 191040029631, operating under the product brand Grik.io (“Grik.io,” “we,” “us,” or “our”), collects, uses, stores, discloses and otherwise processes personal data and other User Content when you use our websites, applications, APIs, extensions, CLI tools, web interfaces, cloud agents, gateways, billing systems, messenger integrations, software, open-source components and related services.
This Policy applies to Grik.io as a whole, including Ricochet and Rico, unless a specific product, order form, contract, enterprise agreement, DPA or product setting states otherwise.
If you use the Service on behalf of a company, team, employer, client or other organization, you represent that you have authority to provide data on behalf of that organization and its users, and that you have provided all required notices, consents, access rights and internal approvals.
This Policy does not govern independent processing by third-party AI providers, payment processors, messengers, app stores, repository providers, hosting providers, cloud platforms or other external services, even when they are connected to Grik.io. Their processing is governed by their own policies and terms.
| Role | Details |
| --- | --- |
| Data controller / operator | TK BAZIS-M LLP, BIN 191040029631 |
| Address | Office 31, 5/49 Stepnoy 1 microdistrict, Kazybek Bi district, Karaganda, Karaganda Region, 100000, Republic of Kazakhstan |
| Privacy email | support@grik.io |
| Products | Grik.io, Ricochet, Rico, related applications, websites, APIs, extensions, CLI, gateway, cloud-agent and integrations |
2. Key definitions
- “Personal Data” means any information relating to an identified or identifiable individual, including account, contact, technical, payment and usage data.
- “User Content” means data that you input, upload, import, send, connect or generate through the Service, including prompts, messages, code, files, repositories, terminal output, images, video, audio, scripts, settings, logs, model responses and processing results.
- “Input” means requests, commands, files, messages, media, code, context or other materials you provide for processing.
- “Output” means responses, code, patches, video, images, audio, media, actions or other results generated or prepared by the Service or third-party AI providers.
- “Actions” means actions performed by an agent at your direction, such as reading files, modifying code, running commands, creating pull requests, sending messages, processing media, calling an external API or interacting with a connected service.
- “BYOK” means Bring Your Own Key, a mode where you use your own API keys, accounts or infrastructure to access AI providers or local models.
- “Hosted inference” means a mode where model requests are routed through Grik.io infrastructure, gateway, credits, keys or managed partners.
- “Messenger integrations” means integrations with Telegram, WhatsApp, Discord, Slack, email, SMS or other channels through which you interact with Ricochet, Rico or Grik.io agents.
3. Data we collect
The categories of data we collect depend on the product, operating mode and settings you choose. We aim to collect only the data needed to provide the Service and for security, billing, support, legal compliance and product improvement.
3.1 Data you provide to us
- Account and contact data: name, username, email, phone number, password or one-time codes, language, country, organization, role, account settings, team identifiers and workspace identifiers.
- Authorization and integration data: OAuth tokens, access tokens, refresh tokens, webhook secrets, API keys, repository connection settings, messenger, cloud, storage, CI/CD, model provider and other integration credentials. Where possible, secrets are stored encrypted or locally on your side, depending on the mode.
- User Content: prompts, commands, messages, context, code, diffs, pull requests, issues, files, documentation, terminal output, build logs, images, video, audio, subtitles, captions, style references, storyboards, feedback and other materials.
- Payment and commercial data: plan, credits, usage, invoices, transactions, currency, payer details, tax information, legal name, address, payment and refund history. Full payment card details are typically processed by the payment provider and are not stored directly by us.
- Support and communication data: support tickets, emails, chat messages, call or demo recordings where used and permitted by law, survey responses, feedback, bug reports and crash reports.
- Business cooperation data: company representative contact details, job title, company name, enterprise requirements, security questionnaires, procurement, legal documents and correspondence.
3.2 Data collected automatically
- Technical data: IP address, approximate location based on IP, device type, operating system, browser, language, time zone, app version, identifiers, screen resolution, crash diagnostics, performance metrics, referral URL and network data.
- Usage data: features used, access time, session duration, selected models, agent modes, number of requests, input/output usage, inference cost, task status, render queue, error logs, buttons and settings used.
- Security and abuse-prevention data: login events, device fingerprints where appropriate, suspicious activity, rate limits, anti-fraud signals, attempts to bypass limits, policy violations and incident investigation data.
- Cookies and similar technologies: necessary cookies, local storage, analytics cookies, preferences cookies, marketing cookies, pixels and web beacons where enabled and permitted by law or your settings.
3.3 Data from third-party sources
- Authentication and account providers may provide email, name, avatar, organization ID and authorization status.
- Repository and project-management providers may provide repository metadata, issues, commits, pull requests, file tree, comments, actions and permissions if you connect the integration.
- Messengers may provide chat ID, user ID, username, messages, attachments, voice/video, group metadata, timestamps and delivery status if you interact with Grik.io through a messenger.
- Payment providers may provide payment status, billing identifiers, last four card digits, country, invoice status and anti-fraud signals.
- AI providers and model gateways may return outputs, usage, latency, safety flags, error logs and billing metadata.
4. BYOK, hosted inference and third-party AI providers
4.1 BYOK mode
BYOK is a free mode of using the Grik.io tool. You may use your own keys, accounts, local models or infrastructure where the relevant integration is supported by the product.
- If model calls are routed directly from your local environment or your infrastructure to the AI provider you choose, Grik.io does not receive or store input tokens, output tokens, prompts, responses, underlying code, files, media or API usage for that request.
- If you enable cloud sync, history, messenger agent, hosted gateway, remote execution, team analytics, shared BYOK, managed secrets, support debugging or billing reconciliation, the relevant data may be transmitted to and processed by Grik.io to the extent necessary for that feature.
- Your API keys and secrets may be stored locally on your device, in your vault or in encrypted Grik.io storage if you explicitly use hosted/managed mode. You are responsible for configuring provider keys, permissions, budgets and limits correctly.
- We do not control the terms, retention, training, logging, security or cost of the third-party AI provider you choose in BYOK mode. You should review that provider’s terms, privacy policy, DPA and opt-out settings.
4.2 Hosted inference, credits and Grik.io Gateway
When you use hosted inference, credits, Grik.io Gateway, cloud-agent or keys/providers supplied through Grik.io, we may process and transmit your Inputs and necessary metadata to selected AI providers or model routers to generate Outputs and perform Actions.
- We may view and process prompts, code snippets, files, repository context, media, instructions, conversation history, tool calls, outputs, usage, latency, cost, model ID and error logs to the extent necessary to perform the request and for billing, security and support.
- AI providers may process, store or use data according to their own terms. Some providers offer zero-retention, no-training, enterprise privacy or opt-out settings; others may log data or use it to improve models. We may show you provider information, but we do not guarantee that such information is complete or current.
- Where technically available, we will try to select privacy-friendly processing modes for paid hosted plans, but final availability depends on the provider, region, model and your plan.
- You are responsible for not submitting secrets, private keys, personal data of third parties, protected health information, classified/sensitive government information, trade secrets without permission or other data that should not be transmitted to the selected provider.
5. Ricochet data: coding, agents, repositories and messengers
Ricochet may perform agentic tasks, write and edit code, read files, run commands, connect to repositories, CI/CD, issue trackers, documentation, knowledge bases, cloud/storage and messengers. Depending on your settings, this may involve processing the following data:
- code, configuration files, tests, package manifests, lock files, build logs, terminal output, stack traces, diffs, commit messages, pull requests, comments, issues, project documentation and prompts;
- repository metadata, such as name, branches, file list, commit authors, timestamps, labels, reviewers, CI/CD statuses and access rights;
- remote-agent session data, such as commands, approvals, tool calls, screenshots, task state, execution results, error logs and interaction history;
- messenger data, such as chat ID, user ID, username, messages, attachments, voice messages, timestamps, group/channel metadata and delivery status;
- secrets and keys only if you explicitly provide them or connect managed secrets. We recommend secret scanning, masked variables, allowlists and minimum permissions.
Ricochet may perform Actions at your direction. You are responsible for the permissions you grant to the agent, the commands you approve and the external services you connect. We may keep logs of Actions, approvals and results for security, diagnostics, usage accounting and dispute resolution.
6. Rico data: video, images, audio and media
Rico may use generative AI models and media tools for creation, editing, stylization, upscaling, dubbing, transcription, lip-sync, storyboard, image-to-video, text-to-video, video-to-video and other media operations.
- You may upload images, videos, audio, text, prompts, style references, masks, seeds, negative prompts, subtitles, voice samples, characters, avatars, metadata and generation parameters.
- To operate Rico features, we may analyze frames, objects, scenes, motion, contours, audio, transcripts and other technical features. If you use features involving faces, portraits, voice or likeness, we may process related features solely to perform the requested function and for safety, moderation and abuse prevention, and not to identify a person unless expressly stated otherwise.
- You must have rights, permissions and consents to upload and process faces, voices, images, video, music, logos, trademarks and other third-party materials. You must not use Rico for unlawful impersonation, deception, non-consensual deepfakes, privacy violations, harassment, sexual content involving minors or other prohibited activity.
- Media files may be temporarily cached, segmented and transmitted to third-party model providers, storage, render workers, CDN or moderation services for generation, processing, delivery and safety.
- If you publish Output publicly, send it to other users or export it to third-party services, further distribution and processing may be governed by the terms of those platforms.
7. Cookies, telemetry and analytics
We may use cookies, local storage, pixels, web beacons, SDKs and similar technologies to operate websites and applications, sign you in, provide security, save preferences, perform analytics and attribution, conduct marketing and improve the product.
| Category | Purpose |
| --- | --- |
| Necessary | Account login, security, routing, session state and abuse prevention. Usually cannot be disabled through the cookie banner. |
| Functional | Remembering language, region, theme, model preferences, UI settings and consent preferences. |
| Analytics | Understanding product usage, performance, crash analytics, adoption metrics and improving UX. |
| Marketing | Measuring campaign performance, referral attribution, retargeting and personalization where applicable and permitted. |
You can manage cookies through your browser settings, cookie banner or application settings where available. Disabling cookies may make some features unavailable.
Ricochet and Rico telemetry, where enabled, is intended for diagnostics, security, billing, product analytics and product improvement. In privacy-friendly modes, it should not contain source code, prompts or media content, except where such data is needed for a selected feature, support request, crash report, hosted inference, cloud session or safety review.
8. How we use data
- to provide, maintain, route and improve Grik.io, Ricochet, Rico, APIs, gateway, cloud-agent, messenger-agent, inference, rendering, billing and related features;
- to create and administer accounts, workspaces, teams, roles, permissions, SSO, access controls and security settings;
- to process requests, generate Outputs, perform Actions, save history, synchronize across devices and provide support;
- to calculate usage, credits, plans, payments, invoices, refunds, limits, fraud prevention and billing reconciliation;
- for security, including detecting abuse, malware, unauthorized access, prompt injection, credential leaks, spam, DDoS, policy violations and other risks;
- for content moderation, safety review, enforcing acceptable use rules and preventing illegal content and harmful actions;
- for communications, including service notices, security alerts, policy changes, support responses, onboarding, product updates and marketing messages that you can opt out of;
- for analytics and product development, including aggregated and de-identified metrics, error detection, UX improvement, reliability, latency, cost routing and agentic workflow quality;
- to comply with law, tax and accounting obligations, respond to lawful government requests, protect rights, investigate disputes and enforce terms.
We do not use private user code, private repositories, private media, messenger messages or BYOK content to train our own foundation models. If we later offer a separate model-improvement program based on User Content, we will provide a separate notice, setting or consent where required by law.
9. Legal bases for processing
Depending on your country and applicable law, we may process data based on:
- performance of a contract with you or your organization, including providing the Service, billing, support and fulfilling your requests;
- your consent, such as for optional cookies, marketing, certain integrations, processing of certain media categories or enabling optional telemetry;
- legitimate interests of Grik.io or third parties, such as security, fraud prevention, product improvement, diagnostics, rights protection, analytics and business operations, where not overridden by your rights;
- compliance with legal obligations, including tax, accounting, sanctions, consumer, privacy, security and other mandatory requirements;
- protection of vital interests of a user or another person in emergency situations where applicable.
10. How we disclose data
We may disclose data only to the extent necessary for the purposes described in this Policy and with contractual, technical or organizational protections where applicable.
- AI providers, model gateways and inference partners to process Inputs, generate Outputs, perform Actions, calculate usage and diagnose errors in hosted inference or an integration you choose.
- Cloud, hosting, storage, CDN, database, queue, render and infrastructure providers for hosting, scaling, delivery, backup, video processing and agent operation.
- Payment providers, banks, accounting and tax partners for payments, invoices, refunds, anti-fraud, tax and accounting.
- Messenger, email, push, SMS and communication providers for delivery of messages, commands, notifications and agent updates.
- Repository, CI/CD, cloud, project management and productivity integration providers where you connect the relevant integration or direct an agent to interact with it.
- Analytics, crash reporting, security, abuse detection and support tool providers for monitoring, improvement, diagnostics and protection of the Service.
- Your organization, workspace admin or team owner if your account is created or used under an organization, domain, workspace, team plan or enterprise plan.
- Government authorities, courts, regulators and other parties where disclosure is required by law, court order, lawful request, rights protection, security or harm prevention.
- A buyer, successor or corporate transaction participant in connection with a reorganization, sale of business, financing, merger, acquisition or transfer of assets, subject to reasonable data protection.
We do not sell your personal data as a standalone commodity. If applicable law treats certain advertising cookies or sharing for cross-context behavioral advertising as a “sale” or “sharing,” you may use the available opt-out mechanisms.
11. International transfers
Grik.io is operated by a Kazakhstan company, but our users, model providers, cloud infrastructure, support, analytics and payment services may be located in different countries. Depending on the feature you choose, your data may be stored and processed in the Republic of Kazakhstan, the United States, the European Economic Area, the United Kingdom, Singapore, the UAE or other jurisdictions.
By using the Service and connecting third-party providers, you understand that data may be transferred outside your country. We will apply measures we consider reasonable and applicable, including processor agreements, data processing terms, standard contractual clauses, technical safeguards, encryption, access controls and transfer necessity assessments.
If a separate consent, contract or other mechanism is required for a transfer of certain data, we may request it or restrict the relevant feature.
12. Retention and deletion
We retain data no longer than necessary for the purposes described in this Policy, unless longer retention is required or permitted by law, contract, product settings, enterprise agreement, security requirements or your choices.
| Category | Typical retention principle |
| --- | --- |
| BYOK direct/local | Not stored by Grik.io if requests go directly from your environment to the provider and Grik.io cloud features are not enabled. |
| Account and workspace | While the account is active and for a reasonable period after deletion for restoration, security and legal obligations. |
| Hosted prompts, outputs, code/media context | As needed for request fulfillment, history, synchronization, support, security or selected settings; may be deleted or de-identified upon request where permitted. |
| Credits, billing, invoices | For the period needed for accounting, tax, refunds, disputes and legal obligations. |
| Security logs | Kept for a reasonable period to investigate incidents, prevent abuse and protect the Service. |
| Analytics and aggregated data | May be retained longer in aggregated or de-identified form where it does not identify you. |
When you delete your account, we will delete or de-identify account-related data except for data we are required or permitted to retain, such as billing records, legal records, security logs, dispute records, backups until rotation, data needed to prevent fraud/abuse, and aggregated or de-identified data.
Backups may remain for a limited time until automatic overwrite. If immediate deletion from backups is not technically possible, we will isolate the data from ordinary use until deletion or overwrite.
13. Security
- We use reasonable technical and organizational safeguards, such as encryption in transit, access restrictions, administrative action logging, least privilege, secret storage, backups, monitoring, vulnerability management and internal access rules.
- API keys, OAuth tokens and secrets stored by us should be stored encrypted or in dedicated secret storage where technically available.
- No service can guarantee absolute security. You are responsible for securing your devices, repositories, messengers, cloud accounts, API keys, budgets, approvals and permissions granted to agents.
- If you believe your account, API key, repository or integration has been compromised, immediately disable the relevant key or integration and contact us.
14. Your rights and choices
Depending on applicable law, you may have the right to:
- receive information about what data we process and why;
- request access to your data and a copy of the data;
- correct inaccurate or incomplete data;
- request deletion of data or your account;
- restrict processing or object to processing;
- receive a portable copy of data where applicable;
- withdraw consent where processing is based on consent;
- opt out of marketing messages;
- change cookie preferences, telemetry settings, integrations, AI-provider settings, BYOK/local/hosted routing and history;
- complain to a competent data protection authority where available by law.
To exercise your rights, contact us at support@grik.io. We may ask you to verify your identity, account or representative authority. We will respond within the time required by applicable law and may deny or limit a request where required by law, where it affects the rights of others, compromises security, relates to legal/billing/security records or is manifestly unfounded or excessive.
15. Children and minors
The Service is not intended for children. Unless expressly stated in a specific product, Grik.io is intended for users who are at least 18 years old or the age of majority/digital consent in their jurisdiction, whichever is higher. Minors may use the Service only with permission and supervision of a parent or legal guardian where permitted by applicable law and product terms.
Do not upload or process children’s personal data, images, video, voice, school records, medical information or other minors’ data without legal basis, permissions and consents. If you believe a child has provided us with personal data without proper consent, contact us.
16. Automated processing, safety and moderation
We may use automated systems to route requests, estimate costs, detect policy violations, malware, spam, fraud, prompt injection, unsafe media, deepfake abuse, rights violations, attempts to bypass limits and other risks. These systems may limit a feature, delay a render, request additional confirmation, block a request or send an event to manual review.
We do not use automated processing to make decisions that have legal or similarly significant effects on you, except where necessary for security, legal compliance, fraud/abuse prevention, contract performance or where permitted by applicable law. You may contact us to request review of a significant restriction where such right is available by law.
17. Open source and third-party services
Some Grik.io components may be open source or use open-source libraries. Public source code, issue trackers, pull requests, comments and public repositories may be accessible to third parties under the settings of the relevant platform. Do not publish secrets, personal data or confidential materials in public repositories.
Third-party services, including AI providers, messengers, payment systems, app stores, GitHub/GitLab/Bitbucket, cloud platforms, analytics and model gateways, have their own terms and policies. We are not responsible for their independent processing, errors, retention, training, security incidents, availability or changes to terms.
18. Changes to this Policy
We may update this Policy as our product, laws, infrastructure, integrations, pricing, AI providers or security practices evolve. For material changes, we will try to notify you through the website, application, email, in-product notice or another reasonable method. Continued use of the Service after changes become effective means you accept the updated Policy, unless applicable law requires another consent mechanism.
19. Contact
For privacy, personal data, account deletion, complaints, security or rights requests, contact us at:
| Item | Details |
| --- | --- |
| Company | TK BAZIS-M LLP, BIN 191040029631 |
| Address | Office 31, 5/49 Stepnoy 1 microdistrict, Kazybek Bi district, Karaganda, Karaganda Region, 100000, Republic of Kazakhstan |
| Email | support@grik.io |
| Director | Sergey Sergeevich Vasiliev, acting on the basis of the Charter |
20. Regional supplements
20.1 Republic of Kazakhstan
Where the law of the Republic of Kazakhstan applies, we process personal data in accordance with applicable requirements on personal data and its protection. You may request information about processing, correction, blocking or destruction of personal data in the cases and manner provided by applicable law.
20.2 EEA, United Kingdom and Switzerland
If GDPR, UK GDPR or similar rules apply to you, you may have rights of access, rectification, erasure, restriction, portability, objection, withdrawal of consent and complaint to a supervisory authority. International transfers may rely on adequacy decisions, standard contractual clauses or other applicable mechanisms.
20.3 United States and specific states
Depending on your state, you may have rights to know, access, correct, delete, receive a portable copy, opt out of sale/sharing for cross-context behavioral advertising or limit use of sensitive data. We do not sell personal data as a standalone commodity; where advertising cookies are considered sale/share under local law, use the available opt-out settings.
20.4 Other countries
If the laws of your country provide additional rights, we will consider your request in accordance with applicable requirements. Some features may be unavailable in certain regions due to legal, sanctions, privacy, safety or technical restrictions.