Breaking
VERA AI privacy agent now generally available across the platform 2,500+ integrations power one-click data subject requests Named an IDC MarketScape Leader in data privacy, Nov 2025 $45M Series C led by Third Point Ventures & Thomson Reuters 2026 Trends Report flags Shadow AI as a growing threat Customers include Salesforce, Databricks, Instacart & MLS VERA AI privacy agent now generally available across the platform 2,500+ integrations power one-click data subject requests Named an IDC MarketScape Leader in data privacy, Nov 2025 $45M Series C led by Third Point Ventures & Thomson Reuters 2026 Trends Report flags Shadow AI as a growing threat Customers include Salesforce, Databricks, Instacart & MLS
Company Dossier Privacy Tech San Francisco, CA Est. 2018

DataGrail

The Privacy Control Center for Modern Brands

The company that turned "delete my data" into a single button - and built a business on the plumbing everyone else avoids.

DataGrail - agentic data privacy platform brand image
THE SUBJECT: DataGrail's brand mark for its agentic privacy platform. Somewhere behind it, a piece of software is quietly deciding what a company is allowed to remember about you.
Share LinkedIn Twitter / X Facebook Instagram
2018
Founded
2,500+
Integrations
$84M+
Raised
3
Co-Founders

A Company That Sells You the Absence of a Problem

Here is a fact about privacy regulation that nobody puts on a billboard: the hard part is not the law. The law, if you read it slowly with a lawyer and a large coffee, is mostly comprehensible. The hard part is that a modern company's data about you is scattered across dozens - sometimes thousands - of different software tools, each with its own login, its own export format, and its own opinion about what "your data" even means. When you email a company and say "delete everything you have on me," you are asking a stranger to go on a scavenger hunt through a building they've never fully mapped. DataGrail, founded in 2018 and headquartered in San Francisco, sells the map.

More precisely, it sells software that automates the scavenger hunt. The company's pitch - and it is a genuinely useful pitch - is that compliance with GDPR, the California Consumer Privacy Act, and the alphabet soup of regulations that keep arriving should not require hiring one new human per regulation. It should require a platform. DataGrail's platform connects to more than 2,500 applications, which is a genuinely large number, and it uses those connections to do four unglamorous things well: map where personal data lives, fulfill data subject requests, manage consent, and run privacy and AI risk assessments.

None of this is exciting in the way a consumer app is exciting. That is, I think, the entire point. The best privacy software is the software you never think about, in the same way the best plumbing is the plumbing you never think about, right up until the moment a regulator or a journalist or a very angry customer asks a question and you have four weeks to answer it or you don't. DataGrail is betting - and so far the bet is working - that a lot of companies would prefer to answer in four minutes.

"DataGrail is the Privacy Control Center for modern brands to reduce risk and build trust." — DataGrail, company positioning

Three Founders, Three Continents, One Dull Problem

The company was started by Daniel Barber, Ignacio Zendejas, and Earl Hathaway - an Australian, a Mexican, and a Wisconsinite, respectively, which is the kind of detail that sounds like the setup to a joke and is instead just a fact about a cap table. Between them they had spent a combined few decades in and around data and third-party applications, at companies including Facebook, HP Labs, Quantcast, DocuSign, and Responsys. Zendejas and Hathaway build the data products; Barber, now CEO, takes them to market. They launched on Product Hunt in May 2018, which is a very startup way to be born, and raised a $4 million seed shortly after.

What is worth noticing here is the choice. Plenty of founders with that pedigree chase the flashy consumer problem or the obvious enterprise gold rush. This trio looked at data privacy - a field defined by regulatory tedium, cross-system complexity, and the constant threat of being blamed when something goes wrong - and decided it was worth a decade of their lives. The durable businesses are often hiding in the problems everyone else finds boring. Boring, done well, turns out to be a moat.

Funding History // Disclosed Rounds

Series A · 2018$4M
Series A+ · 2019$5.2M
Series B · 2021$30M
Series C · 2022$45M

The Money, and Who Handed It Over

DataGrail has raised more than $84 million in disclosed venture funding across five rounds. The early money came from Cloud Apps Capital Partners. Then things got strategically interesting: in 2019 the company took investment from American Express Ventures and from Okta, which is the sort of investor list that tells you the product touches identity and enterprise trust in ways that matter to serious infrastructure companies. The 2021 $30 million Series B was led by Felicis Ventures with Next47, DocuSign, and HubSpot along for the ride. The $45 million Series C in 2022 was led by Third Point Ventures and Thomson Reuters.

That last name is the tell. When Thomson Reuters - a company whose entire existence is bound up in legal, regulatory, and compliance information - writes a large check into a privacy platform, it is making a statement about where the workflow between "the law" and "the software that complies with the law" is heading. DataGrail wants to be the bridge, and it recruited a bridge-builder as a backer.

Enter Vera, the AI Agent Built to Do Less

The most recent chapter is an AI agent named Vera, which became generally available in 2025 and which DataGrail describes as a "complete privacy AI agent" living inside its workflows. Vera does the things you'd hope: it detects and investigates new cookies, suggests rules, and - crucially - only applies them when a human gives the word. Its AutoFill feature drafts evidence-based answers to privacy assessments using system metadata and previously completed work, turning a process that used to take months of email into one that takes minutes.

What makes Vera interesting is less what it does than what it refuses to do. It never trains on customer data. It only takes approved actions. It runs in a single-tenant environment, hosted separately from the main database, with no internet access, reaching data only through a multi-stage, permission-bound process. In a market full of AI demos that promise to do everything autonomously, DataGrail shipped an agent whose selling point is its constraints. For AI inside a regulated workflow, that is exactly right: the humans still sign off, the automation just removes the typing.

"In 2026, DataGrail will become a proactive, intelligent privacy expert that automatically detects risks, unifies privacy choices across the enterprise, and guides teams with AI-powered insights." — DataGrail 2026 Product Vision

Shadow AI Is the New Shadow IT

DataGrail also does the thing that good infrastructure companies do: it publishes research that makes its own product look necessary, which is not a criticism because the research also happens to be true. Its Privacy and AI Trends Report for 2026 spotlighted "Shadow AI" - employees quietly pasting company data into unapproved chatbots - as an emerging threat. This is shadow IT wearing a new costume, and it is precisely the sort of invisible risk that a data-mapping company is well positioned to both diagnose and sell you the cure for.

The through-line across all of it is a bet on order over chaos. Privacy regulation is not going to get simpler. AI is going to make the data landscape messier, not tidier. DataGrail's wager is that companies will increasingly refuse to manage this by hand, and will instead want a control center - a live map, an automated request queue, a consent ledger, and an AI agent that drafts the paperwork and waits to be told yes. Whether it becomes the category's defining company or a well-run challenger to the incumbent giant, the underlying thesis is sound: the least glamorous software often ends up being the most load-bearing.

The competition is real - OneTrust looms large, and TrustArc, Osano, Securiti, and Transcend are all in the arena. DataGrail's answer has been to be the tool people actually like using, integrate with nearly everything, and only then layer AI on top of a foundation that already works. It is a sensible order of operations. AI on top of a broken workflow just breaks faster.

Under the Hood

What You Can Actually Do With It

Four core jobs, one platform, an AI agent doing the grunt work
Live Data Map
An always-updating inventory of where personal and sensitive data lives across your systems - so "where is it?" has an answer.
Since 2020
Request Manager
Fulfills data subject access and deletion requests quickly and correctly across every connected app, not just the easy ones.
Since 2018
Consent Management
Capture and honor user privacy choices with customizable consent and cookie controls that stay in sync.
Since 2024
Privacy Assessments
Generate evidence-based PIAs and DPIAs in minutes, not months, tracked in a central risk register.
Since 2022
Data Discovery
Uncover PII and sensitive data across sources, surfacing risks - including Shadow AI - before they become incidents.
Ongoing
Vera (AI Agent)
Context-aware privacy AI that investigates cookies, auto-fills assessments, and acts only when a human approves. Never trains on your data.
GA 2025

A Seven-Year Climb, in Order

2018

DataGrail is founded

Barber, Zendejas & Hathaway launch in Palo Alto, debut on Product Hunt, and raise a $4M Series A.

2019

Strategic backing arrives

A Series A+ plus investment from American Express Ventures and Okta as privacy regulation accelerates.

2020

Data discovery launches

Data-mapping tools ship to help companies meet GDPR Article 30 record-keeping requirements.

2021

$30M Series B

Felicis Ventures leads, with Next47, DocuSign, HubSpot, and Okta participating.

2022

$45M Series C

Third Point Ventures and Thomson Reuters back the round; a privacy impact assessment product ships.

2024

Consent management ships

DataGrail rounds out its core suite with a full consent management platform.

2025

Vera goes GA; awards roll in

The AI privacy agent becomes generally available; DataGrail is named an IDC MarketScape Leader.

2026

The agentic vision

The platform reframes around proactive, AI-driven risk detection; the Trends Report flags Shadow AI.

Frequently Asked

What does DataGrail actually do?

It automates data privacy compliance - mapping where personal data lives, fulfilling data subject requests, managing consent, and running privacy and AI risk assessments across 2,500+ integrated apps, in line with GDPR, CCPA, and CPRA.

Who founded DataGrail and when?

Daniel Barber (CEO), Ignacio Zendejas, and Earl Hathaway founded it in 2018 in Palo Alto. It is now headquartered in San Francisco.

What is Vera?

Vera is DataGrail's AI privacy agent. It investigates cookies, auto-fills assessments, and takes only human-approved actions. It never trains on customer data and runs in a walled-off single-tenant environment.

How much has DataGrail raised?

More than $84M in disclosed venture funding across five rounds, including a $30M Series B (2021) and a $45M Series C (2022) led by Third Point Ventures and Thomson Reuters.

Who are its customers and competitors?

Customers include Salesforce, Databricks, Instacart, Dexcom, and Major League Soccer. It competes with OneTrust, TrustArc, Osano, Securiti, and Transcend, often pitching itself as a OneTrust replacement.