Privacy Policy

How we handle your account, connected-account, and usage data.

Last updated2026-05-01Privacy contactprivacy@growpad.io

1. Who we are

Growpad (“we”, “us”) is the data controller for the personal data you submit to our Service, and the data processor for any data you import from your Google or HubSpot accounts on behalf of end users.

Contact for privacy inquiries: privacy@growpad.io.

2. What we collect

Account data (you provide): email, display name (optional), your organization name + domain.

Connected-account data (you authorize): Google Search Console metrics; Google Analytics 4 metrics; HubSpot deal stages + amounts + close dates (aggregate, no contact PII).

Usage data (we observe): page views, feature interactions, recommendation feedback, IP address and user-agent for audit logging (90-day retention).

What we do NOT collect: contact-level PII from your CRM; payment card data (Stripe is the processor when billing ships).

3. Why we collect it

  • Service delivery — search-intent clusters + pipeline recommendations.
  • Security + fraud prevention — audit logs retained 90 days.
  • Customer support — so we have context when you email us.
  • Product improvement — aggregate metrics on recommendations acted on. Never shared or sold; never tied to individual users.

We rely on legitimate interest (GDPR Art 6(1)(f)) for service delivery + security, and consent for product-improvement analytics (opt out from /account/notifications).

4. Who we share with

Only the subprocessors listed below:

  • Supabase — authentication (magic link, OAuth). Sees your email + auth events.
  • AWS Bedrock + Moonshot AI — LLM processing of evidence bundles (default model: Kimi K2.5 hosted on AWS Bedrock in us-east-1). Sees aggregate metrics and cluster labels, never raw API payloads. AWS Bedrock’s terms forbid model training on customer prompts.
  • Google — you connect GSC/GA4; Google sees the same.
  • HubSpot — you connect HubSpot; HubSpot sees the same.
  • SMTP provider (Postmark / Mailgun / Amazon SES — our choice) — magic-link + transactional email delivery.
  • Sentry (optional, error aggregation) — stack traces with PII scrubbed at the SDK layer.

We do not currently process payments or share data with any payment processor. If we add billing later, we’ll update this policy and notify you in advance.

We do NOT sell, rent, or share personal data for third-party marketing.

5. Where we store it

Primary: single-VM EC2 instance in us-east-1. Backups: encrypted with age, stored in MinIO/S3 (same region), retained 30 days. Encrypted in transit (TLS 1.2+ everywhere); OAuth tokens Fernet-encrypted at rest. No user data leaves the region except when sent to the subprocessors listed above.

6. Retention

  • Raw API payloads: 180 days
  • Normalized + aggregated data: 1 year
  • Reports + recommendations: indefinite until you delete them
  • Recommendation feedback: indefinite (aggregated, no PII)
  • Account deletion → 30-day soft-delete grace → hard-purge
  • Audit logs: 90 days; backups: 30 days encrypted

7. Your rights (GDPR + analogous)

  • Access (Art 15): JSON export at /account/data-export
  • Portability (Art 20): same endpoint, machine-readable JSON
  • Rectification (Art 16): /account or email us
  • Erasure (Art 17): DELETE /users/me in-app or email privacy@…
  • Restriction (Art 18): email privacy@…
  • Objection (Art 21): email privacy@…
  • Withdraw consent: /account/notifications unsubscribe; disconnect any connector from /integrations

We respond within 30 days. No fees for reasonable requests; excessive requests may incur a fee per Art 12(5).

8. Children

The Service is not directed at children under 16. If you believe a child has signed up, email privacy@growpad.io and we’ll delete the account.

9. Changes

We’ll notify customers of material changes at least 30 days in advance via email + in-app banner.

10. Complaints

You may lodge a complaint with your local data protection authority. For EU customers: the relevant DPA depends on your country of residence.

Questions: privacy@growpad.io.