1. Introduction
Growth Protocol, Inc. (“Company,” “we,” “us,” or “our”) respects the privacy of our customers, partners, and visitors. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you use our website at growthprotocol.ai, our cloud-based software-as-a-service platform, and any related services (collectively, the “Services”).
This Privacy Policy applies to personal information we collect from individuals who visit our website, representatives of our business customers and prospective customers, and other individuals who interact with us in a professional capacity. Our Services are designed for business use and are not directed at consumers or children under 16.
By accessing or using our Services, you acknowledge that you have read and understood this Privacy Policy. If you are using the Services on behalf of an organization, you represent that you are authorized to accept this Privacy Policy on that organization’s behalf.
2. Information We Collect
We collect personal information in several ways, depending on how you interact with us and our Services.
2.1 Information You Provide Directly
Account and Registration Information: When you or your organization signs up for our Services, we collect business contact information such as your name, email address, job title, company name, phone number, and billing address.
Payment and Billing Information: We collect billing details such as company name, billing address, and payment card or bank account information. Payment processing is handled by third-party payment processors; we do not store full payment card numbers on our systems.
Communications: When you contact us for support, submit inquiries, or participate in surveys, we collect the content of those communications along with your contact details.
Customer Data: Our customers may upload or submit data to the Services in the course of using the platform (“Customer Data”). We process Customer Data on behalf of our customers as a service provider/processor. The customer’s own privacy policy governs its collection and use of Customer Data.
2.2 Information Collected Automatically
Usage Data: We automatically collect information about how you interact with the Services, including pages visited, features used, clickstream data, session duration, and referring URLs.
Device and Technical Information: We collect device type, operating system, browser type and version, screen resolution, IP address, and unique device identifiers.
Log Data: Our servers automatically record information such as access times, server logs, error reports, and diagnostic data.
Cookies and Similar Technologies: We use cookies, pixel tags, web beacons, and similar technologies to collect information about your browsing activity. See Section 8 (Cookies and Tracking Technologies) for details.
2.3 Information from Third Parties
Business Partners and Integrations: If you connect third-party services to our platform, we may receive information from those services as authorized by you or your organization.
Publicly Available Sources: We may collect business contact information from public sources, professional networking platforms, and commercial data providers for marketing purposes.
Referrals: If someone refers you to our Services, we may receive your business contact information from the referring party.
3. How We Use Your Information
We use the information we collect for the following purposes:
Providing and Maintaining Services: To operate, maintain, improve, and personalize the Services, including processing transactions and sending service-related communications.
Customer Support: To respond to your requests, troubleshoot issues, and provide technical assistance.
Analytics and Improvement: To understand how users interact with the Services, identify trends, and improve functionality, performance, and user experience.
Security and Fraud Prevention: To detect, investigate, and prevent security incidents, fraud, unauthorized access, and other harmful activity.
Marketing and Communications: To send promotional communications about our products, services, and events, subject to your communication preferences and applicable law. You may opt out at any time.
Compliance and Legal Obligations: To comply with applicable laws, regulations, legal processes, and enforceable governmental requests.
Business Operations: To conduct business planning, reporting, auditing, and other internal management purposes.
Contractual Performance: To fulfill our obligations under our agreements with you or your organization.
4. Legal Bases for Processing (EEA, UK, and Switzerland)
If you are located in the European Economic Area (“EEA”), the United Kingdom (“UK”), or Switzerland, we process your personal data only when we have a valid legal basis to do so under the General Data Protection Regulation (“GDPR”), the UK GDPR, or the Swiss Federal Act on Data Protection (“FADP”), as applicable. Our legal bases include:
Legal Basis
Description and Examples
5. How We Share Your Information
We do not sell personal information. We may share your personal information with the following categories of recipients:
5.1 Service Providers
We engage third-party companies and individuals to perform services on our behalf, such as hosting, data analytics, payment processing, customer support, email delivery, and marketing. These service providers are contractually obligated to use personal information only as necessary to perform services for us and in accordance with this Privacy Policy.
5.2 Business Transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of all or a portion of our assets, your personal information may be transferred as part of that transaction. We will notify you via email and/or a prominent notice on our website of any change in ownership or uses of your personal information.
5.3 Legal Requirements and Protection of Rights
We may disclose personal information if required to do so by law or in the good-faith belief that such action is necessary to: (a) comply with a legal obligation, court order, or legal process; (b) protect and defend our rights or property; (c) prevent fraud or other illegal activity; (d) protect the personal safety of users or the public; or (e) protect against legal liability.
5.4 With Your Organization
If you access the Services through an account provided by your employer or another organization, we may share information about your use of the Services with that organization in accordance with our agreement with them.
5.5 Affiliates
We may share personal information with our corporate affiliates and subsidiaries for purposes consistent with this Privacy Policy.
5.6 With Your Consent
We may share personal information with third parties when you have given us explicit consent to do so.
6. International Data Transfers
Growth Protocol, Inc. is based in the United States. If you access the Services from outside the United States, please be aware that your information may be transferred to, stored, and processed in the United States and other countries where our service providers operate.
For transfers of personal data from the EEA, UK, or Switzerland to countries that have not received an adequacy decision, we rely on appropriate safeguards, including:
Standard Contractual Clauses (SCCs): We use the European Commission’s Standard Contractual Clauses (and the UK’s International Data Transfer Addendum, where applicable) to provide appropriate safeguards for cross-border transfers of personal data.
EU-U.S. Data Privacy Framework: If applicable: Growth Protocol, Inc. complies with the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, as set forth by the U.S. Department of Commerce.
Supplementary Measures: Where necessary, we implement additional technical and organizational measures to ensure an adequate level of protection for transferred personal data.
You may request a copy of the applicable transfer mechanisms by contacting us at the details provided in Section 16.
7. Data Retention
We retain personal information for as long as necessary to fulfill the purposes for which it was collected, including to satisfy legal, accounting, or reporting requirements, to resolve disputes, and to enforce our agreements.
When determining retention periods, we consider the amount, nature, and sensitivity of the personal information; the potential risk of harm from unauthorized use or disclosure; the purposes for which we process the information; whether we can achieve those purposes through other means; and applicable legal, regulatory, tax, accounting, or other requirements.
When personal information is no longer required, we will securely delete or anonymize it. If deletion is not immediately possible (for example, because data is stored in backup archives), we will securely store the information and isolate it from further processing until deletion is possible.
8. Cookies and Tracking Technologies
We use cookies and similar tracking technologies to collect and use information about you and your interaction with the Services. Cookies are small text files stored on your device that help us recognize you and remember your preferences.
8.1 Types of Cookies We Use
Cookie Type
Purpose
8.2 Managing Cookies
You can control and manage cookies through your browser settings. Most browsers allow you to refuse or delete cookies. Please note that disabling certain cookies may affect the functionality of the Services. For more information about cookies and how to manage them, visit www.allaboutcookies.org.
Where required by applicable law, we will obtain your consent before placing non-essential cookies on your device.
8.3 Do Not Track
Some browsers transmit “Do Not Track” (DNT) signals to websites. Because there is no common agreement about how to interpret DNT signals, our Services do not currently respond to browser DNT signals. Instead, you may manage your cookie preferences as described above or exercise your rights under applicable law.
9. Data Security
We implement and maintain reasonable administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, alteration, disclosure, or destruction. These measures include:
• Encryption of data in transit (TLS/SSL) and at rest.
• Access controls limiting personnel access to personal information on a need-to-know basis.
• Regular security assessments, vulnerability scans, and penetration testing.
• Incident response procedures to address potential data breaches.
• Employee training on data protection and security practices.
While we strive to protect your personal information, no method of transmission over the Internet or electronic storage is completely secure. We cannot guarantee absolute security, but we are committed to promptly notifying affected individuals and relevant authorities of any data breach in accordance with applicable law.
10. Your Rights and Choices
Depending on your location, you may have certain rights regarding your personal information. We honor these rights in accordance with applicable law.
10.1 General Rights
Regardless of your location, you have the right to:
Opt out of marketing communications by clicking the “unsubscribe” link in any promotional email or contacting us directly.
Update your account information by logging into the Services or contacting us.
Request information about the personal data we hold about you.
11. Additional Rights for EEA, UK, and Swiss Residents
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have the following additional rights under the GDPR, UK GDPR, or FADP:
Right of Access: You have the right to request a copy of the personal data we hold about you, along with information about how we process it.
Right to Rectification: You have the right to request that we correct inaccurate or incomplete personal data.
Right to Erasure: You have the right to request that we delete your personal data in certain circumstances, such as when it is no longer necessary for the purposes for which it was collected.
Right to Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances, such as when you contest the accuracy of the data.
Right to Data Portability: You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller.
Right to Object: You have the right to object to processing based on our legitimate interests or for direct marketing purposes. We will cease processing unless we demonstrate compelling legitimate grounds.
Right to Withdraw Consent: Where processing is based on consent, you may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
Right to Lodge a Complaint: You have the right to lodge a complaint with your local supervisory authority. A list of EEA supervisory authorities is available at https://edpb.europa.eu.
We will respond to your request within one (1) month, as required by the GDPR. This period may be extended by up to two additional months for complex or numerous requests, in which case we will inform you of the extension and the reasons for the delay.
Data Protection Officer: If applicable, you may contact our Data Protection Officer at dpo@growthprotocol.ai. Our EU and UK representatives can be contacted at privacy@growthprotocol.ai.
12. Additional Disclosures for California Residents
This section provides additional information required by the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA/CPRA”), for California residents. To the extent that we collect personal information that is subject to the CCPA/CPRA, the following applies.
12.1 Categories of Personal Information
In the preceding twelve (12) months, we have collected the following categories of personal information, as defined by the CCPA/CPRA:
Category
Examples
Business Purpose
12.2 Your California Privacy Rights
As a California resident, you have the following rights:
Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you, the categories of sources, the business purposes for collection, and the categories of third parties with whom we share personal information.
Right to Delete: You may request that we delete personal information we have collected from you, subject to certain exceptions.
Right to Correct: You may request that we correct inaccurate personal information we maintain about you.
Right to Opt Out of Sale/Sharing: We do not sell personal information, nor do we share personal information for cross-context behavioral advertising. If this changes, we will provide a “Do Not Sell or Share My Personal Information” link on our website.
Right to Limit Use of Sensitive Personal Information: We do not use or disclose sensitive personal information for purposes beyond those authorized by the CCPA/CPRA.
Right to Non-Discrimination: We will not discriminate against you for exercising any of your CCPA/CPRA rights.
12.3 How to Exercise Your Rights
To exercise your California privacy rights, you may submit a verifiable consumer request by emailing us at privacy@growthprotocol.ai or by visiting growthprotocol.ai/privacy. We will verify your identity before processing your request. If you designate an authorized agent to make a request on your behalf, we may require proof that the agent has valid authorization and may still ask you to verify your identity directly.
We will respond to verifiable consumer requests within forty-five (45) days. If we need additional time (up to an additional 45 days), we will inform you of the reason and the extension period in writing.
12.4 California Shine the Light
Under California Civil Code Section 1798.83, California residents may request information regarding the disclosure of personal information to third parties for direct marketing purposes. As stated above, we do not disclose personal information to third parties for their direct marketing purposes.
13. Additional Disclosures for Other U.S. State Residents
Residents of certain other U.S. states may have additional privacy rights under their state’s data protection laws, including but not limited to the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), the Utah Consumer Privacy Act (UCPA), the Texas Data Privacy and Security Act (TDPSA), the Oregon Consumer Privacy Act (OCPA), the Montana Consumer Data Privacy Act (MCDPA), and similar enacted legislation.
If you are a resident of a state with an applicable consumer data privacy law, you may have the following rights (to the extent provided under your state’s law):
Right to Access: Confirm whether we are processing your personal data and access such data.
Right to Correct: Correct inaccuracies in your personal data.
Right to Delete: Delete personal data you have provided or that we have obtained about you.
Right to Data Portability: Obtain a copy of your personal data in a portable and readily usable format.
Right to Opt Out: Opt out of the processing of personal data for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects.
To exercise these rights, please contact us using the information in Section 16. If we decline your request, you may have the right to appeal. We will provide instructions on how to appeal in our response to your request.
14. Children’s Privacy
Our Services are designed for business use and are not directed at individuals under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information as soon as possible. If you believe that a child under 16 has provided us with personal information, please contact us at the details provided in Section 16.
15. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, and other factors. When we make material changes, we will notify you by updating the “Effective Date” at the top of this Privacy Policy and, where required by applicable law, providing additional notice (such as adding a statement to our website or sending you a notification).
We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information. Your continued use of the Services after the effective date of any changes constitutes your acceptance of the revised Privacy Policy.
16. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Growth Protocol, Inc.
600 3rd Ave.
2nd Floor
New York, NY 10016
Email: privacy@growthprotocol.ai
For EEA/UK inquiries, you may also contact our Data Protection Officer or our local representative (see Section 11).
For California-specific inquiries, you may also submit a request through our online privacy request form at growthprotocol.ai/privacy.