Privacy Policy
Last updated: May 30, 2026
This Privacy Policy explains how Growth Labs (“Growth Labs,” “we,” “us,” or “our”) collects, uses, shares, and protects personal data when you use the Growth Labsclient hub (the “Service”). We act as the data controller for the personal data described below.
1. Who this policy covers
The Service is a private platform for Growth Labs and its clients. It is used by two kinds of people:
- Client users— people we invite to access their company’s portal to review onboarding, content, approvals, reports, and files.
- Team users — Growth Labs staff who manage client work inside the admin area.
2. Data we collect
We collect only what we need to run the Service:
- Account data: name, email address, and an encrypted password (we never see your password in plain text).
- Client business data you provide: brand details, onboarding questionnaire answers, social links, content drafts and approvals, requests, and any files or brand assets you upload.
- Usage and technical data: basic request metadata such as IP address and browser type, processed by our hosting provider to deliver and secure the Service.
We do not use advertising trackers, third-party analytics, or behavioural profiling. See our Cookie Notice for details on the small set of essential cookies we use.
3. How we use data
- To provide, maintain, and secure the Service and your account.
- To deliver the agency services you have engaged us for.
- To send service communications (for example, invitations, password resets, and notifications about your content or requests).
- To respond to your questions and support requests.
- To comply with legal obligations and enforce our terms.
4. Legal bases for processing
Where the EU/UK General Data Protection Regulation (GDPR) applies, we rely on the following legal bases:
- Performance of a contract — to provide the Service and the agency work you have engaged us for.
- Legitimate interests — to keep the Service secure, prevent abuse, and improve how it works, balanced against your rights.
- Legal obligation — where we must retain or disclose data to comply with the law.
- Consent — where we ask for it specifically; you may withdraw consent at any time.
5. AI-assisted features
Some optional features use a third-party AI provider (Anthropic) to help draft reports, content ideas, and insights. When you use one of these features, only the content you submit for that task is sent to the provider to generate a response. This content is not used to train AI models. AI features are optional and are only active when an administrator has enabled them.
6. Sharing and sub-processors
We do not sell personal data. We share it only with vetted service providers (“sub-processors”) who help us run the Service under contractual data protection obligations:
| Provider | Purpose | Data involved |
|---|---|---|
| Supabase | Database, authentication, and file storage hosting | Account credentials, profile data, client business data, uploaded files |
| Vercel | Application hosting and content delivery | Request metadata (IP address, user agent) for serving the app securely |
| Anthropic (optional, when AI features are enabled) | AI-assisted drafting (reports, content ideas, insights) | Only the content you submit to an AI feature; not used to train models |
We may also disclose data where required by law, to protect our rights, or in connection with a business transfer.
7. International transfers
Our providers may process data in countries outside your own. Where personal data is transferred internationally, we rely on appropriate safeguards (such as the provider’s Standard Contractual Clauses) to protect it.
8. Data retention
We keep personal data for as long as your account is active and as needed to provide the Service. When an engagement ends, we retain data only as long as necessary for legitimate business and legal purposes, then delete or anonymise it. You can ask us to delete your data sooner (see your rights below).
9. How we protect data
- Strict tenant isolation: each client can only access their own company’s data, enforced at the database level with row-level security.
- Encryption in transit (HTTPS) and at rest with our hosting providers.
- Passwords are stored only as salted, hashed values.
- Access to the admin area is limited to authorised Growth Labs team members.
10. Your rights
Depending on where you live, you may have the right to access, correct, delete, export, or restrict the processing of your personal data, and to object to certain processing. Under GDPR these include the rights of access, rectification, erasure (“right to be forgotten”), restriction, data portability, and objection. You also have the right to lodge a complaint with your local data protection authority.
To exercise any of these rights, email us at privacy@trygrowthlabs.io. We will respond within the timeframes required by applicable law.
11. Children
The Service is intended for business use and is not directed to children under 16. We do not knowingly collect personal data from children.
12. Changes to this policy
We may update this policy from time to time. When we do, we will revise the “Last updated” date above and, where appropriate, notify you.
13. Contact us
For privacy questions or requests, contact us at privacy@trygrowthlabs.io. For general enquiries, email hello@trygrowthlabs.io.