1. Who we are
Data controller: Grow Studio, [Registered office address — please update]. Registration: [Company registration number — please update]. Contact: privacy@grow.contact.
2. What we collect
- Lead / contact data — name, email, budget tier, message you send via our forms.
- Payment data — order ID, amount, tier, customer name and email (card data is handled by PayPal; we never see or store it).
- Project data — information you share to scope and deliver a build.
- Technical data — IP address, browser/device info, pages viewed, performance metrics.
- Cookies — see our Cookie Policy.
3. Why we process it (legal bases — GDPR)
- Contract — to respond to enquiries, deliver paid work, send receipts and project updates.
- Legitimate interests — site security, fraud prevention, basic analytics, improving our service.
- Consent — non-essential cookies, marketing emails (where applicable). You can withdraw at any time.
- Legal obligation — tax, accounting, anti-fraud and record-keeping.
4. Who we share it with
- PayPal — payment processing (PCI-DSS certified).
- Cloudflare — hosting, DNS, edge delivery.
- Supabase — encrypted database and storage.
- Email delivery providers — to send transactional email from notify.grow.contact.
- Tax, legal and accounting advisors where required by law.
We do not sell your personal information.
5. International transfers
Some processors are located outside the EU/UK. Where personal data is transferred, we rely on adequacy decisions or Standard Contractual Clauses (SCCs) and equivalent UK safeguards.
6. How long we keep it
- Lead messages: up to 24 months from last contact.
- Payment & invoice records: as required by tax law (typically 6–10 years).
- Project files: 24 months after final delivery, then archived or deleted on request.
- Email logs: 12 months for deliverability and abuse monitoring.
7. Your rights
EU / UK (GDPR): access, rectification, erasure, restriction, portability, objection, and the right to lodge a complaint with your local supervisory authority (e.g. the ICO in the UK, your national DPA in the EU).
California (CCPA/CPRA): right to know, delete, correct, opt out of "sale" or "sharing" (we do neither), and the right to limit use of sensitive personal information. We do not discriminate against you for exercising these rights.
To exercise any right, email privacy@grow.contact. We respond within 30 days.
8. Security
We use TLS in transit, encryption at rest, Row Level Security on our database, scoped service tokens, and regular dependency and security scans. No system is perfectly secure — please report concerns to privacy@grow.contact.
9. Children
Our services are not directed to children under 16. We do not knowingly collect their data.
10. Changes
We will post changes to this policy on this page and update the "last updated" date. Material changes will be notified by email where we hold an address for you.