Privacy Policy

Last updated May 8, 2026

This policy describes what we collect, how we use it, and what rights you have. Plain English. No dark patterns.

1. Who we are

GrowGanic operates the autonomous SEO platform at growganic.io. We're the data controller for the personal information described here. Contact: [email protected].

2. What we collect

Account information. Name, email, hashed password (or OAuth profile data if you sign in with Google or GitHub).

Project data. Domains you add, keywords you track, articles generated through the service, audit results, and any inputs you provide to our pipelines.

Integration credentials. When you connect a CMS (WordPress, Webflow, Ghost) or service (Google Search Console), we store the API keys and tokens you provide. These are encrypted at rest with AES-256 and only decrypted in memory when needed to call the integration.

Billing information. Plan, billing email, billing country, and Stripe customer/subscription IDs. Card numbers are handled entirely by Stripe; we never see or store them.

Usage analytics. Pages visited, features used, and anonymized event data so we can improve the product. Collected via PostHog.

Error and performance data. Stack traces and request metadata when something breaks, sent to Sentry to help us fix bugs quickly.

Cookies. Strictly necessary cookies for authentication (Better-Auth session cookie, HttpOnly, SameSite=Lax). Functional cookies for analytics and product improvement (PostHog). No advertising cookies.

3. How we use it

To operate the service:

  • Authenticate your sessions and protect your account
  • Run the autonomous pipeline (keyword research, generation, scoring, publishing)
  • Track keyword rankings and audit your sites
  • Send transactional emails (verification, password reset, billing receipts, integration alerts)
  • Process payments via Stripe
  • Provide customer support when you reach out

To improve the service:

  • Analyze aggregate usage patterns to find friction points
  • Debug errors using Sentry traces
  • Test new features with opt-in cohorts

To comply with legal obligations and enforce our terms (fraud prevention, abuse handling, billing records).

We do not sell your personal data to anyone. We do not use your project data, articles, or generated content to train AI models or for any purpose other than providing the service to you.

4. Sub-processors & third-party services

We use the following sub-processors to operate the service. They access data only as needed to perform their function and are bound by their own data processing agreements with us.

  • Stripe for payments, billing, and fraud prevention (US/EU)
  • Third-party AI inference providers for content generation, optimization, and analysis. Content inputs are sent only as needed to complete a task and are not used to train any provider's models. The specific provider mix is part of our proprietary infrastructure; an enterprise sub-processor list is available on request under NDA.
  • Transactional email provider for verification, receipts, and integration alerts
  • Product analytics provider for aggregated usage data
  • Error monitoring provider for crash reports and performance traces
  • Bot detection provider for protecting auth forms from automated abuse
  • Cloud hosting and storage providers for the application, database, and file storage
  • Google & GitHub OAuth (optional sign-in providers)
  • Google Search Console (read-only access to your own GSC data, only when you connect it)

Stripe is named explicitly because you interact with it directly at checkout. The full named sub-processor list is available to enterprise customers under NDA via [email protected].

5. Google API data: sharing, transfer, and disclosure

GrowGanic uses Google APIs in two contexts. This section describes exactly what data we receive from Google, how we use it, and with whom it is shared, transferred, or disclosed.

Google OAuth (sign-in). When you sign in with Google we receive your Google account name, email address, and profile picture URL. We use these solely to create and identify your GrowGanic account. This data is:

  • Stored in our database, hosted on our cloud infrastructure provider (Railway / Neon Postgres), to authenticate your future sessions.
  • Never sold, rented, or shared with any advertiser, data broker, or other third party.
  • Not used to train any AI or machine-learning model.
  • Not disclosed to any party other than the infrastructure providers needed to operate the service (hosting, database, transactional email for account notices).

Google Search Console (optional integration). When you explicitly connect your Google Search Console account, GrowGanic is granted read-only access to your GSC property data: search impressions, clicks, average position, keyword queries, and page URLs for the site(s) you own. We use this data solely to:

  • Display your site's search performance inside your GrowGanic dashboard.
  • Inform keyword research and content recommendations within the service.

Your Google Search Console data is:

  • Stored in our database and processed on our cloud infrastructure to render your dashboard.
  • Never sold, disclosed, or transferred to any third party for any purpose other than operating the service for you.
  • Not used to train AI or machine-learning models.
  • Not shared with advertisers, analytics companies, or any party outside our service infrastructure.
  • Revocable at any time by disconnecting the integration from your account settings or by revoking access in your Google Account permissions page.

No sharing beyond service infrastructure. The only parties who process Google user data on our behalf are:

  • Railway: application hosting and compute (United States)
  • Neon: PostgreSQL database (United States)
  • Upstash / Redis: job queue and caching (United States)

Each of these providers acts as a data processor under our instruction and is bound by contractual data-processing terms. No Google user data is transferred to any other entity.

GrowGanic's use and transfer of information received from Google APIs to any other app adheres to the Google API Services User Data Policy, including the Limited Use requirements.

7. Affiliate program

When you sign up via an affiliate referral link (growganic.io/r/[code] or any URL carrying our ?ref= parameter), the referring affiliate is shown your account email, name, signup date, and high-level activity signals (funnel stage, article count, last active) inside their affiliate dashboard. They use this to decide whether to follow up via their own outreach channels (email, DM). The affiliate never sees your password, payment information, content, or keywords.

Every affiliate must accept program terms requiring a lawful basis for any outreach (prior relationship, prior consent, or that you signed up via their direct outreach channel). If you receive unwanted contact, reply STOP or report it to [email protected] and we will revoke their program access. To opt out of affiliate referrals entirely, sign up directly at growganic.io without clicking a referral link.

8. International data transfers

Some of our sub-processors are located in the United States. When transferring personal data from the EU/UK to the US, we rely on Standard Contractual Clauses (SCCs) and the data processing agreements of those providers.

9. Data retention

We keep your account data for as long as your account is active. After you delete your account, we retain your data for 90 days (in case you return) and then permanently delete it.

Billing records are retained as required by tax law (typically 7 years). Anonymized analytics may be retained indefinitely.

Generated content remains under your control: you can delete individual articles at any time from your dashboard.

10. Security

Sensitive credentials (CMS API keys, OAuth tokens) are encrypted at rest with AES-256. Database connections use TLS. Authentication uses industry-standard password hashing and HttpOnly session cookies. Access to production data is limited to authorized engineers.

No system is 100% secure. If a breach affects you, we'll notify you without undue delay and within 72 hours where required by law.

11. Your rights (GDPR, UK GDPR)

If you're in the EU, UK, or Switzerland, you have the right to:

  • Access the personal data we hold about you
  • Correct inaccurate data
  • Delete your data (“right to be forgotten”)
  • Restrict or object to certain processing
  • Data portability (export your data in a structured format)
  • Withdraw consent where we rely on it
  • Lodge a complaint with your supervisory authority

You can exercise most of these directly from your account settings, or email [email protected] with subject [Privacy]. We'll respond within 30 days.

12. Your rights (CCPA, California residents)

If you're a California resident, you have the right to:

  • Know what personal information we collect and why
  • Request deletion of your personal information
  • Opt out of any “sale” of your personal information (we don't sell)
  • Non-discrimination for exercising these rights

We don't sell personal information. To submit a CCPA request, email [email protected].

13. Children

GrowGanic isn't directed to children under 16. We don't knowingly collect personal information from anyone under 16. If you believe a child has provided us with information, contact us and we'll delete it.

14. Changes to this policy

We may update this policy. Material changes will be communicated via email or in-app notice. The “Last updated” date at the top reflects the latest revision.

15. Contact

For privacy questions, data subject requests, or anything else: [email protected] with subject [Privacy]. We'll respond within 30 days.