Data Processing Agreement

Last Updated: May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between you (“Controller”) and Growino (“Processor”) and applies wherever Growino processes personal data on your behalf. It satisfies the requirements of GDPR Article 28.

1. Definitions

ControllerThe user or business that determines the purposes and means of processing — i.e., you.
ProcessorGrowino, acting on the Controller's instructions.
Personal DataAny data relating to an identified or identifiable natural person processed via the service (e.g., data subjects whose activity is captured in connected Google properties).
Sub-processorA third party engaged by Growino to process personal data on the Controller's behalf.
GDPRRegulation (EU) 2016/679 and its national implementing legislation.

2. Subject Matter and Duration

Growino processes personal data for the duration of the active subscription. Processing stops immediately upon account termination; data is deleted within 30 days unless a longer retention is required by law.

3. Nature and Purpose of Processing

NatureCollection via Google API read-only scopes; storage in encrypted database; analysis and display within the application; AI-assisted insight generation.
PurposeProvision of the Growino SEO/SEM analytics service as described in the Terms of Service.
Types of personal dataEmail addresses, Google account identifiers, search query strings, URL paths, and aggregated behavioural metrics from Google Analytics 4.
Categories of data subjectsWebsite visitors and users of properties connected by the Controller; the Controller's own account holder.

4. Controller Obligations

The Controller warrants that:

  • It has a lawful basis for processing all personal data submitted to the service.
  • It has obtained all necessary consents from data subjects where consent is the legal basis.
  • It will not instruct Growino to process data in a manner that violates applicable law.
  • It will notify Growino without undue delay of any changes to instructions that affect processing.

5. Processor Obligations

Growino shall:

  • Process personal data only on documented instructions from the Controller.
  • Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
  • Implement the technical and organisational security measures described in §6.
  • Assist the Controller in fulfilling data subject rights requests (access, erasure, portability) within 72 hours of receiving a validated request.
  • Assist the Controller in conducting Data Protection Impact Assessments where required.
  • Delete or return all personal data upon termination at the Controller's choice.
  • Make available all information necessary to demonstrate compliance with this DPA.

6. Security Measures

Encryption in transitTLS 1.2 minimum for all API and browser connections.
Encryption at restAES-256-GCM for database storage; separate key for credentials (BYOK keys).
Access controlRole-based access; principle of least privilege; no employee access to raw Google tokens without audit log.
PseudonymisationAI prompts receive anonymised keyword/metric data only — no PII forwarded to LLM providers.
AvailabilityDaily encrypted backups retained 30 days; point-in-time recovery.
TestingPeriodic security reviews; responsible disclosure policy published at growino.com/security.

7. Sub-processors

The Controller grants general written authorisation for the sub-processors listed below. Growino will give at least 14 days’ notice before adding or replacing a sub-processor.

Supabase Inc.Database hosting — EU region (Frankfurt).
Vercel Inc.Application and serverless function hosting.
Google LLCOAuth authentication and API data source.
OpenAI / Anthropic / other LLM (configurable)AI insight generation. Receives anonymised metric data only; no PII. Controller may supply own key (BYOK) to select provider.

8. International Transfers

Where sub-processors transfer personal data outside the EEA, Growino ensures appropriate safeguards are in place via Standard Contractual Clauses (SCCs) adopted under GDPR Article 46(2)(c), or an adequacy decision where applicable.

9. Data Breach Notification

Growino will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach affecting data processed under this DPA. Notification will include, to the extent known: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.

10. Audit Rights

The Controller may request evidence of compliance with this DPA once per calendar year (or more frequently if a breach occurs) by submitting a written request to privacy@growino.com. Audits are conducted at the Controller’s cost and subject to reasonable prior notice.

11. Liability

Each party’s liability under this DPA is subject to the limitation of liability clause in the Terms of Service. Nothing in this DPA limits a data subject’s rights against either party under applicable data protection law.