Data Processing Agreement
Last Updated: May 2026
1. Definitions
| Controller | The user or business that determines the purposes and means of processing — i.e., you. |
| Processor | Growino, acting on the Controller's instructions. |
| Personal Data | Any data relating to an identified or identifiable natural person processed via the service (e.g., data subjects whose activity is captured in connected Google properties). |
| Sub-processor | A third party engaged by Growino to process personal data on the Controller's behalf. |
| GDPR | Regulation (EU) 2016/679 and its national implementing legislation. |
2. Subject Matter and Duration
Growino processes personal data for the duration of the active subscription. Processing stops immediately upon account termination; data is deleted within 30 days unless a longer retention is required by law.
3. Nature and Purpose of Processing
| Nature | Collection via Google API read-only scopes; storage in encrypted database; analysis and display within the application; AI-assisted insight generation. |
| Purpose | Provision of the Growino SEO/SEM analytics service as described in the Terms of Service. |
| Types of personal data | Email addresses, Google account identifiers, search query strings, URL paths, and aggregated behavioural metrics from Google Analytics 4. |
| Categories of data subjects | Website visitors and users of properties connected by the Controller; the Controller's own account holder. |
4. Controller Obligations
The Controller warrants that:
- It has a lawful basis for processing all personal data submitted to the service.
- It has obtained all necessary consents from data subjects where consent is the legal basis.
- It will not instruct Growino to process data in a manner that violates applicable law.
- It will notify Growino without undue delay of any changes to instructions that affect processing.
5. Processor Obligations
Growino shall:
- Process personal data only on documented instructions from the Controller.
- Ensure that personnel authorised to process personal data are bound by confidentiality obligations.
- Implement the technical and organisational security measures described in §6.
- Assist the Controller in fulfilling data subject rights requests (access, erasure, portability) within 72 hours of receiving a validated request.
- Assist the Controller in conducting Data Protection Impact Assessments where required.
- Delete or return all personal data upon termination at the Controller's choice.
- Make available all information necessary to demonstrate compliance with this DPA.
6. Security Measures
| Encryption in transit | TLS 1.2 minimum for all API and browser connections. |
| Encryption at rest | AES-256-GCM for database storage; separate key for credentials (BYOK keys). |
| Access control | Role-based access; principle of least privilege; no employee access to raw Google tokens without audit log. |
| Pseudonymisation | AI prompts receive anonymised keyword/metric data only — no PII forwarded to LLM providers. |
| Availability | Daily encrypted backups retained 30 days; point-in-time recovery. |
| Testing | Periodic security reviews; responsible disclosure policy published at growino.com/security. |
7. Sub-processors
The Controller grants general written authorisation for the sub-processors listed below. Growino will give at least 14 days’ notice before adding or replacing a sub-processor.
| Supabase Inc. | Database hosting — EU region (Frankfurt). |
| Vercel Inc. | Application and serverless function hosting. |
| Google LLC | OAuth authentication and API data source. |
| OpenAI / Anthropic / other LLM (configurable) | AI insight generation. Receives anonymised metric data only; no PII. Controller may supply own key (BYOK) to select provider. |
8. International Transfers
Where sub-processors transfer personal data outside the EEA, Growino ensures appropriate safeguards are in place via Standard Contractual Clauses (SCCs) adopted under GDPR Article 46(2)(c), or an adequacy decision where applicable.
9. Data Breach Notification
Growino will notify the Controller without undue delay, and no later than 72 hours after becoming aware of a personal data breach affecting data processed under this DPA. Notification will include, to the extent known: nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed.
10. Audit Rights
The Controller may request evidence of compliance with this DPA once per calendar year (or more frequently if a breach occurs) by submitting a written request to privacy@growino.com. Audits are conducted at the Controller’s cost and subject to reasonable prior notice.
11. Liability
Each party’s liability under this DPA is subject to the limitation of liability clause in the Terms of Service. Nothing in this DPA limits a data subject’s rights against either party under applicable data protection law.