Privacy Policy

Last updated: 15 May 2026 · Version 2026-05-15

This is a template. Have a lawyer review before going live.

1. Who we are (Data Controller)

GrowthCore Suite is the data controller for the personal data described in this policy. For privacy questions, contact privacy@growthcoresuite.com.

2. What we collect & why (legal bases — GDPR Art. 6)

  • Account data (email, password hash) — to provide the service. Legal basis: contract.
  • Lead form submissions (name, email, business, message) — to respond to enquiries. Legal basis: consent + legitimate interest.
  • Subscription & payment data (Stripe customer ID, subscription state) — to process payments. Legal basis: contract + legal obligation (tax records).
  • Analytics events (page views, clicks, device type) — to improve the service. Legal basis: consent (cookie banner).
  • Email engagement (sends, bounces, unsubscribes) — to operate transactional & marketing email. Legal basis: contract / consent.

3. Retention periods

  • Account data — for the lifetime of your account, then deleted within 30 days of account closure.
  • Lead submissions — 24 months from last contact.
  • Analytics events — automatically deleted after 14 months.
  • Subscription/payment records — 7 years (legal obligation).
  • Suppressed-email list — kept indefinitely to honour your opt-out.

4. Sub-processors (recipients)

We share personal data with these vetted sub-processors, which act on our behalf under written data processing agreements (DPAs):
  • Supabase (database & auth) — EU region.
  • Stripe (payments) — global; PCI-DSS Level 1.
  • Mailgun (transactional email) — EU region.
  • Cloudflare (CDN & security) — global.
  • Google Analytics 4 (with consent) — IP anonymisation enabled, ad signals disabled.
  • Google Cloud Storage (image hosting) — EU region.

5. International transfers

Where data is transferred outside the EEA/UK (e.g. to Stripe or Cloudflare in the US), we rely on the EU Standard Contractual Clauses (SCCs) and, where applicable, the EU–US Data Privacy Framework.

6. Your rights (GDPR Art. 15–22)

You have the right to access, rectify, erase, restrict the processing of, port, and object to the processing of your personal data, and to withdraw consent at any time. Exercise these rights via our GDPR request form or, if you have an account, directly from your privacy dashboard. We respond within 30 days. You also have the right to lodge a complaint with your local supervisory authority.

7. Security

We use industry-standard security measures: encryption in transit (HTTPS/HSTS), encryption at rest, Row-Level Security on the database, scoped service credentials, HMAC-verified webhooks, and a strict Content-Security-Policy. Despite this, no system is 100% secure. We notify affected users and supervisory authorities of qualifying breaches within 72 hours (GDPR Art. 33).

8. Cookies

See our Cookie Policy for the categories of cookies we use and how to manage them.

9. Changes

When we make material changes, we'll re-prompt you for consent and update the "Last updated" date above.

10. Contact

Privacy questions: privacy@growthcoresuite.com.