1. Who we are (data controller)
GrowMe Locally is a business unit of Ads and Funnel Private Limited, J0008, Grand Ajnara Heritage, Noida Sector 74, Uttar Pradesh, India. For the personal data of our account holders we act as the data controller. For business data you connect through Google (your listings, reviews, customer review content) we act as a data processor on your instructions. Data protection contact: support@growmelocally.com.
2. What we process and why (lawful bases)
Account data — name, email, hashed password — processed to perform our contract with you (Art. 6(1)(b)). Billing data — plan, payment status, invoices — processed for contract performance and legal/tax obligations (Art. 6(1)(c)); card details are held by our payment processors, never by us. Google Business Profile data — listings, reviews, performance metrics, OAuth tokens — processed on your instruction to deliver the features you switch on (Art. 6(1)(b)). Usage analytics — feature usage, error logs — processed under legitimate interest (Art. 6(1)(f)) to keep the service secure and improve it. We do not sell personal data and we do not use it for third-party advertising.
3. Your rights
Under GDPR you have the right of access (a copy of your data), rectification (correct inaccurate data), erasure ("right to be forgotten"), restriction of processing, data portability (a machine-readable export), objection to processing based on legitimate interest, and the right to withdraw consent at any time where processing is based on consent. You also have the right to lodge a complaint with your local supervisory authority. Exercising any right is free of charge.
4. How to exercise them
Email support@growmelocally.com from the address on your account, stating the right you want to exercise. We respond within 30 days as required by Art. 12(3). You can also delete your account and its data from account settings, disconnect Google at any time (which revokes our access tokens), and revoke our access directly from your Google account security page.
5. Data retention
Account and business data are kept while your account is active. When you delete your account, personal data is deleted or irreversibly anonymized within 30 days, except records we must keep longer for legal, tax, or fraud-prevention obligations (kept no longer than legally required). Backups roll off automatically within 30 days.
6. International transfers
Our servers are operated by our hosting provider, and some sub-processors (below) operate outside the EU/EEA, including in the United States and India. Where personal data leaves the EU/EEA, the transfer is protected by the sub-processor's EU Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework.
7. Sub-processors
Google (OAuth, Business Profile API, performance data, and Gemini AI), Stripe and Razorpay (payments), our transactional email provider, our cloud hosting provider, and AI model providers (OpenAI, Anthropic, Google) used solely to generate the content you request — business inputs sent to AI providers are not used by them to train their models under our API terms. We sign data-processing agreements with each sub-processor.
8. Security
Passwords are hashed (bcrypt), OAuth tokens are stored encrypted, all traffic is TLS-encrypted, access to production data is restricted and logged, and payment card data never touches our servers (handled entirely by Stripe/Razorpay, both PCI-DSS Level 1).
9. Cookies
We use essential cookies only (authentication, session, CSRF protection) plus the consent banner itself. Optional analytics or chat widgets load only on the public website, never inside the app, and are disclosed in the cookie banner. No advertising or cross-site tracking cookies are used.
10. Breach notification
If a personal-data breach is likely to result in a risk to your rights, we notify the competent supervisory authority within 72 hours of becoming aware (Art. 33) and inform affected users without undue delay (Art. 34).