Last updated: June 5, 2026
1. Introduction
GrowStart AI ("we", "us", or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data in accordance with the Digital Personal Data Protection (DPDP) Act, 2023 of India.
2. Data We Collect
We collect the following types of data:
- Account Information: Name, email address, phone number, business name, business type, city
- Business Data: Leads, bookings, customer names, phone numbers, and service details you enter into the platform
- Payment Data: Processed securely by Razorpay. We do not store credit card or bank account numbers
- Google Data: When you connect Google, with your explicit permission we access your Google Analytics data and your Google Business Profile — to read and reply to your reviews, read your profile details, and read your profile's performance metrics (see Section 6)
- AI Usage Data: We track which AI tools you use and token consumption for billing and optimization
- Technical Data: IP address, browser type, device information, and usage logs for security and analytics
3. How We Use Your Data
We use your data to:
- Provide and improve the GrowStart AI service
- Process payments and manage subscriptions
- Generate AI-powered marketing content tailored to your business
- Send transactional emails (account verification, payment receipts, password resets)
- Provide customer support
- Analyze usage patterns to improve the Service (using anonymized, aggregated data)
We do NOT sell, rent, or trade your personal data to third parties for marketing purposes.
4. Data Storage and Security
Personal data is primarily stored on Amazon Web Services (AWS) servers in Mumbai, India (ap-south-1 region).
We implement the following security measures:
- SSL/TLS encryption for all data in transit (HTTPS only)
- Database encryption at rest using AWS-managed encryption
- Application-level encryption (AES-256-GCM) for sensitive credential columns such as third-party OAuth tokens
- Private subnet isolation for database servers (no public internet access)
- JWT-based authentication: short-lived access tokens (1 hour) paired with DB-backed refresh tokens with single-use rotation and reuse-detection
- Bcrypt-hashed passwords (cost factor 12+)
- Per-IP rate limiting on authentication and AI endpoints
- Security groups restricting database access to the application server only
- Defense-in-depth Content Security Policy and standard security headers via helmet
5. Third-Party Services
We integrate with the following third-party services. Each has its own privacy policy:
- Razorpay: Payment processing (PCI-DSS compliant). Card and bank account details are handled by Razorpay; we never see or store them.
- Google APIs (Analytics, Business Profile): Accessed only after you complete OAuth consent. OAuth tokens are encrypted at rest in our database.
- Anthropic Claude AI: Used to generate marketing content. We call Anthropic using our own backend API key — only the prompt text you trigger (and any business context you choose to attach) is sent.
- AWS SES: Transactional email (account verification, payment receipts, weekly reports, birthday/anniversary reminders).
- AWS (RDS, S3, EC2, CloudFront): Cloud infrastructure and hosting.
- WhatsApp / Meta APIs: Used only if you enable WhatsApp campaigns; data sent only on your trigger.
- Cloudflare: DNS and CDN services.
Some of these services process data outside India. See Section 13 — Cross-Border Data Transfer for details.
6. Google User Data — Usage & Limited Use
When you connect your Google account, GrowStart AI requests the https://www.googleapis.com/auth/business.manage scope (to manage your Google Business Profile) and read-only Google Analytics access. We use this access solely to provide features inside your own dashboard, acting only on your behalf:
- Read and display your Google Business Profile reviews
- Post owner replies to your reviews — only drafts you have reviewed and approved, posted on your behalf
- Read your profile details (categories, verification status, business information) to compute a profile-completeness score
- Read your Business Profile performance metrics (profile views, calls, direction requests, website clicks)
- Read your Google Analytics (GA4) traffic data
Google OAuth access and refresh tokens are encrypted at rest using AES-256-GCM before storage in our database. If Google reports your refresh token as invalid (e.g., you revoke our access from your Google account), we automatically clear the dead token from our database on next use. You can disconnect Google at any time from your dashboard settings, which revokes our access.
Limited Use. GrowStart AI's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically: we do not sell Google user data; we do not use it for advertising or any purpose beyond the dashboard features described above; we do not transfer it to third parties except as necessary to provide those features, to comply with applicable law, or as part of a merger/acquisition with notice to you; and we do not allow humans to read it except with your explicit consent, for security or debugging where required, or as compelled by law.
7. Data Retention
We retain your data for as long as your account is active. Upon account deletion or subscription cancellation:
- Your data is retained for 30 days (in case you wish to reactivate)
- After 30 days, all personal data is permanently deleted from our systems
- Anonymized, aggregated data may be retained for analytical purposes
8. Your Rights as a Data Principal (Under DPDP Act 2023)
Under the Digital Personal Data Protection (DPDP) Act, 2023, GrowStart AI is the "Data Fiduciary" and you, the user, are the "Data Principal". As a Data Principal you have the following rights:
- Right to Access (§11 of the Act): Request a summary of personal data we hold about you, the processing activities, and the categories of recipients with whom it has been shared.
- Right to Correction and Erasure (§12): Update inaccurate or incomplete data; request erasure of personal data that is no longer required for the purpose it was collected.
- Right to Withdraw Consent (§6(4)): Withdraw consent at any time. Withdrawal does not retroactively invalidate processing done before withdrawal, but stops further processing. Closing your account is one form of consent withdrawal.
- Right to Nominate (§13): Nominate another individual to exercise your rights in the event of your death or incapacity.
- Right of Grievance Redressal (§13(3)): File a complaint with our Grievance Officer (see Section 15). If unresolved, escalate to the Data Protection Board of India as constituted under the Act.
To exercise any of these rights, contact our Grievance Officer (Section 15) or email support@growstart.ai. We will respond within the timelines mandated by the DPDP Act.
Note: The DPDP Act does not include a standalone "data portability" right; your right of access (above) gives you the substantive equivalent.
9. Cookies
We use essential cookies for authentication and session management. We do not use tracking cookies or third-party advertising cookies.
10. Children's Privacy
The Service is not intended for individuals under 18 years of age. We do not knowingly collect personal data from children.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of significant changes via email. The "Last updated" date at the top indicates the most recent revision.
12. Contact Us
For privacy-related inquiries or to exercise your data rights:
- Email: support@growstart.ai
- Website: https://growstart.ai
13. Cross-Border Data Transfer
While personal data is primarily stored in India, some integrated services process portions of data outside India:
- Anthropic Claude AI (United States): Prompt text and generated content are processed on Anthropic's infrastructure when you use AI features. No personal data of your end-customers is sent unless you explicitly include it in a prompt.
- Google APIs (global infrastructure): Analytics and Business Profile data is fetched from Google's global servers.
- WhatsApp / Meta APIs (global infrastructure): Used only if you enable WhatsApp campaigns.
- AWS SES (regional, typically ap-south-1): Outbound email delivery may transit AWS infrastructure outside India depending on the recipient.
By enabling each integration you consent to the associated data transfer. We do not transfer personal data to any jurisdiction restricted by the Indian Government under the DPDP Act.
14. Breach Notification
In the event of a personal data breach, we will:
- Notify the Data Protection Board of India within the timeline mandated by the DPDP Act (currently 72 hours from awareness)
- Notify affected Data Principals via email, including the nature of the breach, the categories of data involved, and steps you can take to mitigate any risk
- Document the breach internally with a written post-incident analysis (root cause, remediation, preventive measures)
Notifications will be sent to the email address associated with your account. Please keep it current.
15. Grievance Officer
In accordance with Section 8(9) of the Digital Personal Data Protection (DPDP) Act, 2023 and Rule 3(11) of the Information Technology (Intermediary Guidelines) Rules, 2021, the Grievance Officer for GrowStart AI is:
- Name: Praveen Rajput
- Designation: Grievance Officer, GrowStart AI
- Email: grievance@growstart.ai
- Response time: We will acknowledge your grievance within 48 hours and resolve it within 30 days, as required by the DPDP Act.
If your grievance is not resolved to your satisfaction, you may escalate it to the Data Protection Board of India as constituted under the DPDP Act.