1. Introduction
Welcome to Growthflicks. We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains how Growthflicks (“we,” “us,” or “our”) collects, uses, discloses, and safeguards information when you visit our website, use our platform, or otherwise interact with our services (collectively, the “Service”).
Please read this policy carefully. By accessing or using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy. If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
This Privacy Policy applies to all users of the Growthflicks platform worldwide, with additional rights granted to residents of the European Economic Area (“EEA”), the United Kingdom, and Switzerland under the General Data Protection Regulation (“GDPR”) and applicable national data protection laws.
2. Data Controller
For the purposes of applicable data protection law, the data controller of your personal information is:
If you have any questions about this Privacy Policy or our data practices, you may contact our Data Protection Officer at the email address listed above.
3. Data We Collect
We collect information you provide directly to us and information generated automatically when you use our Service.
Information You Provide
- Account information: name, email address, password (hashed), and profile details when you register.
- Billing information: payment method details processed securely by our third-party payment processor (Stripe). We do not store full card numbers.
- Connected social accounts: OAuth tokens for social media accounts you connect to our platform (Instagram, TikTok, YouTube, Threads, etc.).
- User content: prompts, uploaded media, and generated content you create or submit through the Service.
- Support communications: messages you send us via email or support channels.
- Survey and feedback responses: information you provide when you respond to surveys or submit feature requests.
Information Collected Automatically
- Usage data: pages visited, features used, credits consumed, tasks run, and interactions with the platform.
- Device and log data: IP address, browser type and version, operating system, referring URLs, and timestamps of requests.
- Cookies and similar technologies: session identifiers, preference data, and analytics data. See Section 6 for details.
Information from Third Parties
- Social platform APIs: when you connect a social media account, we receive profile information (handle, follower count, account type) and the permissions you grant us to publish on your behalf.
- Authentication providers: if you sign in via Google or another OAuth provider, we receive your name and email from that provider.
4. How We Use Your Information
We use your information for the following purposes:
- Providing the Service: to create and manage your account, process subscriptions, and operate the platform's features including AI content generation and social media publishing.
- Billing and payments: to process transactions, manage your subscription, and send invoices and receipts.
- Customer support: to respond to your inquiries, troubleshoot issues, and provide technical assistance.
- Service improvement: to analyze usage patterns, identify bugs, and improve the performance and features of the Service.
- Communications: to send transactional emails (account confirmations, password resets, billing notifications) and, with your consent, marketing communications about new features or offers.
- Security and fraud prevention: to detect, investigate, and prevent fraudulent activity, abuse, and other harmful conduct.
- Legal compliance: to comply with applicable laws, regulations, and lawful requests from public authorities.
- Aggregated analytics: to generate anonymised statistical data about Service usage that cannot identify individual users.
5. Legal Basis for Processing (GDPR)
Where GDPR applies, we rely on the following legal bases to process your personal data:
- Contract performance (Art. 6(1)(b)): processing necessary to provide the Service you have subscribed to, including account management, credit processing, and content generation.
- Legitimate interests (Art. 6(1)(f)): service improvement, security monitoring, fraud prevention, and internal analytics, where these interests are not overridden by your rights.
- Consent (Art. 6(1)(a)): where you have given us explicit consent, such as for marketing emails or non-essential cookies. You may withdraw consent at any time.
- Legal obligation (Art. 6(1)(c)): where processing is necessary to comply with applicable EU or Member State law, such as tax and accounting obligations.
6. Cookies and Tracking Technologies
We use cookies and similar technologies to operate our Service, remember your preferences, and understand how the Service is used. Our full cookie practices are described in our Cookie Policy.
In summary, we use: essential cookies required for authentication and session management; analytics cookies to understand platform usage; and preference cookies to remember your settings. You can manage non-essential cookies in your account settings or browser preferences.
7. How We Share Your Information
We do not sell, rent, or trade your personal data. We may share information with the following categories of recipients:
- Service providers: third-party vendors who process data on our behalf, including cloud infrastructure providers (hosting, storage), payment processors (Stripe), email delivery services, and AI model API providers. All such providers are bound by data processing agreements requiring them to handle your data only as instructed by us.
- Social media platforms: when you use our publishing features, we transmit the content you have created to the social platforms you have authorised us to access.
- Legal and regulatory authorities: when required by applicable law, court order, or governmental request, or to protect the rights, property, or safety of Growthflicks, our users, or the public.
- Business transfers: in the event of a merger, acquisition, or sale of all or a portion of our assets, your information may be transferred to the acquiring entity, provided it remains bound by this Privacy Policy.
- With your consent: in any other circumstance where you have given us explicit permission.
8. International Data Transfers
Our Service is operated from within the European Union. However, some of our third-party service providers are located outside the EEA, including in the United States. Where we transfer personal data outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR requirements, including:
- Standard Contractual Clauses (SCCs) adopted by the European Commission;
- Transfers to countries that benefit from an EU adequacy decision;
- Binding Corporate Rules where applicable.
You can request a copy of the specific safeguards applied to the transfer of your data outside the EEA by contacting us at [email protected].
9. Data Retention
We retain your personal data only for as long as necessary for the purposes set out in this Privacy Policy or as required by applicable law.
- Active accounts: data is retained for the duration of your subscription and relationship with us.
- Deleted accounts: upon account deletion, we delete or anonymise your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting obligations (typically up to 7 years for financial records).
- Generated content and prompts: retained for the period of your active subscription, and deleted within 30 days of account closure unless you request earlier deletion.
- Log and security data: retained for up to 12 months for security and fraud prevention purposes.
- Marketing consent records: retained as long as necessary to demonstrate compliance with marketing regulations.
10. Your Rights
Depending on your location, you may have the following rights regarding your personal data. Under GDPR, EEA and UK residents have the right to:
- Access: request a copy of the personal data we hold about you.
- Rectification: request correction of inaccurate or incomplete data.
- Erasure: request deletion of your personal data (“right to be forgotten”), subject to legal retention requirements.
- Restriction: request that we restrict the processing of your personal data in certain circumstances.
- Data portability: receive your personal data in a structured, machine-readable format and transmit it to another controller.
- Objection: object to processing based on legitimate interests or direct marketing.
- Withdraw consent: where processing is based on consent, withdraw that consent at any time without affecting the lawfulness of prior processing.
- Complaint: lodge a complaint with your supervisory authority. In Slovenia, this is the Information Commissioner (Informacijski pooblaščenec).
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days. We may ask you to verify your identity before processing your request.
11. Security Measures
We implement industry-standard technical and organisational measures to protect your personal data against unauthorised access, accidental loss, destruction, or disclosure. These measures include:
- Encryption of data in transit using TLS 1.2 or higher;
- Encryption of data at rest using AES-256;
- Access controls and the principle of least privilege for internal systems;
- Regular security assessments and penetration testing;
- Multi-factor authentication for administrative access.
No method of transmission or storage is completely secure. In the event of a data breach that is likely to result in a risk to your rights and freedoms, we will notify you and the relevant supervisory authority as required by applicable law.