Privacy Policy
This privacy policy explains how personal data is processed when users visit the website growthkit.tools, use the GrowthKit web app (app.growthkit.tools), the GrowthKit Chrome Extension, or make use of our services.
Responsible:
GrowthKit – Anita Suk Beratung
c/o brainchild ventures UG
Kolonnenstraße 8
10827 Berlin
Email: [email protected]
1. Types of Data Processed
We process personal data that is either collected automatically when visiting our website, actively submitted by you, or generated through the use of our AI-powered services.
1.1 Automatically Collected Data (Server & Device Information)
When accessing our website and web app, the following data is automatically processed for technical reasons:
- IP address (shortened or anonymized where possible)
- Date and time of access
- Browser type and version
- Operating system
- Referrer URL (previously visited page)
- Pages accessed
- Technical log files
This data is necessary to operate the website securely and reliably.
1.2 Usage Data from the Web App and Chrome Extension
When using GrowthKit, we additionally process:
- Chat messages and inputs to the AI assistant
- System-generated memories (semantic summaries, metadata such as chapter, tags, timestamps)
- Uploaded documents (PDF, DOCX, PPTX, images)
- Browser context when using the Chrome Extension (current URL, page title, optionally selected text)
- Configuration data (language settings, integration settings)
1.3 Integration Data
When you activate third-party integrations (e.g. Pipedrive, Dreamdata), we process:
- API keys stored by you (encrypted in the Credential Vault)
- Data retrieved through these integrations (e.g. CRM contacts, enrichment data, intent signals)
2. Data Actively Submitted by Users
2.1 Contact Forms and Demo Booking
When you fill out a form on our website or book a demo, we process:
- Name
- Email address
- Company name and position (if applicable)
- Contents of your inquiry
Transmission is automated via Lovable forms and processed through n8n workflows.
2.2 Newsletter (Brevo)
For newsletter distribution, we collect:
- Email address
- Optional: Name
Double opt-in is used.
2.3 Registration and Account Management
When registering for GrowthKit, we collect:
- Name
- Email address
- Company information
- Selected plan (Free / Growth / Scale)
2.4 Orders and Payment Processing
When you subscribe to a paid plan:
- Name and billing address
- Email address and plan information
- Payment information is processed exclusively by Stripe and never stored on our servers
3. Purposes of Processing
We process personal data exclusively for:
- Provision and operation of the GrowthKit platform (web app, Chrome Extension, API)
- AI-powered analysis and processing of user inputs (chat, documents, CRM data)
- Storage and management of memories in the knowledge system
- Responding to inquiries and support
- Newsletter distribution (only with consent)
- Contract fulfillment and plan management
- Optimization of our website and services
- Statistical analysis of user behavior
- Security and technical stability
4. Legal Basis (Art. 6 GDPR)
Processing is based on:
- Art. 6(1)(b) – Contract performance / pre-contractual measures (account creation, plan usage, AI processing)
- Art. 6(1)(a) – Consent (newsletter, cookies, tracking)
- Art. 6(1)(f) – Legitimate interest (security, analytics, optimization, fraud prevention)
5. Tools and Third-Party Services
We use external service providers to technically operate GrowthKit and deliver our services. Data processing agreements (DPA) in accordance with Art. 28 GDPR have been concluded with all processors.
5.1 Supabase (Database and Hosting)
GrowthKit uses Supabase as its central database and backend infrastructure.
Data processed: User account data, memories, documents, encrypted API keys (Credential Vault), chat histories, team and collaboration data.
Hosting location: EU (AWS Frankfurt, eu-central-1).
Privacy policy: supabase.com/privacy
5.2 Anthropic (AI Processing)
We use the Anthropic API (Claude) to analyze user inputs, generate memories, process documents, and provide AI-powered recommendations.
Data processed: Chat messages, memory content, document text, CRM data in the context of analysis.
Important: When using the Anthropic API, submitted data is not used for training AI models. Data is only retained for the duration of request processing.
Privacy policy: anthropic.com/privacy
5.3 Cloudflare (Routing and Security)
Cloudflare Workers are used as a routing layer for API requests.
Data processed: IP addresses, request metadata, technical headers.
Privacy policy: cloudflare.com/privacypolicy
5.4 Stripe (Payment Processing)
Stripe processes all payment information for paid GrowthKit plans.
Data processed: Name, billing address, payment method, transaction data. Credit card data is processed exclusively by Stripe and never stored on GrowthKit servers.
Privacy policy: stripe.com/privacy
5.5 Lovable (Website and Forms)
Our marketing website is built and hosted with Lovable.
Data processed: Form inputs, technical information (IP, timestamps).
Privacy policy: lovable.dev/privacy
5.6 n8n (Automation Platform)
n8n processes form inputs and orchestrates workflows between GrowthKit services.
Data processed: Form content, integration data, workflow metadata. Data is only held temporarily during the processing workflow.
5.7 Brevo (Newsletter and Email)
Brevo processes data for newsletter distribution and transactional emails.
Data processed: Email address, name, sending metadata.
Provider based in the EU, GDPR-compliant.
Privacy policy: brevo.com/legal/privacypolicy
5.8 Google Analytics (optional)
Google Analytics may be used for statistical analysis of user behavior.
Data processed: Shortened IP address, page views, time on page, click behavior.
Opt-out: tools.google.com/dlpage/gaoptout
Data transfer to the USA is based on Standard Contractual Clauses (SCC) and the EU-US Data Privacy Framework.
6. GrowthKit Memory System
GrowthKit stores long-term semantic memories generated from your interactions with the AI assistant.
6.1 What is Stored?
- Summaries and insights from chat conversations
- Metadata: chapter assignment (e.g. ICP, Strategy, Pipeline), tags, timestamps
- Uploaded documents and extracted content
- Version history of memories
6.2 How are Memories Processed?
Memories are generated by the AI assistant (Anthropic Claude) from your inputs and stored in the Supabase database (EU, Frankfurt). They enable the AI assistant to work in a context-aware and personalized manner.
6.3 Your Control Over Memories
You can at any time:
- View, edit, or delete individual memories
- Restore deleted memories within a defined time window
- Permanently and irreversibly delete all memories
- Disable memory generation for specific interactions
7. Chrome Extension
The GrowthKit Chrome Extension allows you to use the AI assistant directly in your browser.
7.1 Data Processed
- Page Context: URL and title of the currently visited page (only when actively used)
- Selected Text: Text highlighted by the user on web pages (only upon explicit action)
- Chat Messages: Inputs to the AI assistant via the extension panel
7.2 What the Extension Does NOT Do
- No automatic tracking of browsing history
- No access to passwords, form data, or cookies
- No background data collection without active use
- No access to other tabs or browser extensions
Page context is only transmitted during active interaction with the assistant and is not stored unless it becomes part of a memory.
8. Credential Vault (API Keys)
When you set up third-party integrations (Pipedrive, Dreamdata), your API keys are stored encrypted in the GrowthKit Credential Vault.
- API keys are stored encrypted in the Supabase database (EU)
- GrowthKit employees have no access to your decrypted API keys
- Keys are only decrypted at runtime to retrieve data from connected services
- You can revoke and delete API keys at any time
9. Cookies and Tracking
A cookie banner appears when you visit our website. We use:
- Strictly necessary cookies (no consent required) — for session management and security
- Analytics cookies (consent required) — for usage analysis
- Marketing cookies (consent required, if enabled)
Cookies can be deleted or blocked at any time through your browser settings. You can adjust your cookie preferences via the cookie banner at any time.
10. Disclosure of Personal Data
Data is only shared:
- With technical service providers to deliver our services (see Section 5)
- For contract fulfillment
- When required by law
- With your explicit consent
Data Transfer to Third Countries
Through the use of Anthropic, Cloudflare, and optionally Google Analytics, data may be transferred to the USA. These transfers are based on:
- The EU-US Data Privacy Framework
- EU Standard Contractual Clauses (SCC)
Supabase (database), Brevo (email), and Stripe (payments) process data within the EU.
11. Data Retention
| Data Category | Retention Period |
|---|---|
| Contact inquiries | Until inquiry is resolved, max. 6 months |
| Account data | Until account deletion |
| Memories | Until manual deletion by user or account deletion |
| Uploaded documents | Until manual deletion by user or account deletion |
| Contract and billing data | 6–10 years (statutory retention obligations) |
| Newsletter data | Until withdrawal |
| Server logs | 7–30 days |
| Cookies | Depending on category: session to max. 24 months |
| Credential Vault (API keys) | Until manual deletion or account deletion |
12. Rights of Data Subjects
You have the following rights at any time:
- Access to stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure ("right to be forgotten") (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
- Withdrawal of consent (Art. 7(3) GDPR)
To exercise your rights, contact: [email protected]
Complaints may be directed to the competent data protection supervisory authority.
13. Data Security
We implement appropriate technical and organizational measures to protect your data:
- Encrypted data transmission (TLS/SSL)
- Encrypted storage of sensitive data (Credential Vault)
- Access control and role-based permissions
- Regular security updates
- Hosting in the EU (Supabase on AWS Frankfurt)
14. Minors
Our website and services are not directed at persons under the age of 16. We do not knowingly collect data from minors.
15. Changes to This Privacy Policy
We reserve the right to update this privacy policy as needed, particularly in the event of changes to our services or legal requirements. The current version on this website always applies.
Last updated: March 2026
16. Contact
For questions about data protection or information requests:
Email: [email protected]