Privacy Policy
At Growmax LLC, we are committed to full transparency about how we collect, use, and protect your data. This Privacy Policy explains our practices in clear language — no hidden fine print.
Growmax LLC, USA, hello@growmax.io
1. Overview
This Privacy Policy applies to the Growmax ARC platform ("Service"), operated by Growmax LLC, a company registered in the United States of America. By using the Service, you agree to the collection and use of information in accordance with this policy.
This policy describes:
- What personal and business information we collect
- Why we collect it
- How we use it
- Who we share it with
- Your rights regarding your data
2. Information We Collect
2.1 Account & Identity Data
- Email address
- Password (stored as a salted one-way hash — never in plaintext)
- Full name
- Profile picture (via Google OAuth)
- Role and permissions
2.2 Organization & Business Data
- Company name and subdomain
- Country, currency, timezone, and date format preferences
- Customer, supplier, and partner records
- Products, categories, brands, SKUs, and inventory
- Quotes, sales orders, purchase orders, invoices, credit notes, debit notes, and payments
- Tax configurations
- Price lists and discount rules
- Reports and analytics data
2.3 Authentication & Security Data
- Session tokens
- Two-factor authentication (2FA) secrets
- One-time passwords (OTPs) — not stored after verification
- Device fingerprint
- Login activity (timestamps, IP addresses, session metadata)
2.4 Uploaded Content
- Company logos and branding assets
- Product images
- Document attachments
2.5 Communication Data
- Chat messages
- Email notification records
- Activity logs
3. Google OAuth & Third-Party Authentication
Growmax ARC supports Google Sign-In for convenient authentication. When you sign in with Google, we receive the following information:
- Email address
- Full name
- Profile picture URL
- Google ID token (JWT)
We do NOT receive or store your Google password. We do NOT access your Google Drive, Gmail, Calendar, or any other Google services. You can revoke Growmax's access at any time via your Google Account permissions.
4. Cookies, Local Storage & Browser Data
We use browser storage mechanisms strictly for functional purposes. Below is a complete summary:
| Storage Type | Data Stored | Purpose |
|---|---|---|
| localStorage | Access / refresh / session tokens | Keeping you signed in |
| localStorage | Device fingerprint | Trusted device recognition |
| localStorage | Branding preferences | Faster page load |
| localStorage | Session activity timestamps | Session timeout management |
| Cookies | Session identifiers (httpOnly) | Secure session management |
We do NOT use any third-party tracking, advertising, or analytics cookies. All browser storage is strictly functional. You can clear this data by logging out or clearing your browser data.
5. How We Use Your Information
We use the information we collect to:
- Provide and operate the Service
- Authenticate your identity and manage sessions
- Send transactional emails (order confirmations, password resets, etc.)
- Enforce security policies and detect threats
- Personalize your experience within the platform
- Generate reports and business analytics
- Improve and enhance the Service
We do NOT:
- Sell your data to third parties
- Use your data for advertising or ad targeting
- Train AI or machine learning models on your business data
- Share your data with data brokers
6. Third-Party Services
We integrate with the following third-party services to operate the platform:
- Google Identity Services — Used for authentication (Google Sign-In). See Google's Privacy Policy.
- Postmark / ActiveCampaign — Used for transactional email delivery. See Postmark's Privacy Policy.
- Cloud Object Storage (S3-compatible) — Used for file storage (product images, documents, logos).
We do not share your personal or business data with any third party for their independent use.
7. Data Security
We implement industry-standard security measures to protect your data, including:
- Encryption in transit (TLS/HTTPS on all connections)
- Password hashing with per-user salts
- JWT-based authentication with refresh token rotation
- Two-factor authentication (TOTP)
- Session management with automatic timeouts and device tracking
- Role-based access control (RBAC)
- Multi-tenant data isolation
- Audit logging of critical actions
While no method of electronic transmission or storage is 100% secure, we commit to notifying affected users promptly in the event of a data breach.
8. Data Retention
- Account data: Retained while your account is active. Deleted upon account termination with a 30-day grace period.
- Business data: Retained while your subscription is active. You may delete individual records at any time.
- Session and authentication logs: Retained for up to 90 days.
- OTP codes: Expire and are deleted after use or within 10 minutes.
- Uploaded files: Retained while the associated record exists.
- Backups: May persist for up to 30 days beyond deletion.
9. Your Rights
You have the following rights regarding your personal data:
- Right to Access: Request a copy of the personal data we hold about you.
- Right to Correction: Request correction of inaccurate or incomplete data.
- Right to Deletion: Request deletion of your data within 30 days, subject to legal requirements.
- Right to Data Portability: Request a machine-readable export of your data.
- Right to Opt-Out: Opt out of non-essential communications. Note that transactional emails (e.g., password resets, order confirmations) cannot be opted out of.
To exercise any of these rights, contact us at hello@growmax.io. We will respond within 30 days.
10. California Residents (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: You may request details about the categories and specific pieces of personal information we have collected about you.
- Right to Delete: You may request deletion of your personal information.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.
- Right to Opt-Out of Sale: We do NOT sell personal information. There is nothing to opt out of.
11. European Residents (GDPR)
If you are located in the European Economic Area (EEA), we process your personal data under the following legal bases:
- Consent: Where you have given explicit consent for specific processing activities.
- Contractual Necessity: Where processing is necessary to fulfill our contractual obligations to you.
- Legitimate Interest: Where processing is necessary for our legitimate business interests, provided your rights do not override those interests.
Data transfers to the United States are conducted with appropriate safeguards in place. Our Data Protection Officer (DPO) can be reached at hello@growmax.io. You have the right to lodge a complaint with your local data protection authority.
12. Children's Privacy
Growmax ARC is not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we discover that we have inadvertently collected data from a child under 16, we will delete it promptly.
13. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide email notice at least 30 days before the changes take effect. The "Last Updated" date at the top of this page reflects the most recent revision.
14. Contact Us
If you have questions or concerns about this Privacy Policy, please contact us:
- Company: Growmax LLC
- Location: United States of America
- Email: hello@growmax.io
