What we keep, what we don't.
We hold the minimum data needed to run the engine for you, and we delete it promptly when you leave. This page explains, in plain language, exactly what that means.
Who we are
growyoursocials (the “Service”) is the data controller for personal data collected through the website at https://growyoursocials.xyz and through the engagement engine you authorize. For questions about your data write to privacy@growyoursocials.xyz.
What we collect
Account data
Email, name, password hash, billing country, time zone, plan tier.
Operational data
The Instagram account handles you connect, the access tokens needed to act on your behalf, the targeting parameters you configure (seeds, hashtags, geographies, persona tone), and the action logs the engine produces while running. Tokens are encrypted at rest with a key derived per-account.
Engagement data
For every action the engine fires, we keep: timestamp, target handle, action type, outcome (e.g. follow/no-follow). This is required so you can audit everything from the dashboard and so we can compute growth analytics.
Usage data
Standard server logs (IP, user-agent, pages visited, time spent) and product telemetry (which dashboard pages you visit, which features you use). We don't track you across other websites.
What we use it for
- Operating the Service — running the engine, providing the dashboard, sending operational emails.
- Billing — charging your card via our payment processor, issuing invoices, handling refunds and chargebacks.
- Improving the model — we train per-niche models on aggregated, anonymized engagement signals. Never on the content of your DMs or comments without explicit consent.
- Support — responding to your questions.
- Legal compliance — tax records, fraud prevention, response to lawful authority requests.
Lawful basis (EU/UK)
If you are in the EU, UK, or another jurisdiction that requires it, our lawful bases for processing are: contract (running the Service you paid for), legitimate interest (security, fraud prevention, model improvement), and consent (the optional newsletter, product surveys).
Subprocessors
We share data with the following processors strictly to deliver the Service:
- Stripe — payment processing, billing addresses, tax data.
- Resend (or equivalent) — transactional email delivery.
- Cloudflare — CDN, DDoS protection, request logging.
- An EU-hosted cloud provider — primary application infrastructure.
Each subprocessor is bound by a Data Processing Agreement and only receives the minimum data needed. We will update this list materially before onboarding new processors.
Cookies & trackers
We use a small set of first-party cookies for authentication, security (CSRF tokens), and saving your dashboard preferences. We do not use third-party advertising trackers. If we enable analytics, we use a cookie-less, privacy-first product (Plausible or Fathom).
Data retention
- Account data — for as long as your account is active, plus 30 days after closure.
- Operational tokens — deleted within 24 hours of cancellation.
- Engagement logs — deleted within 90 days of cancellation. You can export everything as CSV any time before that.
- Billing records — retained for as long as required by tax law (usually 7–10 years).
Your rights
Wherever you live, you can:
- Access — ask for a copy of your data, returned within 30 days.
- Rectify — correct anything inaccurate.
- Delete — ask us to erase everything we hold, subject to tax-law minimums.
- Portability — receive your data in a machine-readable format.
- Object — to processing for marketing or model improvement.
- Withdraw consent — at any time, for anything we asked you to opt in to.
Email privacy@growyoursocials.xyz with “Privacy request — [type]” in the subject line. We reply within 30 calendar days.
International transfers
Our primary infrastructure is hosted in the EU. When data crosses borders (for example, to a U.S.-based payment processor), the transfer is governed by Standard Contractual Clauses approved by the European Commission.
Security
See our Security page for the full breakdown of what we do to protect your account. In short: encryption at rest, TLS in transit, derived per-tenant keys, audit logging, regular penetration testing, mandatory 2FA for staff.
Children
The Service is not intended for anyone under 18. We do not knowingly collect data from minors. If you believe we have, email us and we will delete it within seven days.
Changes
We post material changes to this policy at least fourteen days before they take effect, with an email to active customers.