Growth Method is built so that the features which act for you, the AI that drafts your campaigns, the agents that run on a schedule, and the integrations that reach into your other tools, stay within limits you can see and control. This page is the overview: how your account is protected, the limits on what the AI and its agents can do, what access you grant and how to narrow it, and how to reach us for anything not covered here.
Your account
Three protections guard your account, and they work together rather than replacing each other:
- Passkeys let you sign in with your device’s fingerprint, face, or PIN. A passkey can’t be phished, because it only works on the genuine Growth Method site.
- Two-factor authentication asks for a one-time code from an authenticator app on top of your password, so a stolen password isn’t enough to get in.
- Passwords must be at least 12 characters and are checked against known data breaches, so you can’t reuse one that has already leaked.
Set each one up in Keep your account secure.
Who can do what
Growth Method keeps permissions deliberately simple, so it’s always clear who can change what:
- Team managers can read and write across the app, including team settings such as goals, users, integrations, and agents.
- Team members can read and write across the app, but see team settings as read-only.
The settings that matter most for security, connecting integrations and creating agents, are manager-only. People can belong to more than one team, which is common for agencies. Managers can remove someone from a team in the app; deleting a person’s account entirely is done by contacting support@growthmethod.com. See Roles and permissions.
How the AI is kept safe
The AI can use the tools you connect, but it can’t quietly do whatever it likes with them. Growth Method reads each tool’s safety hints and decides what runs on its own:
- Read-only tools run automatically. A tool that only reads data is harmless to run without asking.
- Everything else asks for approval. If a tool can change or delete something, or doesn’t say what it does, the AI asks you before it runs.
These hints are treated as untrusted, the way the underlying standard tells apps to treat them, so Growth Method errs on the side of caution: anything not clearly marked read-only needs your say-so. You also choose, tool by tool, what each integration is allowed to do, and that scope can’t be widened quietly. To change what an integration is connected to, you disconnect and reconnect it on purpose. For each integration you can see its tools, the instructions it sends the AI, and its source, so you can check you recognise the provider before you rely on it. See Connect an integration.
Agents that run on their own
A custom agent can work on campaigns for you on a schedule. Several limits keep that safe to leave running:
- A fixed track. Every campaign moves through the same stages in the same order: Backlog, Planning, Live, Analysing, Complete. Growth Method moves a campaign forward in code, never by asking the AI, and only ever forward. An agent can’t skip a stage, repeat one, or loop back.
- How far it goes is your call. A Manual agent prepares a campaign and hands it back for you to take live, holding any action that changes a connected tool for your approval. An Autonomous agent goes further: once you’ve explicitly accepted that it can act in your connected tools without reviewing each step, it can take a scheduled campaign all the way to live on its own. Growth Method records who accepted that and when.
- It still can’t run away. Each run is capped at a fixed number of steps and can only move a campaign one stage forward, never looping or repeating. If a step needs a person, or a tool action fails, it stops and hands back rather than launching something half-finished.
- Every run is on the record. Each run happens in a conversation you can reopen at any time to see exactly what the agent did, stage by stage. Nothing it does is hidden.
See Automate campaigns with a custom agent.
Sharing outside your team
Public sharing links let you show a campaign to people outside your team without giving them an account. They’re built to limit exposure:
- Links give read-only access.
- Each campaign has one sharing link, shared by the whole team.
- Links expire after six weeks, and you can regenerate one at any time.
See Public sharing links.
Your data
You stay in control of what Growth Method can reach:
- You decide what’s connected. Integrations only expose the tools you switch on, and you can disconnect any of them at any time.
- Migrations are run by us, from exports you provide. There’s no self-serve import; the Growth Method team imports your data, verifies it, and confirms when it’s done. See Migrations.
For the full picture of how we host, encrypt, and retain data, and how we secure agents and integrations, see our Security details page. For a data processing agreement or our current list of sub-processors, contact support@growthmethod.com.
Report a security issue
If you think you’ve found a security vulnerability, please email security@growthmethod.com with the details so we can look into it. We’d rather hear from you early than not at all.