Privacy Policy
Effective: 15 May 2026
This Privacy Policy describes how Growth Method (“we”, “us”, “our”) collects, uses, and shares personal information when you visit growthmethod.com (our marketing site) or use app.growthmethod.com (our product). It applies to both.
We’ve written this in plain English. If anything is unclear, email us at privacy@growthmethod.com.
Who we are
Growth Method is operated by Growth Method Limited, a company registered in England and Wales (company number 12512334, VAT number GB 380 7638 72), with its registered office at Forest House Office, 3-5 Horndean Road, Bracknell, Berkshire, RG12 0XQ, United Kingdom.
For the purposes of the UK GDPR and the EU GDPR (where applicable), we are the data controller of the personal information described in this policy.
What we collect, and why
When you visit growthmethod.com
The marketing site does not use analytics, advertising trackers, or third-party cookies. If you fill in a contact form or request a demo, we store what you sent so we can reply to you.
When you use app.growthmethod.com
When you sign up for an account, we collect:
- Account details. Name, email address, password (stored hashed, never in plain text), optional profile photo, and, if you turn it on, two-factor authentication settings.
- Team and role. Which team you belong to and whether you’re a manager or a member.
- What you create in the product. Ideas, experiments, hypotheses, goals, metric results, comments, file uploads, and AI chat conversations. This content is yours; we hold it on your behalf so you can use the product.
- Connected integration data. When you connect a third-party service (Google Analytics, Google Search Console, PostHog, Webflow, GitHub, and others), we store an encrypted OAuth access token (and refresh token where provided) so we can read data from that service on your behalf. We only request the minimum scopes needed.
- Metric data fetched on your behalf. When the product fetches data from a connected integration to populate a goal or chart, we cache the result so the UI is fast. This data may contain whatever the connected service exposes (pageviews, conversion counts, search queries, etc.).
- Acceptance records. When you sign up or accept updated terms, we store the version of the Privacy Policy and Terms you accepted, along with the date and time.
Technical data we collect automatically
- Logs and diagnostics. Server logs (IP address, browser type, pages visited, timestamps) for security and debugging. We also send application errors to Sentry, our error-tracking provider, to fix bugs. We have configured Sentry to strip personally identifiable information from error reports.
- Cookies. We use a single first-party session cookie to keep you logged in. We do not use any third-party advertising or analytics cookies.
Legal bases (UK / EU GDPR)
Where UK or EU GDPR applies, we rely on the following legal bases:
- Contract. To provide the product to you and your team.
- Legitimate interests. To operate, secure, and improve the product; to communicate with you about your account; to prevent fraud and abuse.
- Legal obligation. Where we have to retain or disclose data to comply with law.
How we share your data
We do not sell your personal information. We share it only with the service providers below, who process it on our behalf to help us deliver the product:
| Sub-processor | What it processes | Where |
|---|---|---|
| DigitalOcean | Application hosting (compute, database) | European Union |
| Amazon Web Services (S3) | File uploads and profile photos | United States (us-east-1) |
| Mailgun | Transactional and notification emails | European Union |
| Sentry | Application error reports (with PII stripped) | United States |
| OpenAI | AI chat messages, content sent for AI scoring/categorisation, and text embedded for semantic search | United States |
| Anthropic | AI chat messages and content sent for AI features powered by Claude | United States |
| Google (GA4, Search Console) | Only if you connect these integrations. We request data on your behalf via OAuth | United States |
| PostHog | Only if you connect this integration. We request data on your behalf | European Union / United States (per your account) |
| Webflow | Only if you connect this integration. We request data on your behalf via OAuth | United States |
When data is transferred outside the UK or EEA, for example to AWS S3 in the United States or to our AI providers, we rely on the UK International Data Transfer Addendum and the EU Standard Contractual Clauses, together with each provider’s own safeguards (encryption in transit, data-processing addenda, and access controls).
AI features and your content
When you use AI features in the product (chat, scoring, categorisation, summaries, semantic search), the relevant content (your message, the idea or experiment text, or your goal context) is sent to OpenAI or Anthropic so they can generate a response.
We use both providers under their standard API terms, which mean:
- Your content is not used to train their general-purpose models.
- Your content is retained only for the short period needed to deliver the response and a brief abuse-monitoring window.
We do not send connected-integration credentials or other users’ personal information to AI providers.
How long we keep your data
- Account data. For as long as your account is active.
- Account deletion. When you delete your account, we delete your personal data within 30 days, except where we are required to retain it for legal, tax, or accounting reasons.
- Team-owned content. If you leave a team but the team remains, content you contributed to that team stays with the team. Your personal account data is still deleted on the schedule above.
- Backups. Encrypted database backups are retained for 30 days before being overwritten.
- Logs and error reports. Sentry events are retained for 90 days.
Your rights
If you are in the UK or EEA you have the right to:
- Access the personal data we hold about you.
- Correct it if it is wrong.
- Delete it (the “right to erasure”).
- Export it in a portable format.
- Object to or restrict certain processing.
- Withdraw consent at any time, where we rely on consent.
Email privacy@growthmethod.com and we will respond within 30 days. You also have the right to complain to the UK Information Commissioner’s Office (ICO) at ico.org.uk.
Age restriction
The product is intended for business use by adults only. You must be at least 18 years old to create an account. We do not knowingly collect personal information from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it.
Security
- All connections to the marketing site and the product are encrypted in transit (HTTPS).
- Passwords are stored hashed using bcrypt.
- OAuth access and refresh tokens for connected integrations are encrypted at rest in our database using application-level encryption.
- We follow the principle of least privilege for third-party integration scopes. For example, when you connect Google Analytics we ask you to pick specific properties rather than granting account-level access.
- Error reports sent to Sentry have personally identifiable information stripped.
No system is perfectly secure, but we take this seriously and design the product accordingly.
Changes to this policy
We will update this policy from time to time. The version date at the top tells you when it was last changed. If we make a material change, we will:
- Email all account holders before the change takes effect, and
- Prompt you to accept the updated policy the next time you sign in to the product.
You can always see the current version at growthmethod.com/privacy.
Contact
Questions? Email privacy@growthmethod.com or write to us at Growth Method Limited, Forest House Office, 3-5 Horndean Road, Bracknell, Berkshire, RG12 0XQ, United Kingdom.