Privacy Policy

DesignGrow ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform at designgrow.app, our mobile applications, and related services (collectively, the "Service"). Please read this Privacy Policy carefully. By using the Service, you consent to the practices described in this policy.

1. Information We Collect

1.1 Information You Provide

We collect information you provide directly, including:

• Account Information: Name, email address, password, company name, phone number, and business address when you register
• Profile Information: Professional details, role, and preferences you add to your profile
• Business Data: Inventory items, project details, client information, proposals, contracts, and invoices you create
• Payment Information: Billing details, bank account information, and payment card information (processed securely through our payment processing partner, Moov Financial)
• Merchant Information: Business verification data, tax identification numbers, and beneficial ownership information required for payment processing
• Communications: Messages, support requests, and feedback you send to us
• Content: Photos, documents, and other files you upload to the Service

1.2 Information Collected Automatically

When you use our Service, we automatically collect:

• Device Information: Device type, operating system, browser type, unique device identifiers
• Usage Data: Pages visited, features used, time spent, click patterns, and navigation paths
• Log Data: IP address, access times, referring URLs, and system activity
• Location Data: General location based on IP address; precise location only with your consent
• Cookies and Tracking: Information collected via cookies, pixels, and similar technologies
• Transaction Data: Payment amounts, dates, payment methods, and transaction statuses

1.3 Information from Third Parties

When you connect third-party services (QuickBooks, Xero, HubSpot, etc.), we receive data from those services as authorized by you. Our payment processing partner, Moov Financial, may also provide us with transaction status updates and verification results. We may also receive information from business partners, marketing partners, and publicly available sources.

2. How We Use Your Information

We use your information for the following purposes:

2.1 Provide and Improve the Service

• Create and manage your account
• Process transactions and send related communications
• Facilitate payment processing between you and your clients
• Provide customer support and respond to inquiries
• Deliver requested features and functionality
• Analyze usage patterns to improve the Service
• Develop new features and services

2.2 Payment Processing

• Create and verify your merchant account with our payment processing partner
• Process payments from your clients for invoices and proposals
• Transfer funds to your connected bank account
• Detect and prevent fraud and unauthorized transactions
• Comply with anti-money laundering (AML) and Know Your Customer (KYC) requirements
• Generate transaction reports and statements

2.3 Communications

• Send administrative notices, updates, and security alerts
• Send payment confirmations and receipts
• Send marketing communications (with your consent)
• Respond to your requests and inquiries

2.4 Security and Compliance

• Protect against fraud, unauthorized access, and security threats
• Monitor for violations of our Terms of Service
• Comply with legal obligations and enforce our agreements
• Satisfy payment network rules and regulatory requirements

2.5 AI Features

We use your data to power AI features like GrowGPT and virtual staging. Anonymized and aggregated data may be used to train and improve our AI models. You can opt out of AI training in your account settings.

3. Legal Bases for Processing (GDPR)

For users in the European Economic Area (EEA), UK, and Switzerland, we process your personal data based on:

• Contract Performance: Processing necessary to provide the Service you requested, including payment processing
• Legitimate Interests: Processing for our legitimate business interests (e.g., fraud prevention, security, product improvement)
• Consent: Processing based on your explicit consent (e.g., marketing communications)
• Legal Obligation: Processing required to comply with applicable laws, including financial regulations

4. How We Share Your Information

We do not sell your personal information. We may share your information in these circumstances:

4.1 Payment Processing Partner

We share necessary information with Moov Financial, Inc. to facilitate payment processing. This includes:

• Business verification data to create your merchant account
• Bank account information for deposits and withdrawals
• Transaction details to process payments
• Identity verification data for compliance purposes

Moov is subject to its own Privacy Policy and Platform Agreement.

4.2 Other Service Providers

We share data with trusted service providers who help us operate the Service, including:

• Hosting: Vercel (application hosting), Supabase (database and storage)
• Analytics: PostHog (product analytics)
• Email: Resend (transactional emails)
• AI: Groq, Google (AI model providers)

4.3 Connected Third-Party Services

When you connect integrations (QuickBooks, Xero, HubSpot, Zapier), your data is shared with those services according to your authorization and their privacy policies.

4.4 Legal Requirements

We may disclose your information if required by law, subpoena, court order, or to protect our rights, safety, or property, or that of others. This includes sharing information with financial regulators, law enforcement, or other government agencies when required.

4.5 Business Transfers

If DesignGrow is involved in a merger, acquisition, or sale of assets, your information may be transferred. We will notify you before your data becomes subject to a different privacy policy.

5. Payment Data Security

We take extra care to protect your payment and financial information:

• PCI Compliance: Payment card data is handled by our PCI-DSS compliant payment processor. We never store full card numbers on our servers.
• Bank-Level Encryption: All payment data is encrypted using industry-standard protocols (TLS 1.3, AES-256)
• Tokenization: Sensitive payment information is tokenized to minimize exposure
• Secure Transmission: All payment API communications use encrypted channels
• Fraud Monitoring: Real-time monitoring systems detect suspicious transaction patterns

6. General Data Security

We implement industry-standard security measures to protect your information:

• Encryption: Data encrypted in transit (TLS 1.3) and at rest (AES-256)
• Access Controls: Role-based access controls and multi-factor authentication
• Data Isolation: Multi-tenant architecture with Row Level Security (RLS) ensures each organization's data is isolated
• Monitoring: Continuous security monitoring and logging
• Compliance: SOC 2 Type II compliant infrastructure partners

While we strive to protect your data, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

7. Data Retention

We retain your information for as long as your account is active or as needed to provide the Service. Specific retention periods include:

• Account Data: Retained while your account is active and for 30 days after deletion request
• Business Data: Retained while your account is active; exportable upon request
• Financial Records: Retained for 7 years to comply with tax, accounting, and financial regulatory requirements
• Payment Transaction Data: Retained for 7 years as required by financial regulations
• Log Data: Retained for 90 days for security and debugging purposes
• Backups: Retained for 30 days after data deletion

8. Your Rights and Choices

8.1 All Users

You have the right to:

• Access: View the personal information we hold about you
• Correction: Update or correct inaccurate information
• Deletion: Request deletion of your account and personal data (subject to legal retention requirements)
• Export: Download your data in a portable format
• Opt-out: Unsubscribe from marketing communications
• Manage Integrations: Connect or disconnect third-party services

8.2 European Users (GDPR)

If you are in the EEA, UK, or Switzerland, you also have the right to:

• Restriction: Request restriction of processing
• Objection: Object to processing based on legitimate interests
• Withdraw Consent: Withdraw consent at any time (without affecting prior processing)
• Portability: Receive your data in a structured, machine-readable format
• Lodge Complaint: File a complaint with your local data protection authority

8.3 California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Know: Request disclosure of personal information collected, used, and disclosed
• Delete: Request deletion of personal information
• Opt-out of Sale: We do not sell personal information
• Non-Discrimination: Exercise rights without discriminatory treatment
• Correct: Request correction of inaccurate personal information
• Limit Use of Sensitive Information: Limit processing of sensitive personal information

To exercise these rights, contact us at privacy@designgrow.app. We will respond within 45 days.

9. Cookies and Tracking Technologies

We use cookies and similar technologies to provide functionality, remember preferences, and analyze usage.

Types of Cookies We Use

• Essential Cookies: Required for the Service to function (authentication, security, payment processing)
• Functional Cookies: Remember your preferences and settings
• Analytics Cookies: Help us understand how you use the Service (PostHog)
• Marketing Cookies: Used to deliver relevant advertisements (with consent)

Managing Cookies

You can control cookies through your browser settings. Disabling certain cookies may affect Service functionality. For analytics opt-out, visit your account settings or use browser privacy tools.

10. International Data Transfers

Your information may be transferred to and processed in the United States and other countries where our service providers operate. We ensure appropriate safeguards are in place:

• Standard Contractual Clauses (SCCs) approved by the European Commission
• Data Processing Agreements with all service providers
• Compliance with applicable data transfer frameworks

11. Children's Privacy

The Service is not intended for children under 18. We do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us.

12. Third-Party Links and Services

The Service may contain links to third-party websites and services. This Privacy Policy does not apply to those third parties. We encourage you to review their privacy policies before providing any information.

13. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and, for significant changes, by email. Your continued use of the Service after the effective date of any modifications constitutes acceptance of the updated policy.

14. Contact Us

If you have questions about this Privacy Policy or wish to exercise your rights, please contact us:

For GDPR inquiries, you may also contact our Data Protection Officer at dpo@designgrow.app.

California Privacy Notice Summary

As required by the CCPA/CPRA, here is a summary of our data practices: