Global Privacy Policy

Last updated: May 2026

GrowthRail Inc. ("GrowthRail", "we", "us", or "our") respects your privacy and is committed to protecting it through our compliance with this policy. This Privacy Policy describes the types of information we may collect from you or that you may provide when you visit the website growthrail.com (our "Website") or use our SaaS referral-program infrastructure services (our "Service"), and our practices for collecting, using, maintaining, protecting, and disclosing that information across global jurisdictions.

For the purposes of global data protection laws (including the GDPR, UK GDPR, CCPA/CPRA, and LGPD), GrowthRail acts as a "Data Processor" (or "Service Provider") when providing the Service to our customers, processing data strictly on their behalf. Our customers are the "Data Controllers" (or "Businesses"). The definitive privacy terms regarding our processing of customer data live in our Data Processing Agreement (DPA). Contact hello@growthrail.com to request our standard DPA.

1. Information We Collect

We collect several types of information from and about users of our Website and Service, including:

  • Customer Account Information: Name, email address, company name, billing information, and account credentials required to provide the Service.
  • End-User Data (Processed on behalf of Customers): The IDs and attributes our customers send us via the SDK or API, plus event timestamps and device signals used for attribution (OS, OS version, timezone, locale, screen size, model, IP address). We process this data strictly under the instructions of our customers.
  • Usage Data & Telemetry: Details of your visits to our Website and use of the Service, including traffic data, location data, logs, other communication data, and the resources that you access and use.
  • Device and Security Data: Information about your computer and internet connection, including your IP address, operating system, authentication events, and browser type.

2. Prohibited Data (HIPAA & PCI-DSS)

GrowthRail is a referral infrastructure provider. We are not intended for the transmission, processing, or storage of Protected Health Information (PHI) under the Health Insurance Portability and Accountability Act (HIPAA), nor are we a PCI-DSS compliant payment gateway. Customers are strictly prohibited from submitting PHI, full credit card numbers, government-issued IDs (like Social Security Numbers), or highly sensitive biometric data into our Service.

3. Cookies and Tracking Technologies

We use cookies, web beacons, and similar tracking technologies to track activity on our Service and hold certain information. You can instruct your browser to refuse all cookies or to indicate when a cookie is being sent. However, if you do not accept cookies, you may not be able to use some portions of our dashboard. Our attribution SDK does not use invasive cross-site third-party tracking cookies; we rely on first-party probabilistic and deterministic device matching.

4. Data Sharing and Disclosure

We do not sell, trade, or rent your personal identification information. We may disclose personal information that we collect or you provide as described in this privacy policy:

  • To Sub-Processors & Service Providers: We employ third-party companies (e.g., AWS, Cloudflare) to facilitate our Service. A full list of our Sub-Processors is available upon request.
  • For Legal Reasons: To comply with any court order, law, or legal process, including to respond to any government or regulatory request.
  • Business Transfers: To a buyer or other successor in the event of a merger, divestiture, restructuring, reorganization, dissolution, or other sale or transfer of some or all of GrowthRail's assets.

5. Global Data Protection Rights (GDPR, UK GDPR, LGPD)

If you are a resident of the European Economic Area (EEA), the United Kingdom (UK), or Brazil, you have specific data protection rights. We aim to take reasonable steps to allow you to correct, amend, delete, or limit the use of your Personal Data. Your rights include:

  • The right to access: To request copies of your personal data.
  • The right to rectification: To request correction of inaccurate data.
  • The right to erasure ("Right to be Forgotten"): To request deletion of your personal data under certain conditions.
  • The right to restrict processing: To request restriction of processing your personal data.
  • The right to object to processing: To object to our processing, particularly for direct marketing.
  • The right to data portability: To request transfer of your data to another organization.
  • The right to lodge a complaint: You have the right to complain to a Data Protection Authority (DPA) about our collection and use of your Personal Data.

Note for End-Users: If you are an end-user of one of our Customers, please direct your request directly to them (the Data Controller). GrowthRail acts as a processor and will assist our Customers in fulfilling these requests.

6. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA) provide you with additional rights. GrowthRail acts as a "Service Provider". We do not sell or share your personal information or the personal information of our customers' end-users for cross-context behavioral advertising. You have the right to request disclosure of data collection and sales practices, the right to request deletion, the right to correct inaccurate personal information, and the right not to be discriminated against for exercising your CCPA rights.

7. International Data Transfers

Your information, including Personal Data, may be transferred to — and maintained on — computers located outside of your state, province, country, or other governmental jurisdiction where the data protection laws may differ. When transferring data from the EEA, UK, or Switzerland to jurisdictions without an adequacy decision, we rely on standard safeguards, such as the Standard Contractual Clauses (SCCs) approved by the European Commission or the UK Information Commissioner's Office.

8. Data Retention, Security & Breach Notification

Data is stored securely in PostgreSQL with multi-tenant isolation. API keys are BCrypt-hashed. We retain personal data only for as long as necessary to fulfill the purposes we collected it for, including for the purposes of satisfying any legal, accounting, or reporting requirements. Upon customer request or account termination, data is hard-deleted from active systems within 30 days and from backups within 90 days.

In the event of a security breach that materially affects customer data, GrowthRail is committed to notifying affected Data Controllers without undue delay and, where feasible, not later than 48 hours after having become aware of it, in compliance with GDPR and applicable global breach notification laws.

9. Changes to Our Privacy Policy

We will post any changes we make to our privacy policy on this page. If we make material changes to how we treat our users' personal information, we will notify you by email to the primary email address specified in your account.

10. Contact Information & Data Protection Officer

To ask questions, comment about this privacy policy, exercise your rights, or contact our Data Protection Officer (DPO), please reach out to us at:
Email: privacy@growthrail.com
GrowthRail Inc.
123 Innovation Drive, Suite 400
San Francisco, CA 94105