Privacy Policy

Introduction, Scope, and Data Security Commitment

 

The security of your data is very important for us. We always treat your personal and business data confidentially and with great care.

Your business data and KPI’s (e.g., sales statistics) are used exclusively for the operation of the GROWVE software. Under no circumstances will your data be analyzed, evaluated, interpreted, sold, or used outside GROWVE. You can be sure that it’s our top priority to ensure that your business secrets are safe!

The use of the internet pages of GROWVE is possible without any indication of personal data ; however, if a Data Principal (Data Subject) wants to use special enterprise services via our website, processing of personal data could become necessary. If the processing of personal data is necessary and there is no statutory basis for such processing, we generally obtain Consent from the Data Principal.

The processing of personal data, such as the name, address, e-mail address, or telephone number of a Data Principal shall always be in line with the General Data Protection Regulation (GDPR), and in accordance with the country-specific data protection regulations applicable to GROWVE, including the DPDP Act, 2023.

As the Data Fiduciary (Controller), GROWVE has implemented numerous technical and organizational measures to ensure the most complete protection of personal data processed through this website. However, Internet-based data transmissions may in principle have security gaps, so absolute protection may not be guaranteed. For this reason, every Data Principal is free to transfer personal data to us via alternative means, e.g., by telephone.

 

1. Definitions (Aligned with GDPR and DPDP Act)

 

Our data protection declaration is based on the terms used by the European legislator for the adoption of the General Data Protection Regulation (GDPR).

• a) Personal data: Any information relating to an identified or identifiable natural person (“Data Principal”). This includes identifiers such as a name, an identification number, location data, an online identifier, or factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

• b) Data Principal (Data subject): Any identified or identifiable natural person, whose personal data is processed by the Data Fiduciary responsible for the processing.

• c) Processing: Any operation performed on personal data, such as collection, recording, organization, structuring, storage, use, disclosure by transmission, dissemination, restriction, erasure, or destruction.

• d) Restriction of processing: The marking of stored personal data with the aim of limiting their processing in the future.

• e) Profiling: Any automated processing of personal data to evaluate certain personal aspects relating to a natural person, such as performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location, or movements.

• f) Pseudonymisation: Processing of personal data such that the data can no longer be attributed to a specific Data Principal without additional information, provided that such information is kept separately and secure.

• g) Data Fiduciary (Controller): The natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

• h) Processor: A natural or legal person which processes personal data on behalf of the Data Fiduciary.

• i) Recipient: A natural or legal person, public authority, agency, or another body, to which the personal data are disclosed.

• j) Third party: A natural or legal person, public authority, agency, or body other than the Data Principal, Data Fiduciary, Processor, and authorized persons.

• k) Consent: Any freely given, specific, informed, and unambiguous indication of the Data Principal's wishes by a statement or a clear affirmative action, signifying agreement to the processing of personal data.

 

2. Name and Address of the Data Fiduciary (Controller)

 

Controller for the purposes of GDPR and Data Fiduciary for the purposes of the DPDP Act is: GROWVE RETAIL AND MANAGEMENT SERVICES PRIVATE LIMITED (Your company details will go here).

• Address: Unit no. 404, Filix Tower, LBS Marg, Oppo. Asian Paints, Sonapur, Bhandup West, Mumbai, Maharashtra 400078

• Email for Data Inquiries: admin@growve.in

• Website: www.growve.in

 

3. Cookies

 

The Internet pages of GROWVE use cookies, which are text files stored in a computer system via an Internet browser.

• Purpose: Cookies allow us to provide more user-friendly services, recognize website users, and optimize information and offers. For example, a user does not have to enter access data each time they access the website.

• Control: The Data Principal may, at any time, prevent the setting of cookies through our website by adjusting the Internet browser settings, and may thus permanently deny the setting of cookies. Already set cookies may be deleted at any time. Note that deactivating cookies may cause not all functions of our website to be entirely usable.

 

4. Collection of General Data and Information (Server Log Files)

 

The GROWVE website collects general data and information when a Data Principal calls up the website. This data is stored in the server log files.

• Data Collected: (1) browser types and versions, (2) the operating system used, (3) the referrer website, (4) the sub-websites visited, (5) the date and time of access, (6) an Internet protocol address (IP address), (7) the Internet service provider, and (8) other similar data that may be used in the event of attacks.

• Purpose: This information is needed to (1) deliver content correctly, (2) optimize website content and advertisement, (3) ensure the long-term viability of IT systems, and (4) provide law enforcement authorities with information necessary for criminal prosecution in case of a cyber-attack.

• Anonymity: GROWVE analyzes anonymously collected data statistically. The anonymous data of the server log files are stored separately from all personal data provided by a Data Principal.

 

5. Registration on our website

 

• Data Collection: The Data Principal has the possibility to register on the website. The personal data entered (e.g., name, e-mail) are collected and stored exclusively for internal use by the Data Fiduciary.

• Security Data: The IP address, date, and time of the registration are also stored. The storage of this data is necessary to prevent the misuse of our services and, if necessary, to investigate committed offenses.

• Disclosure: This data is not passed on to third parties unless there is a statutory obligation or the transfer serves the aim of criminal prosecution.

• Data Subject Rights: Registered persons are free to change or completely delete their personal data at any time. The Data Fiduciary shall, at any time, provide information upon request as to what personal data are stored about the Data Principal.

 

6. Subscription to our newsletters

 

• Subscription Process: The newsletter may only be received if the Data Principal has a valid e-mail address and registers for the shipping. A confirmation e-mail will be sent in the double opt-in procedure to secure Consent.

• Security Data: During registration, the Data Fiduciary stores the IP address, date, and time of registration , which is necessary to understand and prevent the (possible) misuse of the e-mail address.

• Usage: Personal data collected is used only to send our newsletter and essential information regarding the newsletter service.

• No Third-Party Transfer: There will be no transfer of personal data collected by the newsletter service to third parties.

• Withdrawal of Consent: The Data Principal may terminate the subscription or revoke consent to the storage of personal data at any time. A corresponding link is found in each newsletter.

​

7. Newsletter-Tracking

 

•  

  Tracking Pixels: The newsletter contains tracking pixels (miniature graphics). This enables log file recording and analysis to allow a statistical analysis of the success or failure of online marketing campaigns.

•  

  Data Collected: We may see if and when an e-mail was opened and which links were called up.

•  

  Purpose: This data is stored and analyzed to optimize the shipping of the newsletter and adapt the content of future newsletters to the Data Principal's interests.

•  

  No Third-Party Transfer: These personal data will not be passed on to third parties.

•  

  Withdrawal: Data Principals are entitled to revoke the respective separate declaration of consent issued by means of the double-opt-in procedure. Withdrawal from the receipt of the newsletter is automatically regarded as a revocation.

 

8. Contact possibility via the website

 

• If a Data Principal contacts the Data Fiduciary by e-mail or via a contact form, the personal data transmitted on a voluntary basis is automatically stored.

•  

  Purpose: The data is stored for the purpose of processing or contacting the Data Principal.

•  

  No Third-Party Transfer: There is no transfer of this personal data to third parties.
   

 

9. Comments function in the blog on the website

 

•  

  Data Collection: If a Data Principal leaves a comment on the blog, the comments made, the user's (pseudonym) chosen, and the date of the commentary are stored and published.

•  

  Security Logging: The IP address assigned to the Data Principal is also logged. This storage of the IP address is for security reasons and in case the Data Principal violates the rights of third parties or posts illegal content.

•  

  Disclosure: This collected personal data will not be passed to third parties, unless such a transfer is required by law or serves the aim of the defense of the Data Fiduciary.

 

10. Subscription to comments in the blog on the website

 

• The comments made may be subscribed to by third parties.

•  

  Double Opt-In: If a Data Principal subscribes, a confirmation e-mail is sent to check the double opt-in procedure to confirm the Data Principal is authorized for this option.

•  

  Termination: The option to subscribe to comments may be terminated at any time.

 

11. Routine erasure and blocking of personal data (Storage Limitation)

 

The Data Fiduciary shall process and store the personal data of the Data Principal only for the period necessary to achieve the purpose of storage, or as far as this is granted by the European legislator or other legislators in laws or regulations to which the Data Fiduciary is subject. If the storage purpose is not applicable, or if a prescribed storage period expires, the personal data are routinely blocked or erased in accordance with legal requirements.

 

12. Rights of the Data Principal (Data Subject)

 

The Data Principal is entitled to the following rights:

 

a) Right of confirmation

 

To obtain from the Data Fiduciary the confirmation as to whether or not personal data concerning him or her are being processed.

 

b) Right of access

 

To obtain from the Data Fiduciary free information about his or her personal data stored at any time and a copy of this information. This includes access to information on:

• The purposes of the processing.

• The categories of personal data concerned.

• The recipients or categories of recipients to whom the personal data have been or will be disclosed, including recipients in third countries.

• The envisaged period for which the personal data will be stored, or the criteria used to determine that period.

• The existence of the right to request rectification, erasure, restriction of processing, or to object to such processing.

• The existence of the right to lodge a complaint with a supervisory authority.

• The source of the personal data, where it was not collected from the Data Principal.

• The existence of automated decision-making, including profiling, and meaningful information about the logic and consequences involved.

• Whether personal data are transferred to a third country and the appropriate safeguards relating to the transfer.

 

c) Right to rectification

 

To obtain from the Data Fiduciary without undue delay the rectification of inaccurate personal data. The Data Principal shall have the right to have incomplete personal data completed.

 

d) Right to erasure (Right to be forgotten)

 

To obtain from the Data Fiduciary the erasure of personal data without undue delay where:

• The personal data are no longer necessary for the purposes for which they were collected.

• The Data Principal withdraws Consent and there is no other legal ground for the processing.

• The Data Principal objects to the processing and there are no overriding legitimate grounds, or objects to processing for direct marketing.

• The personal data have been unlawfully processed.

• The erasure is necessary for compliance with a legal obligation.

• The personal data have been collected in relation to the offer of information society services.

 

e) Right of restriction of processing

 

To obtain from the Data Fiduciary restriction of processing where:

• The accuracy of the personal data is contested, for a period enabling the Data Fiduciary to verify the accuracy.

• The processing is unlawful, and the Data Principal opposes erasure and requests restriction instead.

• The Data Fiduciary no longer needs the data, but they are required by the Data Principal for the establishment, exercise, or defense of legal claims.

• The Data Principal has objected to processing pending the verification of legitimate grounds.

 

f) Right to data portability

 

To receive the personal data concerning him or her, which was provided to the Data Fiduciary, in a structured, commonly used and machine-readable format. They shall have the right to transmit those data to another controller without hindrance, where technically feasible.

 

g) Right to object

 

To object at any time to processing of personal data concerning him or her which is based on legitimate interests, including profiling. The Data Fiduciary shall no longer process the personal data unless compelling legitimate grounds are demonstrated. The Data Principal has the right to object at any time to processing for direct marketing purposes, including related profiling.

 

h) Automated individual decision-making, including profiling

 

To not be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her, unless necessary for a contract, authorized by law, or based on explicit Consent. If the decision is necessary for a contract or based on explicit Consent, suitable measures shall be implemented, including the right to obtain human intervention.

 

i) Right to withdraw data protection consent

 

To withdraw his or her Consent to processing of personal data at any time.

 

13. Data protection provisions about the application and use of Facebook (Meta)

 

•  

  Integration: The website has integrated components of Facebook (Meta).

•  

  Data Flow: If a Data Principal is logged in at the same time on Facebook, Facebook detects with every call-up to our website which specific sub-site was visited. This information is collected and associated with the respective Facebook account. If the Data Principal clicks a button (e.g., "Like" or submits a comment), Facebook stores this personal data.

•  

  Prevention: The Data Principal can prevent this by logging off from their Facebook account before a call-up to our website is made.

 

14. Data protection provisions about the application and use of Google AdSense

 

•  

  Purpose: Google AdSense is used for the integration of advertisements on our website. It uses an algorithm to select advertisements that match the content of our site, enabling interest-based targeting via individual user profiles.

•  

  Data Flow: Google AdSense places a cookie. Through the cookie and tracking pixels, Alphabet Inc. (Google) gains knowledge of personal data, such as the IP address, to understand the origin of visitors and clicks. This data is stored and processed in the United States of America and may be disclosed to third parties.

•  

  Control: The Data Principal can prevent the setting of cookies at any time or delete existing cookies.

 

15. Integration with Google Analytics (Non-PII Use)

 

•  

  Specific Use: Through the integration with Google Analytics, GROWVE will only fetch ad expenses and show them in the profit & loss dashboard.

•  

  Data Exclusions: GROWVE does not use the Google Analytics integration to fetch any Personally identifiable information (PII).

•  

  Control: The integration can be connected and disconnected by the customer at any time. Deletion of the GROWVE account will lead to the deletion of saved data.

 

16. Data protection provisions about the application and use of Google Analytics (with anonymization function)

 

•  

  Function: We use Google Analytics with the anonymizer function (application "_gat. _anonymizeIp"). This abridges and anonymizes the IP address when accessing our websites from a Member State of the European Union or other contracting state to the EEA Agreement.

•  

  Purpose: To analyze the traffic and evaluate the use of our website to provide online reports.

•  

  Data Flow: Google Analytics places a cookie and, with each call-up, personal data, including the anonymized IP address, is transmitted to Google in the United States of America. Google may pass this data to third parties.

•  

  Control: The Data Principal can prevent the setting of cookies. Additionally, the Data Principal has the possibility of objecting to a collection of data by downloading and installing a browser add-on provided by Google.

 

17. Data protection provisions about the application and use of Cookiebot

 

•  

  Purpose: We use the consent management service Cookiebot (Cybot A/S) to obtain and manage consent from website users for data processing. This processing is necessary to comply with a legal obligation.

•  

  Data Processed: Your IP address (last three digits set to '0'), date and time of consent, browser information, URL, an anonymous/encrypted key, and your end-user consent status.

•  

  Storage: The key and consent status are stored in the browser for 12 months using the "CookieConsent" cookie.

•  

  Processor: Cybot is a recipient of your personal data and acts as a Processor for us.

 

18. Data protection provisions about the application and use of Google reCAPTCHA

 

•  

  Purpose: Used to check whether data entry (e.g., in a registration form) is made by a human or by an automated program (SPAM prevention).

•  

  Data Analysis: reCAPTCHA analyzes the behavior of the website visitor based on various characteristics, such as IP address, time spent, or mouse movements. This analysis starts automatically in the background.

•  

  Legal Basis: Data processing is based on a legitimate interest in protecting our web offerings from abusive automated spying and from SPAM.

 

19. Data protection provisions about the application and use of Google-AdWords (Conversion Tracking)

 

•  

  Purpose: The promotion of our website by the inclusion of relevant advertising on the websites of third parties and in Google search engine results.

•  

  Data Flow: If a Data Principal reaches our website via a Google ad, a conversion cookie is filed. This cookie is not used to identify the Data Principal , but checks whether certain sub-pages were called up, allowing us to understand if the ad generated sales.

•  

  Data Transmitted: Personal data, including the IP address, is transmitted to Google in the United States of America.

•  

  Control: The Data Principal can prevent the setting of cookies or object to the interest-based advertisement of Google by accessing Google's ads settings page.

 

20. Data protection provisions about the application and use of Instagram (Meta)

 

•  

  Integration: Components of the service Instagram are integrated.

•  

  Data Flow: If the Data Principal is logged in at the same time on Instagram, Instagram detects which specific sub-page of our website was visited. This information is collected and associated with the respective Instagram account.

•  

  Prevention: The Data Principal can prevent this by logging off from their Instagram account before a call-up to our website is made.

 

21. Data protection provisions about the application and use of Twitter (X)

 

•  

  Integration: Components of Twitter are integrated.

•  

  Data Flow: If the Data Principal is logged in at the same time on Twitter, Twitter detects which specific sub-page of our website was visited. This information is collected and associated with the respective Twitter account. If the Data Principal clicks a Twitter button, Twitter assigns this information to the personal account.

•  

  Prevention: The Data Principal may prevent this by logging off from their Twitter account before a call-up to our website is made.

 

22. Data protection provisions about the application and use of the live chat box

 

•  

  Provider: The live chat and email messenger system is provided by Intercom, Inc. and is used to improve our customer experience.

•  

  Data Flow: Intercom might become aware of your personal data (email address and your name) if you provide these in the chat box or your GROWVE account.

•  

  Customer Service: General questions may be answered by a customer service provider, Meta-Sistem S.R.L.. If you enter your email address and/or your name in the chat, these data might be visible to Meta-Sistem.

​

23. Data protection provisions about the application and use of YouTube

 

•  

  Integration: Components of YouTube are integrated. YouTube is a video portal, and YouTube, LLC is a subsidiary of Google Inc..

•  

  Data Flow: If the Data Principal is logged in on YouTube, YouTube and Google recognize with each call-up to a sub-page that contains a YouTube video, which specific sub-page was visited. This information is collected and assigned to the respective YouTube account.

•  

  Prevention: The delivery of this information may be prevented if the Data Principal logs off from their own YouTube account before a call-up to our website is made.

 

24. Data protection provisions about the application and use of Microsoft advertising

 

•  

  Purpose: Our website uses Microsoft Advertising to serve and display advertisements. It uses information, including your IP address and demographic information, to help make advertising more relevant.

•  

  Data Flow: Information is collected through the use of cookies and helps us understand and improve the performance of our advertising campaigns (e.g., number of ad shows/clicks).

•  

  Control: The Data Principal can opt out of Microsoft Advertising's personalized advertising program by visiting the Microsoft Advertising Opt-Out page. They may still see advertisements, but they will not be personalized.

 

25. Payment Method: Data protection provisions about the use of Cashfree as a payment processor

 

•  

  Service: Cashfree is an online payment service provider.

•  

  Data Exchange: The processing of the purchase contract requires personal data in connection with the respective order. This involves the exchange of payment information such as bank details, card number, date of validity, CVC code, and details of the financial situation.

•  

  Revocation: The Data Principal is able to revoke Consent to the handling of personal data at any time from Cashfree. A revocation shall not affect personal data which must be processed, used, or transmitted in accordance with contractual payment processing.

 

26. Payment Method: Data Protection Provisions for the Use of RazorPay as a Payment Processor

 

•  

  Service: RazorPay is an online payment service provider.

•  

  Data Exchange: The processing of the purchase contract requires personal data in connection with the respective order. This includes the exchange of payment information such as bank details, card number, date of validity, CVC code, and details of the financial situation.

•  

  Revocation: The Data Principal has the right to revoke Consent to the handling of personal data at any time with RazorPay. A revocation shall not affect personal data that must be processed, used, or transmitted in accordance with contractual payment processing obligations.

 

27. Legal basis for the processing (DPDP Act and GDPR Equivalents)

 

Processing operations are based on the following legal grounds:

• Consent: Art. 6(1) lit. a GDPR serves as the legal basis for processing operations for which we obtain Consent for a specific processing purpose.

• Performance of a Contract: Art. 6(1) lit. b GDPR serves as the basis when processing is necessary for the performance of a contract or for carrying out pre-contractual measures (e.g., supply of goods or services, inquiries).

• Legal Obligation: Art. 6(1) lit. c GDPR serves as the basis if our company is subject to a legal obligation by which processing of personal data is required, such as for the fulfillment of tax obligations.

• Vital Interests: Art. 6(1) lit. d GDPR serves as the basis in rare cases where processing is necessary to protect the vital interests of the Data Principal or another natural person (e.g., passing on information to a hospital).

• Legitimate Interests (DPDP Act Legitimate Use): Art. 6(1) lit. f GDPR serves as the basis if processing is necessary for the purposes of the legitimate interests pursued by our company or by a third party, except where such interests are overridden by the fundamental rights and freedoms of the Data Principal.

 

28. The legitimate interests pursued by the Data Fiduciary or by a third party

 

Where processing is based on legitimate interests (Art. 6(1) lit. f GDPR), our legitimate interest is to carry out our business in favor of the well-being of all our employees and the shareholders. The European legislator considered that a legitimate interest could be assumed if the Data Principal is a client of the Data Fiduciary.

 

29. Period for which the personal data will be stored (Statutory Retention)

 

The criteria used to determine the period of storage of personal data is the respective statutory retention period. After expiration of that period, the corresponding data is routinely deleted, as long as it is no longer necessary for the fulfillment or the initiation of a contract.

 

30. Provision of personal data as statutory or contractual requirement; Requirement necessary to enter into a contract; Obligation of the Data Principal; possible consequences of failure to provide such data

 

•  

  Requirement: The provision of personal data is partly required by law (e.g., tax regulations) or can also result from contractual provisions. It may be necessary to conclude a contract that the Data Principal provides us with personal data.

•  

  Consequences of Non-Provision: The non-provision of the necessary personal data would have the consequence that the contract with the Data Principal could not be concluded.

•  

  Clarification: Before providing personal data, the Data Principal should contact an employee to clarify whether the provision of the personal data is required by law or contract, and the consequences of non-provision.

 

31. Existence of automated decision-making

 

As a responsible company, we do not use automatic decision-making or profiling.