Privacy Policy
This Privacy Policy explains how GrowhtOS (“we”, “us”, “our”) collects, uses, shares, and safeguards information when you use our website at growhtos.com and our hosted services (the “Service”). By using the Service, you agree to this policy.
1. Who we are
GrowhtOS is a software-as-a-service platform that helps creators, brands, and agencies plan, generate, schedule, publish, and analyse content across Instagram, Facebook and TikTok. GrowhtOS is operated by BMB OTOMOTİV GIDA İTHALAT İHRACAT DIŞ TİCARET LİMİTED ŞİRKETİ, a private limited company registered in Türkiye, with registered office at Merkez Mah. Salihpaşa Cad. No:15 İç Kapı No:34, Gaziosmanpaşa, 34093 İstanbul, Türkiye (the “Company”, “we”, “us”). The Company is the data controller for personal data processed via the Service. Contact us at privacy@growhtos.com.
2. Information we collect
2.1 Information you provide
- Account information: name, email address, password (hashed), language and theme preference.
- Billing information: processed by Stripe; we store subscription status, plan, and the last 4 digits of your payment method, never full card numbers.
- Content you create: posts, captions, scheduled drafts, AI prompts, generated outputs, uploaded media.
- Support correspondence: the contents of emails or messages you send us.
2.2 Information from connected social accounts
When you connect a social account via OAuth, we receive (and store encrypted) the OAuth access and refresh tokens, plus profile data the platform exposes:
- Instagram & Facebook (Meta Graph API): account ID, username, profile picture, follower/following counts, page insights, media metadata, comments on your posts.
- TikTok: open ID, display name, avatar, video list metadata, and (with your permission) post-publishing tokens.
We do not store your social-network password. Tokens are encrypted at rest using AES-256-GCM and are only decrypted in memory when needed to call the platform’s API on your behalf.
2.3 Automatically collected
- Device & usage: IP address, browser, OS, page views, feature usage, errors. Used for security and product analytics.
- Cookies: see our Cookie Policy.
3. How we use information
- Provide, maintain, and improve the Service.
- Authenticate you and protect your account.
- Process your subscription, including billing via Stripe.
- Generate AI content based on your prompts (we send prompt text and minimal context to our AI provider — see §6).
- Publish posts, fetch analytics, and retrieve comments via the platforms you have connected.
- Send transactional emails (e.g. password reset, weekly report ready, post-publish failure).
- Detect and prevent fraud, abuse, and security incidents.
- Comply with legal obligations.
4. Legal bases (GDPR)
- Contract: processing necessary to deliver the Service you signed up for.
- Legitimate interests: product improvement, security, analytics in aggregate.
- Consent: where we ask for it, e.g. non-essential cookies, marketing email, optional integrations.
- Legal obligation: tax, accounting, responding to lawful requests.
5. Sharing & sub-processors
We do not sell your personal data. We share it only with vetted sub-processors who help us run the Service:
| Provider | Purpose | Region |
|---|---|---|
| Supabase (Postgres + Storage) | Database & media hosting | EU / global |
| Stripe | Payments, subscriptions | US / global |
| Google AI (Gemini) | AI text generation | US / global |
| Meta Platforms (Graph API) | Instagram & Facebook integration | US / global |
| TikTok (Open Platform) | TikTok integration | US / global |
| Vercel / Railway | Application hosting | US / global |
| Upstash (Redis) | Job queue, rate limiting | US / global |
We also disclose information when required by law, to enforce our Terms, or to protect the rights, property, or safety of our users or third parties.
6. AI processing
When you use AI tools, the prompt text and any context you supply are sent to our AI provider (currently Google Gemini) for inference. We do not allow our provider to use your prompts to train their models. Generated outputs are stored in your account’s content library.
7. International transfers
Some sub-processors are located outside the EEA, UK, or your country. Where required, transfers are protected by Standard Contractual Clauses or equivalent safeguards.
8. Retention
- Account data: kept while your account is active; deleted within 30 days of account closure (longer where needed for legal or tax purposes).
- Content & AI history: kept until you delete it or close your account.
- Logs: retained up to 90 days, then deleted or anonymised.
- Billing records: retained 7 years per accounting requirements.
9. Your rights
Depending on your jurisdiction (GDPR, UK GDPR, CCPA, others) you may have the right to:
- Access the personal data we hold about you.
- Correct inaccurate data.
- Request deletion (see Data Deletion).
- Restrict or object to certain processing.
- Export your data in a portable format.
- Withdraw consent at any time, where processing is based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any right, email privacy@growhtos.com.
10. Children
The Service is not directed to anyone under 16. We do not knowingly collect data from children.
11. Security
We use HTTPS everywhere, encrypted database connections, AES-256-GCM for OAuth tokens at rest, bcrypt password hashing, rate limiting, role-based access control, and Content-Security-Policy headers. See our Security page.
12. Public creator profiles
If enabled for your account, GrowhtOS may publish a public profile page for you at growhtos.com/creators/<your-handle> and list you in our creator directory (organised by niche and region) so that search engines and AI assistants can discover you. These pages display only non-sensitive information you provided or that is already public: your display name, headline/bio, niche, city/country, the services you list, links to your public social profiles, and a selection of your already-public posts. We never publish your email, password, private analytics, or connected-account tokens. This is enabled by default to help you get discovered. You can turn it off at any time from Settings → Discovery, which removes your page and de-lists you from the directory. Deleting your account also removes the profile. Once removed, the page no longer appears on our site, though third-party search engines may retain a cached copy for a period outside our control.
13. Changes
We will post any updates to this policy on this page and update the “Last updated” date. For material changes we will notify you by email or in-app.
14. Contact
Privacy questions: privacy@growhtos.com
General: support@growhtos.com