    Privacy Policy

    Last updated: May 8, 2026

    GrowthMatic ("we", "us") provides a SaaS product that helps founders identify prospective customers, generate marketing assets, and run outbound email campaigns. This page explains every category of data we touch, every sub-processor that touches it, how long we keep it, and your rights over it.

    Who we are (data controller)

    GrowthMatic is owned and operated by:

    Dream Ops B.V.
    Hamerstraat 3D
    1135GA Edam
    The Netherlands
    Chamber of Commerce: 42047001
    Email: [email protected]

    For EU/UK GDPR purposes, Dream Ops B.V. is the data controller for personal data collected from operators using the Service. For outreach you initiate, see "Controller / processor for outreach data" below — you are the controller; we are the processor.

    Data we collect from you (operators)

    • Email + password. The bcrypt hash of your password — we never see plaintext after submission.
    • Account timestamps. Account creation time, last login time, and the IP address of your last login (security and anti-abuse).
    • Workspace contents. The websites you ingest, plus the ICPs, clusters, targets, and outreach drafts the platform extracts from them. Per-workspace, scoped at the database row level to the workspace owner.
    • BYO-SMTP credentials. If you configure your own outbound SMTP server, the password is encrypted with AWS KMS before we store it. Not even we can read the plaintext after the encrypt step.
    • Outreach drafts. Drafts you generate, the targets they're addressed to, the responses you record.

    Data we collect about prospects you target

    • Email addresses from public web sources you direct us to (Reddit, Hacker News, Bluesky, Lobsters, dev.to, YouTube, RSS, manual entry). These are stored per-workspace — an email found for your workspace is not shared with or reused by any other customer's workspace. (Only non-personal company facts, such as a domain's email-format pattern, are reused platform-wide.)
    • Enriched business contacts (only if you connect your own enrichment key). When you add your own Hunter.io or Apollo.io API key, we use it under your account/quota to find a business email for an enrichable target. The resulting contact (name, business email, title, company) is stored only in your workspace, used for your outreach, and is never shared with or reused by any other workspace. We do not store or redistribute Hunter/Apollo data beyond your workspace's own licensed use. Only non-personal company facts (e.g. a domain's industry, or an email-format pattern like "first.last@") may be reused platform-wide.
    • Public profile content — Reddit posts, Hacker News stories + comments, Bluesky posts, Lobsters stories, dev.to articles, YouTube videos, RSS feed items where they match your keywords.
    • Engagement on emails you send: clicks (via tracked links on growthmatic.app), bounces (via SES), complaints (via SES), unsubscribes.
    • We do NOT track email opens. Pixel tracking is unreliable, increasingly blocked, and erodes trust. The platform doesn't ship with open tracking and never will.

    Data we collect automatically

    • Server access logs. HTTP method, path, status, response duration. Request bodies are NOT logged.
    • Standard web request data. IP address, user-agent — used for rate limiting and abuse detection.
    • Cloudflare-edge analytics. Cloudflare provides CDN/DNS/proxy and runs its own infrastructure-level analytics for performance and security. We do not pull these into application logs.
    • Marketing-site analytics (Google Analytics 4). The public marketing pages load Google Analytics 4 (gtag.js), which collects aggregate visit data — pages viewed, approximate location, device/browser. Used to understand traffic, not to profile individuals; no advertising or cross-site retargeting pixels, and GA4 does not run inside your authenticated workspace.

    Sub-processors

    • Amazon Web Services (AWS). Hosting (EC2), database (RDS PostgreSQL), email transport (SES), AI inference (Bedrock — Anthropic Claude models). Region: us-east-1 (US East).
    • Anthropic. Claude models invoked through AWS Bedrock for ICP extraction, content generation, and personalization scoring. Bedrock keeps inference data within AWS-managed infrastructure.
    • Cloudflare. CDN, DNS, edge security, Turnstile bot-challenge on signup.
    • Google (Analytics). Google Analytics 4 measures aggregate marketing-site traffic (gtag.js). Marketing pages only — it doesn't run inside your authenticated workspace. Webfonts are self-hosted, so no font requests reach Google.
    • haveibeenpwned.com. Password breach checking during signup. Only the first 5 characters of your password's SHA-1 hash are sent — k-anonymity. We never send the password.
    • Your configured SMTP provider (if any) — you choose this; we relay through it on your behalf.

    How long we keep data

    • Account data: until you delete your account.
    • Workspace data: until you delete the workspace — cascades to clusters, targets, drafts.
    • Email send audit log: indefinitely (compliance reporting).
    • Suppression lists: indefinitely. Recipients who unsubscribe stay unsubscribed even if you delete the workspace and recreate it. This is intentional — it protects them, not us.
    • Server access logs: 7 days.
    • Failed signup attempts: 30 days (anti-abuse rate limiting).
    • Email-verification + password-reset tokens: stored as SHA-256 hashes; expire 24 hours after issue. The raw token only exists in your inbox.

    How we use your data

    We process your data only to deliver the product you asked for — extracting an ICP from your website, mining sources for matching signals, generating marketing assets, and sending outreach you've reviewed and approved. We do not sell your data. We do not share it with third parties for marketing purposes. We do not use your workspace content to train any external model.

    Email we send on your behalf

    We set the recipient, subject, and body you reviewed; sign with our DKIM key; and route Reply-To back to your account email so prospects reply directly to you. Every outreach footer includes an unsubscribe link. Hard bounces and complaint reports are automatically added to your workspace's suppression list, so a flagged address cannot be re-emailed without explicit operator removal.

    Controller / processor for outreach data

    For outreach you initiate through GrowthMatic, you are the data controller and we are the processor. You are responsible for ensuring you have lawful basis for the outreach (legitimate interest is the typical basis for B2B cold outreach in the EU/EEA — verify for your jurisdiction). We provide the unsubscribe mechanism; you're responsible for honoring it (which our suppression system enforces automatically). We cannot retract emails already sent on your behalf — they live in recipients' inboxes outside our control.

    The same controller/processor split applies to contacts you enrich with your own Hunter.io / Apollo.io key: you are the controller of those contact records and we are the processor, holding them scoped to your workspace only. They are deleted with your workspace/account on the normal retention schedule above.

    Your rights (GDPR Articles 15–22, CCPA)

    If you reside in the EEA, UK, Switzerland, or California, you have the right to access, rectify, erase, restrict processing of, object to the processing of, or receive a portable export of your personal data, and to lodge a complaint with your local data protection authority.

    Two of these rights are self-service from your account settings:

    • Erasure (Article 17). Request account deletion from Account → Danger zone → Delete account. Your account is locked immediately and scheduled for permanent deletion 30 days later. Until that date, you can cancel via the link emailed to you; after that date the deletion is irreversible. On hard deletion we anonymize audit logs (your user ID is removed; the audit trail remains for compliance) and email send history (sender identity anonymized; recipient + content kept). Suppression lists are preserved indefinitely so recipients who unsubscribed stay unsubscribed even after your account is gone.
    • Portability (Article 20). Request a data export from Account → Your data → Download my data. We build a ZIP containing every row of your account + owned-workspace data in both JSON and CSV formats. The archive is uploaded to AWS S3 (private, encrypted, 7-day retention); we email you a 24-hour signed download URL. If the URL expires before you download, you can refresh it from the same page.

    For other rights, or for any of the above where the self-service flow doesn't fit, email [email protected]. We respond within 30 days (usually within a few business days).

    Data breaches

    If we become aware of a breach involving your personal data, we will notify affected users within 72 hours, with what we know at the time and what we're doing about it. Subsequent updates follow as the investigation proceeds.

    Cookies

    We set a single session cookie when you sign in (HttpOnly, SameSite=Lax, Secure in production). The public marketing pages also load Google Analytics 4, which sets its own first-party analytics cookies (e.g. _ga) to measure aggregate traffic. No advertising or cross-site retargeting cookies, and no analytics cookies inside your authenticated workspace.

    Children

    GrowthMatic is not intended for users under 18. We do not knowingly collect data from minors. If you believe a minor has signed up, contact us and we'll delete the account.

    Changes to this policy

    Material changes: 30 days' advance notice via email to registered users. Minor clarifications get a new "Last updated" date here without separate notification.

    Contact

    Questions, requests, or complaints: [email protected].


    This is GrowthMatic's good-faith description of how it handles data, not legal advice. If you operate in a regulated industry or have specific compliance obligations, consult a lawyer. We will re-review this policy with legal counsel before public launch.