Privacy Policy

Last updated: May 31, 2026

This Privacy Policy explains how Get Grown (the “Service”) collects, uses, and protects your personal data when you use getgrown.co and deardesigners.getgrown.co. It is written to comply with the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG).

1. Controller

Ivan Vasin (sole proprietor / Freiberufler)
c/o COCENTER GmbH
Koppoldstr. 1
86551 Aichach, Germany
Email: hello@getgrown.co
Privacy requests: hello@getgrown.co

Full legal notice: /legal-notice (English) · /impressum (German).

2. Data we process

2.1 Anonymous calculator usage

When you use the rate calculator without signing in, we store one row per calculation containing only financial inputs (monthly expenses, tax rate, target margin, billable hours, current rate) and the computed result. No user identifier is attached — anonymous rows cannot be traced back to you. Used solely to compute aggregate market benchmarks.

2.2 Account data (when you sign in)

• Email sign-in: email address only. We send a magic link / one-time code — there is no password.
• Session cookies managed by our auth provider (Supabase).

2.3 Project data (when you create projects)

• Projects: project name, optional client name, hourly rate or fixed price, currency, status.
• Time entries: duration, description, optional client-facing description, billable flag, payment status, date.
• Estimates & phases: hours estimated per role, phase names, notes.
• Payments: amount, date, invoice count, notes; for Stripe-routed payments also the Stripe session ID.
• Planned blocks: weekly schedule entries (date, start/end hour, notes).
• Teams: team name, member display names, invitation tokens.
• Client share links: generated tokens, optional client name, sharing flags.

2.4 Browser storage (localStorage)

We store technically necessary preferences locally: locale, currency, active tab, draft calculator inputs, anonymous free-credit counter, running timer state. No personal data is stored in cookies beyond the sidebar UI state (7-day expiry, non-sensitive).

2.5 Analytics

Vercel Web Analytics — first-party, cookieless aggregate usage statistics (pageviews, top pages, referrers, custom conversion events). No tracking cookies, no cross-site identifiers, no session recording, no per-user profiles. Personal data is not collected; pageviews are aggregated server-side.

Because Vercel Web Analytics is cookieless and does not store information on your device for tracking purposes, it falls outside the consent requirement of TTDSG § 25 — no cookie banner is necessary.

2.6 Google sign-in & Google Calendar (optional)

You may sign in with your Google account. When you do, we receive only your email address, name and profile picture from Google to create and identify your account — the same data as email sign-in, nothing more.

Calendar (opt-in only): if — and only if — you explicitly turn on the calendar connection, we additionally request read-only access to your calendar events (calendar.events.readonly). We use it for a single purpose: to read the title, date and time of your events so we can surface them in your work journal as suggested time entries. We do not modify, create or delete any calendar event, and we do not access any other Google data (Gmail, Drive, Contacts, etc.).

Calendar data is processed only to populate the journal; the access (refresh) token is stored encrypted by Supabase so the connection persists until you revoke it. You can revoke access at any time in your Google Account → Third-party access, or by disconnecting the calendar inside Get Grown. We never sell Google user data, never use it for advertising, and never transfer it to anyone except the infrastructure sub-processors listed in section 4.

Limited Use disclosure. Get Grown's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

3. Legal bases (Art. 6 GDPR)

• Contract (Art. 6(1)(b)): account, projects, time entries, payments, teams, share links — required to provide the service you signed up for.
• Legitimate interest (Art. 6(1)(f)): anonymous calculator data, security logs, abuse prevention.
• Consent (Art. 6(1)(a)): AI features that send text to Anthropic on your explicit action — rewriting of work-log descriptions and the in-app AI help assistant. (Vercel Web Analytics is cookieless and needs no consent — see 2.5.)
• Legal obligation (Art. 6(1)(c)): tax records retained per German commercial law (HGB §257, AO §147 — 6 to 10 years).

4. Sub-processors

We rely on the following third-party services to operate Get Grown. A data processing agreement (DPA) under Art. 28 GDPR is in place with each.

Service	Purpose	Region	Transfer basis
Supabase Inc.	Database hosting, authentication, file storage	EU (Frankfurt)	EEA — no transfer
Vercel Inc.	Hosting, CDN, serverless functions, access logs, cookieless web analytics	USA	SCCs + EU-US DPF
Google LLC	Google sign-in (OAuth) and, only if you opt in, read-only Google Calendar access	USA	SCCs + EU-US DPF
ImprovMX SAS	Email forwarding for hello@getgrown.co → our inbox	France (EU)	EEA — no transfer
Resend.com (Drest, Inc.)	Transactional email delivery (account notifications, share-link emails)	USA	SCCs + EU-US DPF
Stripe Payments Europe	Payment processing (only when you check out)	EU (Ireland)	EEA — no transfer
Anthropic PBC	AI rewriting of work-log descriptions, and the in-app AI help assistant (only when you trigger them)	USA	SCCs

Sensitive note on Anthropic: when you use the "AI Rewrite" feature on a work log, the description text is sent to Anthropic's servers in the USA for processing. The text may contain client and project context. We do this only on your explicit click; we never auto-rewrite. If you prefer to keep descriptions in-house, simply do not click the rewrite button.

AI assistant ("Ask AIvan") — two modes:

• Not signed in (public help widget): only the question text and your interface language are sent to Anthropic — no account ID, email or stored project data. If you have entered numbers into the calculator in that session, those calculator values may be sent with the question so the answer can reference them; nothing is read from an account, because there is none.
• Signed in (in-app coach): to give advice grounded in your own situation, when you open the assistant and send a message we send Anthropic a snapshot of your account context together with the question. This can include your calculator inputs and rate, your project names, client names, payment totals, and a display name derived from your email. This happens only when you actively open the assistant and ask — never in the background.

In both cases the data is processed in the USA (under the safeguards in section 8) solely to generate an answer, and is not used to build a profile of you. It is an automated assistant (clearly labelled as AI); for anything important, write to hello@getgrown.co.

5. Storage duration

• Account & project data: until you delete your account.
• Anonymous calculator entries: 90 days, then automatically purged.
• Tax-relevant records (payments, invoices): 10 years (German tax law).
• Aggregate analytics (Vercel): up to 12 months, no per-user identifiers.
• Server logs: rotating, max 30 days at Vercel.

6. Your rights (Art. 15–22 GDPR)

You have the right to:

• Access (Art. 15) — get a copy of all data we hold on you.
• Rectification (Art. 16) — correct inaccurate data.
• Erasure (Art. 17) — delete your account and all associated data; use the in-app "Delete Account" button or email hello@getgrown.co.
• Restriction (Art. 18) — limit processing.
• Portability (Art. 20) — download your data as JSON.
• Object (Art. 21) — object to processing based on legitimate interest.
• Withdraw consent (Art. 7(3)) — for processing based on consent (notably AI rewriting via Anthropic), at any time by emailing us; withdrawal does not affect prior processing.

We respond to requests within 30 days. There is no fee unless requests are manifestly unfounded or excessive.

7. Right to complain (Art. 77 GDPR)

You may lodge a complaint with the data protection authority of your habitual residence, place of work, or place of the alleged infringement. The supervisory authority responsible for Get Grown (Aichach, Bavaria) is:

Bayerisches Landesamt für Datenschutzaufsicht (BayLDA)
Promenade 18, 91522 Ansbach, Germany
www.lda.bayern.de

8. International transfers

Where we transfer personal data outside the EEA (notably to Vercel, Anthropic and Resend in the USA), we rely on:

• EU Commission's Standard Contractual Clauses (SCCs);
• where available, the EU-US Data Privacy Framework;
• Transfer Impact Assessments where required.

9. Security

All traffic is encrypted via HTTPS/TLS. Database access uses row-level security policies so users can only read their own data. Session tokens are stored in HttpOnly cookies. Personalausweis copies submitted for service-address verification are encrypted at rest at our virtual-office provider (Anschrift.net / COCENTER GmbH).

10. Changes to this policy

We may update this policy as the service evolves. The "Last updated" date at the top reflects the latest revision. Material changes will be notified via email or an in-app banner.