Privacy Policy
Last updated: May 10, 2025 · Effective date: May 10, 2025
This Privacy Policy explains how Grow Contact LLC (“Grow,” “we,” “us,” or “our”) collects, uses, discloses, and protects personal data in connection with our AI-powered recruiting platform and website at grow.contact. We are incorporated in Iceland and process data subject to the General Data Protection Regulation (GDPR) and, where applicable, the California Consumer Privacy Act (CCPA).
Contents
1. Who we are
Data Controller: Grow Contact LLC, registered in Iceland.
Contact: gudmundur@grow.contact
Grow provides an AI-powered talent operating system that helps companies source candidates, conduct async screening, run AI-assisted interviews, and predict hiring outcomes. As the data controller, Grow determines the purposes and means of processing personal data on the platform. Where Grow processes candidate data on behalf of its business customers, those customers are the data controller and Grow acts as a data processor under a separate Data Processing Agreement (DPA).
2. Data we collect
2.1 Account and registration data
When you create a Grow account or request a demo, we collect information you provide directly:
- Full name and professional title
- Work email address and password (hashed)
- Company name and size
- Billing name and address (processed by our payment provider)
2.2 Candidate profile data
If you use Grow to manage recruiting, you or the platform may collect the following data about candidates:
- Name, contact details, and professional history (resume / LinkedIn profile)
- Application materials, cover letters, and portfolio links
- Async screening responses (video, text, or code submissions)
- Interview transcripts and associated metadata
- AI-generated scores, summaries, and competency assessments
- Predicted outcomes such as offer acceptance and retention scores
Business customers are responsible for ensuring they have a lawful basis to collect and share candidate data with Grow.
2.3 Communication data
Our platform can send and receive email on your behalf using our email infrastructure provider. We store:
- Outbound and inbound email content and metadata (to, from, subject, timestamp)
- Email open and click events for sequence tracking
- Candidate reply content
2.4 Meeting and recording data
When you use the Interview Copilot feature, Grow integrates with video-conferencing platforms via Recall.ai. This involves:
- Audio and video recordings of interviews (with participant consent)
- Real-time transcription of interview audio
- Metadata such as meeting ID, participants, and duration
- AI-generated suggestions and post-interview scorecards derived from recordings
You are responsible for informing interview participants that recordings may occur and obtaining appropriate consent before enabling this feature.
2.5 Usage and technical data
We automatically collect certain data when you use our platform or visit our website:
- IP address and approximate geographic location (country/region)
- Browser type, operating system, and device type
- Pages viewed, clicks, and session duration
- Referral URLs and UTM campaign parameters
- Error logs and performance diagnostics
3. How we use your data
We use personal data for the following purposes:
- Providing, operating, and maintaining the Grow platform and its features
- Processing account registrations, managing subscriptions, and handling billing
- Enabling AI-powered sourcing, screening, interview assistance, and analytics features
- Sending transactional emails (account confirmations, password resets, billing receipts)
- Sending product-related communications where you have opted in
- Improving and training our AI models on aggregate, anonymized patterns — never on individual identifiable data without consent
- Detecting and preventing fraud, abuse, and security incidents
- Complying with legal obligations under Icelandic law and the GDPR
- Enforcing our Terms of Service and protecting our rights and property
- Responding to lawful requests from competent authorities
We do not sell personal data to third parties. We do not use candidate data for purposes unrelated to the services you have engaged us to provide.
4. Legal bases for processing (GDPR)
Where the GDPR applies, we rely on the following legal bases for processing personal data:
| Processing activity | Legal basis |
|---|---|
| Account creation and service delivery | Performance of a contract (Art. 6(1)(b)) |
| Billing and payment processing | Performance of a contract (Art. 6(1)(b)) |
| Security, fraud prevention, and abuse detection | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and improvement | Legitimate interests (Art. 6(1)(f)) |
| Marketing communications to existing customers | Legitimate interests (Art. 6(1)(f)) |
| Marketing to new contacts who have opted in | Consent (Art. 6(1)(a)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
| Interview recordings with candidate consent | Consent (Art. 6(1)(a)) |
| Processing special category data (if applicable) | Explicit consent (Art. 9(2)(a)) |
Where we rely on legitimate interests, you have the right to object to that processing. Please contact us at gudmundur@grow.contact to exercise that right.
5. Sub-processors and third parties
Grow uses the following third-party sub-processors to operate the platform. Each processor is bound by a data processing agreement consistent with GDPR requirements.
| Processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database hosting, authentication, and file storage | USA (EU region available) |
| Resend, Inc. | Transactional email delivery | USA |
| Recall.ai | Meeting bot integration, recording, and transcription | USA |
| OpenRouter, Inc. | AI model routing and inference | USA |
| Vercel, Inc. | Website and application hosting | USA / Global edge |
We may also disclose data to: (a) professional advisors such as lawyers and accountants under confidentiality obligations; (b) law enforcement or regulators where required by law; (c) a successor entity in the event of a merger, acquisition, or sale of assets, subject to standard data protection commitments.
6. International data transfers
Grow is incorporated in Iceland, which is part of the European Economic Area (EEA). Our sub-processors are predominantly based in the United States. Where we transfer personal data outside the EEA, we rely on appropriate safeguards under GDPR Chapter V, including:
- European Commission Standard Contractual Clauses (SCCs) incorporated into our sub-processor agreements
- Adequacy decisions where applicable
- Supplementary technical and organizational measures where required
You may request a copy of the relevant transfer safeguards by contacting us at gudmundur@grow.contact.
7. Data retention
We retain personal data only as long as necessary for the purposes described in this policy, or as required by law.
| Data category | Retention period |
|---|---|
| Active account data | Duration of account plus 30 days after deletion request |
| Candidate profiles and screening data | Duration of customer subscription plus 90 days |
| Interview recordings and transcripts | 90 days after interview date, or earlier on request |
| Email communication logs | 12 months from collection |
| Billing and invoice records | 7 years (Icelandic accounting law) |
| Server logs and usage analytics | 90 days |
| Backup data | 30 days after the primary data deletion cycle |
After the applicable retention period, data is securely deleted or anonymized so that it can no longer be attributed to an identified individual.
8. Your rights
8.1 Rights under the GDPR (EEA and UK residents)
If you are located in the EEA or the United Kingdom, you have the following rights with respect to your personal data:
- Right of access (Art. 15): request a copy of the personal data we hold about you
- Right to rectification (Art. 16): correct inaccurate or incomplete data
- Right to erasure (Art. 17): request deletion of your data where no legal basis for retention exists
- Right to restriction (Art. 18): limit how we process your data while a dispute is pending
- Right to data portability (Art. 20): receive your data in a machine-readable format
- Right to object (Art. 21): object to processing based on legitimate interests or for direct marketing
- Rights related to automated decision-making (Art. 22): not to be subject to solely automated decisions with significant legal effect without human review
- Right to withdraw consent: where processing is based on consent, you may withdraw at any time without affecting prior processing
You also have the right to lodge a complaint with the Icelandic Data Protection Authority (Persónuvernd) at www.personuvernd.is.
8.2 Rights under the CCPA (California residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act:
- Right to know: request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell
- Right to delete: request deletion of your personal information, subject to certain exceptions
- Right to opt out of sale: we do not sell personal information; this right is not currently applicable
- Right to non-discrimination: we will not discriminate against you for exercising your CCPA rights
- Right to correct: request correction of inaccurate personal information
- Right to limit use of sensitive personal information: limit our use of sensitive personal information to what is necessary for the service
To submit a CCPA request, email us at gudmundur@grow.contact with the subject line “CCPA Request.” We will respond within 45 days.
8.3 How to exercise your rights
To exercise any of the rights above, contact us at gudmundur@grow.contact. We may ask you to verify your identity before acting on a request. We will respond within 30 days (or as required by applicable law). If your request is complex or numerous, we may extend the period by a further 60 days and will notify you accordingly.
If you are a candidate whose data is processed by a Grow customer, please direct your request to that customer (your prospective employer), who is the data controller for that processing.
10. Data security
We implement technical and organizational measures appropriate to the risk, including:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
- Access controls with role-based permissions and multi-factor authentication for team members
- Regular security reviews and dependency patching
- Logging and monitoring of access to personal data
- Incident response procedures with data breach notification to supervisory authorities within 72 hours where required
No security measures are 100% effective. If you believe your account has been compromised, contact us immediately at gudmundur@grow.contact.
11. Children's privacy
Grow is a B2B platform intended for use by businesses and their employees. We do not knowingly collect personal data from individuals under the age of 16. If you believe a child has provided data to us, contact us immediately and we will take steps to delete it.
12. Changes to this policy
We may update this Privacy Policy from time to time. We will notify registered users by email and update the “Last updated” date at the top of this page. Continued use of the platform after the effective date of a revised policy constitutes acceptance of the updated terms. For material changes, we will provide at least 30 days’ advance notice where required by law.
13. Contact us
For any questions, concerns, or requests related to this Privacy Policy or our data practices, contact our Data Protection contact: