GROWSTART AI - DATA PROCESSING & SECURITY TERMS
| Document Title | Data Processing and Security Terms |
|---|---|
| Issued By | HEX64 InfoSolutions Private Limited |
| Platform | GrowStart AI (growstart.ai) |
| Version | 1.0 |
| Effective Date | 30.06.2026 |
| Jurisdiction | Republic of India |
| Primary Framework | Digital Personal Data Protection Act, 2023; IT Act, 2000; IT (SPDI) Rules, 2011 |
| Read with | Terms and Conditions; Privacy Policy; DPDP Compliance Notice |
These Data Processing and Security Terms ("DPT") govern the processing of Customer Data by HEX64 InfoSolutions Private Limited as Data Processor on behalf of Users who are Data Fiduciaries under the Digital Personal Data Protection Act, 2023. They form part of the binding agreement between the Company and the User. These Terms should be read alongside the Privacy Policy, Terms and Conditions, and DPDP Compliance Notice.
1 SCOPE, PURPOSE AND APPLICABILITY
1.1.These Data Processing and Security Terms ("DPT" or "these Terms") are issued by HEX64 InfoSolutions Private Limited ("the Company"), the operator of the GrowStart AI platform at https://growstart.ai/ ("the Platform"), and govern the relationship between the Company and Users in respect of the processing of Customer Data.
1.2.These Terms apply specifically where a User uploads, inputs, or otherwise makes available Customer Data to the Platform for the purpose of using any of the following Features:
•the Lead Manager, in respect of lead contact data and interaction history;
•the Email Campaign Builder, in respect of customer email lists and associated personal data;
•the WhatsApp Campaigns feature, in respect of contact lists and campaign audience data;
•the AI Chat Assistant, in respect of personal data submitted by End Customers in the course of automated chat interactions;
•the GBP Optimizer, in respect of business profile data accessed via OAuth from Google Business Profile;
•the Review Reply Generator, in respect of review content (which may contain personal data of reviewers) submitted by the User;
•any other Feature through which the User submits or enables the processing of third-party personal data.
1.3.These Terms are issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 ("SPDI Rules"), and the Information Technology Act, 2000.
1.4.These Terms are incorporated into and form part of the Terms and Conditions of Service. In the event of conflict between these Terms and the main Terms and Conditions on a data processing matter, these Terms shall prevail.
2 DEFINITIONS
In these Terms, the following definitions apply in addition to the definitions in the Terms and Conditions:
•"Applicable Data Protection Law" means the DPDP Act, the IT Act, 2000, the SPDI Rules, and all other applicable Indian laws and regulations relating to personal data protection, as amended from time to time.
•"Customer Data" means all personal data of a User's customers, leads, End Customers, or other third parties that is uploaded, inputted, or otherwise transferred into the Platform by or on behalf of the User, or that is collected by the Platform at the User's direction (including through the AI Chat Assistant).
•"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data transmitted, stored, or otherwise processed under these Terms.
•"Data Fiduciary" means the User, who determines the purposes and means of processing Customer Data.
•"Data Processor" means the Company, which processes Customer Data on behalf of and under the instructions of the User (Data Fiduciary).
•"Data Principal" means the individual whose personal data forms part of the Customer Data.
•"Processing" means any operation performed on Customer Data, including collection, recording, storage, use, disclosure, AI inference, and deletion.
•"Sub-Processor" means any third party engaged by the Company to process Customer Data on behalf of the User, as listed in Schedule 1 to these Terms.
3 ROLES AND RESPONSIBILITIES
3.1.The User as Data Fiduciary
As Data Fiduciary, the User is solely responsible for:
•determining the purposes for which Customer Data is collected and processed;
•ensuring that Customer Data is collected lawfully and with all necessary consents from Data Principals under Applicable Data Protection Law;
•providing all required notices to Data Principals regarding the collection and processing of their personal data, including disclosure that their data may be processed by third-party AI services;
•ensuring that the uploading and processing of Customer Data through the Platform is legally permissible in the User's jurisdiction;
•responding to all rights requests from Data Principals in relation to Customer Data;
•ensuring that all Customer Data uploaded to the Platform is accurate and up to date;
•ensuring that sensitive personal data (as defined under Applicable Data Protection Law) is not uploaded to the Platform unless strictly necessary and only where explicit consent from the relevant Data Principal has been obtained;
•ensuring compliance with Applicable Data Protection Law in all respects with regard to Customer Data.
3.2.The Company as Data Processor
As Data Processor, the Company will:
•process Customer Data only on the documented instructions of the User and only to the extent necessary to deliver the Feature requested by the User;
•not process Customer Data for any purpose other than delivering the Platform's services to the User;
•not use Customer Data for the Company's own commercial purposes, including marketing, advertising, or analytics beyond what is necessary to deliver the Platform's services;
•implement and maintain appropriate technical and organisational security measures as described in Section 7 of these Terms;
•ensure that persons authorised to process Customer Data are bound by appropriate confidentiality obligations;
•assist the User, to the extent reasonably practicable, in fulfilling the User's obligations to respond to rights requests from Data Principals, in accordance with Section 9 of these Terms;
•notify the User of any Data Breach affecting Customer Data in accordance with Section 10 of these Terms;
•engage Sub-Processors only in accordance with Section 6 of these Terms;
•delete or return Customer Data upon termination of the User's account or written request, in accordance with Section 11 of these Terms.
4 PROCESSING ACTIVITIES
4.1.The following table sets out the specific processing activities conducted by the Company as Data Processor, the categories of Customer Data involved, the purpose of processing, and the Sub-Processors engaged:
| Processing Activity | Categories of Customer Data | Purpose | Legal Basis (Processor) | Sub-Processor |
|---|---|---|---|---|
| Lead Manager AI Follow-up Generation | Lead names, contact numbers, email addresses, lead source, lead status, interaction notes | Generating personalised follow-up messages for the User's leads | User's documented instruction | Anthropic, PBC (AI inference) |
| Email Campaign Builder | Customer email addresses, names, tags, segmentation data uploaded by User | Generating personalised bulk email campaign content on User's instruction | User's documented instruction | Anthropic, PBC (AI inference) |
| WhatsApp Campaigns | Contact names, phone numbers, campaign audience lists uploaded by User | Generating campaign content; facilitating campaign distribution as instructed by User | User's documented instruction | Anthropic, PBC (AI inference) |
| AI Chat Assistant - End Customer Interactions | Queries submitted by End Customers; names or contact details if voluntarily provided; interaction logs | Generating real-time responses to End Customer queries on the User's behalf | User's documented instruction | Anthropic, PBC (AI inference) |
| GBP Optimizer- Business Profile Data | Business name, address, category, services, operating hours, images as uploaded or OAuth-accessed from Google | AI-assisted optimisation and auto-posting of Google Business Profile | User's documented instruction; OAuth consent | Anthropic, PBC (AI inference); Google LLC (GBP API) |
| Review Reply Generator | Google review text (may contain reviewer names, review content) pasted by User | Generating professional reply content for User's review responses | User's documented instruction | Anthropic, PBC (AI inference) |
4.2.The Company will not process Customer Data in a manner inconsistent with the purposes set out in the table above without obtaining further documented instructions from the User or, where required by Applicable Data Protection Law, without an independent legal basis for doing so.
4.3.Where the Company receives a request or direction from a government authority or regulator to process or disclose Customer Data in a manner not covered by the User's instructions, the Company will:
•promptly notify the User of such request to the extent permitted by law; and
•co-operate with the User in determining an appropriate response, within the bounds of applicable legal requirements.
5 LAWFUL BASIS AND DOCUMENTED INSTRUCTIONS
5.1.The Company processes Customer Data as a Data Processor solely on the basis of the User's instructions. The User's instructions are constituted by:
•the User's acceptance of these Terms and the Terms and Conditions of Service, which together document the scope, purpose, and nature of the processing;
•the User's specific actions on the Platform including uploading a customer list, enabling the AI Chat Assistant, or triggering an AI content generation request which constitute real-time processing instructions;
•any additional written instructions provided by the User to the Company via grievance@growstart.ai , which shall be documented and retained.
5.2.If the Company is of the view that a User's instruction would require the Company to act in a manner that violates Applicable Data Protection Law, the Company will notify the User of that concern and may decline to act on the instruction. The Company shall not be liable for any consequence of declining to follow an unlawful instruction.
5.3.The User represents and warrants that the instructions it provides to the Company for processing Customer Data are lawful and in compliance with Applicable Data Protection Law, and that the User has the authority to give such instructions.
6 SUB-PROCESSORS
6.1.Authorisation:
The User hereby provides general authorisation to the Company to engage the Sub-Processors listed in Schedule 1 to these Terms for the purposes and processing activities described therein. The User's acceptance of these Terms constitutes the User's documented consent to the engagement of such Sub-Processors.
6.2.Sub-Processor Obligations:
The Company will ensure that each Sub-Processor is bound by data processing obligations that are equivalent in substance to those imposed on the Company under these Terms. The Company remains responsible to the User for the performance of each Sub-Processor's obligations to the extent that the Company has directed the Sub-Processor's processing activities.
6.3.Cross-Border Sub-Processing – Anthropic
Anthropic, PBC is engaged as a Sub-Processor for AI inference processing. Anthropic is incorporated in the United States of America. Customer Data transmitted to Anthropic's API for AI processing constitutes a cross-border transfer of personal data outside India. The User consents to this cross-border transfer by accepting these Terms and using the Platform's AI-powered Features. The User is responsible for ensuring that such transfer is lawful in relation to Customer Data that the User has collected and holds as Data Fiduciary.
6.4.Changes to Sub-Processors
The Company will provide not less than fourteen (14) days' advance written notice to the User before engaging any new Sub-Processor or making a material change to the processing activities of an existing Sub-Processor. Notice will be provided through the Platform or by email to the User's registered email address. If the User objects to a new Sub-Processor, the User may terminate their Subscription without penalty by written notice to the Company within the fourteen-day notice period. Continued use of the Platform after the notice period constitutes acceptance of the new Sub-Processor.
Schedule 1 - Approved Sub-Processors
| Sub-Processor | Jurisdiction | Processing Activity | Data Categories Processed |
|---|---|---|---|
| Anthropic, PBC | United States of America | AI inference - generates AI outputs from User prompts and Customer Data inputs | User prompts; Customer Data (leads, email lists, review text, business data); End Customer chat queries |
| Cloud Infrastructure Provider (Mumbai) | India (Mumbai) | Hosting, storage, and infrastructure services for all Platform data | All Platform data, including User Account data and Customer Data at rest |
| Razorpay Software Pvt. Ltd. | India | Payment processing and subscription management | Transaction metadata; payment method details (held by Razorpay, not shared with Company) |
| Google LLC (GBP API) | United States of America | Google Business Profile API access via OAuth for GBP Optimizer and auto-post features | Google Business Profile data accessed via OAuth; post content submitted by Platform |
7 TECHNICAL AND ORGANISATIONAL SECURITY MEASURES
7.1.The Company implements and maintains appropriate technical and organisational measures to ensure a level of security appropriate to the risk of processing Customer Data. These measures are designed to meet the requirements of the SPDI Rules and the DPDP Act and include the measures set out in the table below.
| Security Domain | Measures Implemented |
|---|---|
| Encryption in Transit | All data transmitted between the User's device and the Platform is encrypted using TLS 1.2 or higher. All API communications with third-party service providers (including Anthropic's API and Razorpay) are conducted over encrypted channels. |
| Encryption at Rest | Personal data and Customer Data stored on the Platform's Mumbai-based cloud infrastructure is encrypted at rest using AES-256 or equivalent industry-standard encryption. |
| Access Controls | Access to personal data and Customer Data is restricted to authorised personnel on a role-based, need-to-know basis. Access privileges are reviewed periodically. Administrative access requires multi-factor authentication. |
| Authentication Security | User passwords are stored using bcrypt or equivalent one-way hashing with salt. Plaintext passwords are never stored. Brute-force protections and account lockout mechanisms are implemented. |
| Infrastructure Security | The Platform is hosted on managed cloud infrastructure in Mumbai, India. Infrastructure-level security controls, including firewalls, intrusion detection, and vulnerability patching, are maintained in accordance with the cloud provider's security standards. |
| API Security | All API endpoints are protected by authentication tokens and rate limiting. OAuth tokens for Google Business Profile integration are stored encrypted and scoped to the minimum permissions required for the Feature. |
| Vulnerability Management | The Company conducts periodic vulnerability assessments and security reviews of the Platform. Critical security patches are applied promptly upon identification. |
| Data Minimisation | The Company transmits to Anthropic's API only the minimum data necessary to generate the requested AI output. Account credentials, payment data, and OAuth tokens are never transmitted to Anthropic. |
| Employee Confidentiality | All employees, contractors, and personnel with access to personal data are bound by confidentiality obligations. Personnel with access to personal data receive data protection awareness training. |
| Incident Response | The Company maintains an internal incident response procedure for personal data breaches, including containment, assessment, notification, and post-incident review steps, consistent with DPDP Act requirements. |
7.2.The Company reserves the right to update, modify, or replace security measures from time to time, provided that any replacement measures provide an equivalent or higher level of protection than those replaced.
7.3.The security measures described in this Section apply to the Company's own infrastructure. Security measures applicable to Anthropic's API processing, Google's GBP API, and Razorpay's payment processing infrastructure are the responsibility of the respective Sub-Processors and are governed by their own security frameworks and certifications.
7.4.The User acknowledges that no security system is impenetrable. The Company's security obligations under these Terms are obligations of means (implementing reasonable measures), not of result (guaranteeing the prevention of all breaches). The Company shall not be liable for Data Breaches arising from circumstances beyond its reasonable control, including failures of Sub-Processors or infrastructure providers, sophisticated cyberattacks that overcome reasonable security measures, or User-side security failures.
8 DATA MINIMISATION AND PURPOSE LIMITATION
8.1.The Company will process only such Customer Data as is strictly necessary for the delivery of the Feature requested by the User. The Company will not request or encourage Users to upload Customer Data in excess of what is required for the relevant Feature.
8.2.In particular, the following data minimisation principles are applied to Anthropic API calls:
•Only the content of the User's prompt which may include Customer Data to the extent provided by the User is transmitted to Anthropic. No additional User Account data, payment data, OAuth credentials, or unrelated personal data is transmitted.
•The Company does not intentionally transmit sensitive personal data to Anthropic. Users are instructed not to include sensitive personal data in prompts unless strictly necessary.
•The Company does not use Customer Data processed through the Platform to train, fine-tune, or improve its own AI models.
8.3.The Company will not retain Customer Data beyond the periods specified in Section 11 of these Terms and in the Privacy Policy, and will not repurpose Customer Data for uses inconsistent with these Terms.
9 ASSISTANCE WITH DATA PRINCIPAL RIGHTS
9.1.The User, as Data Fiduciary, is responsible for responding to rights requests from Data Principals (including requests for information, correction, erasure, and grievance redressal) in relation to Customer Data.
9.2.The Company will, to the extent reasonably practicable and within the limits of its technical capabilities as Data Processor, provide the User with reasonable assistance in responding to such rights requests, including:
•confirming what Customer Data is held within the Platform at a given time;
•providing the User with a data extract of Customer Data held on the Platform upon written request;
•correcting or deleting specific records of Customer Data within the Platform upon the User's written instruction;
•providing information about the technical infrastructure and security measures relevant to a Data Principal's inquiry.
9.3.Where a Data Principal contacts the Company directly with a rights request in relation to Customer Data (as opposed to the User's own data), the Company will promptly notify the User and refer the request to the User for handling. The Company is not the Data Fiduciary for Customer Data and cannot independently fulfil rights requests in respect of Customer Data.
9.4.The Company will not charge the User for reasonable assistance with Data Principal rights requests. Requests that are excessive, repetitive, or technically complex may be subject to additional charges by agreement.
10 DATA BREACH NOTIFICATION AND RESPONSE
10.1.In the event of a Data Breach affecting Customer Data, the Company will:
•notify the User without undue delay, and in any event within seventy-two (72) hours of becoming aware of the Data Breach (to the extent reasonably practicable), by written communication to the User's registered email address;
•provide, in the initial notification or as soon as the information is available, the following details: the nature of the Data Breach; the categories and approximate number of Data Principals and Customer Data records affected; the likely consequences of the Data Breach; and the measures taken or proposed to address the Breach.
10.2.The Company will co-operate with the User in investigating the Data Breach and will provide such information as is within the Company's possession and control to assist the User in:
•notifying the Data Protection Board of India, if required under the DPDP Act;
•notifying affected Data Principals, if required or appropriate;
•implementing remedial measures to prevent recurrence.
10.3.Notwithstanding the above, the Company's breach notification obligations under these Terms are in addition to, and do not limit, the Company's own regulatory obligations to report data breaches to the Data Protection Board of India in accordance with the DPDP Act.
10.4.The Company shall not be liable for Data Breaches:
•caused by the User's own security failures, including weak credentials, unauthorised sharing of access credentials, or the User's failure to update software or systems;
•arising from vulnerabilities in Sub-Processors' systems that are beyond the Company's reasonable control;
•arising from force majeure events as defined in the Terms and Conditions.
11 RETENTION AND DELETION OF CUSTOMER DATA
11.1.The Company will retain Customer Data for no longer than is necessary to deliver the Feature for which the data was uploaded, or as otherwise required by Applicable Data Protection Law.
11.2.The following retention periods apply to Customer Data:
| Customer Data Category | Retention Period | Deletion Trigger |
|---|---|---|
| Lead pipeline data (Lead Manager) | Duration of active account + 30 days post-termination | Account deletion; User deletion request |
| Email and WhatsApp campaign lists | Duration of active account + 30 days post-termination | Account deletion; User deletion request |
| AI Chat Assistant interaction logs | 90 days from date of interaction | Automatic expiry; or account deletion |
| Google review text (Review Reply Generator) | Not retained - processed in session only | Not stored beyond the generation session |
| GBP profile data (via OAuth) | Duration of OAuth authorisation; deleted upon OAuth revocation or account deletion | OAuth revocation; account deletion |
11.3.Upon the termination of a User's account or upon receipt of a valid written deletion request, the Company will:
•delete or anonymise all Customer Data held within the Platform within thirty (30) days of the termination or request date, except where retention is required by Applicable Data Protection Law;
•take reasonable steps to procure deletion of Customer Data transmitted to Sub-Processors, to the extent permitted by each Sub-Processor's data retention policies;
•provide the User with written confirmation of deletion upon request.
11.4.Anthropic's data retention: Data transmitted to Anthropic's API for processing is subject to Anthropic's API data retention policy. The Company does not control Anthropic's independent data retention practices. The Company will use commercially reasonable efforts to ensure that Anthropic does not retain Customer Data beyond the periods required for inference processing, in accordance with the Company's API usage agreement with Anthropic.
12 USER'S OBLIGATIONS AND WARRANTIES AS DATA FIDUCIARY
12.1.The User represents, warrants, and undertakes to the Company that:
•all Customer Data uploaded to the Platform has been lawfully collected by the User in compliance with Applicable Data Protection Law;
•the User has obtained all necessary consents from Data Principals to enable the processing activities described in these Terms, including the cross-border transfer of Customer Data to Anthropic's API in the United States;
•the User has made all required disclosures to Data Principals about the processing of their personal data, including that their data may be processed by AI systems;
•the User will not upload Sensitive Personal Data to the Platform (including financial account details, health data, biometric data, or government identification numbers) unless the User has obtained explicit consent from the relevant Data Principals and has notified the Company;
•the User will ensure that any Customer Data uploaded to the Platform is accurate and that it will promptly correct or delete inaccurate Customer Data;
•the User's instructions to the Company for the processing of Customer Data are and will remain lawful;
•the User will comply with all applicable laws governing commercial communications, including the Telecom Commercial Communications Customer Preference Regulations, 2018, in connection with WhatsApp and email campaigns.
12.2.The User indemnifies and holds harmless the Company from and against all claims, losses, damages, regulatory penalties, costs, and expenses arising from the User's breach of any warranty or obligation in this Section 12 or arising from the User's failure to comply with Applicable Data Protection Law as Data Fiduciary.
13 AUDIT AND COMPLIANCE
13.1.The Company will make available to the User, upon reasonable written request and no more than once per calendar year, such information as is reasonably necessary to demonstrate the Company's compliance with its obligations as Data Processor under these Terms.
13.2.The User may request, and the Company will co-operate with, a security assessment or audit of the Company's data processing activities, provided that:
•the User gives not less than thirty (30) days' advance written notice;
•the audit is conducted during normal business hours and in a manner that does not unreasonably disrupt the Company's operations;
•the audit scope is limited to the Company's processing of Customer Data under these Terms;
•the costs of the audit are borne by the User, unless the audit reveals a material breach of these Terms by the Company.
13.3.The Company may satisfy its audit obligations by providing the User with a current third-party security certification or audit report (such as ISO 27001 or SOC 2, if applicable) in lieu of a bespoke audit, provided such certification covers the relevant processing activities.
14 TERM AND TERMINATION
14.1.These Terms take effect on the date the User accepts the Terms and Conditions and continue for the duration of the User's Subscription to the Platform.
14.2.These Terms automatically terminate upon the termination of the User's Subscription or account, for any reason. Termination of these Terms does not affect:
•any accrued rights or obligations of either party;
•the User's indemnification obligations under Section 12;
•the Company's data deletion obligations under Section 11, which survive termination.
14.3.Clauses relating to confidentiality, security obligations in respect of retained data, limitation of liability, indemnification, and governing law survive termination of these Terms.
15 LIMITATION OF LIABILITY
15.1.The Company's liability in connection with any Data Breach, failure to comply with these Terms, or any other claim arising under these Terms is subject to the limitation of liability provisions set out in Clause 11 of the Terms and Conditions of Service.
15.2.In particular, the Company shall not be liable for:
•Data Breaches or processing failures caused by the User's own negligence, including failures to maintain secure credentials, failure to promptly revoke OAuth access upon suspicion of compromise, or uploading unlawfully obtained Customer Data;
•any regulatory penalty, fine, or sanction imposed on the User as Data Fiduciary by any data protection authority;
•any claim by a Data Principal against the User arising from the User's failure to comply with its obligations as Data Fiduciary;
•any processing failure attributable to a Sub-Processor beyond the Company's reasonable control.
16 GOVERNING LAW
16.1.These Terms are governed by the laws of the Republic of India. Any dispute arising under these Terms shall be resolved in accordance with the dispute resolution provisions in Clause 16 of the Terms and Conditions of Service.