PRIVACY POLICY – GROWSTART AI
| Document Title | Privacy Policy |
|---|---|
| Issued By | HEX64 InfoSolutions Private Limited |
| Platform | GrowStart AI (growstart.ai) |
| Version | 1.0 |
| Effective Date | 24.06.2026 |
This Privacy Policy describes how HEX64 InfoSolutions Private Limited collects, uses, stores, shares, and protects your personal data when you use the GrowStart AI platform. Please read this policy carefully. By using the Platform, you consent to the practices described herein.
1 ABOUT THIS POLICY AND THE COMPANY
1.1.This Privacy Policy is published by HEX64 InfoSolutions Private Limited ("the Company", "we", "us", or "our"), the entity responsible for operating the GrowStart AI platform accessible at https://growstart.ai/ ("the Platform"). The Company is registered under the Companies Act, 2013, with its registered office at B-23, Sector 63, Noida, Gautam Buddha Nagar, Uttar Pradesh - 201301, India.
1.2.This Privacy Policy governs the collection, use, storage, sharing, and protection of personal data in connection with the Platform. It is issued in compliance with the Digital Personal Data Protection Act, 2023 ("DPDP Act"), the Information Technology Act, 2000, the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and all other applicable Indian data protection and privacy laws.
1.3.This Privacy Policy forms part of the Company's overall legal framework, which includes the Terms and Conditions of Service, AI Disclaimer, Cookie Policy, Data Processing and Security Terms, DPDP Compliance Notice, and associated documents. All such documents are incorporated by reference and should be read together
1.4.This Privacy Policy applies to:
•all individuals who access, register on, or use the Platform in any capacity ("Users");
•all personal data submitted to or generated on the Platform, including business data, User Content, and Customer Data;
•all Features and services offered through the Platform.
1.5.This Privacy Policy does not apply to:
•the personal data practices of third-party platforms linked to or integrated with the Platform (including Google LLC, Meta Platforms, Inc., and Razorpay Software Private Limited), which are governed by their own privacy policies;
•the End Customers of Users, whose data is processed by the Company as a Data Processor acting on the User's instructions, as further described in Section 8 of this Policy.
2 KEY DEFINITIONS
For the purposes of this Privacy Policy, the following terms have the meanings assigned below:
•"Customer Data" means personal data of a User's customers, leads, or other third parties that is uploaded, inputted, or otherwise transferred to the Platform by the User.
•"Data Fiduciary" means the entity that determines the purpose and means of processing personal data, as defined under the DPDP Act.
•"Data Principal" means the individual to whom personal data relates, as defined under the DPDP Act.
•"Data Processor" means an entity that processes personal data on behalf of and under the instructions of a Data Fiduciary, as defined under the DPDP Act.
•"End Customer" means a customer or third party of the User who interacts with the Platform's Features (in particular the AI Chat Assistant) or whose personal data is processed through the Platform.
•"Personal Data" means any data about an individual who is identifiable by or in relation to such data, as defined under the DPDP Act.
•"Processing" means any operation or set of operations performed on personal data, including collection, recording, organisation, storage, use, disclosure, and deletion.
•"Sensitive Personal Data" includes financial data, health data, biometric data, caste or tribal origin, religious or political beliefs, sexual orientation, and any other category designated as sensitive under applicable law.
•All other capitalised terms have the meanings assigned to them in the Terms and Conditions of Service.
3 PERSONAL DATA WE COLLECT
3.1.The Company collects personal data through the following means: (a) directly from the User at the time of registration and Platform use; (b) automatically through the User's interaction with the Platform; (c) from third-party platforms via OAuth or API integration; and (d) from the User's own customers through Features such as the AI Chat Assistant.
3.2.The categories of personal data collected, the specific data elements within each category, the purpose of collection, and the legal basis for processing are set out in the table below:
| Category of Data | Specific Data Elements | Purpose | Legal Basis |
|---|---|---|---|
| Account & Registration Data | Name, email address, mobile number, business name, business category, password (hashed) | Account creation, authentication, communication | Consent; Contract performance |
| Business Profile Data | Business description, services offered, operating hours, address, images, pricing | GBP optimisation, content generation, AI Chat Assistant training for the User's business | Consent; Contract performance |
| Usage & Activity Data | AI call logs, Feature usage, session data, prompts submitted, outputs generated | Service delivery, usage analytics, abuse prevention, AI model performance monitoring | Legitimate interest; Contract performance |
| Payment Data | Transaction ID, subscription plan, payment status (card/bank details held solely by Razorpay) | Subscription management, billing, tax invoicing | Contract performance; Legal obligation |
| Technical & Device Data | IP address, browser type, device type, operating system, referrer URL, session identifiers | Security, fraud prevention, platform performance, cookie analytics | Legitimate interest; Consent (cookies) |
| OAuth Access Tokens | Google Business Profile OAuth credentials and access tokens | GBP integration, automated posting, profile optimisation | Consent; Contract performance |
| Customer Data (Third-Party) | Lead names, contact details, email lists, chat interactions — uploaded by the User | Lead management, email campaigns, WhatsApp campaigns, AI Chat Assistant | Data Processor acting on User's instruction |
| Communications Data | Support queries, grievance submissions, email correspondence | Customer support, grievance resolution, record-keeping | Contract performance; Legal obligation |
3.3.The Company does not intentionally collect Sensitive Personal Data from Users in the ordinary course of Platform use. If a User or their End Customer inadvertently submits Sensitive Personal Data through a text prompt, lead upload, or AI chat interaction, the Company will process such data solely to the extent necessary to deliver the requested Feature and will not use it for any other purpose.
3.4.The Platform is not directed at individuals under the age of eighteen (18) years. The Company does not knowingly collect personal data from minors. If the Company becomes aware that a minor has provided personal data, such data will be deleted promptly. If you believe a minor has submitted data to the Platform, please contact grievance@growstart.ai.
4 PURPOSES OF PROCESSING
4.1.The Company processes personal data for the following purposes:
a.Service Delivery
•Creating and maintaining your User Account.
•Providing access to and operating all Features of the Platform.
•Generating AI-powered content, campaigns, scripts, and responses based on your inputs.
•Managing your lead pipeline, email campaigns, WhatsApp campaigns, and customer chat.
•Processing Google Business Profile optimisation and automated posting via OAuth.
b.Subscription and Payment Management
•Processing Subscription Fees and renewals through Razorpay
•Issuing tax invoices under the CGST Act, 2017.
•Managing plan upgrades, downgrades, and cancellations.
c.Platform Improvement and AI Performance
•Analysing aggregated, anonymised usage data to improve Platform performance and Features.
•Monitoring AI call volumes, Feature usage patterns, and error rates.
•Conducting internal research and development to enhance AI-generated output quality.
d. Security, Fraud Prevention, and Compliance
•Detecting, preventing, and investigating fraud, misuse, and security incidents.
•Enforcing the Terms and Conditions and acceptable use policies.
•Complying with legal obligations, court orders, and regulatory requirements.
•Maintaining audit logs and records as required by applicable law.
e.Communications and Support
•Responding to support queries, grievances, and user feedback.
•Sending transactional communications, including account notifications and billing alerts.
•Sending product updates, new Feature announcements, and service communications (from which Users may opt out).
f.Legal and Regulatory Obligations
•Complying with applicable laws, including the DPDP Act, IT Act, GST laws, and any lawful request from a competent government authority.
•Establishing, exercising, or defending legal claims.
4.2.The Company will not process personal data for purposes materially different from those stated above without obtaining fresh consent from the User, unless otherwise permitted under applicable law.
5 LAWFUL BASIS FOR PROCESSING
5.1.Under the DPDP Act, personal data may be processed on the basis of consent or for certain legitimate uses. The Company's processing activities are grounded in the following lawful bases:
•Consent: For data collected at registration, data used for marketing communications, cookie-based tracking (where applicable), and cross-border transfers to Anthropic for AI processing. Consent is obtained at the time of account creation and Platform use. Users may withdraw consent at any time, subject to the consequences described in Section 10.
•Performance of Contract: Processing necessary to deliver the Platform's services to the User under the Terms and Conditions, including service delivery, subscription management, and billing.
•Legal Obligation: Processing required to comply with Indian laws, including tax invoicing, data retention, and responses to lawful government orders.
•Legitimate Interests: Processing for security, fraud prevention, abuse detection, Platform analytics (using anonymised data), and internal record-keeping, where such interests are not overridden by the User's fundamental rights.
5.2.Where consent is the lawful basis, the User has the right to withdraw consent at any time by contacting grievance@growstart.ai. Withdrawal of consent will not affect the lawfulness of processing carried out before withdrawal. However, withdrawal of consent for certain processing activities may impair or disable specific Features of the Platform.
6 AI PROCESSING - ANTHROPIC AND CROSS-BORDER DATA TRANSFER
The AI capabilities of the GrowStart AI Platform are powered by the Claude large language model developed and operated by Anthropic, PBC, a company incorporated in the United States of America. When you use any AI-powered Feature of the Platform, your inputs including business descriptions, customer data, prompts, and review text are transmitted to Anthropic's API infrastructure for processing. This constitutes a cross-border transfer of personal data outside India.
6.1.Nature of the Transfer. When a User submits a prompt, customer list, business description, review, or any other input to an AI-powered Feature of the Platform, that input is transmitted to Anthropic's API for the purpose of generating an AI-powered output. This transmission involves the transfer of data to infrastructure operated by Anthropic in the United States of America.
6.2.Data Minimisation. The Company transmits only the information strictly necessary to generate the requested output. The Company does not transmit User Account credentials, payment data, or OAuth tokens to Anthropic.
6.3.Anthropic's Data Practices. Anthropic processes data transmitted to its API in accordance with its own API usage policies and privacy terms. The Company has entered into appropriate data processing arrangements with Anthropic. Users are encouraged to review Anthropic's privacy practices at https://www.anthropic.com/privacy.
6.4.Cross-Border Transfer Compliance. The Company processes cross-border transfers to Anthropic on the basis of User consent obtained at the time of account creation and Platform use. The Company will comply with any restrictions on cross-border transfers imposed by the Central Government under Section 16 of the DPDP Act, as and when such restrictions take effect.
6.5.Customer Data and AI Processing. Where a User uploads Customer Data to the Platform (including through the Lead Manager, Email Campaign Builder, or WhatsApp Campaigns), such Customer Data may also be transmitted to Anthropic's API for AI processing. The User is responsible for ensuring that such cross-border processing of Customer Data is lawful and that appropriate consents have been obtained from the relevant Data Principals.
6.6.Storage vs Processing. While AI inference processing occurs through Anthropic's US-based infrastructure, all data generated on and stored by the Platform is retained on cloud infrastructure located in Mumbai, India, unless the User explicitly exports data to a third-party destination.
7 SHARING OF PERSONAL DATA
7.1.The Company does not sell, rent, or trade personal data to third parties for commercial purposes. Personal data is shared only in the circumstances described below:
7.2.Third-Party Service Providers. The Company shares personal data with carefully selected third-party service providers (Data Processors) who assist in delivering the Platform's services. These providers process personal data solely on the Company's instructions and are bound by appropriate contractual obligations. The Company's key third-party service providers and the data shared with each are set out in the table below:
| Third Party | Role | Data Shared | Location |
|---|---|---|---|
| Anthropic, PBC | AI Model Provider (Data Processor) | User prompts, business data, Customer Data submitted to AI features | United States of America |
| Razorpay Software Pvt. Ltd. | Payment Gateway (Data Processor) | Transaction metadata; payment details held by Razorpay | India |
| Google LLC | Third-Party Platform (OAuth) | OAuth tokens; GBP profile data accessed via API | United States of America |
| Cloud Infrastructure Provider | Hosting & Storage (Data Processor) | All Platform data - stored in Mumbai, India | India (Mumbai) |
| Analytics Service Provider | Usage Analytics (Data Processor) | Anonymised / aggregated usage data, device and session data |
7.3.Legal and Regulatory Disclosure. The Company may disclose personal data to government authorities, regulators, courts, or law enforcement agencies where required to do so by applicable law, court order, or lawful regulatory direction. The Company will endeavour to notify affected Users of such disclosures where permitted by law.
7.4.Business Transfers. In the event of a merger, acquisition, restructuring, sale of business, or similar corporate transaction involving the Company, personal data held by the Company may be transferred to the successor entity. Users will be notified of any such transfer in advance, and the transferee will be required to honour this Privacy Policy or provide a substantially similar level of protection.
7.5.Professional Advisors. The Company may share personal data with its legal advisors, auditors, and accountants where strictly necessary for the provision of professional advice and services, subject to appropriate confidentiality obligations.
7.6.No Sale of Data. The Company does not engage in the sale of personal data as defined under any applicable law. Data shared with Anthropic is shared for the sole purpose of AI processing, not commercial exploitation of the data by Anthropic.
8 CUSTOMER DATA - THE COMPANY'S ROLE AS DATA PROCESSOR
8.1.Where a User uploads Customer Data to the Platform including lead lists, customer email addresses, customer names, or any other personal data of the User's own customers the Company acts solely as a Data Processor processing that Customer Data on behalf of the User (who is the Data Fiduciary).
8.2.In its capacity as Data Processor for Customer Data, the Company:
•processes Customer Data only as instructed by the User and only to the extent necessary to deliver the requested Feature;
•does not use Customer Data for the Company's own marketing, analytics, or commercial purposes;
•implements appropriate technical and organisational security measures to protect Customer Data;
•does not share Customer Data with third parties other than Anthropic (for AI processing) and the cloud infrastructure provider (for storage), both of whom act as sub-processors;
•deletes or returns Customer Data upon the User's written request or upon termination of the User's account, subject to applicable legal retention obligations.
8.3.The User, as Data Fiduciary for Customer Data, is solely responsible for:
•the lawful collection of Customer Data and obtaining all necessary consents from Data Principals;
•ensuring that the uploading and processing of Customer Data through the Platform is permitted under applicable law;
•responding to rights requests from Data Principals in relation to Customer Data;
•making all required disclosures to Data Principals regarding the processing of their data.
8.4.AI Chat Assistant End Customer Data. Where the User deploys the AI Chat Assistant on their business interface, End Customers may interact with the assistant and in doing so provide personal data. The User is the Data Fiduciary with respect to such data. The Company processes such data as a Data Processor solely to deliver the AI Chat Assistant Feature. The User must ensure that End Customers are made aware of the automated nature of the chat assistant and the processing of their personal data.
8.5.Further details of the Company's obligations and rights as Data Processor are set out in the Data Processing and Security Terms, which form part of this Agreement.
9 DATA RETENTION
9.1.The Company retains personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by applicable law, whichever is longer.
9.2.The following indicative retention periods apply:
| Category of Data | Retention Period | Basis |
|---|---|---|
| Account and Registration Data | Duration of active account + 3 years post-termination | Legal obligation; Dispute resolution |
| Payment and Transaction Records | 8 years from date of transaction | GST/tax law obligations |
| Customer Data uploaded by Users | Until deletion request or account termination + 30 days | Data Processor obligation; User instruction |
| Usage and Activity Logs | 12 months from date of activity | Security; Legitimate interest |
| Support and Grievance Communications | 3 years from date of communication | Legal obligation; Dispute resolution |
9.3.Upon expiry of the applicable retention period, personal data will be securely deleted or anonymised so that the individual is no longer identifiable. Anonymised or aggregated data derived from personal data may be retained indefinitely for statistical and analytical purposes.
9.4.Notwithstanding the above, the Company may retain personal data for a longer period where necessary to comply with a legal hold, ongoing litigation, regulatory investigation, or lawful direction from a competent authority.
10 YOUR RIGHTS AS A DATA PRINCIPAL
10.1.Under the DPDP Act, you have the following rights with respect to your personal data. These rights may be exercised by submitting a written request to grievance@growstart.ai. The Company will respond to valid requests within thirty (30) days.
| Right | Description | How to Exercise |
|---|---|---|
| Right to Information | Know what personal data is held, the purposes of processing, and the identity of Data Fiduciary and Data Processors | Email grievance@growstart.ai |
| Right to Correction | Correct inaccurate or outdated personal data held about you | Account settings or email to grievance@growstart.ai |
| Right to Erasure | Request deletion of personal data where it is no longer necessary for the purpose for which it was collected, subject to legal retention requirements | Email grievance@growstart.ai or delete account |
| Right to Grievance Redressal | Submit complaints regarding processing of your personal data to the Company's Grievance Officer, and thereafter to the Data Protection Board of India | Email grievance@growstart.ai |
| Right to Withdraw Consent | Withdraw consent to processing at any time, where processing is consent-based. Withdrawal may affect availability of certain Features. | Email grievance@growstart.ai |
| Right to Nomination | Nominate another individual to exercise rights on your behalf in the event of death or incapacity | Email grievance@growstart.ai |
10.2.Identity Verification. The Company may require you to verify your identity before fulfilling a rights request, in order to protect personal data from unauthorised access or disclosure.
10.3.Limitations. Certain rights may be limited or unavailable where:
•the processing is required by applicable law;
•the data is required for the establishment, exercise, or defence of legal claims;
•the exercise of the right would adversely affect the rights of other persons;
•the processing is necessary to protect national security, public order, or the sovereignty of India.
10.4.Grievance Escalation. If you are dissatisfied with the Company's response to a rights request, you may escalate your complaint to the Data Protection Board of India once constituted, in accordance with the DPDP Act.
11 DATA SECURITY
11.1.The Company implements appropriate technical and organisational security measures to protect personal data against unauthorised access, disclosure, alteration, or destruction. These measures include, but are not limited to:
•encryption of personal data in transit using industry-standard TLS/SSL protocols;
•encryption of stored data at rest;
•access controls and role-based permissions restricting access to personal data to authorised personnel only;
•regular security assessments and vulnerability monitoring;
•secure password hashing and credential management;
•data centre security measures applicable to the cloud infrastructure provider in Mumbai, India.
11.2.The Company's security practices are designed to meet the requirements of the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011, and the DPDP Act.
11.3.Personal Data Breach. In the event of a personal data breach that is likely to result in harm to Data Principals, the Company will:
•notify the Data Protection Board of India as required under the DPDP Act;
•notify affected Users in a timely manner where required by law or where notification is necessary to enable the User to take protective measures;
•take all reasonable steps to contain and mitigate the breach.
11.4.No security system is impenetrable. While the Company takes all reasonable precautions to protect personal data, it cannot guarantee absolute security. Users are responsible for maintaining the confidentiality of their own credentials and for promptly reporting any suspected security incident to grievance@growstart.ai.
12 COOKIES AND TRACKING TECHNOLOGIES
12.1.The Platform uses cookies and similar tracking technologies to enhance User experience, measure Platform performance, and support security functions. Details of the types of cookies used, their purposes, and how to manage cookie preferences are set out in the Company's Cookie Policy, which is available on the Platform and is incorporated into this Privacy Policy by reference.
12.2.By using the Platform, you consent to the use of cookies in accordance with the Cookie Policy. You may withdraw consent to non-essential cookies at any time through the cookie preference settings available on the Platform. Withdrawal of consent to essential cookies may affect the functionality of the Platform.
13 CHILDREN'S PRIVACY
13.1.The Platform is not designed for, directed at, or intended to be used by individuals under the age of eighteen (18) years. The Company does not knowingly collect personal data from minors.
13.2.If the Company becomes aware that it has inadvertently collected personal data from a minor, such data will be deleted without undue delay. If you are a parent or guardian and believe your child has submitted personal data to the Platform, please contact grievance@growstart.ai.
14 MARKETING COMMUNICATIONS AND OPT-OUT
14.1.With your consent, the Company may send you communications regarding new Features, Platform updates, promotional offers, and service information. Such communications will be sent to the email address registered with your User Account.
14.2.You may opt out of marketing communications at any time by:
•clicking the unsubscribe link included in any marketing email;
•updating your communication preferences in your account settings; or
•writing to grievance@growstart.ai.
14.3.Opting out of marketing communications will not affect the receipt of transactional communications that are essential to the delivery of the Platform's services (such as billing notifications, account security alerts, and policy update notices).
15 THIRD-PARTY PLATFORMS AND LINKS
15.1.The Platform integrates with and references third-party services including Google Business Profile and Meta's WhatsApp platform. The Company is not responsible for the privacy practices or data handling of any third-party service. Your use of third-party services is subject to their own terms and privacy policies, which you should review independently.
15.2.When you grant OAuth access to your Google Business Profile, the processing of your Google account data is also subject to Google's Privacy Policy (https://policies.google.com/privacy). The Company's access is limited to the permissions expressly granted by you.
16 CHANGES TO THIS PRIVACY POLICY
16.1.The Company reserves the right to update or amend this Privacy Policy at any time to reflect changes in the law, Platform features, or data processing practices. The revised Privacy Policy will be published on the Platform with an updated effective date.
16.2.Where changes are material, the Company will provide advance notice through the Platform or by email to the registered address. Your continued use of the Platform after the revised Privacy Policy takes effect constitutes your acceptance of the amended Policy.
16.3.The Company recommends that Users periodically review this Privacy Policy to remain informed of any updates.
17 GRIEVANCE OFFICER AND CONTACT DETAILS
17.1.In accordance with the DPDP Act and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, the Company has designated a Grievance Officer to address complaints and queries regarding the processing of personal data.
| Designation | Grievance Officer |
|---|---|
| Company | HEX64 InfoSolutions Private Limited |
| grievance@growstart.ai. | |
| Registered Office | B-23, Sector 63, Noida, Gautam Buddha Nagar, Uttar Pradesh - 201301, India |
| Response Time | Within thirty (30) days of receipt of a valid complaint or request |
17.2.You may also approach the Data Protection Board of India (once constituted under the DPDP Act) if you are dissatisfied with the Company's handling of your complaint.
By using the GrowStart AI Platform, you acknowledge that you have read and understood this Privacy Policy and consent to the collection, use, and processing of your personal data as described herein. This Privacy Policy was last updated on 25.06.2026.
Google API Services — Limited Use
GrowStart AI’s use and transfer to any other application of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Information obtained from a User’s Google Business Profile is used solely to provide and improve the user-facing features the User has authorised (such as Google Business Profile optimisation and automated posting); is not transferred to others except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger or acquisition; is not used or transferred for advertising purposes; is not sold; and is not used to train generalised or non-personalised artificial-intelligence or machine-learning models.