Data Protection

GDPR Compliance

We take the General Data Protection Regulation seriously. This page details how we protect the rights of users in the European Economic Area and the United Kingdom.

Last updated: January 2025~7 min read

GDPR at a Glance

⚖️Lawful basis for all processing

✅Data subject rights honored

⏱️30-day response guarantee

🌍SCCs for international transfers

🚨72-hour breach notification

👤Designated Data Protection Officer

1. Our Commitment to GDPR

GrowSEB is committed to full compliance with the General Data Protection Regulation (EU) 2016/679 for all users in the European Economic Area (EEA) and the United Kingdom. We apply GDPR principles globally as a baseline for data protection, meaning all our users benefit from these standards.

Lawfulness, Fairness & Transparency

We process data lawfully, fairly, and in a transparent manner

Purpose Limitation

Data is collected for specified, explicit, and legitimate purposes only

Data Minimization

We collect only the minimum data necessary for each purpose

Accuracy

We take reasonable steps to ensure personal data is accurate and up-to-date

Storage Limitation

Data is retained only as long as necessary for the processing purpose

Integrity & Confidentiality

Appropriate security measures protect against unauthorized access

2. Data Controller

Legal Entity

Laabam One Business Solutions Pvt Ltd

Platforms Covered

growseb.com (marketing site) and app.growseb.com (SaaS platform)

Data Protection Officer (DPO)

dpo@growseb.com

Location

India

3. Legal Basis for Processing

Under Article 6 of the GDPR, we process personal data based on the following legal grounds:

Contractual Necessity (Art. 6(1)(b))

Processing necessary to perform our contract with you — including account management, delivery of SEO tools, subscription fulfillment, and SEB Wallet operations.

Examples: Account creation, tool usage, billing, project management

Legitimate Interest (Art. 6(1)(f))

Processing necessary for our legitimate interests, balanced against your rights. We conduct legitimate interest assessments to ensure this balance.

Examples: Analytics, fraud prevention, platform security, service improvement

Consent (Art. 6(1)(a))

Processing based on your freely given, specific, informed, and unambiguous consent. You can withdraw consent at any time without affecting prior processing.

Examples: Marketing emails, non-essential cookies, optional analytics

Legal Obligation (Art. 6(1)(c))

Processing necessary to comply with legal requirements, such as financial record-keeping, tax reporting, and responding to lawful government requests.

Examples: Invoice retention, tax records, regulatory compliance

4. Your Rights Under GDPR

If you are located in the EEA or UK, the GDPR grants you the following rights over your personal data:

Right of Access

Art. 15

Request a complete copy of all personal data we hold about you, free of charge

Right to Rectification

Art. 16

Have inaccurate or incomplete personal data corrected without undue delay

Right to Erasure

Art. 17

Request deletion of your personal data ("right to be forgotten") when no longer necessary

Right to Restriction

Art. 18

Restrict processing of your data while we verify accuracy or assess objection requests

Right to Portability

Art. 20

Receive your data in a structured, commonly used, machine-readable format (JSON/CSV)

Right to Object

Art. 21

Object to processing based on legitimate interest, including profiling; we must stop unless compelling grounds exist

Withdraw Consent

Art. 7(3)

Withdraw consent for marketing and non-essential cookies at any time, without affecting prior lawful processing

Lodge a Complaint

Art. 77

File a complaint with your local Data Protection Authority if you believe your rights have been violated

5. How to Exercise Your Rights

Submit a Request

Email our Data Protection Officer at dpo@growseb.com with your request. Include your account email and specify which right(s) you wish to exercise.

Identity Verification

For security, we may ask you to verify your identity. This typically involves confirming details associated with your account.

Processing

We will acknowledge your request within 72 hours and provide a substantive response within 30 days.

Extension (if needed)

In complex cases, we may extend the response period by an additional 60 days. We will inform you of any extension and the reasons within the initial 30-day period.

No fee required: We do not charge a fee for processing GDPR rights requests. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to act on such requests.

6. Data Sub-Processors

We use the following third-party sub-processors to operate our platform. Each has been vetted for GDPR compliance and appropriate security standards:

Sub-Processor	Location	Purpose	Safeguards
Digital Ocean	US	Cloud hosting, managed databases, app infrastructure	SCCs, SOC 2
AWS Cognito	US	User authentication and identity management	SCCs, ISO 27001
Razorpay	India	Payment processing (Indian users)	PCI DSS Level 1
PayPal	US	Payment processing (international users)	SCCs, PCI DSS
Zepto Mail	India	Transactional email delivery	DPA, encryption
Vercel	US	Static website hosting (growseb.com)	SCCs, SOC 2

We maintain Data Processing Agreements (DPAs) with all sub-processors. You may request copies of relevant DPAs by contacting our DPO.

7. International Data Transfers

As some of our sub-processors are located outside the EEA, personal data may be transferred internationally. We ensure such transfers are lawful through the following mechanisms:

Standard Contractual Clauses (SCCs)

EU-approved contractual terms ensuring adequate data protection for transfers to countries without an adequacy decision.

Adequacy Decisions

Where the European Commission has determined a country provides an adequate level of data protection.

Additional Safeguards

Supplementary technical and organizational measures including encryption in transit and at rest, access controls, and security audits.

8. Data Retention Under GDPR

We apply the principle of storage limitation — personal data is retained only as long as necessary for the specified purpose:

Data Category	Retention Period	Legal Basis
Account data	Lifetime of account + 30 days	Contractual necessity
SEO project data	Lifetime of account + 30 days	Contractual necessity
Payment & invoices	7 years after transaction	Legal obligation (tax)
Support tickets	3 years after resolution	Legitimate interest
Analytics data	26 months (anonymized)	Legitimate interest
Marketing consent	Until consent withdrawn	Consent
Server logs	90 days	Legitimate interest

For full retention details, see our Privacy Policy.

9. Data Breach Notification

In compliance with Articles 33 and 34 of the GDPR, we have established a robust breach notification protocol:

Detection & Assessment

Immediate

Our security systems continuously monitor for unauthorized access. Upon detection, the incident response team assesses the scope, nature, and risk within hours.

Supervisory Authority Notification

Within 72 hours

If a breach is likely to result in a risk to the rights and freedoms of natural persons, we notify the relevant supervisory authority within 72 hours of becoming aware.

User Notification

Without undue delay

If a breach is likely to result in a high risk to your rights and freedoms, we will notify affected users without undue delay via email and platform notification.

Remediation & Review

Ongoing

We implement corrective measures, document the breach, conduct a post-incident review, and update security procedures as needed.

10. Data Protection Impact Assessments

In accordance with Article 35 of the GDPR, we conduct Data Protection Impact Assessments (DPIAs) before implementing new features or processing activities that may result in a high risk to data subjects. This includes:

AI-powered tools that process user-submitted content and website data
New sub-processor integrations or changes to existing data flows
Features involving profiling or automated decision-making
Large-scale processing of personal data or sensitive categories

DPIAs are reviewed and approved by our Data Protection Officer before any high-risk processing activity commences.

11. Supervisory Authority

If you believe that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or the place of the alleged infringement.

Common Supervisory Authorities

Ireland: Data Protection Commission (DPC)

France: Commission Nationale de l'Informatique et des Libertés (CNIL)

Germany: Federal Commissioner for Data Protection (BfDI)

UK: Information Commissioner's Office (ICO)

We encourage you to contact us first at dpo@growseb.com so we can attempt to resolve your concern directly.

12. Updates to This Page

We review and update this GDPR compliance page periodically to reflect changes in our processing activities, sub-processors, or regulatory requirements. Significant changes will be communicated via:

Updated "Last updated" date on this page
Email notification to registered EEA/UK users
Platform banner notice for material changes

13. Contact Our Data Protection Officer

For any GDPR-related questions, data subject access requests, or concerns about our data processing practices:

DPO Email: dpo@growseb.com

Privacy Team: privacy@growseb.com

Contact page: growseb.com/contact

Data Controller: Laabam One Business Solutions Pvt Ltd, India

Response time: We acknowledge all GDPR requests within 72 hours and provide a substantive response within 30 calendar days.

Related Policies