Privacy Policy

The data controller responsible for the processing of personal data on this website within the meaning of the General Data Protection Regulation (GDPR) is:

Growth Studios GmbH
Adalperostrasse 29
85737 Ismaning
Germany

Represented by the Managing Directors Ivan Karajica and Felix Arnold.
Email: hello@growthstudios.io

Data Protection Officer: We have not appointed a data protection officer because, due to our size and structure, we are not legally required to do so (§ 38 BDSG). For data protection inquiries, please contact us directly at hello@growthstudios.io.

We process personal data of our users only to the extent necessary to provide a functional website, our content, and our services. Processing takes place either with the user's consent (Art. 6(1)(a) GDPR) or on another legal basis listed in Art. 6(1) GDPR.

When you access our website, our hosting provider automatically collects information transmitted by your browser:

• IP address (anonymized/truncated)
• Date and time of the request
• Name and URL of the requested file
• Referrer URL
• Browser type and version, operating system

Legal basis: Art. 6(1)(f) GDPR (legitimate interest in technically reliable provision and security of the website).
Retention: Log files are deleted automatically after a maximum of 30 days.

This website is hosted by Vercel Inc., 340 S Lemon Ave #4133, Walnut, CA 91789, USA. Technically necessary data is transferred to and processed by Vercel.

Third-country transfer: Processing may occur in the USA. Vercel is certified under the EU-U.S. Data Privacy Framework. Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR are also in place.
Legal basis: Art. 6(1)(f) GDPR.

For security reasons and to protect the transmission of confidential content (such as inquiries you send to us), this website uses SSL or TLS encryption. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser bar.

When SSL/TLS encryption is activated, the data you transmit to us cannot be read by third parties.

We use cookies and comparable technologies to ensure functionality, analyse usage, and enable marketing. To collect and manage your consent we use the consent management platform Cookiebot provided by Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark. Cookiebot stores an anonymous, unique consent key together with the timestamp of your consent for 12 months in order to honour your choice on future visits and to provide proof of consent.

Legal basis: § 25(2)(2) TDDDG and Art. 6(1)(f) GDPR.
Withdrawal: You can withdraw or change your consent at any time using the "Manage cookie settings" button below or in the website footer.

Functional cookies / local storage: In addition to cookies managed via Cookiebot, we store strictly necessary information locally in your browser to provide basic comfort functions. In particular, we use a cookie or local storage entry named theme which stores your preferred display mode (light/dark) for 12 months. This entry is stored exclusively on your device and does not transmit any personal data to us or to third parties.
Legal basis: § 25(2)(2) TDDDG (strictly necessary for the comfort function explicitly requested by the user).

We use Google Tag Manager by Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. Google Tag Manager itself does not set cookies or process personal data, but it triggers other tags which may do so. Tags are loaded only based on your consent (Google Consent Mode v2).

Legal basis: Art. 6(1)(a) GDPR (consent).

This website uses Google Analytics 4 (GA4), a web analytics service of Google Ireland Limited. We have activated IP anonymization and implemented Google Consent Mode v2: as long as no consent for statistics cookies is given, only anonymous cookieless pings are transmitted (gcs=G100, npa=1). Cookies are set only after consent.

Retention: up to 14 months.
Third-country transfer USA: Google LLC is certified under the EU-U.S. Data Privacy Framework; Standard Contractual Clauses (Art. 46 GDPR) apply additionally.
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent).

We use the Meta Pixel by Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland to measure visitor interactions, evaluate the reach of our advertising campaigns, and serve personalized ads on Meta services (Facebook, Instagram).

Third-country transfer USA: Meta Platforms Inc. is certified under the EU-U.S. Data Privacy Framework; Standard Contractual Clauses (Art. 46 GDPR) apply additionally. Please note that according to the European Court of Justice, transfers to the USA may still entail risks (e.g. access by US authorities).
Legal basis: Art. 6(1)(a) GDPR and § 25(1) TDDDG (consent). The Meta Pixel is loaded only after your explicit consent to marketing cookies.

A joint controllership agreement (Art. 26 GDPR) is in place with Meta.

When you contact us via the contact form or by email, the information you provide is stored to process the request.

Legal basis: Art. 6(1)(b) GDPR (pre-contractual measures) or Art. 6(1)(f) GDPR (legitimate interest in answering inquiries).
Retention: Data is deleted as soon as it is no longer required, subject to statutory retention obligations.

On our website we offer the Efficiency Quick Check, a free online tool for an initial assessment of efficiency potential in your company. If you complete the Quick Check and request the report by email, we process the following data:

• First and last name
• Email address
• Company / organisation
• Your answers to the Quick Check questions, the resulting score and the calculated waste value
• Language version (de/en)

This data is used exclusively to send you the personalised report by email and, on request, to offer further consultation.

Processor Resend: For the technical delivery of the report email we use the email API service Resend provided by Resend, Inc., 2261 Market Street #5039, San Francisco, CA 94114, USA. Resend processes the transmitted data (recipient email, name, email content) on our behalf solely for the purpose of delivery. A data processing agreement (DPA) pursuant to Art. 28 GDPR is in place with Resend.

Third-country transfer USA: As Resend is based in the USA, a transfer to a third country occurs. Resend is certified under the EU-U.S. Data Privacy Framework; Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR apply additionally. Please note that, in the view of the European Court of Justice, residual risks may remain for transfers to the USA (e.g. access by US authorities).

Legal basis: Art. 6(1)(b) GDPR (performance of pre-contractual measures at your request) and Art. 6(1)(a) GDPR (consent to receive the report by email).
Retention: Data entered in the Quick Check will be deleted as soon as it is no longer required for sending the report and any subsequent communication, at the latest after 12 months. Statutory retention obligations remain unaffected.
Withdrawal: You can withdraw your consent at any time by emailing hello@growthstudios.io.

Further information on Resend's data processing: resend.com/legal/privacy-policy.

On our contact page we offer the option of booking a free initial consultation directly online via Google Calendar Appointment Scheduling. The corresponding booking dialog is loaded into a modal window as an iframe from calendar.google.com. The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA).

Click-to-load: The Google iframe is loaded only when you actively click the "Select appointment" button. As long as you do not click this button, no data is transmitted to Google and no Google cookies are set.

Data processed when the iframe is loaded: IP address, browser and device information (user agent), referrer URL, timestamp of the request, and, where applicable, information from an existing Google account if you are logged in to Google in your browser. In this context, Google sets cookies including NID for recognition and security purposes.

Data processed when an actual booking is made: name, email address, selected appointment time, and any optional notes you provide in Google's booking dialog. This data is sent directly to Google and added as an event in our Google Calendar account.

Purpose: To provide a convenient self-service way for you to schedule a free initial consultation, and to manage these appointments in our calendar.

Legal basis: Loading the iframe and setting Google cookies takes place exclusively after your active, informed consent by clicking the corresponding button (§ 25(1) TDDDG in conjunction with Art. 6(1)(a) GDPR). The subsequent processing of your booking data is based on Art. 6(1)(b) GDPR (performance of pre-contractual measures at your request) and on our legitimate interest in efficient appointment coordination (Art. 6(1)(f) GDPR).

Third-country transfer USA: When you use the Google Calendar Appointment Scheduling feature, personal data is transferred to Google LLC in the USA. Google LLC is certified under the EU-U.S. Data Privacy Framework (DPF), providing an adequate level of data protection within the meaning of Art. 45 GDPR. In addition, Google has implemented EU Standard Contractual Clauses pursuant to Art. 46(2)(c) GDPR for its services. We point out that, in the view of the European Court of Justice, residual risks may remain for transfers to the USA (in particular access by US authorities).

Retention: At Google, your data is stored in accordance with Google's retention and deletion policies. Appointments created in our Google Calendar account are deleted as soon as they are no longer required for arranging and conducting the initial consultation, at the latest 12 months after the appointment. Statutory retention obligations remain unaffected.

Alternative without Google: You are not obliged to use Google's booking dialog. You can alternatively contact us via the contact form on the contact page or by email at hello@growthstudios.io without any data being transmitted to Google.

For more information on Google's data processing, please see Google's privacy policy at: policies.google.com/privacy.

On the subdomain app.growthstudios.io we operate a passwordless customer portal. Signed-in users can, among other things, review their onboarding progress, access shared documents, and stay in touch with their contact at Growth Studios.

Authentication (magic link): Sign-in is passwordless and exclusively based on single-use email links. After you enter your email address we send you a one-time link via our processor Resend (Resend, Inc., San Francisco, USA), with whom we have a data processing agreement pursuant to Art. 28 GDPR. The transfer to the USA is safeguarded by EU Standard Contractual Clauses (Art. 46(2)(c) GDPR). The link is valid for 24 hours and can only be used once.

Data processed: email address, name (if provided), timestamp of the last sign-in, portal role (customer, team member, administrator), session tokens, and portal content (e.g. onboarding input, notes, uploaded files). Server logs are retained for up to 30 days for security and operational purposes.

Hosting & storage location: The application is operated on Vercel (Vercel Inc., USA); the database is hosted at Neon (Neon, Inc.) in the Frankfurt (EU-Central-1) region. File uploads are stored via Vercel Blob in the Frankfurt (fra1) region. We have data processing agreements in place with all three providers pursuant to Art. 28 GDPR; any unavoidable transfers to the USA (e.g. support or request routing by Vercel) are covered by EU Standard Contractual Clauses.

Purpose: Providing a secure workspace for existing customers to collaborate during and after onboarding, and to transparently reflect project progress.

Legal basis: Processing is based on Art. 6(1)(b) GDPR (performance of the contract or pre-contractual measures) and Art. 6(1)(f) GDPR (our legitimate interest in an efficient collaboration with our customers).

Retention: Your portal account remains active for as long as a customer relationship exists. After the end of the engagement we delete personal portal data at the latest 12 months afterwards, unless statutory retention obligations apply. You may request deletion of your account at any time by email.

No indexing: All pages of the customer portal are excluded from search engines via noindex headers. Content is only accessible to authenticated users.

You have the following rights regarding your personal data:

• Right of access (Art. 15 GDPR)
• Right to rectification (Art. 16 GDPR)
• Right to erasure (Art. 17 GDPR)
• Right to restriction of processing (Art. 18 GDPR)
• Right to data portability (Art. 20 GDPR)
• Right to object (Art. 21 GDPR)
• Right to withdraw consent (Art. 7(3) GDPR)

To exercise your rights, please contact us at hello@growthstudios.io. You also have the right to lodge a complaint with a supervisory authority (Art. 77 GDPR). The competent authority for us is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach, Germany.

Right to object to direct marketing (Art. 21(2) GDPR): If your personal data is processed for direct marketing purposes, you have the right to object at any time to the processing of your personal data for such marketing. If you object to processing for direct marketing purposes, your personal data will no longer be processed for these purposes.

No automated decision-making (Art. 22 GDPR): We do not use your personal data for automated decision-making (including profiling) that produces legal effects concerning you or significantly affects you in a similar way. The score calculated by the Quick Check is for informational purposes only and does not result in any automated decisions.

Obligation to provide data (Art. 13(2)(e) GDPR): The provision of your personal data is neither legally nor contractually required. You are not obliged to provide us with personal data. However, without this data we may not be able to provide certain functions (e.g. delivery of the Quick Check report or response to a contact request) or only to a limited extent.

Our website contains links to our profiles on the following social networks:

• Instagram – Meta Platforms Ireland Limited, Merrion Road, Dublin 4, Ireland
• LinkedIn – LinkedIn Ireland Unlimited Company, Wilton Place, Dublin 2, Ireland

These are simple hyperlinks; no plugins are embedded. Data is only transferred to the respective providers once you actively click the link and visit the provider's site. We have no influence on the data processing carried out by these platforms; their respective privacy policies apply.

We reserve the right to amend this privacy policy in order to comply with current legal requirements or to reflect changes to our services. The current version applies to your next visit.