Privacy Policy

Last updated: March 21, 2026

1. Who We Are

GrowthMap (“we”, “us”, or “our”) is a growth intelligence tool that helps indie developers and solopreneurs reach their first 1,000 customers. Our service is operated by Jordan Kennedy. You can reach us at our contact page.

2. Information We Collect

We collect only what we need to provide you with your growth report. This includes:

• Your email address, used to create your account and deliver your report.
• The product URL(s) you submit, along with any additional context you provide about your product.
• Payment information processed securely through Lemon Squeezy. We never store your credit card details directly.
• Behavioral analytics data collected by PostHog, including pages visited, features used, and in-app navigation patterns. Analytics are collected without cookies and without your IP address. For a random 20% of sessions, an anonymized session recording may be captured to help us understand how people use the product (all form inputs and text are masked). See Section 8 for full details.

3. Legal Basis for Processing (GDPR)

If you are located in the European Economic Area (EEA), United Kingdom, or Switzerland, we process your personal data under the following legal bases:

• Contract performance (Article 6(1)(b) GDPR): Processing your email, product URL, and product description is necessary to generate and deliver the growth report you purchased.
• Legitimate interest (Article 6(1)(f) GDPR): We collect anonymized behavioral analytics (no cookies, no IP address, no persistent identifiers) to improve our product and understand how it is used. Because this data cannot reasonably be linked back to you, it may not constitute personal data under GDPR. You can object to this processing at any time by contacting us.

4. How We Use Your Information

We use the information you provide to generate and deliver your personalized growth report, communicate with you about your purchase, improve our product and analysis pipeline, and prevent fraud and abuse. We do not sell your personal information to third parties. We do not use your data to train AI models.

5. Third-Party Services (Sub-Processors)

To deliver your report, we share data with the following trusted third-party services, each acting as a data processor on our behalf:

• Supabase (USA): Database storage and user authentication. Stores your account, reports, and purchase records.
• Anthropic (USA): AI analysis via the Claude API. Processes your product data and competitor information to generate report insights.
• Lemon Squeezy (USA): Payment processing. Handles your payment details securely. We never see or store your full card number.
• Resend (USA): Transactional email delivery. Receives your email address to send account and report-related communications.
• PostHog (USA): Product analytics and session recording. Receives anonymized behavioral data (page views, feature usage, navigation). No cookies are used. Your IP address is not transmitted. Session recordings are captured for approximately 20% of sessions with all form inputs and visible text masked. Data is stored in PostHog’s US datacenter. PostHog Privacy Policy.
• Cloudflare (USA): Hosting and content delivery. Routes and serves web requests.
• DataForSEO (USA): SEO data and keyword intelligence. Receives your product domain to fetch SEO metrics.
• Brave Search (USA): Web search API. Used to discover newsletters, podcasts, and outreach targets relevant to your product category.
• PodcastIndex (USA): Podcast discovery API. Used to find relevant podcasts for outreach opportunities.

Each sub-processor has its own privacy policy and data handling practices. We maintain Data Processing Agreements with our sub-processors where required.

6. International Data Transfers

Our service and sub-processors are primarily based in the United States. If you are located in the EEA, UK, or Switzerland, your data will be transferred to and processed in the United States. We ensure appropriate safeguards for these transfers, including reliance on the EU-US Data Privacy Framework where applicable, Standard Contractual Clauses (SCCs), and our sub-processors’ own compliance certifications. By using our service, you acknowledge this transfer.

7. Data Retention

We retain your report data for as long as your account is active so you can access it from your dashboard. Purchase records are retained for 7 years for tax and accounting compliance. If you request account deletion, we will remove your personal data and reports within 30 days, except where retention is required by law (e.g., financial records).

8. Cookies and Analytics

Authentication cookies. We use a single secure session cookie to keep you logged in. This cookie is strictly necessary for the service to function and does not track you across other websites. You can disable cookies in your browser settings, though this will prevent you from logging in and accessing your reports.

Product analytics (PostHog). We use PostHog to understand how people use GrowthMap. Our analytics implementation is designed with privacy in mind:

• No cookies: Analytics data is stored only in memory for the duration of your session. Nothing is written to your browser storage.
• No IP address: Your IP address is explicitly excluded from all analytics events before they are sent.
• No PII: Email addresses, product URLs, and report IDs are stripped from all analytics events.
• Session recording: Approximately 20% of sessions are recorded to help us understand how people navigate the product. All form inputs and visible text are masked before recording. Recordings are stored in PostHog’s US datacenter.
• Objection: You can object to analytics data collection at any time by contacting us via our contact page.

9. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request corrections to inaccurate or incomplete data.
• Erasure: Request deletion of your personal data (“right to be forgotten”).
• Data portability: Receive your data in a structured, machine-readable format (JSON). You can export your data from your dashboard at any time.
• Restriction: Request that we limit how we process your data.
• Objection: Object to processing based on legitimate interest.
• Withdraw consent: Where processing is based on consent, you can withdraw it at any time.

To exercise any of these rights, use the data management options in your dashboard or contact us. We will respond to your request within 30 days.

10. Right to Lodge a Complaint

If you are located in the EEA or UK, you have the right to lodge a complaint with your local Data Protection Authority (DPA) if you believe we have not handled your personal data in accordance with applicable law. A list of EU DPAs can be found on the European Data Protection Board website.

11. Security

We take reasonable technical and organizational measures to protect your information from unauthorized access or disclosure. All data is transmitted over HTTPS. Passwords are never stored in plain text. That said, no system is perfectly secure, and we cannot guarantee absolute security.

12. Children

GrowthMap is not intended for use by anyone under the age of 16 (or 13 in jurisdictions where that is the applicable age of digital consent). We do not knowingly collect personal information from children. If you believe we have inadvertently collected information from a child, please contact us immediately.

13. Changes to This Policy

We may update this privacy policy from time to time. When we do, we will update the “Last updated” date at the top. For material changes, we will notify you by email if we have your address. Continued use of the service after changes constitutes acceptance of the updated policy.

14. Contact

Questions about this policy or your data? Reach us through our contact page.