Privacy policy

1 · Scope & who we are

GrowYu is a tele-CRM operated by Team OmAk Pvt. Ltd. ("GrowYu", "we", "us"), an Indian company with its registered office in Bengaluru. This policy applies to visitors of growyu.com, customers of GrowYu workspaces, and the end-customers whose data GrowYu customers process through the service.

When you (a GrowYu customer) put your end-customer’s data into the service, you are the data fiduciary and GrowYu is your data processor. This policy covers our processing as a fiduciary (your data, the data of your team members signed into your workspace) and as a processor (your end-customers’ data). The boundary is called out throughout.

2 · Data we collect

2.1 · As data fiduciary (yours)

• Account data: name, work email, phone number, role, workspace ID, password hash, MFA factors.
• Billing data: business name, GSTIN, billing address, last 4 digits of card or UPI handle, invoices.
• Product telemetry: pages visited, features used, error events, device + browser metadata, IP for security auditing.
• Support communications: tickets, chat transcripts, call recordings if you call our sales/support line (with prior notice).

2.2 · As data processor (your end-customers’)

• Contact records you upload or capture (name, phone, email, custom fields).
• Call metadata and recordings made through the service.
• WhatsApp / SMS / email messages sent or received within the service.
• Lead source metadata from your connected integrations.

Plain English. The leads, calls, and messages your team works with belong to you — GrowYu just runs the system that holds them.

3 · How we use it

We use the data described above to:

• provide and operate the GrowYu service, including dialing, lead capture, AI features, and reports;
• authenticate users, prevent abuse, and detect security incidents;
• send service notifications, billing communications, and (if you’ve opted in) the GrowYu Brief newsletter;
• improve the product through aggregate, de-identified analytics — never by inspecting your end-customer records;
• comply with Indian law, including the DPDP Act 2023, IT Act 2000, and applicable tax regulations.

We do not train AI models on your call recordings or messages without explicit, per-workspace opt-in. The default is off. We do not sell, rent, or trade personal data — ever.

4 · When we share data

We share personal data only in these cases:

• Sub-processors who operate parts of our infrastructure under written DPAs — AWS (India regions), our SMS & WhatsApp telephony partners, our payments processor. Current sub-processor list available in our DPA.
• Your authorised integrations — Zapier, your accounting software, your website’s CRM webhook. You control these toggles.
• Legal compliance — when required by an order from an Indian court, regulator, or government agency under due process.
• Corporate transactions — in the event of a merger or acquisition, with successor obligations identical to those in this policy.

5 · Data residency & transfer

All customer data, including call recordings and lead records, is stored in AWS Mumbai (ap-south-1) with disaster-recovery replication to AWS Hyderabad (ap-south-2). No customer data is replicated outside India. Some operational metadata (e.g. service logs without personal data) may transit through CDN edge nodes globally, with appropriate safeguards.

6 · Retention & deletion

While your workspace is active, we retain data as long as you instruct us to. When you close your workspace, we soft-delete all data for 30 days (during which you can restore) and then permanently erase it within 60 days. Audit logs and billing records are retained for 7 years to meet tax and regulatory obligations.

End-customers of GrowYu customers exercising erasure rights should contact the GrowYu customer directly — we cannot delete records on behalf of a customer without their instruction.

7 · Your rights under DPDP

Under India’s Digital Personal Data Protection Act, 2023, you have the right to:

• Access the personal data we hold about you.
• Correct or update inaccurate or out-of-date data.
• Erase data we hold about you (subject to legal retention requirements).
• Withdraw consent for marketing communications at any time.
• Nominate another person to exercise these rights in case of incapacity or death.
• Lodge a grievance with our grievance officer (below) and, if unresolved, with the Data Protection Board of India.

8 · Cookies & tracking

We use a minimal set of cookies — see our separate Cookie policy for the full list. We do not use third-party advertising cookies. We do use product analytics cookies (first-party) to understand which features work, with no identifying data attached.

9 · Security

See our security overview for the full posture. Highlights: AES-256 at rest, TLS 1.3 in transit, role-based permissions, 100% audit-logged admin actions, 72-hour breach disclosure window.

10 · Children

GrowYu is a business product and is not directed at children under 18. We do not knowingly collect data from minors. If a GrowYu customer collects data on minors through their own end-customers (e.g. a coaching institute capturing student records), that customer is responsible for parental consent under DPDP.

11 · Updates to this policy

We’ll post updates here and email workspace owners at least 30 days before material changes take effect. The version number and date at the top of this page always reflect the current version.

12 · Grievance officer

Under the DPDP Act and IT Rules, our grievance officer is:

Anjali Pratap · Grievance Officer
Team OmAk Pvt. Ltd. · 4th floor, Indiranagar 100ft Road, Bengaluru 560038
Email: grievance@growyu.com · Response within 7 days as required.