Privacy Policy

Account information. When you sign up, we collect your name, email address, and authentication identifiers from Supabase Auth (our authentication provider). If you sign in with a federated identity provider (e.g., Google), we receive your name, email, and avatar URL from that provider.

Organization & profile data. We store the workspace or organization you create or join, your role, billing tier, the agents you have enabled, and onboarding preferences you provide.

Content you provide.We store the conversations you have with the assistant, the structured records (“nodes”) the assistant creates on your behalf, files you upload to the Knowledge Base, and any prompts, instructions, or documents you supply.

Connected-service data.If you connect Google Workspace, we receive an OAuth refresh token from Google and data returned by the specific Google APIs you authorize. See “Google user data” below for the exact scopes and how each one is used.

Billing information. If you subscribe to a paid plan, Stripe collects and stores your payment details. We receive only a customer identifier, subscription status, plan tier, and high-level event metadata from Stripe. We do not see or store full card numbers.

Technical & usage telemetry. We collect standard log data (IP address, browser type, request paths, timestamps, error stack traces) and product analytics (page views, feature usage, performance metrics) to operate, debug, and improve the Service. Session replays are masked to exclude form inputs and elements marked as containing personal data.

When you connect a Google account, you grant GrowthAF.ai access to specific OAuth scopes. The table below lists each scope we request, the user-facing capability it enables, and how the resulting data is handled.

Limited Use of Google user data

GrowthAF.ai’s use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. In particular:

• We use Google user data only to provide and improve the features the user has requested.
• We do not transfer Google user data to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with notice to users.
• We do not use Google user data for advertising, including retargeting, personalized, or interest-based advertising.
• We do not allow humans to read Google user data unless (a) we have the user’s affirmative agreement for specific messages, (b) it is necessary for security purposes such as investigating abuse, (c) it is necessary to comply with applicable law, or (d) the data has been aggregated and anonymized and is used for internal operations.
• We do not use Google user data, or data derived from it, to develop, improve, or train generalized AI or machine-learning models. Data sent to model providers (Anthropic, OpenAI) is sent under terms that prohibit those providers from using it to train their generalized models.

Revoking Google access

You can disconnect Google at any time from Settings → Google Workspace inside GrowthAF.ai, which revokes our OAuth tokens and deletes them from our database. You can also revoke access directly at myaccount.google.com/permissions.

What Magnus is.Magnus is an optional meeting assistant that joins a Google Meet call as a labeled participant and records the conversation. It is off by default. Nothing happens on any meeting unless you click “have Magnus sit in” on that specific meeting’s row in your GrowthAF.aicalendar surface. There is no “join every meeting” toggle.

How participants see it. When Magnus joins, it appears in the meeting as a named participant labeled “Magnus (recording for <your name>)”. Anyone in the meeting can see Magnus is there and what it is doing.

What gets recorded and stored. Magnus captures the audio transcript of the call. The transcript, along with meeting metadata (start time, end time, participants) and a short assistant-generated summary, is stored in your GrowthAF.ai workspace so the assistant can extract follow-up tasks and draft replies. We do not retain the raw audio file after transcription.

Two-party-consent jurisdictions. Some U.S. states and several countries require every participant to consent to being recorded. When GrowthAF.aidetects a participant who is located in one of those jurisdictions and there is no recorded consent on file, the attach is blocked. The currently covered states are California, Illinois, Florida, Maryland, Massachusetts, Montana, New Hampshire, Pennsylvania, and Washington. If you operate across borders, you are responsible for the disclosure you give your meeting guests before clicking “have Magnus sit in.”

How long we keep it.Meeting transcripts and their derived records (summaries, draft tasks) are retained for 30 days by default and then deleted automatically. An organization administrator can extend retention — never shorten it below 30 days — from Settings → Privacy inside GrowthAF.ai. The append-only audit log of when a meeting was attached, transcribed, processed, and deleted is kept for the same retention window.

How to delete a meeting. If you are a GrowthAF.aiuser, open the meeting in the product and choose “Delete this meeting.” The deletion cascades through our database, the vector store, downstream task records, and the model-provider caches; the deletion-completion event is written to the audit log within 24 hours.

If you are not a GrowthAF.ai user. If you were a participant in a meeting that Magnus recorded and you want the transcript and derived records deleted, submit a request at growthaf.com/privacy/delete-request. You do not need to create an account. We confirm the request with the organizer of the meeting before deleting, and we honor the deletion within the 24-hour window above.

We use the information described above to:

• provide, operate, and maintain the Service;
• execute the actions you request (drafting an email, scheduling a meeting, summarizing a document, generating a deck, and so on);
• authenticate you, manage your account, and provide customer support;
• process subscription payments and prevent fraud;
• monitor and improve the reliability, performance, and security of the Service — including detecting and investigating errors and abuse;
• communicate with you about your account, product changes, and service announcements; and
• comply with legal obligations and enforce our terms.

We do not sell personal information. We do not use Google user data, or content you store in GrowthAF.ai, to train generalized AI models.

If you are in the European Economic Area, the United Kingdom, or another jurisdiction with similar law, we process your information on the following legal bases: (a) performance of our contract with you (to deliver the Service you signed up for); (b) our legitimate interests in operating, securing, and improving the Service, where those interests are not overridden by your rights; (c) compliance with legal obligations; and (d) your consent — for example, when you connect a third-party account such as Google Workspace.

We share information only as needed to operate the Service or as required by law. We use the following sub-processors:

We may also disclose information (a) to comply with a lawful subpoena, court order, or similar legal demand we believe in good faith to be valid; (b) to protect the rights, property, or safety of GrowthAF, Inc., our users, or others; and (c) in connection with a merger, acquisition, financing, or sale of assets, in which case we will provide notice before your information becomes subject to a different privacy policy.

We use industry-standard safeguards to protect your information. These include encryption in transit (TLS), encryption at rest for our primary database, row-level security policies in Postgres that scope data to the organization that owns it, access controls for staff, audit logging, and least-privilege service credentials.

No system is perfectly secure. If we become aware of a security incident that affects your personal information, we will notify you and any regulators as required by applicable law.

We retain your account information, conversations, and content for as long as your account is active or as needed to provide the Service. If you delete your account, we delete or anonymize the associated personal information within 30 days, except where we are required to retain it for legal, accounting, or fraud-prevention purposes (for example, invoice records may be retained for the period required by tax law).

Google OAuth tokens are deleted from our database immediately when you disconnect Google in Settings or when you delete your account.

Depending on where you live, you may have the right to: (a) access the personal information we hold about you; (b) correct inaccurate information; (c) delete your personal information; (d) object to or restrict certain processing; (e) request portability of your information in a machine-readable format; and (f) withdraw consent you previously provided.

You can exercise most of these rights directly inside the product — disconnecting third-party integrations, editing or deleting conversations and knowledge-base entries, and deleting your account. For anything you cannot accomplish inside the product, email us at hello@growthaf.com and we will respond within the timeframes required by applicable law.

If you are in the EEA or the UK, you have the right to lodge a complaint with your local data-protection authority.

GrowthAF.aiis an AI assistant. When you interact with the assistant, your messages, the assistant’s working context, and any tool inputs and outputs necessary to complete your request are sent to our model provider (Anthropic) for inference. Embeddings of Knowledge Base content are generated through OpenAI’s API. Both providers contractually commit not to use customer data submitted via their APIs to train their generalized models.

AI output can be inaccurate or incomplete. You are responsible for reviewing what the assistant produces — especially before sending an email, modifying a calendar event, or making a financial or legal decision based on its output.

We are based in the United States, and our sub-processors operate from the United States and the European Union. When we transfer personal information outside your country, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses, where applicable.

The Service is not directed to children under 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us at hello@growthaf.com and we will delete it.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or through a prominent notice in the product before the change takes effect. The “Last updated” date at the top of this page always reflects the current version.

If you have questions about this Privacy Policy or how we handle your information, or if you want to exercise any of the rights described above, email hello@growthaf.com. You can also write to GrowthAF, Inc., Attn: Privacy.