A→Z+1 · Growis Client Portal

Draft — under legal review. This version is published for transparency and may change.

Privacy Policy — A→Z+1 Client Portal

*Prepared 10 July 2026. Covers portal.growis.ch only (separate from the growis.ch website policy).*

1. Who we are

Growis AG, [registered address], Lucerne, Switzerland ("Growis", "we") operates the A→Z+1 client portal at portal.growis.ch (the "Portal").

For account data of Portal users, Growis is the data controller. For content our clients place in their workspace (projects, drafts, files, comments), Growis acts as processor on behalf of the client; that processing is governed by the Data Processing Agreement between Growis and the client.

Privacy contact: [privacy@growis.ch — create this alias]. Data protection lead: [name — the internal privacy owner].

2. What data we process

Account data: name, business e-mail address, language preference, authentication data (magic-link e-mail events, Google/Microsoft sign-in identifiers, TOTP enrollment status, passkey public keys — never your passwords), profile role.

Workspace content: projects, milestones, deliverable drafts and versions, comments (including quoted text passages), form questions and answers, uploaded files and their metadata, brand-voice profiles, help articles.

Approval signatures: when you approve a deliverable you type your full name; we record that name with the timestamp, your IP address, and browser identifier as an electronic signature record.

Activity data: an audit log of actions in your workspace (who did what, when — e.g. uploads, approvals, comments, file views, AI queries), used for the project timeline, security, and evidence of sign-off.

AI interaction data: questions you ask the workspace assistant and drafts generated with AI assistance are processed by our AI infrastructure (Section 5) and logged.

Technical data: connection and security logs (IP addresses, user-agent) at our hosting and security providers; error diagnostics (Sentry) with personal data scrubbed where feasible.

3. Purposes and legal bases

4. Where your data lives

Primary data residency is Switzerland: the Portal database, file storage, and search indexes run in Zurich (Supabase, AWS eu-central-2). AI text generation runs on Swiss infrastructure (Infomaniak, Switzerland). The application itself is delivered through Cloudflare's global network; e-mail is sent via Resend.

5. AI transparency (EU AI Act & nFADP)

The Portal includes AI features: a workspace assistant (chat) and AI-assisted drafting.

6. Processors and sub-processors

ProviderRoleLocation/Region
SupabaseDatabase, auth, storage, functionsZurich, Switzerland (AWS)
CloudflareHosting, CDN, DDoS/WAFGlobal network (US company)
InfomaniakAI inferenceSwitzerland
ResendTransactional e-mail[US company; EU sending region configured]
SentryError monitoringEU (Germany) region
Google / MicrosoftOptional sign-in (OAuth)Per your account
LinearInternal work tracking (issue titles may contain deliverable names)US
Calendly / FathomMeeting scheduling / call summaries shown on your timelineUS
HubSpotClient relationship records (company name, business contact e-mail)[US/EU — check portal setting]
SocialPilotSocial-media metrics retrieval for reportingUS
Google (GA4)Website analytics retrieval (only if client connects GA4)US/EU
GitHubSource code hosting (no client data)US

Current list also published at [trust page URL — to be created]. We will notify clients of sub-processor changes per the DPA.

7. International transfers

Where providers process data outside Switzerland/EEA (Cloudflare, Resend, Linear, Calendly, Fathom, HubSpot, SocialPilot, Google), transfers rely on the EU Standard Contractual Clauses with the Swiss addendum, per the signed DPAs. [Attach/confirm via DPA tracker.]

8. Retention

Workspace content is retained for the duration of the client engagement and handed over/deleted at offboarding per the DPA ([default: deletion 90 days after contract end — confirm]). Audit logs and signature records: [retain 10 years for evidentiary purposes — lawyer to confirm]. Account data: deleted upon account removal, subject to the above.

9. Your rights

Under the nFADP and, where applicable, the GDPR you may request access, rectification, deletion, restriction, portability, and object to processing: contact [privacy@growis.ch]. If your data is in a client workspace, we may redirect your request to that client (the controller). You may complain to the FDPIC (Switzerland) or your local EU supervisory authority.

10. Security (summary)

Encryption in transit (TLS 1.3, HSTS) and at rest; database-enforced client isolation (row-level security, tested continuously); mandatory two-factor authentication for Growis staff; signed, expiring file links; upload content scanning; audit logging; captcha and rate limiting on authentication; EU/Swiss data residency by default.

11. Changes

We will post updates here and notify workspace administrators of material changes.


Open points for the lawyer: entity name & address; EU Art. 27 representative (Swiss company targeting EU clients — likely needed); retention periods; e-signature clause cross-reference with Terms; cookie statement (the Portal sets only strictly necessary auth cookies — confirm no consent banner needed); Infomaniak no-training confirmation.

Terms of Use · Sign in