Legal

Privacy Policy

Last updated: 2026-05-12

1. Introduction

GrowthMom ("we", "our", "us") is an AI-first operator for your business, operated from France. This policy explains what we collect, how we use it, and the guarantees we offer about per-user isolation and your connected tools.

The short version: each user gets an isolated sandbox. OAuth tokens for your connected tools live with our integration partner, not on our servers. Your conversations, files and memory live in your sandbox. We do not use any of it to train AI models.

2. What we collect

Account information

  • Email address
  • Name and profile picture (if provided via Google sign-in)
  • The Supabase identifier for your account

Your sandbox

When you sign up we provision a personal sandbox (powered by E2B) under your account. Inside it live:

  • Conversations with the operator
  • Files the operator creates or that you upload (decks, charts, drafts, notes)
  • The memory file the operator writes to and that you can read and edit
  • Skills (text files describing workflows the operator can run)

Sandboxes auto-pause after inactivity to control cost and resume when you next interact. Their content is private to your account.

Connected tools

When you connect a third-party service (Gmail, Calendar, Stripe, Linear, Notion, PostHog and so on), the OAuth consent and resulting tokens are handled by Composio, our integration partner. We hold an administrative key with Composio to start consent flows and to expose the right tools to your sandbox via MCP. Your access tokens themselves are never stored on GrowthMom application servers.

When the operator reads from or acts through a connected tool, that tool's API may receive the data necessary to fulfil the call (the email it's drafting, the issue title it's creating, the customer it's looking up).

Usage analytics

We use PostHog (hosted in the EU) to collect product analytics: pages visited, features used, errors. We use it to improve the product. We do not use third-party tracking cookies for advertising.

Billing

Payments are processed by Stripe. We store a Stripe customer identifier and your subscription state. We never see or store your card details.

3. How we use your information

  • Provide and operate GrowthMom: dashboard, operator, sandbox, integrations
  • Route reasoning requests to large language model providers (see section 4)
  • Charge fees and surface usage
  • Send important service updates and respond to support requests
  • Improve the product, with usage data anonymised where possible

4. AI providers and how prompts are routed

The operator reasons by calling large language models. We route those calls through Vercel AI Gateway, which forwards them to the model provider you (or the default for that task) selected. Providers currently include:

  • OpenAI (GPT family)
  • Anthropic (Claude family)
  • Google (Gemini family)
  • Moonshot AI (Kimi)
  • Mistral
  • Z.AI (GLM)

A model call typically includes the operator's system prompt, your recent conversation and the relevant context the operator pulled from your tools. Each provider's privacy terms apply to data they receive. We choose providers that do not use API traffic to train their models. We do not use your data to train AI models ourselves.

5. Data sharing and subprocessors

We do not sell or rent your personal data. We share data with these subprocessors:

  • Supabase (EU): authentication and database
  • E2B: per-user sandbox runtime
  • Composio: OAuth and MCP integrations with third-party tools
  • Vercel AI Gateway: routing of model calls
  • OpenAI, Anthropic, Google, Moonshot AI, Mistral, Z.AI: the model providers behind the gateway
  • Stripe: payment processing
  • PostHog (EU): product analytics

We may also disclose data when required by law or to protect the rights, property or safety of GrowthMom, our users or the public.

6. Data security

  • All traffic is encrypted in transit (HTTPS / TLS)
  • Sensitive credentials are encrypted at rest with a server-side key
  • Each user's sandbox is isolated from every other user's sandbox
  • OAuth tokens for your connected tools are stored at Composio, not on our servers
  • Database access uses row-level security so users can only read their own rows

No system is perfectly secure. We follow industry best practice but cannot guarantee absolute security.

7. Data retention

  • Active accounts: data is retained while your account is active
  • Closed accounts: sandbox and associated data are deleted within 30 days of closure
  • Billing records: retained for the period required by tax and accounting law in France

You can request immediate deletion of your sandbox and account by contacting us.

8. Your rights (GDPR)

If you are in the European Union, you have the right to:

  • Access a copy of the personal data we hold about you
  • Rectify inaccurate data
  • Erase your data
  • Port your data to another provider in a structured format
  • Object to certain processing activities
  • Withdraw consent to optional processing at any time

To exercise these rights, contact us at contact@growthmom.io. You also have the right to lodge a complaint with the French data protection authority (CNIL).

9. Cookies

We use essential cookies for:

  • Authentication and session management
  • Remembering preferences (theme, sidebar state)

PostHog (EU-hosted) may set cookies for anonymous product analytics. We do not use third-party tracking cookies for advertising.

10. Children's privacy

GrowthMom is not intended for users under 18. We do not knowingly collect data from children.

11. Changes to this policy

We may update this policy. We will notify you by email of significant changes. The "Last updated" date at the top indicates the latest revision.

12. Contact

For privacy-related questions or requests, contact us at contact@growthmom.io.

← Back to homeTerms of service →