Data Processing Agreement
Last updated: May 21, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between GrowthCat and app owners ("Controller") who use the GrowthCat service to process personal data subject to the GDPR, UK GDPR, or equivalent legislation. It satisfies the requirements of Article 28 of Regulation (EU) 2016/679 (GDPR).
By using GrowthCat to process personal data of EU/EEA or UK data subjects, you (the Controller) agree to the terms of this DPA. This DPA is incorporated into and subject to the GrowthCat Terms of Service.
1. Definitions
- "Controller" means the app owner who determines the purposes and means of processing personal data through the GrowthCat service.
- "Processor" means GrowthCat, which processes personal data on behalf of the Controller.
- "Personal Data" has the meaning given in Article 4(1) GDPR.
- "Processing" has the meaning given in Article 4(2) GDPR.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Sub-processor" means any third party engaged by GrowthCat to carry out processing activities on behalf of the Controller.
- "Standard Contractual Clauses" or "SCCs" means the European Commission's standard contractual clauses for the transfer of personal data to third countries adopted by Commission Decision 2021/914/EU.
2. Scope and Nature of Processing
GrowthCat processes personal data on behalf of the Controller solely to provide the GrowthCat service. The subject matter, duration, nature, purpose, and categories of data are as follows:
Subject matter
Referral campaign analytics, promo code attribution, conversion tracking, and payout calculation for the Controller's mobile application(s).
Duration
For as long as the Controller uses the GrowthCat service, or until earlier deletion as specified in Section 10.
Nature of processing
Collection, storage, aggregation, analysis, and transmission of campaign attribution and analytics data via the GrowthCat SDK, API, and backend service. GrowthCat's frontend proxy layer strips end-user IP addresses and User-Agent strings before forwarding requests to the GrowthCat backend; those identifiers are not transmitted to or stored by GrowthCat on behalf of the Controller.
Purpose
To provide promo code attribution, campaign performance analytics, conversion tracking, commission calculation, payout operations, and related features as described in the GrowthCat documentation.
Types of personal data actually processed
The following is an accurate description of the personal data categories GrowthCat processes on behalf of Controllers:
- App user identifiers: Pseudonymous user IDs supplied by the Controller's application via the GrowthCat SDK or API. These are opaque identifiers; GrowthCat does not receive names, email addresses, or other directly identifying information about the Controller's end users unless explicitly passed by the Controller.
- Promo code interaction events: Records of promo code validation attempts (successful and failed), promo code claims, and promo code redemptions, each associated with a pseudonymous app user ID, a timestamp, a campaign identifier, and an event type.
- Subscription and conversion events: In-app subscription purchase and renewal events received from RevenueCat webhooks on behalf of the Controller, associated with a pseudonymous user ID and a product identifier. Refund state, net and gross revenue figures, and renewal metadata are included where provided by RevenueCat or the relevant app store.
- Aggregated country and locale data: Country codes and locale identifiers derived from SDK event metadata. These are surfaced in analytics as aggregate counts per country or locale (e.g. "42 clicks from DE") and are not associated with individual user identifiers in the data returned to the Controller's dashboard.
- Paywall and checkout funnel events: Anonymised counts of paywall views, checkout starts, and checkout cancellations per campaign, where instrumented by the Controller using the GrowthCat SDK.
- Influencer account data: Name, email address, country, and Stripe Connect account identifiers for influencers who sign up on GrowthCat. This data is processed as part of the payout workflow.
Data GrowthCat does NOT collect on behalf of Controllers
- End-user IP addresses (stripped by the frontend proxy before reaching the GrowthCat backend).
- End-user browser User-Agent strings (stripped by the frontend proxy).
- End-user names, email addresses, or contact details (unless explicitly passed by the Controller).
- Payment card details (handled exclusively by Stripe).
- Third-party behavioural advertising data (GrowthCat does not integrate with advertising networks or behavioural tracking services).
Categories of data subjects
End users of the Controller's application(s) who interact with GrowthCat-tracked promo codes, referral links, or campaign attribution flows.
3. Controller Instructions
GrowthCat shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by EU or Member State law applicable to GrowthCat. GrowthCat shall inform the Controller of such a legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
The Controller's documented instructions are set out in these Terms, this DPA, and the GrowthCat service configuration as implemented by the Controller. Instructions may be updated via the GrowthCat service configuration; GrowthCat will implement such changes within a reasonable timeframe.
4. Data Minimisation and Privacy by Design
GrowthCat applies the following technical measures to minimise the personal data processed on behalf of Controllers:
- Proxy header stripping: The GrowthCat Next.js frontend proxy forwards only the following request headers to the GrowthCat backend: accept, accept-language, content-type, cookie, x-growthcat-key, and x-growthcat-workspace. All other headers, including x-forwarded-for and user-agent, are stripped.
- Aggregated analytics: Country and locale breakdowns in the analytics dashboard represent aggregate counts and are not linked to individual user identifiers.
- Pseudonymous identifiers: End-user attribution is keyed on opaque app-user IDs supplied by the Controller, not on names or email addresses.
- No third-party behavioural trackers: GrowthCat does not embed third-party advertising pixels, behavioural tracking SDKs, or data-broker integrations in its service.
5. Confidentiality
GrowthCat shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to personal data is limited to personnel who need access to fulfil the purposes described in this DPA.
6. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, GrowthCat implements appropriate technical and organisational measures including:
- Encryption of personal data in transit (TLS) and at rest;
- Authentication controls and access restrictions for personnel;
- Ability to restore access to personal data in a timely manner following a physical or technical incident;
- Regular testing and evaluation of the effectiveness of technical and organisational measures;
- Frontend proxy controls that prevent unnecessary personal data (IP, User-Agent) from reaching the backend.
7. Sub-processors
The Controller provides general authorisation for GrowthCat to engage the following categories of sub-processors. Current sub-processors include:
- Stripe, Inc. — Payment processing, Stripe Connect payout infrastructure, and billing management. Stripe processes payment credentials and payout account details on behalf of the Controller and influencers. Stripe's DPA and SCCs are available at stripe.com/legal/dpa.
- RevenueCat — In-app subscription event processing. RevenueCat receives subscription purchase and renewal webhook events from app stores on behalf of the Controller and forwards them to GrowthCat for attribution. RevenueCat's privacy terms are available at revenuecat.com/privacy.
- Cloud infrastructure and hosting providers — Servers, databases, and content delivery infrastructure used to operate the GrowthCat backend and frontend services.
- Communications providers — Transactional email and notification delivery.
GrowthCat will inform the Controller of any intended addition or replacement of sub-processors at least 14 days in advance by updating this DPA, giving the Controller the opportunity to object. GrowthCat imposes data protection obligations on sub-processors equivalent to those in this DPA and remains liable for their performance.
8. Data Subject Rights Assistance
GrowthCat shall, taking into account the nature of the processing, assist the Controller in fulfilling its obligations to respond to data subject requests under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). GrowthCat shall promptly notify the Controller if it receives a data subject request relating to data for which the Controller is controller, without responding to that request except on documented instructions.
Because end-user attribution in GrowthCat is keyed on pseudonymous app-user IDs supplied by the Controller, the Controller is best placed to link a data subject's identity to the relevant app-user ID before requesting deletion or access from GrowthCat.
9. Personal Data Breach Notification
GrowthCat shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting data processed under this DPA. Notification shall include, to the extent then known:
- The nature of the breach and approximate number of data subjects and records affected;
- The likely consequences of the breach;
- Measures taken or proposed to address the breach and mitigate adverse effects.
Where not all information is available at the time of notification, GrowthCat will provide it in phases as it becomes available.
10. Deletion and Return of Data
Upon termination of the GrowthCat service relationship, GrowthCat shall, at the Controller's choice, delete or return all personal data processed under this DPA within a reasonable timeframe, and delete existing copies unless EU or Member State law requires retention. GrowthCat may retain anonymised or aggregated data that cannot reasonably be re-identified.
Controllers wishing to exercise this right should submit a request through the GrowthCat support channels, clearly identifying the data to be deleted or returned and the relevant app(s).
11. Audits and Inspections
GrowthCat shall make available all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits, including inspections, conducted by the Controller or a mandated auditor, provided that such audits are conducted with reasonable prior written notice, no more than once per calendar year, and do not unreasonably interfere with GrowthCat's operations. Audit costs are borne by the Controller unless the audit reveals a material non-compliance by GrowthCat.
12. International Data Transfers
GrowthCat primarily processes data using infrastructure within the European Union and/or United States. Where processing involves a transfer of personal data to a country outside the EEA or UK without an adequacy decision, the parties agree that such transfer is subject to the Standard Contractual Clauses (Module 2: Controller to Processor, Commission Decision 2021/914/EU), incorporated by reference into this DPA. For UK transfers, the UK IDTA (International Data Transfer Addendum) applies.
For transfers to the United States, GrowthCat relies on SCCs and, where applicable, the EU-U.S. Data Privacy Framework. Stripe's cross-border transfers are governed by Stripe's own DPA and SCCs.
13. Data Protection Impact Assessments
GrowthCat shall assist the Controller in ensuring compliance with Articles 35 and 36 GDPR (DPIAs and prior consultation), taking into account the nature of the processing and the information available to GrowthCat. Given that GrowthCat processes only pseudonymous identifiers, aggregated analytics, and subscription event data on behalf of Controllers (without IP addresses, User-Agent strings, or directly identifying end-user information), the inherent risk level of GrowthCat's processing activities is generally low. Controllers should nonetheless conduct their own DPIA assessment where required by applicable law.
14. Governing Law
This DPA shall be governed by the laws applicable to the main GrowthCat Terms of Service, except that provisions relating to the Standard Contractual Clauses are governed by the laws specified therein.
15. Contact
Questions relating to this DPA should be directed through the support channels available within the GrowthCat platform, clearly marked as a GDPR/DPA matter. For data breach notifications, please also use these channels and mark the message as urgent.