File · WL-PRIVACY-2026/Privacy

Privacy · Grovant

Privacy policy

How we collect, store, and use personal information, in plain language wherever possible. The lawyered version is the version that controls; we keep the two in step so they say the same thing.

Last updated May 17, 2026 · Plain language · the lawyered version controls
Article I · What we collect

    We only collect what we need to run the engagement, reply to a brief, or comply with the law. Two categories: data you hand us, and data your browser hands us automatically.

    Provided directly

    • Name, email, phone, company on contact, audit, and book-a-call forms.
    • Billing and payment information when an engagement starts.
    • Project briefs, brand assets, and references you share with the practice lead.
    • Communication records: email threads, shared docs, call notes, and Slack-channel transcripts where applicable.

    Collected automatically

    • Device + browser data (IP address, user agent, viewport) for analytics and abuse prevention.
    • Usage events: pages visited, link clicks, scroll depth, time on page.
    • Approximate location (country + region) derived from your IP. We don't store precise location.
Article II · Why we hold it

    Every piece of personal data we collect maps to one of these purposes. Anything else is out of scope.

    • Delivering the work: engagement scoping, project execution, reporting, and senior-to-senior handoff.
    • Replying to inbound briefs, audit requests, and call bookings inside one business day.
    • Billing, invoicing, and tax compliance for the jurisdictions where we operate.
    • Securing the platform: fraud detection, rate limiting, and abuse and bot prevention.
    • Improving the site and content with aggregated, anonymized analytics.
    • Communicating about engagement updates and (only with your explicit opt-in) Journal newsletters.
Article III · Third-party processors we use

    Some data is handled by named, contracted service providers. Each is bound by a Data Processing Agreement (DPA). No personal data is sold to anyone. Full stop.

    Processor · Purpose · Region

    • Google Tag Manager + Analytics 4 · Site analytics, event tracking · US / EU
    • Calendly · 30-minute call scheduling · US
    • Payload CMS · Content management, form intake · Self-hosted
    • Railway · Application hosting, logs · US
    • Neon (Postgres) · Primary data store · US / EU
    • Resend / SendGrid · Transactional email delivery · US / EU
    • Cloudflare · CDN, DDoS protection · Global

    Standard Contractual Clauses (SCCs) cover transfers out of the EEA / UK where the processor isn't already in a country with an adequacy decision.

Article IV · Cookies and tracking

    We use the minimum cookies needed to make the site work and to understand how people read the Journal. No third-party advertising trackers run on this site.

    • Essential. Session cookies for form CSRF protection and accepted-cookies state. Cannot be disabled without breaking the site.
    • Analytics. Google Analytics 4 via Google Tag Manager. Anonymized IP, no cross-site behavioral profiles, retention capped at 14 months.
    • Embed. Calendly drops a session cookie on the /book-a-call page to remember your selection if you reload mid-booking.

    You can clear or block cookies in your browser at any time. Doing so may break form submissions and analytics-dependent features.

Article V · How long we keep it

    • Engagement records. Duration of the engagement plus 24 months, unless earlier deletion is requested.
    • Contact form submissions. 12 months from submission if no engagement results.
    • Billing and tax records. 7 years (statutory retention).
    • Analytics. 14 months in anonymized form, then purged.
    • Backups. Rolling 30-day encrypted backups. Deletion is applied to the live data store immediately; the deleted records remain in backups until the 30-day rotation purges them, so complete removal takes at most one rotation cycle.
Article VI · Your rights

    Depending on where you live, you have one or more of the rights below. We honor all of them within 30 days of a verified request.

    • Access. A copy of the personal data we hold about you.
    • Rectification. Correction of inaccurate or incomplete data.
    • Erasure. Deletion of your personal data, subject to legal-retention exceptions.
    • Portability. Your data in a structured, machine-readable format.
    • Restriction. Limit how we process your data in specific circumstances.
    • Objection. Object to processing for direct marketing or legitimate-interest purposes.
    • Withdraw consent. Where processing is based on consent, you can revoke it at any time.

    To exercise any right, email [email protected]. We verify that the requester is the data subject (or an authorized agent) before acting, and reply within 30 days, which is inside the statutory deadlines set by GDPR, CCPA, PIPEDA, and the Australian Privacy Act.

    Jurisdiction-specific notes

    • GDPR · EU/EEA/UK. Right to lodge a complaint with your supervisory authority if a dispute remains unresolved.
    • CCPA / CPRA · California. Right to know, right to delete, right to opt out of sale (we do not sell), right to non-discrimination for exercising rights.
    • PIPEDA · Canada. Right to file a complaint with the Office of the Privacy Commissioner of Canada.
    • Australian Privacy Act. Right to lodge a complaint with the Office of the Australian Information Commissioner.
Article VII · Children's privacy

    The site and the engagements are built for businesses. We don't direct any service at people under 18 and we don't knowingly collect data from them. If a parent or guardian believes a child has submitted information to us, email [email protected] and we'll delete it within five business days.

Article VIII · Security posture

    Defense in depth. No method of transmission is unbreakable; we apply the controls below as our standing baseline.

    • TLS 1.3 in transit. AES-256 at rest on every database and object store we own.
    • Strict Content-Security-Policy, HSTS with preload, a frame-ancestors directive that blocks third-party framing, and X-Content-Type-Options: nosniff on every response.
    • Role-based access. Staff see only the data needed to deliver their part of an engagement.
    • Quarterly access reviews; immediate revocation when a teammate rotates off an engagement.
    • Automated dependency scanning, SAST on every PR, secret-leak detection.
    • Encrypted backups, geographically separated. Disaster-recovery drills twice a year.
    • Incident-response SLA: affected parties are notified within 72 hours of our confirming a breach.
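The header baseline in the list above (strict CSP, HSTS preload, frame-ancestors locked, nosniff) is the kind of control that drifts silently when a CDN or framework default changes, so it is worth checking on every deploy. The script below is an added example, not part of the policy or the site's own tooling: it parses the relevant response headers and reports where a response falls short. The header values are constructed samples, not captured from the site, and the thresholds (one-year max-age with includeSubDomains and preload; frame-ancestors limited to 'none' or 'self'; no 'unsafe-inline' scripts without nonces or hashes) are the hstspreload.org submission requirements plus common strict-CSP guidance, not figures the policy itself states.

```python
"""Check HTTP response headers against a security-header baseline.

Added illustrative example: the sample headers are constructed, the
thresholds are hstspreload.org requirements plus strict-CSP guidance.
"""
from __future__ import annotations

ONE_YEAR = 31_536_000  # seconds; minimum HSTS max-age for the preload list


def parse_csp(value: str) -> dict[str, list[str]]:
    """Split a Content-Security-Policy header into {directive: [sources]}.

    Directive names and sources are lower-cased for keyword comparison only;
    this parser is not used to enforce nonces, so case loss is harmless here.
    """
    policy: dict[str, list[str]] = {}
    for directive in value.split(";"):
        parts = directive.strip().split()
        if parts:
            policy[parts[0].lower()] = [p.lower() for p in parts[1:]]
    return policy


def parse_hsts(value: str) -> dict[str, str | None]:
    """Split Strict-Transport-Security into {token: value-or-None}."""
    result: dict[str, str | None] = {}
    for token in value.split(";"):
        token = token.strip()
        if not token:
            continue
        name, _, val = token.partition("=")
        result[name.strip().lower()] = val.strip() or None
    return result


def check_security_headers(headers: dict[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the baseline is met."""
    h = {k.lower(): v for k, v in headers.items()}
    findings: list[str] = []

    # HSTS preload requirements: max-age >= 1 year, includeSubDomains, preload
    hsts = parse_hsts(h.get("strict-transport-security", ""))
    if not hsts:
        findings.append("HSTS: header missing")
    else:
        try:
            max_age = int(hsts.get("max-age") or -1)
        except ValueError:
            max_age = -1
        if max_age < ONE_YEAR:
            findings.append(f"HSTS: max-age {max_age} below {ONE_YEAR}")
        if "includesubdomains" not in hsts:
            findings.append("HSTS: includeSubDomains missing")
        if "preload" not in hsts:
            findings.append("HSTS: preload token missing")

    # CSP: frame-ancestors locked down, no unsafe inline scripts, no wildcards
    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("CSP: header missing")
    else:
        ancestors = csp.get("frame-ancestors")
        if ancestors is None:
            findings.append("CSP: frame-ancestors not set (framing unrestricted)")
        elif any(a not in ("'none'", "'self'") for a in ancestors):
            findings.append(f"CSP: frame-ancestors allows {ancestors}")
        # script-src falls back to default-src when absent, as browsers do
        scripts = csp.get("script-src", csp.get("default-src", []))
        has_nonce_or_hash = any(
            s.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-"))
            for s in scripts
        )
        # Browsers ignore 'unsafe-inline' once a nonce/hash is present, so
        # flag it only when it is actually in effect.
        if "'unsafe-inline'" in scripts and not has_nonce_or_hash:
            findings.append("CSP: script-src permits 'unsafe-inline' without nonces or hashes")
        if "*" in scripts:
            findings.append("CSP: script-src wildcard source")

    # MIME sniffing must be disabled
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")

    return findings


# Constructed sample responses (not captured from any real site).
WEAK_HEADERS = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "",
}

BASELINE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": (
        "default-src 'self'; script-src 'self' 'nonce-r4nd0m'; "
        "object-src 'none'; base-uri 'self'; frame-ancestors 'none'"
    ),
    "X-Content-Type-Options": "nosniff",
}

if __name__ == "__main__":
    for label, hdrs in (("weak", WEAK_HEADERS), ("baseline", BASELINE_HEADERS)):
        findings = check_security_headers(hdrs)
        print(f"{label}: {'OK' if not findings else ''}")
        for finding in findings:
            print("  -", finding)
```

The weak sample trips six findings (short max-age, no includeSubDomains, no preload, unrestricted framing, effective 'unsafe-inline', no nosniff); the baseline sample passes clean. Wiring the function to a real response (for example the `headers` attribute of an `http.client` or `requests` response) is the only change needed to run it against a live deploy.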
Article IX · International transfers

    We operate from one country but our processors and audience are global. We rely on the safeguards below for any cross-border transfer of personal data.

    • Standard Contractual Clauses (SCCs) under EU Commission Decision 2021/914 for processors outside the EEA.
    • UK International Data Transfer Addendum where the SCCs need to be ported.
    • Reliance on adequacy decisions (e.g. UK, Switzerland, EU–US Data Privacy Framework) where applicable.
    • Where adequacy doesn't apply and SCCs alone aren't enough, we apply supplementary measures such as encryption with customer-managed keys, pseudonymization, or contractual commitments by the processor to challenge government access requests.
Article X · Changes to this policy

    We update this policy when our practices, technologies, or the law changes. Material changes get a banner on the site and (for active engagements) an email. The “last updated” date in the masthead always reflects the most recent revision. Continued use of the site after a revision counts as acceptance of the updated policy.

Contact · privacy office · Reply in 1 business day

EU / UK representative

Same email, with [GDPR] in the subject line. We route to the data-protection lead within one business day.