Privacy Policy

Last updated: March 23, 2026

1. Controller

The data controller for the data collected through Growly ("Service") is the operator of this application. You can contact us at the address or email provided at the end of this policy.

2. Data we collect

We collect and process the following data:

  • Account data: User ID, email (if you provide it), hashed password (if set), and settings including notification and consent preferences.
  • Threads connection: AES-256-GCM encrypted OAuth access token and refresh token, token expiry timestamp, Threads user ID, username, display name, profile picture URL, account status, and last publish time. We do not store your Threads password.
  • Content and scheduling: Posts (text, scheduled time, status, media URLs), slots, slot times, and any tags you create.
  • Engagement data: Post metrics (likes, views, replies, reposts, quotes) fetched from the Threads API on your behalf, stored in published post records and an engagement heatmap used to power posting-time recommendations.
  • AI features data: When you use AI post suggestions, your post content, account biography, and writing style/brand preferences are sent to Google's Gemini AI (via Firebase AI) to generate post ideas. This data is processed by Google and is subject to Google's data processing terms. We do not use your content to train AI models.
  • Audit log: Records of actions such as connecting or disconnecting a Threads account, for security and operations. We do not use this to profile you.
  • Session: A session cookie (threads_session) — an httpOnly JWT valid for 7 days — to keep you signed in. On staging environments, an additional dev_auth cookie may be set.

3. Lawful basis

  • Contract / necessity: Account data, Threads connection, content, scheduling, and session data are necessary to provide the Service.
  • Consent: Service emails (e.g. token expiry notifications), marketing communications, and analytics are based on your consent. You can withdraw consent at any time in Settings.
  • Legitimate interest: The audit log is retained for security and operational purposes for 12 months.

4. Retention

  • Account and content: Retained until you delete your account or request erasure.
  • Session: 7 days; cleared when you log out.
  • Audit log: Retained for 12 months. We do not use it to profile you.

5. Subprocessors

We use the following subprocessors to run the Service:

  • Supabase — Database (EU/US). Privacy Policy.
  • Redis (Redis Cloud) — Job queue for scheduled publishing.
  • Resend — Transactional email. Privacy Policy.
  • Vercel — Hosting and edge delivery. Privacy Policy.
  • Meta / Threads — OAuth authentication and Threads API. Meta Privacy Policy.
  • Google Firebase / Gemini AI — AI-powered post suggestion generation (Google Gemini AI) and behaviour analytics (Firebase Analytics). Your post content and biography may be sent to Google's Gemini AI when you use AI features. Firebase Analytics is only activated with your explicit consent. Firebase Privacy Policy.

Where data is transferred outside the EEA, we rely on appropriate safeguards (e.g. Standard Contractual Clauses) as required by applicable law.

6. Cookies & analytics

We use one essential cookie, threads_session, to keep you signed in. It is an httpOnly JWT cookie strictly necessary for the Service to function.

With your consent, we activate Firebase Analytics (Google) to collect anonymised behavioural data — such as page visits and feature interactions — to understand how the product is used and improve it. Firebase Analytics may set its own first-party cookies (_ga, _ga_*) and use device identifiers for this purpose.

You can give or withdraw analytics consent at any time:

  • Before signing in — use the cookie banner shown on public pages.
  • After signing in — toggle "Help improve the product with anonymised usage data" under Settings → Privacy & consent.

If you choose "Essential only" in the cookie banner, no analytics cookies are set and Firebase Analytics is never activated for your session.

7. Your rights (GDPR)

You have the right to:

  • Access — Request a copy of your data (use "Export my data" in Settings).
  • Rectification — Update your email and consent preferences in Settings.
  • Erasure — Delete your account and all associated data via "Delete my account" in Settings.
  • Restrict processing — In certain cases, request that we limit how we use your data.
  • Data portability — Receive your data in a machine-readable format (JSON/ZIP export).
  • Object — Object to processing based on legitimate interest.
  • Withdraw consent — Turn off service emails, marketing, or analytics in Settings at any time.
  • Complain — Lodge a complaint with a supervisory authority in your country of residence.

To exercise these rights, use the in-app options in Settings or contact us. We will respond within the time required by applicable law.

8. Contact

For privacy requests or questions, contact the data controller at support@growly.social. If we designate a data protection officer (DPO), their contact details will be published here.

9. Third-party services

When you publish a post, we transmit your content to the Meta/Threads API on your behalf. Once content leaves our systems and reaches Meta's API, it is subject to Meta's own privacy practices and policies. We are not responsible for how Meta/Threads handles your content after it reaches their API.

10. Security

OAuth tokens are encrypted at rest using AES-256-GCM before being stored in the database. We apply technical and organizational measures appropriate to the risk. However, no system is completely secure, and we cannot guarantee absolute security of your data.

11. Changes to this policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the "Last updated" date at the top of this page. Continued use of the Service after the updated date constitutes acceptance of the revised policy.

12. Promotional use of public profile data

By connecting your Threads account to Growly, you grant us a non-exclusive, royalty-free licence to use the following publicly available data from your Threads profile for marketing and promotional purposes:

  • Profile picture — displayed on the Growly landing page, in promotional emails, and in other marketing materials to illustrate real user adoption.
  • Threads user ID and username — may appear alongside your profile picture for attribution and credibility purposes.
  • Published posts — example posts from your Threads account may be displayed in product screenshots, demos, or marketing materials to illustrate how the Service works.

We will only use data that is publicly visible on Threads. We will not use private drafts, failed posts, or any unpublished content for promotional purposes. You may opt out of promotional use at any time by contacting us at support@growly.social — we will remove your data from active marketing materials within a reasonable timeframe.

This use is based on our legitimate interest in promoting the Service (Article 6(1)(f) GDPR). You have the right to object to this processing at any time.

13. AI features

Growly offers AI-powered post suggestion features. By enabling or using these features, you consent to your post content, account biography, and style preferences being sent to Google's Gemini AI for processing. AI-generated content is provided for informational and creative assistance purposes only. We do not guarantee the accuracy, appropriateness, or fitness of AI-generated suggestions for any particular purpose. You are solely responsible for reviewing and editing AI-generated content and for any consequences of publishing it to Threads.

AI features are processed under your consent (Article 6(1)(a) GDPR). You can stop using AI features at any time; no data is retained by the AI provider beyond the scope of a single request.