GrowthCode is an addressability management platform that delivers maximum signal for digital advertising stakeholders

GROWTHCODE LLC

Platform Privacy Policy

Effective Date: April 1, 2026

Version 1.0

Who this policy is for

This Platform Privacy Policy governs how GrowthCode processes personal data in connection with its identity resolution and signal enrichment services. It applies to publishers, SSPs, DSPs, identity partners, data licensors, joint controllers, and all other business counterparties. If you are an individual — a website visitor, consumer, or job applicant — see the GrowthCode Privacy Notice at growthcode.io/privacy.

1. Who We Are

GrowthCode LLC is a New York-incorporated data infrastructure company. We help publishers create, manage, and optimize first-party data signals, and we help buyers build and maintain their own identity solutions.

GrowthCode operates exclusively as an independent data controller. We are not a processor, sub-processor, or service provider for any counterparty’s data. Every party that works with GrowthCode does so under a controller-to-controller relationship. This position is foundational to how we contract, process data, and structure our legal obligations.

For questions about this policy:

GrowthCode LLC — Privacy Officer

privacy@growthcode.io

growthcode.io/platform-privacy

47 East 88th Street, New York, New York 10128

2. Scope of This Policy

This policy covers all personal data GrowthCode processes through its identity resolution platform, including data received from publishers, ID partners, data licensors, and joint controllers. It describes the categories of data processed, the purposes and legal bases for processing, how data is shared, retention periods, cross-border transfer mechanisms, and counterparty obligations.

This policy is incorporated by reference into the GrowthCode Data Processing Addendum (DPA) and Terms of Service. In the event of any conflict between this policy and the executed DPA, the DPA controls.

This policy does not cover data GrowthCode collects from visitors to growthcode.io, from business contacts, or from job applicants. Those processing activities are covered in the GrowthCode Privacy Notice at growthcode.io/privacy.

3. Personal Data We Process

GrowthCode processes the following categories of personal data through its platform:

Data category Description

Hashed email addresses (HEMs) SHA-256 hashed email addresses received from publishers or derived from publisher first-party data. Used as the primary matching signal for identity resolution and GrowthCode Plus enrichment.

GrowthCode Identity IDs (GCIDs) GrowthCode’s proprietary pseudonymous identifier, minted via the GrowthCode Prebid ID module or server- to-server integration. The GCID is GrowthCode’s own identifier. No other party’s registration or consent framework covers GCID minting.

Universal IDs. Third-party pseudonymous identifiers minted or retrieved on behalf of publishers, including UID2, ID5, LiveRamp RampID, Yahoo ConnectID, Criteo ID, Epsilon Core ID, Hadron ID, and Panorama ID. See DPA Annex III for the current partner list and categorization.

Mobile advertising IDs (MAIDs) Apple IDFA and Google GAID signals received from publisher integrations or ID partner networks.

CTV IDs Connected TV device identifiers received periodically from publisher or partner integrations.

Cookie identifiers Browser cookie values associated with publisher page sessions, used for GCID resolution and bid request enrichment.

Page visitation data URLs and content category data collected through the GrowthCode JavaScript tag on publisher properties. Categorized by Synthesi (LLM sub-processor) for audience segment construction.

Audience segment data Interest and behavioral segments derived from page visitation data and GCID activity. Delivered to publishers and advertisers for advertising activation.

Bid request metadata OpenRTB bid request fields including domain, placement, floor price, and timestamp, used for enrichment and reporting.

What GrowthCode does not process

GrowthCode does not process raw (unhashed) email addresses, names, postal addresses, phone numbers, government IDs, health data, financial account data, biometric data, precise geolocation, immigration status, or data about children under 13. GrowthCode does not process EU personal data except through explicit controller-to-controller agreements that require a valid legal basis in the originating jurisdiction.

4. How We Process Data and Why

4.1 GCID Minting and Resolution

GrowthCode mints its proprietary GCID via its Prebid ID module deployed client-side on publisher pages, or via server-to-server integration. The GCID is stored as a cookie or local storage value and resolved on return visits to identify the user’s record in the Identity Graph. The GCID is GrowthCode’s proprietary asset and is not shared with any counterparty without a separate data licensing agreement.

4.2 Hashed Email Resolution

GrowthCode resolves HEMs through a waterfall methodology using publisher-provided signals, Universal ID partner APIs, and licensed data graph lookups. Resolved HEMs are linked to the GCID in the Identity Graph. HEM resolution is the primary service mechanism for GrowthCode Plus.

4.3 Universal ID Minting and Management

GrowthCode mints and manages third-party Universal IDs on behalf of publisher clients, either as the registered publisher with the applicable ID company or as a technical delivery agent where the publisher holds the direct relationship. GrowthCode manages ID freshness by retrieving IDs from the Identity Graph where valid or minting refreshed IDs as required. The current list of Universal ID partners is maintained in DPA Annex III.

4.4 Bid Request Enrichment

GrowthCode inserts resolved identity signals — GCIDs, Universal IDs, HEMs, MAIDs, and contextual metadata — into OpenRTB bid requests via Prebid. This is the GrowthCode Graph & Enrich service and is the primary revenue mechanism for publisher clients. Enrichment occurs in real time at the bid request stage.

4.5 Identity Graph Construction and Maintenance

GrowthCode builds and maintains a persistent cross-site, cross-domain Identity Graph linking GCIDs to resolved HEMs, Universal IDs, MAIDs, and audience segment data. The Identity Graph is GrowthCode’s core proprietary asset. It is retained for one year and one day from the date of last activity and survives termination of individual publisher agreements. GrowthCode retains all rights to the Identity Graph regardless of what raw inputs a counterparty contributed.

4.6 Audience Segmentation

GrowthCode creates interest and behavioral audience segments derived from page visitation data and GCID activity. Segments are delivered to publishers and advertisers for advertising activation through GrowthCode Insights and Insights+. Segment construction uses Synthesi for URL categorization; Synthesi operates as a sub-processor under GrowthCode’s instructions and GrowthCode’s consent basis covers that activity.

4.7 Data Selling and Licensing

GrowthCode sells and licenses GCIDs, resolved Universal IDs, HEMs, MAIDs, audience segments, and enriched Identity Graph records to third parties for advertising, marketing, and identity resolution purposes. This constitutes a “sale” of personal information under CCPA. GrowthCode discloses this activity in its DPA Section 14 and in this policy. Counterparties receiving data under a licensing agreement are independent controllers of that data and are responsible for their own legal basis.

4.8 Data Matching with Joint Controllers and Data Partners

GrowthCode conducts data matching with joint controller partners (currently InMobi and Acxiom, per DPA Addendum B) and with third-party identity graphs. Matching involves exchanging identity signals to enrich GrowthCode’s graph and enable partner-level activation. Each joint controller arrangement is governed by a separate sub-addendum specifying the allocation of data protection responsibilities.

5. Legal Basis for Processing

5.1 EU and UK Processing

For personal data originating from the EU, UK, or Switzerland, GrowthCode processes only under explicit controller-to-controller agreements that specify a valid legal basis in the originating jurisdiction. GrowthCode does not receive EU personal data except where the transmitting party has confirmed a lawful basis for transmission.

GrowthCode’s processing activities map to the IAB Transparency and Consent Framework (TCF v2.2) as follows:

Processing activity TCF basis and Purpose

GCID minting and resolution Consent — TCF Purposes 1 and 3

HEM resolution and graph linkage. Consent — TCF Purposes 1 and 3

Universal ID minting (GrowthCode’s own) Consent — TCF Purposes 1 and 3

Bid request enrichment (technical delivery) TCF Special Purpose 2 (no consent required for the technical act);underlying identity data under Purposes 1 and 3

Identity Graph construction Consent — TCF Purpose 3

Audience segmentation Consent — TCF Purpose 3

Data selling and licensing Consent — TCF Purpose 3

Platform security and fraud prevention TCF Special Purpose 1 (no consent required)

Product improvement (aggregate only) Legitimate Interest — TCF Purpose 10

GrowthCode’s GVL registration is pending. Until registration is complete, GrowthCode processes EU personal data only where the transmitting publisher or partner holds and passes a valid TCF consent signal and where a signed controller-to-controller DPA is in place. See DPA Annex IV for the full jurisdiction-by-jurisdiction consent standard framework.

5.2 US Processing

For US personal data, GrowthCode processes under the opt-out framework applicable in each state. GrowthCode honors Global Privacy Control (GPC) signals at the publisher level where technically feasible. GrowthCode does not process data where a valid opt-out signal has been received and matched to an active identity record.

GrowthCode’s US processing constitutes a “sale” or “sharing” of personal data under CCPA and applicable state laws. Counterparties are responsible for passing valid consent and opt-out signals to GrowthCode. GrowthCode’s obligations for responding to consumer rights requests are set out in Section 9 of this policy.

6. Identity Graph and GCID Ownership

Proprietary asset statement

The GrowthCode Identity Graph, all GCIDs, derived signals, and graph outputs are proprietary assets of GrowthCode LLC. No counterparty acquires any rights to the Identity Graph, GCIDs, or derived data by virtue of contributing raw inputs, participating in enrichment, or executing a DPA or order form with GrowthCode. Post-termination, GrowthCode retains the Identity Graph and all derived data regardless of the inputs contributed by the counterparty.

No agreement with GrowthCode grants a counterparty the right to use GrowthCode data to build a competing product, enrich the counterparty’s own identity graph, or re-license GrowthCode-derived signals without an explicit data licensing agreement. Any such use requires a separate written agreement and is not implied by the DPA or order form.

7. Consent Signal Handling

7.1 TCF v2.2 Signal Processing

GrowthCode processes TCF v2.2 consent strings transmitted in bid requests. Where a valid TCF consent string is present and GrowthCode’s declared Purposes are consented, GrowthCode processes the associated identity signals. Where consent is absent or withdrawn for GrowthCode’s Purposes, GrowthCode does not mint or transmit GCIDs or enrich the associated bid request for that user on that domain.

Consent operates at the domain level. Withdrawal of consent on one publisher’s domain does not automatically propagate to other publisher domains where independent consent was collected. This is a structural characteristic of the TCF framework. GrowthCode’s Identity Graph retention practices in relation to cross-publisher consent withdrawal are subject to ongoing counsel review. See DPA Section 3.6.

7.2 GPP and US Privacy Signal Processing

GrowthCode processes IAB Global Privacy Platform (GPP) strings and US Privacy strings where present in bid requests. GrowthCode honors opt-out signals transmitted via GPP for applicable US jurisdictions. The full jurisdiction-by-jurisdiction signal processing framework is specified in DPA Annex IV.

7.3 Counterparty Obligations on Consent

Publishers and counterparties transmitting personal data to GrowthCode are responsible for:

Deploying a CMP that collects valid consent or opt-out signals before GrowthCode’s tag or API is called
Passing valid TCF consent strings, GPP strings, or US Privacy strings with each bid request
Not transmitting EU personal data to GrowthCode without a valid legal basis for transmission
Maintaining records of consent for the period required by applicable law
Notifying GrowthCode if a counterparty becomes aware that consent was not validly obtained for data already transmitted

8. How We Share Platform Data

8.1 Publisher Clients

GrowthCode shares resolved identity signals — GCIDs, Universal IDs, HEMs, audience segments — with publisher clients as part of the GrowthCode Graph & Enrich and GrowthCode Plus services. Publishers receive signals for their own domains only. Cross-publisher signal sharing does not occur without a separate data licensing agreement.

8.2 Demand-Side Partners

GrowthCode inserts identity signals into OpenRTB bid requests delivered to SSPs and DSPs as part of the bid enrichment service. Demand-side partners receive enriched bid requests and are independent controllers of the signals they receive. GrowthCode does not control downstream use of signals after delivery to a demand-side partner.

8.3 Universal ID Partners

GrowthCode exchanges identity signals with Universal ID partners (UID2, ID5, LiveRamp, Yahoo, Criteo, Epsilon, Hadron, Panorama) to mint and refresh partner IDs. The current categorization of each partner as sub-processor or independent controller is maintained in DPA Annex III. Where a partner is categorized as an independent controller, that partner’s own privacy policy governs its use of received signals.

8.4 Joint Controllers

GrowthCode shares identity signals with joint controller partners (currently InMobi and Acxiom) under the terms of DPA Addendum B and the applicable sub-addendum. Each joint controller sees only its own sub-addendum. The allocation of data protection responsibilities for each joint controller arrangement is documented in the relevant sub-addendum.

8.5 Data Licensees

GrowthCode sells and licenses Identity Graph data to third parties under separate data licensing agreements. Data licensees are independent controllers of licensed data. GrowthCode’s data licensing activity is disclosed in DPA Section 14. The current list of data licensors is maintained in DPA Annex III.

8.6 Sub-processors

GrowthCode uses sub-processors to provide infrastructure, development tooling, and data processing services. Sub-processors operate under GrowthCode’s instructions and GrowthCode’s legal basis covers their processing. The current sub-processor list is maintained in DPA Annex III. GrowthCode will notify counterparties of material sub-processor changes as specified in the DPA.

8.7 Prohibited Sharing

GrowthCode does not:

Share publisher-identifiable data with a competing publisher without explicit written authorization
Share personal data with government agencies except as required by law, court order, or subpoena
Sell personal data to entities in foreign adversary countries as defined in US law (China, Russia, North Korea, Iran)
Share personal data with law enforcement outside of court orders or subpoenas
Use counterparty data to build a competing product or enrich GrowthCode’s Identity Graph in ways not authorized by the applicable DPA

9. Data Subject Rights and Consumer Requests

9.1 How Counterparties Pass Rights Requests

Publishers and other counterparties that receive consumer rights requests — deletion, access, correction, or opt-out — related to data GrowthCode may hold should forward verified requests to GrowthCode at privacy@growthcode.io. GrowthCode will process verified requests within 45 days.

9.2 Deletion Request Matching Limitation

Important operational limitation

GrowthCode matches deletion requests against hashed email addresses (HEMs) only. GrowthCode cannot match a deletion request submitted with one email address against Identity Graph records associated with a different email address the same consumer may hold. If no HEM match is found, GrowthCode will issue a no-match notice. The consumer’s data is not deleted if identity cannot be confirmed. This limitation is disclosed in the GrowthCode Privacy Notice at growthcode.io/privacy.

9.3 Consumer Rights Portal

Individual consumers may submit deletion and opt-out requests directly to GrowthCode at growthcode.io/privacy or by emailing privacy@growthcode.io. A self-service portal is in development. GrowthCode responds to verified requests within 45 days.

10. Data Retention

Data type

Retention period

Identity Graph records (GCIDs, HEMs, Universal IDs, MAIDs)

One year and one day from date of last activity. Survives termination of individual publisher agreements.

Audience segment data

90 days from last active use, unless a shorter period is specified in the applicable publisher agreement.

Bid request logs

90 days.

Page visitation data (pre-categorization)

30 days. Categorized output retained as part of the audience segment.

Rights request records

5 years (compliance obligation).

Contractual and DPA records

Duration of the agreement plus 7 years.

On termination of a publisher agreement, GrowthCode deletes publisher-specific configuration data and ceases active processing for that publisher’s domains within 30 days. The Identity Graph records built from multi-publisher activity are retained as described above. Counterparties may request accelerated deletion of publisher-specific data by contacting privacy@growthcode.io.

11. Cross-Border Data Transfers

GrowthCode is headquartered in the United States. Its primary infrastructure is hosted in the US East Coast region (DigitalOcean). All platform data is processed in the United States.

For personal data received from the EU, UK, or Switzerland, GrowthCode relies exclusively on Standard Contractual Clauses (Module One, controller-to-controller) as the transfer mechanism. GrowthCode does not rely on the EU-US Data Privacy Framework. The SCCs are incorporated into the GrowthCode DPA.

GrowthCode does not process EU, UK, or Swiss personal data except where a signed controller-to-controller DPA incorporating Module One SCCs is in place with the transmitting party. Counterparties that transmit EU personal data to GrowthCode without a signed DPA are in breach of their own GDPR obligations and GrowthCode’s contractual requirements.

12. Security

GrowthCode’s technical and organizational security measures are described in detail in DPA Annex II and in the GrowthCode Written Information Security Program (WISP). The WISP is available to qualified counterparties under NDA upon request.

Security measures include encryption of data in transit and at rest, role-based access controls, network segmentation, vulnerability management, security monitoring and alerting, incident response procedures, and vendor security assessments. GrowthCode’s infrastructure is hosted on DigitalOcean (US East Coast, primary) and is being expanded to a West Coast region for redundancy.

In the event of a personal data breach, GrowthCode will notify affected counterparties as required by applicable law and as specified in DPA Section 9.

13. Counterparty Obligations

Every counterparty that transmits personal data to GrowthCode represents and warrants that it:

Has a signed DPA with GrowthCode in place before any live data transmission begins
Has a lawful basis for transmitting each category of personal data to GrowthCode
Has deployed a compliant CMP and is passing valid consent or opt-out signals with each bid request
Has disclosed to data subjects that their data may be shared with GrowthCode for identity resolution purposes
Is not transmitting data about children under 13 or other special categories of sensitive data
Will notify GrowthCode promptly if it learns that data transmitted to GrowthCode was not validly collected or consented
Will forward verified consumer rights requests relating to GrowthCode-held data to privacy@growthcode.io

A counterparty that transmits data to GrowthCode without a signed DPA, without a valid consent basis, or in violation of any representation above bears sole responsibility for the resulting regulatory and legal exposure.

14. Prohibited Data Categories

Counterparties must not transmit the following to GrowthCode under any circumstances:

Raw (unhashed) email addresses, names, postal addresses, or phone numbers
Government-issued identification numbers (SSNs, driver’s licenses, passport numbers, tax IDs)
Health, medical, or pharmaceutical data
Financial account numbers or credit data
Biometric data
Precise geolocation data (radius ≤ 1,850 feet)
Data about individuals known or believed to be under 13 years of age
Sexual orientation, gender identity, immigration status, or union membership
Data originating from users in China, Russia, North Korea, or Iran

GrowthCode may immediately suspend data transmission from any counterparty that transmits prohibited data categories and may terminate the applicable DPA and order form on written notice.

15. Updates to This Policy

GrowthCode updates this policy when its data processing practices change or when legal requirements change. The effective date at the top of this document reflects the most recent revision. Version history is maintained at growthcode.io/platform-privacy.

This policy is updated independently of the GrowthCode Privacy Notice. Changes to one document do not automatically update the other. When this policy is updated, GrowthCode will notify counterparties with signed DPAs by email to the contact address specified in the applicable order form. Material changes will be effective 30 days after notification unless a shorter period is required by law.

The current version of this policy is always the version incorporated by reference into the GrowthCode DPA. Counterparties should check growthcode.io/platform-privacy to confirm they are reviewing the current version before relying on any provision.

16. Contact

Privacy Officer: privacy@growthcode.io

Platform Privacy Policy: growthcode.io/platform-privacy

Privacy Notice (individual rights): growthcode.io/privacy

Opt-out: growthcode.io/do-not-sell-or-share-my-personal-information

Mailing address: GrowthCode LLC, 47 East 88th Street, New York, New York 10128

For EU and UK data subjects and counterparties with GDPR-related inquiries, contact privacy@growthcode.io.

GrowthCode LLC | Platform Privacy Policy | Version 1.0 | Effective April 1, 2026