Privacy Policy

GROWTHCODE LLC

Privacy Notice

Effective Date: April 1, 2026

Version 2.3


Who this notice is for

This Privacy Notice applies to individuals: website visitors, business contacts, job applicants, and consumers seeking to exercise data rights. If you are a publisher, SSP, DSP, identity partner, or other business counterparty, see the GrowthCode Platform Privacy Policy at growthcode.io/legal/platform-privacy-policy.


1. Who We Are

GrowthCode LLC is a New York-incorporated data infrastructure company. We help publishers create, manage, and optimize first-party data signals, and we help buyers build and maintain their own identity solutions. We operate as an independent data controller. We are not a processor or service provider for the personal data described in this notice.

GrowthCode meets the definition of a “data broker” under California Civil Code § 1798.99.80 (the California Delete Act) and the California Consumer Privacy Act (CCPA) as amended by CPRA. GrowthCode is in the process of completing registration with the California Privacy Protection Agency (CPPA). Until registration is complete, consumers may submit deletion and opt-out requests directly to GrowthCode using the process in Section 7.

For questions about this notice, contact us at:


GrowthCode LLC

Attn: Privacy Officer

privacy@growthcode.io

www.growthcode.io/privacy


2. Scope of This Notice

This notice applies to individuals worldwide. The rights available to you depend on your location. EU and UK residents have rights under GDPR. US residents have rights under CCPA, state privacy laws, and the California Delete Act as applicable. This notice covers three categories of individuals and their data:


Who you are                                            What this notice covers

Website visitor                     Data collected when you visit growthcode.io


Business contact                     Professional contact data collected through sales, marketing, and events


Consumer (data subject)     Personal data processed through GrowthCode’s identity infrastructure, including your rights as a data subject and

                                                    data broker opt-out rights


Job applicant                     Application data collected through our careers process


3. Data We Collect and Why

3.1 Website Data

When you visit growthcode.io, we collect:

  • IP address, browser type, operating system, referring URL, and pages viewed
  • Cookie identifiers and session data
  • Form submissions, including demo requests and newsletter sign-ups


We use this data to operate and improve the website, respond to inquiries, and measure traffic. We do not use website analytics data to build advertising profiles or to enrich our identity graph.


Analytics and tracking on growthcode.io:

  • Google Analytics: traffic measurement and site performance. Data is processed under Google’s terms. You can opt out at tools.google.com/dlpage/gaoptout.
  • HubSpot: CRM and marketing automation. Data collected through forms is stored in HubSpot and used for sales follow-up and marketing communications.


3.2 Business Contact Data

When you interact with GrowthCode as a business contact — by filling out a contact form, downloading a resource, attending an event, or speaking with our sales team — we collect your name, employer, job title, email address, and phone number. We use this data to respond to your inquiry, conduct sales outreach, and send marketing communications you can opt out of at any time.

We do not sell business contact data. We share it with HubSpot (our CRM provider) and with other vendors listed in Section 6. We retain business contact data for three years from the date of last interaction, unless you request deletion earlier.


3.3 Consumer Identity Data (Data Broker Processing)

GrowthCode operates as an independent data controller of pseudonymous identity data. This includes:

  • GrowthCode Identity IDs (GCIDs) — pseudonymous identifiers generated from hashed email addresses and device signals
  • Universal ID partner signals received from publishers and ID partners (including UID2, RampID, Yahoo ConnectID, and others listed in the GrowthCode Platform Privacy Policy)
  • Hashed email addresses (HEMs) received from publishers or derived from publisher first-party data
  • Behavioral and contextual signals associated with pseudonymous identifiers


We use this data to provide identity resolution and signal enrichment services to our publisher and demand-side clients. We do not use this data to build consumer credit files, insurance profiles, or employment screening reports. We do not process health data, government identification numbers, or financial account numbers.


Our sources for consumer identity data include publisher clients who have integrated the GrowthCode tag or API, ID partner networks, and data licensors listed in our DPA Annex III. All sources are required by contract to have a lawful basis for sharing data with GrowthCode.


3.4 Job Applicant Data

If you apply for a position at GrowthCode, we collect the information you provide in your application, including your resume, contact information, and employment history. We use this data only to evaluate your application and to communicate with you about the hiring process. We do not share applicant data with third parties other than our applicant tracking system provider. We retain applicant data for two years from the date of application.


4. Legal Basis for Processing

For US residents, we process personal data as described in this notice, with rights as specified in Section 7. For individuals in the EU, UK, or other jurisdictions with formal legal basis requirements, our basis for each processing activity is:


Processing activity Legal basis

Website analytics                                                    Legitimate interests (site operation and improvement); consent for non-essential cookies


Business contact data                                            Legitimate interests (sales and marketing); contract performance for existing clients

Consumer identity data (pseudonymous)            Consent under TCF v2.2 where required; legitimate interests for frequency capping and fraud

                                                                                   prevention where permitted


Job applicant data                                           Pre-contractual steps at your request


5. Cookies and Tracking on growthcode.io

We use the following categories of cookies on growthcode.io:


Category                                     Purpose                                           Examples

Essential                                      Required for the site to function. Cannot be disabled.               Session management, security tokens


Analytics                              Count visits and measure site performance.                        Google Analytics


Functional / CRM                      Enable CRM integration and personalized follow-up.                 HubSpot


You can manage cookie preferences using our consent tool (link in the site footer). You can also opt out of Google Analytics at tools.google.com/dlpage/gaoptout. We honor the Global Privacy Control (GPC) signal. When we detect a GPC signal from your browser, we treat it as an opt-out of analytics and functional cookies on growthcode.io.


We do not use advertising or retargeting cookies on growthcode.io.


6. How We Share Data

6.1 Service Providers

We share personal data with service providers who process it on our behalf under contractual restrictions. Current providers include:

  • Google LLC — analytics (Google Analytics)
  • HubSpot, Inc. — CRM and marketing automation
  • DigitalOcean, LLC — cloud infrastructure (US East Coast, primary)
  • Atlassian Pty. Ltd. — project management and collaboration tools
  • Google LLC — productivity suite (Google Workspace)


6.2 Consumer Identity Data Sharing

GrowthCode shares pseudonymous consumer identity data (GCIDs and associated signals) with publisher clients, demand-side partners, and Universal ID partner networks as part of our identity resolution services. This sharing constitutes a “sale” or “sharing” of personal data under CCPA and similar state laws. You have the right to opt out. See Section 7 for how to exercise that right.


We do not share consumer identity data with data brokers for purposes unrelated to advertising and identity resolution. We do not share consumer identity data with government agencies except as required by law.


6.3 Business Transfers

If GrowthCode is involved in a merger, acquisition, or asset sale, personal data may be transferred as part of that transaction. We will notify affected individuals as required by applicable law.


6.4 Legal Compliance

We may disclose personal data when required by law, court order, or regulatory demand, or when we believe disclosure is necessary to protect the rights, property, or safety of GrowthCode or others.


7. Your Rights

7.1 Rights Available to All US Residents

Regardless of your state of residence, you may:

  • Opt out of the sale or sharing of your personal data
  • Use the Global Privacy Control signal to exercise your opt-out automatically

To opt out of the sale or sharing of your personal data, visit growthcode.io/do-not-sell-or-share-my-personal-information or email privacy@growthcode.io with the subject line “Do Not Sell or Share My Personal Information.” These rights apply to all US residents, regardless of state.


7.2 Rights Available to Residents of States with Comprehensive Privacy Laws

Residents of California, Colorado, Connecticut, Virginia, Texas, Oregon, Montana, and other states with comprehensive privacy laws have additional rights, which may include:

  • Right to know what personal data we hold about you
  • Right to access a copy of your personal data
  • Right to correct inaccurate personal data
  • Right to delete your personal data
  • Right to data portability
  • Right to appeal our decision on a rights request


The specific rights available to you depend on your state of residence and on what data GrowthCode processes about you.


7.3 California-Specific Rights

California residents have rights under CCPA as amended by CPRA, including the right to opt out of the sale or sharing of personal data, the right to limit use of sensitive personal information, and the right to non-discrimination for exercising your rights.

GrowthCode meets the California data broker definition under Civil Code § 1798.99.80 and is completing registration with the CPPA. During the registration period, you may submit deletion and opt-out requests directly to GrowthCode using the process in Section 7.5. Once GrowthCode is registered, deletion requests may also be submitted through the CPPA’s centralized deletion mechanism.


California Delete Act — Important limitation

GrowthCode matches deletion requests against hashed email addresses only. We cannot match a request submitted with one email address against data associated with a different email address you may hold. If we cannot verify a match, we will send you a no-match notice within 45 days. Your data is not deleted if identity cannot be confirmed. If you believe GrowthCode holds data about you under a different identifier, contact the publisher whose site you used to provide your data, and ask them to submit a publisher-level deletion request to GrowthCode.


7.4 How to Submit a Rights Request

To exercise any right described in this section:


Channel Details

            Email                                   privacy@growthcode.io


           Web portal                           growthcode.io/privacy — portal coming soon; email requests accepted in the interim

Authorized agent Requests submitted by an authorized agent must include written authorization signed by you. Email the signed authorization with the request.


We respond to verified requests within 45 days. If we need more time (up to 90 days total), we will notify you within the initial 45-day window. We will not discriminate against you for exercising any right under this notice.

If we deny your request, we will tell you the reason. Some state laws give you the right to appeal. To appeal, email privacy@growthcode.io with the subject line “Privacy Request Appeal” and include your original request reference number.


7.5 Global Privacy Control (GPC)

GrowthCode honors the Global Privacy Control signal. When we detect a GPC signal from your browser on growthcode.io, we treat it as a valid opt-out of the sale or sharing of your personal data and disable non-essential analytics and functional cookies for that session. GPC opt-outs apply to website data only. For opt-out rights related to consumer identity data processed through our identity infrastructure, submit a request using the process in Section 7.4.


8. Sensitive Data

GrowthCode does not intentionally process the following categories of sensitive personal data:

  • Health or medical data
  • Financial account numbers or credit data
  • Government-issued identification numbers (SSN, driver’s license, passport)
  • Precise geolocation data
  • Biometric data
  • Immigration status
  • Data about children under 13


If you believe GrowthCode has received sensitive data about you in error, contact privacy@growthcode.io and we will investigate and remediate.


9. Data Retention


Data type Retention period

Website analytics (Google Analytics)                                      Up to 26 months (per Google Analytics default retention)


Business contact data (HubSpot)                                      3 years from last interaction, or until deletion request


Consumer identity data (GCIDs, HEMs, signals)              90 days from last active use, unless a shorter period is specified in the

                                                                                                     applicable publisher agreement


Job applicant data                                                             2 years from application date


Rights request records                                                             5 years (compliance obligation)



10. Cross-Border Data Transfers

GrowthCode is headquartered in the United States. Our primary infrastructure is hosted in the US East Coast region (DigitalOcean). If you are located outside the United States, your personal data may be transferred to and processed in the United States.

For personal data received from the EU, UK, or other opt-in jurisdictions, GrowthCode relies on Standard Contractual Clauses (Module One, controller-to-controller) as the transfer mechanism. We do not rely on the EU-US Data Privacy Framework. We do not process EU personal data except through explicit controller-to-controller agreements that require a valid legal basis in the originating jurisdiction.


11. Security

GrowthCode maintains technical and organizational measures designed to protect personal data against unauthorized access, loss, or disclosure. These measures include encryption in transit and at rest, role-based access controls, security monitoring, and incident response procedures. Security documentation is available under NDA upon request for qualified counterparties.


In the event of a data breach affecting your personal data, we will notify you as required by applicable law.


12. Children

GrowthCode’s services are not directed at children under 13. We do not knowingly collect personal data from children under 13. If we learn that we have received personal data from a child under 13, we will delete it promptly. Contact privacy@growthcode.io if you believe we have received a child’s data.


13. Updates to This Notice

We update this notice when our data practices change or when legal requirements change. The effective date at the top of this document reflects the most recent revision. We maintain version history at growthcode.io/privacy. Material changes will be communicated by posting an updated notice and, where required, by direct notification.


This notice is updated independently of the GrowthCode Platform Privacy Policy. Changes to one document do not automatically change the other. Check the effective date on each document to confirm you are reviewing the current version.


14. Contact

Privacy Officer: privacy@growthcode.io

Website: growthcode.io/privacy

Phone: (646) 926-2150

Mailing address: GrowthCode LLC, 47 East 88th Street, New York, New York 10128


For EU and UK data subjects, our designated contact for data protection inquiries is privacy@growthcode.io.



GrowthCode LLC | Privacy Notice | Version 2.3 | Effective April 1, 2026