Short version: We collect only what we need to run Growtsy. We never sell your data. You can export or delete everything anytime. Payments are handled by Paddle — we never see your card. Questions: hello@growtsy.com.
Growtsy ("we", "us", "our") operates growtsy.com, an AI-powered optimization tool for Etsy sellers. This Privacy Policy explains how we collect, use, store, and protect personal data when you use our service.
Growtsy is operated by an independent developer based in Istanbul, Türkiye. All payments are processed by Paddle, Inc. (our Merchant of Record), headquartered in the United States.
For privacy inquiries, contact: hello@growtsy.com.
We use personal data to:
We do not sell your personal data. We do not use your content to train AI models without your explicit consent.
If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases under Article 6 of the GDPR:
| Purpose | Legal basis |
|---|---|
| Delivering the service you requested (account, analyses, payments) | Performance of a contract — Art. 6(1)(b) |
| Product improvement, fraud prevention, service security | Legitimate interest — Art. 6(1)(f) |
| Marketing communications (if you opt in) | Consent — Art. 6(1)(a) |
| Tax, accounting, legal recordkeeping | Legal obligation — Art. 6(1)(c) |
You may withdraw consent at any time by emailing hello@growtsy.com, without affecting the lawfulness of processing before withdrawal.
We retain personal data only as long as necessary for the purposes described above, as follows:
| Data category | Retention period |
|---|---|
| Account and profile data | Until you delete your account, then removed within 30 days |
| Uploaded product images (Photo Studio, Listing, VisualKit) | Stored in Supabase Storage for up to 90 days to enable Library access, then automatically deleted. Deleted immediately if you remove the item. |
| Generated outputs (titles, tags, descriptions, generated images) | Stored as long as the parent Library item exists; deleted with the item |
| Usage logs and analytics | 12 months, then aggregated and de-identified |
| Billing and payment records | Retained by Paddle per their policy and applicable tax law (typically 7–10 years) |
| Support correspondence | 24 months after the last interaction |
When you delete your account, we irreversibly delete or anonymize your personal data within 30 days, except where retention is required by law (e.g., tax records) or to resolve disputes.
We share personal data only with the following sub-processors, each bound by contractual confidentiality and data protection obligations:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, image storage | EU (Frankfurt) |
| Vercel | Web hosting and serverless functions | Global (primary: US) |
| Anthropic (Claude API) | Text analysis and generation | United States |
| fal.ai (FLUX Kontext Pro) | AI image generation | United States |
| Paddle | Payments, subscriptions, invoicing (Merchant of Record) | United States |
| Google Workspace | Support email infrastructure | Global |
Each sub-processor has its own privacy policy. We review them periodically. We do not sell your personal data to any party.
Some of our sub-processors are located outside the EEA, the UK, and Türkiye (primarily the United States). When we transfer your personal data outside these jurisdictions, we rely on appropriate safeguards.
For transfers from the EEA or UK, we rely on:
For users in Türkiye, your personal data may be transferred to sub-processors located outside Türkiye (primarily in the United States and the European Economic Area). Under Article 9 of the Turkish Personal Data Protection Law No. 6698 (KVKK), as amended by Law No. 7499 (March 2024), we rely on the following grounds for international transfers in the absence of a Personal Data Protection Board ("Kurul") adequacy decision for the destination country:
The countries where your data may be processed include the United States (Anthropic, fal.ai, Vercel, Paddle), Germany / EEA (Supabase Frankfurt region), and globally (Google Workspace for support email). You can request a copy of the Standard Contracts in place by emailing hello@growtsy.com.
You may exercise your rights under KVKK Article 11 (information, access, correction, deletion, etc.) by emailing the same address. We will respond within 30 days.
Where local data protection law requires specific safeguards, we apply equivalent protections to those described above.
We apply industry-standard technical and organizational measures to protect personal data, including:
No method of transmission or storage is 100% secure. If we become aware of a personal data breach affecting your data, we will notify the relevant supervisory authority within 72 hours (per GDPR Article 33) and notify you without undue delay where required by GDPR Article 34.
You have the following rights regarding your personal data:
If you are a California resident, you have the right to:
If you are located in Türkiye, you have the following rights under Article 11 of the Personal Data Protection Law (KVKK):
Most actions can be performed directly in the app: Settings → Account to export or delete your data. For any other request, email hello@growtsy.com with the subject "Privacy Request". We will respond within 30 days (GDPR / KVKK) or 45 days (CCPA) of verified receipt.
We use only strictly necessary cookies required for authentication and to maintain your session. We do not use advertising cookies, cross-site tracking, or third-party analytics that profile individual users. Because we use only essential cookies, no consent banner is required under the ePrivacy Directive for our first-party use.
Third-party services we embed (e.g., Paddle checkout) may set their own cookies when you interact with them. Please refer to their privacy policies.
Content you submit (listing URLs, product images, descriptions, keywords) is transmitted to our AI sub-processors (Anthropic and fal.ai) to generate the requested output. Our contractual arrangements with these providers prohibit the use of your content for their model training, and input/output data is not retained by them for longer than is necessary to provide the service (typically under 30 days).
AI outputs are provided as recommendations. You are responsible for reviewing AI-generated content before publishing to Etsy or using commercially.
If you upload a photo that contains an identifiable person's face, our system performs binary face detection only — it identifies whether a face is present in the image (so the area can be cropped or framed appropriately during generation), but it does not extract, store, transmit, or generate any of the following:
The face-detection signal is a single boolean value passed to the prompt-construction logic. The original photograph is processed solely to deliver the photo-generation feature you requested. We do not use facial information to identify you or any other person, and we do not share it with third parties beyond the AI sub-processors necessary to deliver the requested output.
If you do not wish to upload photos containing identifiable persons, you can simply use product-only photographs. If a photo containing a person's face is uploaded, you confirm under Section 8.4 of our Terms of Service that you have any necessary permissions from the depicted person.
For users located in the European Union, we provide the following transparency disclosure under Article 50 of Regulation (EU) 2024/1689 (AI Act), as it begins to apply on 2 August 2026:
For full details, see Section 8.6 of our Terms of Service.
Growtsy is not intended for children. We do not knowingly collect personal data from users under 13 (United States) or under 16 (European Economic Area and United Kingdom). If we learn that we have collected personal data from a child without verified parental consent, we will delete it promptly. If you believe a child has provided us with personal data, email hello@growtsy.com.
We may update this Privacy Policy to reflect changes in our practices or legal requirements. If changes are material, we will notify you by email or via an in-app notification at least 30 days before they take effect. The "Last updated" date at the top of this page always reflects the current version.
Growtsy is operated by an independent developer based in Istanbul, Türkiye.
Privacy questions, requests, or complaints: hello@growtsy.com. We aim to respond within 72 hours.
EEA / UK residents may also lodge a complaint with their national data protection authority. A list of EU authorities is available at edpb.europa.eu.
Türkiye residents may lodge a complaint with the Personal Data Protection Authority (Kişisel Verileri Koruma Kurumu) at kvkk.gov.tr, after first applying to us under KVKK Article 13.