Growthdesk

Privacy Policy

Last updated: 6 May 2026

Growthdesk B.V. (hereinafter "Growthdesk", "we", "us") values your privacy and handles your personal data with care. This privacy policy explains which personal data we process when you log in to a Growthdesk application via Single Sign-On (SSO), for what purposes we do so, on what legal basis, how long we retain that data and what rights you have.

1. Data controller

Growthdesk B.V.
Hofplein 20, 3032 AC Rotterdam, the Netherlands
Email: hello@growthdesk.nl
Phone: +31 6 8739 6305

2. When this policy applies

This policy applies to the processing of personal data that takes place when you log in to a Growthdesk application via our identity and access solution. You can log in directly with your email address and password, or via an external identity provider as described below.

3. What data we process

The data we receive depends on the OpenID Connect scopes (consent scopes) you grant during sign-in. The following categories may be involved:

  • Identifier (required) — a unique user id for your account, so the application can recognise your session.
  • Profile data — first name, last name, display name, username, profile picture, gender, date of birth, locale, timezone and the timestamp of your most recent profile update.
  • Email address — your email address and whether it has been verified.
  • Phone number — your phone number and whether it has been verified.
  • Postal address — the postal address you have configured.
  • Session renewal (refresh token) — if you consent, the application receives a token that lets it renew your session without you having to log in again.
  • Roles and authorisations — the roles assigned to you within the project (and, where relevant, other projects) of the application you log in to.
  • Organisation data — the organisation you belong to, including id, name and primary domain.
  • Organisation metadata — additional fields configured by your organisation that are attached to your user account (e.g. cost centre, department, employee number).
  • Access restrictions — restrictions that ensure only users from a specific organisation domain or specific organisation can sign in.

In addition to the data shared via the scopes above, we record:

  • IP address, browser and device characteristics (user-agent) and timestamps of sign-in attempts, for security and fraud detection;
  • successful and failed authentications, session ids and (hashed) tokens;
  • second-factor methods you have configured (e.g. TOTP, WebAuthn, email or SMS OTP).

4. Logging in via an external identity provider

You can also log in via an external identity provider. We currently support, in principle:

  • Google
  • Microsoft / Azure AD
  • Apple
  • GitHub and GitHub Enterprise
  • GitLab and self-managed GitLab
  • LinkedIn
  • generic OpenID Connect providers
  • generic JWT providers
  • LDAP / Active Directory
  • SAML 2.0 providers

When you use an external identity provider, that provider shares a limited set of data with us — typically your user id, name, email address and, where applicable, a profile picture. That exchange is also subject to the privacy terms of the external provider.

5. Purpose and legal basis

  • Authentication and authorisation — to grant you access to the Growthdesk application you log in to and to assign the appropriate rights and roles. Legal basis: performance of the contract (Art. 6(1)(b) GDPR).
  • Security — to detect and prevent abuse, unauthorised access and fraud. Legal basis: our legitimate interest in providing a secure service (Art. 6(1)(f) GDPR).
  • Legal obligations — e.g. to respond to lawful requests from competent authorities. Legal basis: legal obligation (Art. 6(1)(c) GDPR).

6. Retention periods

  • Account and profile data: for as long as your account is active. After your account is deleted, this data is removed within 30 days, except where we are legally required to retain it for longer.
  • Sign-in logs (IP, user-agent, timestamp, outcome): 90 days.
  • Session and refresh tokens: until the session expires, you log out, or the tokens are revoked.

7. Sub-processors

For identity and access management we use Zitadel (Zitadel Inc.). The instance used for your account is hosted in a data centre within the European Economic Area. A data-processing agreement compliant with Art. 28 GDPR is in place with Zitadel.

8. Transfers outside the EEA

Our primary processing takes place within the EEA. When you log in via an external identity provider that also operates outside the EEA (for instance Google, Microsoft, Apple or GitHub), a transfer outside the EEA may occur. Any such transfer takes place exclusively on the basis of the standard contractual clauses approved by the European Commission or a comparable appropriate safeguard.

9. Security

We implement appropriate technical and organisational measures to protect your personal data against loss or unlawful processing, including TLS encryption for all traffic, industry-standard password hashing, regular updates and audits, limited and logged access for our team, and separated production and development environments.

10. Cookies during sign-in

During sign-in we place strictly necessary functional session cookies that are required for the sign-in flow to work (for example to manage your session and CSRF protection). Strictly necessary cookies do not require consent under Article 5(3) of the ePrivacy Directive (and the corresponding national implementations).

11. Your rights

Under the GDPR you have the right to:

  • access your personal data;
  • rectify data that is inaccurate;
  • erase your data ("right to be forgotten");
  • restrict processing;
  • object to processing;
  • receive your data in a commonly used format ("data portability");
  • withdraw consent that you have previously given.

Send your request to hello@growthdesk.nl. We respond within four weeks of receipt.

12. Complaints

If you have a complaint about how we handle your data, we would like to hear about it so we can resolve it as quickly as possible. You also have the right to lodge a complaint with your national data protection authority. In the Netherlands this is the Autoriteit Persoonsgegevens, available at autoriteitpersoonsgegevens.nl.

13. Changes

We may amend this privacy policy from time to time, for example when our services or the applicable laws and regulations change. The most recent version is always published on this page; the top of the page indicates when the policy was last updated.

14. Contact

Questions about this privacy policy or the processing of your personal data?
Email: hello@growthdesk.nl
Phone: +31 6 8739 6305