Your data, handled with care
We keep this simple and transparent: secure infrastructure, payments handled by Stripe, and full control over your data — including export and deletion.
Encryption in transit & at rest
All traffic to and from the platform is served over HTTPS/TLS (the same padlock security your bank uses). Your data is encrypted as it travels between your browser and our infrastructure, and our managed Postgres database (Supabase) encrypts stored data at rest by default.
Trusted infrastructure
Your account and project data live in a secure managed database, walled off so each account sees only its own data.
Secure authentication
Sign-in, sessions, and password resets are handled by Supabase Auth. We never store your password — it's hashed and managed by the auth provider.
PCI-compliant payments
Card payments are processed by Stripe, which meets the highest bank-card security standard (PCI-DSS Level 1). Your card details go directly to Stripe and never touch our servers.
Least-privilege access
Sensitive operations run server-side with scoped service credentials. Internal admin areas are gated and not accessible to regular accounts.
Built for global compliance
We support data subject rights worldwide and design the product around data minimization — we only collect what we need to run the service.
For everyday users
The short version, in plain words — no jargon needed:
- Your data is encrypted — scrambled so no one else can read it.
- You can export all your data and permanently delete your account anytime from your dashboard.
- Card payments are handled by Stripe, so we never see or store your card number.
Built to pass your vendor review
Governments, school districts, universities, and nonprofits vet vendors carefully. Here's our compliance posture — and the documents your procurement team can request.
Accessibility (WCAG 2.1 AA / ADA / 508)
The platform is built toward WCAG 2.1 AA (the accessibility laws US governments & schools must follow) — we design and test against these standards and can provide a VPAT (an accessibility report) / Accessibility Conformance Report on request. Generate your own with our free Accessibility Statement & VPAT tool.
GDPR, CCPA/CPRA & global privacy
We honor data-subject rights worldwide — access, export, correction, and deletion — and sign a Data Processing Agreement (DPA, a data-protection contract) on request for organizations that need one.
Data residency & retention
Application and database infrastructure is hosted in the United States. We practice data minimization, and your data is removed immediately when you delete your account from your dashboard (or on request).
Payments & PCI
All card payments are processed by Stripe (PCI-DSS Level 1); optional cryptocurrency payments are processed by NOWPayments. We never see or store full card numbers.
Documents available on request
Email hello@growmywebsite.com and we'll turn these around quickly so you can complete your purchase.
- Data Processing Agreement (DPA)
- VPAT / Accessibility Conformance Report (ACR)
- Subprocessor list & security overview (this page)
- W-9 and vendor onboarding forms
- Invoicing by PO / ACH for annual plans
- Security & privacy questionnaire responses
Where we stand — stated honestly
Government procurement runs on trust. So we draw a hard line: here's what's genuinely in place today, and what we're still working toward. We will never claim a certification we haven't earned.
In place today
- Encryption in transit (HTTPS/TLS) and at rest
- US-based application & database hosting
- SAML 2.0 SSO (Enterprise; self-serve where your identity provider is supported, assisted setup otherwise)
- Two-factor authentication (TOTP) you can turn on for your account
- Role-based access with team roles & approval steps before publish
- Append-only, tamper-evident audit log — cryptographically chained, verifiable, and exportable
- Built toward WCAG 2.1 AA — VPAT available on request
- Self-serve full data export & account deletion from your dashboard (GDPR/CCPA rights)
- DPA signed on request
On our roadmap — not yet in place
- SOC 2 Type II — targeted; not yet audited
- ISO 27001 — targeted; not yet certified
- FedRAMP authorization — long-term; not yet in process
- Organization-wide enforced MFA (admin-mandated) — self-serve MFA is live today
- SCIM auto-provisioning & Microsoft Entra / Okta directory sync
- US-only region locking & per-agency isolated tenancy
- SAM.gov vendor registration & versioned LTS release track
If your agency requires any of these before purchase, email us — we'll tell you honestly where each item stands and whether we can meet your timeline.
You're in control of your data
Wherever you are in the world, you can access, export, correct, or delete your data.
Access & export your data
Download a full export of your account data — projects, audits, content, leads, backlinks, competitors, prompts, reviews, contacts, activity log and more — as a single JSON file, any time from your dashboard.
Delete your account
Delete your account yourself, any time, from your security settings — no email required. We cancel any active billing, remove the data you own, and delete your login immediately.
Correct & control
Update your account details directly, and contact us to correct or restrict processing of any personal information we hold.
To make any data request, email hello@growmywebsite.com or see our Privacy Policy.
Our subprocessors
The trusted providers we rely on to deliver the service. We choose vendors with strong security and compliance track records.
| Provider | Purpose |
|---|---|
| Vercel | Application hosting & global CDN |
| Supabase | Database & authentication |
| Stripe | Card payment processing |
| NOWPayments | Cryptocurrency payment processing (optional) |
| Anthropic | AI processing (audits & content) |
| Resend | Transactional email delivery |
| PostHog | Privacy-respecting product analytics |
This page is a plain-language summary of our security and data practices and is not legal advice. We update it as the platform evolves.
Grow with a platform you can trust
Create your free site in minutes — no credit card, and you own and export everything you build.