Data Processing Agreement (DPA)

Last updated October 6, 2025

This Data Processing Agreement ("DPA") forms part of the GrowPanel Terms of Service or Subscription Agreement ("Agreement") entered into between the customer ("Customer", "you", "your") and GrowPanel ApS, a Danish company with CVR 39137259 and registered office at Sortedam Dossering 55, Copenhagen Ø, Denmark ("GrowPanel", "we", "us", "our").

This DPA sets out the terms and conditions under which GrowPanel will process Personal Data on behalf of the Customer. Both parties may be referred to collectively as the "Parties" and individually as a "Party".

Unless explicitly stated otherwise, terms in the Agreement are incorporated into this DPA. In case of conflict between this DPA and the Agreement, this DPA prevails solely regarding the Processing of Personal Data.

1. Definitions

1.1 Terms used herein have the following meanings:

  • "Personal Data": Any information relating to an identified or identifiable natural person, including:

    • Account users: names, email addresses
    • End customers: names, emails, MRR movements, subscription details, and other optional metadata imported via billing sources or integrations

  • "Processing": Any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.

  • "Controller": Customer, determining purposes and means of Processing Personal Data.

  • "Processor": GrowPanel, processing Personal Data on Customer's behalf.

  • "Subprocessor": Third-party engaged by GrowPanel to process Personal Data.

  • "Data Subject": Individual whose Personal Data is processed.

  • "Data Protection Laws": Applicable privacy and data protection laws including GDPR, Danish Data Protection Act, CCPA, and other relevant legislation.

2. Roles and Responsibilities

2.1 Controller and Processor Roles

  • Customer is the Controller of Personal Data submitted to GrowPanel.
  • GrowPanel is the Processor, processing Personal Data solely on Customer's documented instructions.

2.2 Customer Responsibilities

  • Obtain and maintain lawful basis for collecting and sharing Personal Data.
  • Ensure accuracy and completeness of Personal Data.
  • Provide all necessary instructions to GrowPanel for Processing.
  • Publish privacy notices reflecting Processing performed by GrowPanel.
  • Maintain records of consents obtained from Data Subjects where required by law.

2.3 GrowPanel Responsibilities

  • Process Personal Data only as instructed by Customer and as required to provide the Services.
  • Maintain technical and organizational measures to ensure data security.
  • Assist Customer in complying with Data Subject rights under applicable Data Protection Laws.
  • Notify Customer of any data incidents, security breaches, or legal requests affecting Personal Data.

3. Purpose and Nature of Processing

GrowPanel processes Personal Data for the following purposes:

  1. Data Aggregation and Reporting: Collect, organize, and aggregate billing data from sources such as Stripe, spreadsheets, or other connected platforms.
  2. Analytics and Metrics: Provide charts, dashboards, and reports, including MRR, ARR, ARPA, churn, LTV, cashflow, cohort analysis, and other metrics.
  3. Scheduled Notifications and Reports: Deliver emails and notifications, including AI-generated summaries.
  4. AI-based Chat and Forecasting: Allow Customer to interact with their data via AI chat, provide AI-powered summaries, and make predictive forecasts.
  5. Integrations: Provide connections to third-party platforms (e.g., Google Sheets, Zapier, Make, n8n) per Customer instructions.
  6. Support and Maintenance: Enable support services, helpdesk interactions, and troubleshooting.
  7. Legal and Regulatory Compliance: Comply with applicable laws and regulations regarding Personal Data.

4. Categories of Personal Data

  • Account Users: name, email.
  • End Customers: name, email, MRR movements, subscription details.
  • Optional Metadata: custom fields, tags, or metadata imported via Stripe, Google Sheets, or other integrations.

5. Categories of Data Subjects

  • Customer account users and administrators.
  • End customers from billing sources whose data is imported into GrowPanel.

6. Subprocessors

6.1 GrowPanel may engage subprocessors to assist in providing the Service. A current list of subprocessors is maintained at growpanel.io/subprocessors.

6.2 GrowPanel ensures Subprocessors comply with data protection obligations. 6.3 Customer may object to a new Subprocessor within 30 days. GrowPanel will attempt to remediate objections or, if not possible, Customer may terminate affected services.

7. Security Measures

GrowPanel maintains appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption of data in transit and at rest.
  • Access control and authentication mechanisms for internal staff.
  • Audit logging and monitoring of system access and data processing.
  • Regular internal security assessments, vulnerability scans, and penetration testing where feasible.
  • Policies and training for personnel handling Personal Data to maintain confidentiality.
  • Procedures to ensure ongoing integrity, availability, and confidentiality of Personal Data.

8. Data Subject Rights

GrowPanel will assist Customer in fulfilling Data Subject requests, including:

  • Access, rectification, erasure, restriction of Processing, objection, and portability.
  • Requests may be forwarded to Customer if legally required.
  • Assistance includes technical measures to retrieve, export, or delete data as requested.

9. Personal Data Incidents

  • GrowPanel will notify Customer without undue delay of any accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Personal Data.

  • Notification will include:

    • Description of the incident.
    • Categories and approximate number of Data Subjects affected.
    • Measures taken or planned to address the incident.

  • GrowPanel will assist Customer in mitigating any adverse effects.

10. Data Retention, Return, and Deletion

  • Personal Data will be retained only as long as necessary for service provision.
  • Upon termination or expiration, GrowPanel will delete or return all Personal Data, unless retention is legally required.
  • Temporary backups or copies will also be deleted unless legally mandated.

11. Cross-Border Transfers

  • Personal Data may be transferred outside the EEA only to subprocessors providing adequate safeguards (e.g., Standard Contractual Clauses).
  • Transfers will comply with applicable Data Protection Laws.

12. Audits and Inspections (revised)

  • Customer may request documentation of GrowPanel's technical and organizational security measures with reasonable notice.
  • GrowPanel will cooperate in providing evidence of compliance with this DPA and applicable Data Protection Laws.
  • GrowPanel may allow technical security assessments or penetration tests, under confidentiality obligations, with limitations to protect operational security.
  • Findings from such assessments will be addressed promptly and in good faith.

13. Liability

  • GrowPanel is liable only for damages caused by non-compliance with this DPA or Customer instructions.
  • Customer indemnifies GrowPanel for obligations related to lawful basis, accuracy, and consent for data processing.

14. Term and Termination

  • This DPA is effective throughout the term of the Agreement.
  • Obligations regarding confidentiality, security, and data subject rights survive termination.

15. Governing Law and Jurisdiction

  • This DPA is governed by Danish law.
  • Disputes are subject to the jurisdiction of the courts in Copenhagen, Denmark.

Annex 1 – Details of Processing

Nature and Purpose

  • Import and organize billing data, produce dashboards, analytics, reports, AI summaries, chat, and forecasts.
  • Support Customer instructions and integrations.

Duration

  • Throughout the Agreement or until deletion is requested.

Types of Data

  • Account user names and emails.
  • End customer names, emails, MRR movements, and optional metadata.

Categories of Data Subjects

  • Customer account users.
  • End customers tracked in billing sources or integrations.
Gallery image
We'd love to know how you use our site and where you came from, to keep service high and prices low. Read our cookie policy.