Security and compliance


Last updated January 13, 2026

GrowPanel is designed to securely handle your subscription and billing data. This page explains our security practices, data handling policies, and compliance information.


Data access and permissions

What data GrowPanel accesses

GrowPanel connects to your billing platforms with read-only access. We import:

  • Customer information (name, email, country, metadata)
  • Subscription data (plans, status, dates)
  • Invoice and payment history
  • Plan and pricing information

What we don't access

GrowPanel does not have access to:

  • Full payment card numbers (only last 4 digits)
  • Bank account details
  • Raw payment credentials
  • Write access to create or modify subscriptions
  • Ability to charge customers

Permission details by platform

Platform      | Connection method | Access level
Stripe        | OAuth             | Read-only (no write permissions)
Chargebee     | API key           | Read-only key recommended
Recurly       | API key           | Read-only key recommended
Google Sheets | OAuth             | Access to sheets you authorize
Custom API    | Your API key      | You control what data you send

Data storage and encryption

Encryption in transit

All data transmitted to and from GrowPanel is encrypted using TLS 1.2 or higher:

  • HTTPS for all web traffic
  • Encrypted webhook payloads
  • Secure API communications

Encryption at rest

  • Account database (Supabase): Encrypted at rest using AES-256 with secure key management
  • Analytics database (ClickHouse): Protected by network isolation and access controls
  • Encrypted backups for account data

Data centers and EU hosting

GrowPanel is a Danish company (GrowPanel ApS), and all customer data is stored in the European Union:

  • Account database hosted in EU West (Supabase)
  • Analytics database hosted in Amsterdam, Netherlands
  • SOC 2 certified data centers
  • Physical security controls
  • Redundant power and networking

Application code runs on global edge nodes for performance, but all persistent data storage remains within the EU, subject to European data protection regulations.


Authentication and access control

User authentication

GrowPanel supports secure authentication methods:

Method            | Security features
Email/password    | Strong password requirements, bcrypt hashing
Google Sign-In    | OAuth 2.0, Google's security infrastructure
Microsoft Sign-In | OAuth 2.0, Microsoft's security infrastructure

Session security

  • Sessions expire after 3 days of inactivity
  • Secure, HTTP-only cookies with SameSite protection
  • Content Security Policy (CSP) to prevent script injection
  • Strict Transport Security (HSTS) enforced

Role-based access control

GrowPanel offers three permission levels:

Role      | Capabilities
Owner     | Full access including billing, team management, data deletion
Admin     | Full access to data and settings, billing, can invite team members
Read-only | View reports and data, no configuration access

See Team management for details.


API security

API key management

  • API keys are hashed (SHA-256) before storage (not stored in plaintext)
  • Keys can be regenerated or revoked at any time
  • Email notifications sent when new API keys are created

Rate limiting

API requests are rate limited to prevent abuse:

  • Per-minute and per-day limits
  • Graceful degradation with 429 responses
  • Contact support for limit increases

See API documentation for details.


Third-party integrations

Slack and Microsoft Teams

When you connect Slack or Teams:

  • GrowPanel requests minimal permissions (posting only)
  • We cannot read your messages or access files
  • Connections can be revoked at any time

Webhook security

Outgoing webhooks to your systems:

  • Sent over HTTPS only
  • Can include signature headers for verification
  • Retry with exponential backoff on failure

Data retention

Active accounts

While your account is active:

  • All imported data is retained
  • Historical data is preserved for reporting
  • You can request data deletion at any time

Account deletion

When you delete your account:

  • Your data is deleted from production systems within 30 days
  • Backups are purged according to retention schedules
  • Data is not recoverable after deletion

Data export

You can export your data at any time:

  • CSV exports from reports
  • API access for bulk data retrieval
  • No export fees or restrictions

Privacy

What we collect

GrowPanel collects:

  • Account information (email, name)
  • Usage data (pages viewed, features used)
  • Billing data from connected sources

What we don't collect

  • We don't sell your data
  • We don't use your data for advertising
  • We don't share individual customer data with third parties

Cookies

GrowPanel uses:

  • Essential cookies for authentication
  • Analytics cookies (can be disabled)
  • No third-party advertising cookies

Compliance

GDPR

GrowPanel is designed to support GDPR compliance:

  • Data minimization - We only collect data necessary for the service
  • Right to access - Export your data at any time
  • Right to deletion - Request account and data deletion
  • Data processing - We process data only as instructed

For EU customers, contact support for:

  • Data Processing Agreement (DPA)
  • Information about sub-processors
  • Data transfer mechanisms

PCI DSS

GrowPanel is not a payment processor and does not handle or store full payment card data. We receive only limited card information (last 4 digits, expiration) from your billing platform.


Security practices

Development

  • Code reviews for all changes
  • Automated security scanning
  • Dependency vulnerability monitoring
  • Secure development guidelines

Operations

  • Regular security assessments
  • Monitoring and alerting
  • Incident response procedures
  • Access logging and auditing

Employee access

  • Background checks for team members
  • Least-privilege access principles
  • Regular access reviews
  • Security awareness training

Incident response

Reporting security issues

If you discover a security vulnerability, please report it to:

Email: [email protected]

We commit to:

  • Acknowledging reports within 48 hours
  • Providing regular updates on resolution
  • Not pursuing legal action for good-faith security research

Breach notification

In the event of a data breach:

  • Affected customers will be notified within 72 hours
  • We will provide details of what data was affected
  • We will share remediation steps taken

Frequently asked questions

Is my data safe with GrowPanel?

Yes. GrowPanel uses industry-standard security practices including encryption, access controls, and regular security assessments. We only request read-only access to your billing data.

Can GrowPanel charge my customers?

No. GrowPanel has read-only access to your billing platforms. We cannot create subscriptions, modify billing, or charge customers.

Can I use GrowPanel if I'm in the EU?

Yes. GrowPanel supports GDPR requirements. Contact support for a Data Processing Agreement if needed.

How do I delete my data?

Go to Account → Danger Zone → Delete Account to delete your account, or contact support. Your data will be removed within 30 days.

Who can access my data?

Only authenticated team members with appropriate roles can access your GrowPanel account. Our staff can access account data only for support purposes with your permission.


Contact

For security questions or concerns:

Security team: [email protected]

General support: Use the support widget or email [email protected]