Privacy Policy
How we collect, use, and protect your data in compliance with UK GDPR
EU Data Centres
All data stored in secure EU-based data centres (Helsinki, Finland)
Encryption
AES-256 encryption at rest and TLS 1.3 in transit
GDPR Compliant
Fully compliant with UK GDPR and Data Protection Act 2018
Your Control
Access, export, or delete your data at any time
Introduction
Grove Financial Ltd ("Grove", "we", "us", or "our") is committed to protecting your privacy and handling your data in an open and transparent manner.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our financial planning and analysis platform and services. It also explains your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Grove Financial Ltd is the data controller for the personal data we process. For financial data processed on behalf of our customers, we act as a data processor, and our customers remain the data controllers.
1. What Information We Collect
Account Information
When you create an account or subscribe to Grove, we collect:
- Company name and registration details
- Contact name, email address, and phone number
- Billing information (processed securely by Stripe)
- Account preferences and settings
Financial Data
On behalf of our customers (as data processor), we may process financial information including:
- Budget and forecast data
- Revenue, expense, and headcount figures
- Financial models and scenario plans
- Reports and dashboards
- Imported data from connected accounting systems
Technical Data
When you use our platform, we automatically collect:
- IP address and device information
- Browser type and version
- Usage patterns and feature interactions
- Error logs and diagnostic data
2. How We Use Your Data
We process your personal data for the following purposes and legal bases:
Contract Performance
- Providing and maintaining the Grove platform
- Processing your subscription and payments
- Sending service-related communications
- Providing customer support
Legitimate Interests
- Improving and developing our services
- Analysing usage to enhance user experience
- Protecting against fraud and security threats
- Sending relevant product updates (you may opt out)
Legal Obligations
- Complying with tax and accounting requirements
- Responding to legal requests from authorities
- Maintaining records as required by law
3. Data Security and Storage
EU Data Centres
All Grove data is stored in secure, EU-based data centres operated by Hetzner Online GmbH in Helsinki, Finland. We do not transfer your data outside the European Economic Area unless required to do so by law or with your explicit consent, and where appropriate safeguards (such as Standard Contractual Clauses) are in place.
Security Measures
We implement comprehensive security measures including:
- Tenant isolation: Per-tenant Docker containers and DuckDB instances ensure complete data separation
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS 1.3 for all data transmission
- Access controls: Role-based access with multi-factor authentication
- Regular audits: Penetration testing and security assessments
- Incident response: Security monitoring and incident response procedures
4. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of subscription + 2 years |
| Financial data | As directed by customer (data controller) |
| Billing records | 7 years (legal requirement) |
| Technical logs | 90 days |
| Marketing preferences | Until consent is withdrawn |
When data is no longer required, we securely delete or anonymise it in accordance with our data retention procedures.
5. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your data in certain circumstances.
Right to Restrict Processing
Request limitation of how we use your data.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or marketing.
To exercise any of these rights, please contact us at privacy@grove.financial. We will respond to your request within one month.
6. Cookies and Tracking
We use cookies and similar technologies to provide and improve our services. For full details, see our Cookie Policy.
7. Data Sharing and Sub-processors
We may share your personal data with the following sub-processors:
- Hetzner Online GmbH -- Cloud hosting, Helsinki, Finland
- Cloudflare, Inc. -- CDN, DDoS protection, and DNS
- Stripe, Inc. -- Payment processing and billing
- Resend -- Transactional email delivery
We do not sell your personal data to third parties for marketing purposes.
8. International Data Transfers β Data Privacy Framework
Grove is committed to safeguarding personal data when it is transferred internationally. Where personal data is transferred from the European Economic Area (EEA), the United Kingdom, or Switzerland to the United States or other countries outside the EEA, we rely on the following mechanisms:
- EU-US Data Privacy Framework (DPF): For transfers of personal data from the EEA to the US, we rely on the EU-US Data Privacy Framework, as applicable, or ensure our US-based sub-processors participate in the DPF.
- UK Extension to the EU-US DPF: For transfers from the UK, we rely on the UK Extension to the EU-US Data Privacy Framework.
- Swiss-US Data Privacy Framework: For transfers from Switzerland, we rely on the Swiss-US Data Privacy Framework.
- Standard Contractual Clauses (SCCs): Where the DPF does not apply, we use the European Commission's Standard Contractual Clauses (as supplemented for UK transfers by the UK International Data Transfer Addendum) as our lawful transfer mechanism.
You may request a copy of the relevant transfer safeguards by contacting us at privacy@grove.financial.
9. California Privacy Rights (CCPA/CPRA)
This section applies to California residents and supplements the information in this Privacy Policy. It describes the rights you have under the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (collectively, "CCPA").
Categories of Personal Information
In the preceding 12 months, we have collected the following categories of personal information:
- Identifiers: Name, email address, IP address, account credentials.
- Commercial information: Subscription plan, billing and payment history.
- Internet/electronic activity: Browsing history on our site, feature usage, log data.
- Professional information: Job title, company name, role within your organisation.
- Inferences: Preferences and usage patterns derived from the above.
Your CCPA Rights
As a California resident, you have the right to:
Right to Know
Request disclosure of the categories and specific pieces of personal information we have collected about you.
Right to Delete
Request deletion of personal information we have collected from you, subject to certain exceptions.
Right to Correct
Request correction of inaccurate personal information that we maintain about you.
Right to Opt-Out of Sale/Sharing
Direct us not to sell or share your personal information. Grove does not sell personal information.
Right to Limit Use of Sensitive Data
Limit the use and disclosure of sensitive personal information to what is necessary.
Right to Non-Discrimination
Not receive discriminatory treatment for exercising your CCPA rights.
Sale and Sharing of Personal Information
Grove does not sell your personal information as defined under the CCPA. We do not share personal information for cross-context behavioural advertising purposes.
How to Exercise Your Rights
To exercise your CCPA rights, you may submit a verifiable consumer request by emailing privacy@grove.financial with the subject line "CCPA Request". You may also designate an authorised agent to submit a request on your behalf. We will verify your identity before fulfilling any request and respond within 45 days (or up to 90 days with notice for complex requests).
Financial Incentives
We do not offer financial incentives or price differences in exchange for the retention or sale of personal information.
10. US State Privacy Laws
In addition to California, several US states have enacted comprehensive privacy legislation. If you are a resident of one of the following states, you may have additional rights:
| State | Law | Key Rights |
|---|---|---|
| Virginia | VCDPA | Access, correction, deletion, data portability, opt-out of targeted advertising, sale, and profiling |
| Colorado | CPA | Access, correction, deletion, data portability, opt-out of targeted advertising, sale, and profiling |
| Connecticut | CTDPA | Access, correction, deletion, data portability, opt-out of targeted advertising and sale |
| Utah | UCPA | Access, deletion, data portability, opt-out of targeted advertising and sale |
To exercise rights under any of these state privacy laws, please contact us at privacy@grove.financial. We will process your request in accordance with the applicable state law. If your request is denied, you may appeal the decision by replying to our response with the subject line "Privacy Appeal".
Universal Opt-Out Signals
We honour Global Privacy Control (GPC) signals and other legally recognised universal opt-out mechanisms. When we detect a GPC signal from your browser, we treat it as a valid opt-out request for the sale or sharing of personal information under applicable state laws.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Email: privacy@grove.financial
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.