Privacy Policy
How we collect, use, and protect your data in compliance with UK GDPR
EU Data Centres
All data stored in secure EU-based data centres (Helsinki, Finland)
Encryption
AES-256 encryption at rest and TLS 1.3 in transit
GDPR Compliant
Fully compliant with UK GDPR and Data Protection Act 2018
Your Control
Access, export, or delete your data at any time
Introduction
Grove Financial Ltd ("Grove", "we", "us", or "our") is committed to protecting your privacy and handling your data in an open and transparent manner.
This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our financial planning and analysis platform and services. It also explains your rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Grove Financial Ltd is the data controller for the personal data we process. For financial data processed on behalf of our customers, we act as a data processor, and our customers remain the data controllers.
1. What Information We Collect
Account Information
When you create an account or subscribe to Grove, we collect:
- Company name and registration details
- Contact name, email address, and phone number
- Billing information (processed securely by Stripe)
- Account preferences and settings
Financial Data
On behalf of our customers (as data processor), we may process financial information including:
- Budget and forecast data
- Revenue, expense, and headcount figures
- Financial models and scenario plans
- Reports and dashboards
- Imported data from connected accounting systems
Technical Data
When you use our platform, we automatically collect:
- IP address and device information
- Browser type and version
- Usage patterns and feature interactions
- Error logs and diagnostic data
2. How We Use Your Data
We process your personal data for the following purposes, on the following legal bases:
Contract Performance
- Providing and maintaining the Grove platform
- Processing your subscription and payments
- Sending service-related communications
- Providing customer support
Legitimate Interests
- Improving and developing our services
- Analysing usage to enhance user experience
- Protecting against fraud and security threats
- Sending relevant product updates (you may opt out)
Legal Obligations
- Complying with tax and accounting requirements
- Responding to legal requests from authorities
- Maintaining records as required by law
3. Data Security and Storage
EU Data Centres
All Grove data is stored in secure, EU-based data centres operated by Hetzner Online GmbH in Helsinki, Finland. We do not transfer your data outside the European Economic Area unless required to do so by law or with your explicit consent, and where appropriate safeguards (such as Standard Contractual Clauses) are in place.
Security Measures
We implement comprehensive security measures including:
- Tenant isolation: Per-tenant Docker containers and DuckDB instances ensure complete data separation
- Encryption at rest: AES-256 encryption for all stored data
- Encryption in transit: TLS 1.3 for all data transmission
- Access controls: Role-based access with multi-factor authentication
- Regular audits: Penetration testing and security assessments
- Incident response: Security monitoring and incident response procedures
4. Data Retention
We retain your personal data only for as long as necessary to fulfil the purposes for which it was collected and to comply with legal obligations.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of subscription + 2 years |
| Financial data | As directed by customer (data controller) |
| Billing records | 7 years (legal requirement) |
| Technical logs | 90 days |
| Marketing preferences | Until consent is withdrawn |
When data is no longer required, we securely delete or anonymise it in accordance with our data retention procedures.
5. Your Rights
Under UK GDPR, you have the following rights regarding your personal data:
Right of Access
Request a copy of the personal data we hold about you.
Right to Rectification
Request correction of inaccurate or incomplete data.
Right to Erasure
Request deletion of your data in certain circumstances.
Right to Restrict Processing
Request limitation of how we use your data.
Right to Data Portability
Receive your data in a structured, machine-readable format.
Right to Object
Object to processing based on legitimate interests or marketing.
To exercise any of these rights, please contact us at privacy@grove.financial. We will respond to your request within one month.
6. Cookies and Tracking
We use cookies and similar technologies to provide and improve our services. For full details, see our Cookie Policy.
7. Data Sharing and Sub-processors
We may share your personal data with the following sub-processors:
- Hetzner Online GmbH -- Cloud hosting, Helsinki, Finland
- Cloudflare, Inc. -- CDN, DDoS protection, and DNS
- Stripe, Inc. -- Payment processing and billing
- Resend -- Transactional email delivery
We do not sell your personal data to third parties for marketing purposes.
Contact Us
If you have any questions about this Privacy Policy or wish to exercise your rights, please contact us:
- Email: privacy@grove.financial
You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.