Legal

Privacy Policy

How GrowBridge collects, uses, and protects your data — including the limited information we receive when you choose Sign in with Google.

Last updated: May 29, 2026GrowBridge LLChello@growbridge.io

1 · Who we are

GrowBridge LLC

GrowBridge provides software (the “Service”) that helps growers operate controlled-environment agriculture (CEA) hardware they already own. This Privacy Policy explains what personal information we collect, how we use it, and the choices you have.

Operator: GrowBridge LLC. This policy applies to the marketing site at growbridge.io and to the GrowBridge product app at app.growbridge.io.

Questions about this policy or your data? Email hello@growbridge.io.

2 · What we collect

The data behind your account

Account & authentication

  • Email address, name, and profile picture URL provided by your sign-in provider (see § 3 Sign in with Google).
  • Authentication state managed by Clerk (sessions, device, sign-in time).
  • Your GrowBridge role (grower, admin, owner) and account status.

Grow profile & operational data

  • Hardware vendors, room/zone labels, crop type, and growth stage you choose to enter.
  • Sensor readings (temperature, humidity, VPD, EC, VWC, pH, etc.) that we pull from your hardware vendor’s public API on your behalf.
  • API credentials you connect to GrowBridge to enable hardware integrations, encrypted at rest.

Forms & communications

  • Messages you submit through /contact,/feedback, and/connect (your email, name, and message body).
  • Email correspondence you send to hello@growbridge.io.

Marketing analytics (no PII)

  • Page views, UTM source/medium/campaign, click events, and form-submit events flow through Google Tag Manager and Google Analytics 4.
  • We deliberately keep personally identifiable information out of thedataLayer (see apps/marketing/lib/analytics.ts for the exact event shape).

We do not sell, rent, or trade your personal information.

3 · Required Google disclosure

Sign in with Google

When you choose Sign in with Google to access the GrowBridge product app at app.growbridge.io, our authentication provider Clerk completes the standard OAuth 2.0 flow with Google on our behalf. The Google consent screen lists exactly what we request, and that is all we receive.

Scopes we request

Standard sign-in scopes only:

ScopePurpose
openidAuthenticate your Google Account (OpenID Connect identifier)
https://www.googleapis.com/auth/userinfo.emailYour Google email address
https://www.googleapis.com/auth/userinfo.profileYour Google display name and profile picture URL

From these scopes Google returns: a stable Google account identifier (thesubclaim), your email address, your display name, and your profile picture URL.

How we use this Google data

  • Authenticate you and create or recognize your GrowBridge account.
  • Establish and maintain your authenticated session onapp.growbridge.io.
  • Display your name, email, and profile picture in the GrowBridge app UI (sidebar, account page).
  • Send you operational, account, and security email at the address Google returned.

What we do NOT do with Google data

  • We do not use Google user data for advertising or to build advertising profiles.
  • We do not sell, rent, or trade Google user data.
  • We do not access Gmail, Google Calendar, Google Drive, Google Contacts, Google Photos, Google Workspace data, or any other Google product. Our application does not request scopes for those products.
  • Our use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

If we ever expand to additional Google scopes, the OAuth consent screen will be updated and re-verified by Google before any new scope is requested, and this policy will be updated accordingly.

Where this data is stored

  • Clerk — stores the Google account identifier, email, name, and profile picture URL as part of your Clerk user record so we can keep you signed in.
  • GrowBridge application database (Neon Postgres) — stores the minimum profile fields required to operate the Service, typically your email, display name, a stable user ID, and your grow profile data.

Subprocessors

We use a small set of contracted subprocessors to operate the Service. None of them are authorized to use your data for their own purposes:

SubprocessorPurpose
ClerkOAuth 2.0 authentication and session management
VercelHosting for the marketing site and product dashboard
RailwayHosting for the GrowBridge API (FastAPI)
NeonManaged Postgres application database
ResendTransactional email (account, contact, beta-access notifications)

Your choices & controls

  • Revoke GrowBridge’s access to your Google Account at any time at myaccount.google.com/permissions.
  • Delete your GrowBridge account and associated data by emailing hello@growbridge.io. Revoking Google access does not by itself delete the GrowBridge account record.

4 · Marketing site & cookies

How growbridge.io works

  • Google Tag Manager + Google Analytics 4 power aggregate visit and conversion analytics. We capture page paths, UTM parameters, click events, and form-submit events through adataLayerconfigured in apps/marketing/lib/analytics.ts. We do not place email addresses, names, or other personally identifiable information into thedataLayeror GA4.
  • First-touch UTM attributionis held in your browser’s sessionStorage for the current visit only.
  • Cookies consist of those strictly necessary for the site to function plus the analytics cookies set by Google Tag Manager and Google Analytics. We do not run advertising pixels in the marketing site source.
  • Contact, feedback, and hardware-request forms deliver your submission to GrowBridge through Resend (transactional email) so our team can respond. We retain the message and your email address only for as long as needed to handle your request.

5 · Retention, security, contact

How we look after your data

Retention

We keep your account information for as long as your GrowBridge account is active. Sensor data and grow-profile content are retained until you delete the relevant rooms, zones, or your account. Backups follow standard rolling retention windows on our hosting and database providers.

Security

Authentication is handled by Clerk over HTTPS; OAuth refresh tokens are managed by Clerk and do not enter the GrowBridge application database. Hardware API credentials are encrypted at rest. The Service is delivered exclusively over HTTPS.

Children

GrowBridge is not directed to children under 13, and we do not knowingly collect personal information from children under 13. If you believe we have, contact us and we will delete it.

International users

GrowBridge currently operates servers and subprocessors based in the United States. If you sign in from outside the U.S., your data will be transferred to and processed in the U.S.

Changes to this policy

We may update this Privacy Policy as the Service evolves. Material changes are reflected by an updated Last updated date at the top of this page and, where appropriate, by a notice in the GrowBridge app.

Contact

Questions about this policy or your data? Email hello@growbridge.io.

6 · Linked Terms of Service

This policy is part of our Terms

This Privacy Policy is part of and incorporated into the GrowBridge Terms of Service. Where the two documents address the same topic, both apply together.