Privacy Policy
1. Data Controller
Responsible for data processing in connection with this website and the services offered is:
David Proga
Simple.Grow
c/o Impressumservice Dein-Impressum
Stettiner Strasse 41, 35410 Hungen, Germany
+49 (0) 174 6629095
david.proga@simplegrow.io
2. Subject of This Privacy Policy
This Privacy Policy explains how personal data is processed when using the Simple.Grow service. Simple.Grow is a service offering that provides and manages AI Employees – AI agents that handle defined tasks in day-to-day consulting operations – for consulting firms in the DACH region. Data of end customers of the managed companies may also be processed in this context.
3. Types of Data Processed
When using Simple.Grow, the following categories of personal data may be processed:
- Contact data (name, phone number, email address)
- Address data
- Project data (e.g., information about the planned project)
- Communication records
- Appointment booking information
- Review and feedback data
The specific types of data processed depend on the functional scope of the automation systems activated by the customer.
4. Purpose of Processing
Personal data is processed for the following purposes:
- Content creation and optimization (e.g., LinkedIn posts, specialist articles, reports)
- Research and analysis (e.g., market research, competitive analyses)
- Automated reports and KPI tracking
- Automated customer communication and appointment scheduling
- Process optimization and workflow automation
- AI assistance and decision support
- Inquiry processing and support
5. Legal Basis for Processing
For our own processing activities (e.g., via this website or for customer support), we rely on the following legal bases under Art. 6 GDPR:
- Art. 6(1)(a) GDPR (consent, e.g., when expressing interest via contact form)
- Art. 6(1)(b) GDPR (performance of a contract)
- Art. 6(1)(c) GDPR (legal obligation, e.g., documenting an advertising objection)
- Art. 6(1)(f) GDPR (legitimate interest)
Regarding the processing of end customer data by our clients:
Simple.Grow merely provides the technical means. The legal responsibility for compliance with all data protection obligations towards end customers lies exclusively with the respective business or company using Simple.Grow. This includes in particular the information obligations under Art. 13/14 GDPR and the existence of a valid legal basis for each data processing activity.
6. Data Processing on Behalf
Insofar as we process personal data of end customers on behalf of businesses/companies (e.g., as part of automated contact processes), this is done on the basis of a Data Processing Agreement pursuant to Art. 28 GDPR. Simple.Grow will never independently use or disclose personal data to third parties unless a legal obligation exists or the customer has expressly consented.
7. Data Disclosure
Personal data is only disclosed to third parties if this is necessary for the performance of the contract or if a legal obligation exists. Disclosure for advertising purposes or outside the processes defined in the agreement does not take place.
8. Services and Infrastructure Used
8.1 n8n (n8n.io)
For process automation and integration, we use n8n, a GDPR-compliant open-source automation platform. We exclusively use the self-hosted version on a Hetzner server with a German server location – not the n8n cloud variant. A Data Processing Agreement (DPA) pursuant to Art. 28 GDPR exists with Hetzner Online GmbH.
- Hosting: Self-hosted on Hetzner infrastructure, server location Germany
- No n8n Cloud: Only the open-source version is used. No data is transferred to n8n GmbH or their cloud services
- Data encryption: All transmitted data is protected via HTTPS; sensitive data can additionally be stored encrypted
- Access restrictions: Strict access controls via API keys and role management
- Transparent processing: Workflows document data flows in detail
- No disclosure to third parties: n8n processes data only within defined workflows, entirely on our own infrastructure
8.2 Trigger.dev (trigger.dev)
For orchestrating and executing background tasks, we use Trigger.dev, an open-source platform for managing AI workflows and automations. We exclusively use the self-hosted version (deployed via Docker) on a Hetzner server with a German server location – not the Trigger.dev cloud variant.
- Hosting: Self-hosted on Hetzner infrastructure, server location Germany
- No Trigger.dev Cloud: Only the open-source version is used. No data is transferred to Trigger.dev Inc. or their cloud services
- Data encryption: All transmitted data is protected via HTTPS
- Access restrictions: Strict access controls via API keys and role management
- Task orchestration: Trigger.dev orchestrates the AI Employees (e.g., content creation, research, reports) and logs all processing steps
- No disclosure to third parties: Trigger.dev processes data only within defined tasks, entirely on our own infrastructure
8.3 Supabase
For data storage and database infrastructure, we use Supabase, a GDPR-compliant open-source platform as an alternative to proprietary database solutions.
- Server location: Exclusively EU and/or Germany-based servers
- Data encryption: Encryption at rest (AES-256) and in transit (TLS 1.2+)
- Row Level Security (RLS): Granular access control at the database level
- SOC 2 Type II certified: Regularly audited security standards
- No disclosure to third parties: Data is stored exclusively within the scope of the agreed processing
- Data minimization: Only data required for the respective purpose is stored
8.4 Large Language Models (AI Models)
Simple.Grow uses the Large Language Model Claude (Anthropic) via AWS Bedrock EU Inference Profiles as a programming interface (API). Simple.Grow places particular emphasis on data protection and GDPR compliance.
- EU processing: AI processing is carried out exclusively via AWS Bedrock EU Inference Profiles with server location Frankfurt am Main (EU). Customer data demonstrably does not leave the EU. No transfer of personal data to third countries takes place.
- Data processing via the API: When using the AI model via the API, the data required for processing the request is transmitted to AWS Bedrock EU. This data is processed exclusively to generate the desired response and is not used for other purposes. Data provided via the API is not used for training AI models.
- No permanent storage: No personal data is permanently stored with the AI provider as part of the API usage. Temporary caching for processing occurs exclusively in the EU (Frankfurt) and is deleted after a maximum of 24 hours.
- Data-minimizing implementation: Simple.Grow ensures that only the minimum necessary data is transmitted to the API. Sensitive or personal data is anonymized or pseudonymized before transmission.
- No use of the web interface: Simple.Grow exclusively uses the API interface, not the AI provider's web interface. All interactions occur via the API and are subject to the above-mentioned safeguards.
8.5 AI Regulation (EU AI Act)
Simple.Grow observes the requirements of Regulation (EU) 2024/1689 (AI Regulation / EU AI Act) in the development, provision, and operation of its AI systems.
- Risk classification: The AI systems used are classified as general-purpose AI with limited risk. They are not high-risk AI systems within the meaning of Art. 6 EU AI Act.
- Transparency (Art. 50): AI-generated content is labeled as such. The User is transparently informed about the use of AI models, their functionality, and limitations.
- AI Literacy (Art. 4): As part of each AI Employee setup, Simple.Grow provides a documented AI Literacy Introduction covering the use of the system, the approval workflow, and the User's review obligations.
- Human Oversight (Art. 14): All AI systems are equipped with an approval workflow that ensures no outputs enter business operations without human review.
- No prohibited practices (Art. 5): Simple.Grow does not deploy AI systems that fall under the prohibited practices of Art. 5 EU AI Act (e.g., social scoring, subliminal manipulation, exploitation of vulnerabilities).
The detailed regulation of the division of responsibilities between Simple.Grow (Provider) and the User (Deployer) under the EU AI Act can be found in the Terms and Conditions (§9.5–9.11).
8.6 Contact Form (/brief)
Via the contact form at simplegrow.io/en/brief, interested parties can get in touch as part of a direct marketing campaign (personal letters). The following data is collected:
- Required fields: Company name, name, expression of interest (Yes/No)
- Optional fields: Phone number, email address
Purpose and Legal Basis
- For "Yes, interested": The data is processed to make contact and arrange a non-binding conversation about AI Employee services. Legal basis: Art. 6(1)(a) GDPR (consent through active selection in the form).
- For "No, not interested": The response is documented as an advertising objection pursuant to Art. 21 GDPR. Legal basis: Art. 6(1)(c) GDPR (fulfillment of a legal obligation).
Recipients and Processing
Form data is processed via a Vercel Serverless Function (see section 8.7) and forwarded internally. No permanent storage of form data takes place in a database.
Retention Period
- Expression of interest ("Yes"): Data is retained for a maximum of 3 years or until consent is withdrawn.
- Advertising objection ("No"): The response is retained permanently to ensure no further contact is made.
Spam Protection
A honeypot method is used to protect against automated submissions. An invisible form field is used that regular users do not fill out. No external services (such as Google reCAPTCHA) are integrated.
8.7 Vercel (vercel.com)
For website hosting and the provision of API routes, we use Vercel, a cloud platform for static websites and serverless functions.
- Hosting: Static website hosting via Vercel's edge network (global CDN)
- Data processing: Vercel processes server logs (IP addresses, access times) as part of hosting. Personal customer data is not stored on Vercel
- Headquarters: Vercel Inc., USA. Data transfer based on EU Standard Contractual Clauses and the EU-US Data Privacy Framework
8.8 Cal.com (cal.com)
For appointment scheduling, we use Cal.com, an open-source scheduling solution.
- Data processed: Name, email address, and selected time slot when booking a Discovery Call or Needs Assessment appointment
- Purpose: Appointment scheduling and calendar synchronization
- Data protection: Cal.com processes data exclusively for appointment management. Cal.com's privacy policy is available at cal.com/privacy
- Deletion: Appointment booking data is deleted 7 days after the appointment takes place
9. Retention Period
Personal data is retained only as long as necessary for the respective purposes or as required by statutory retention obligations. Automatically stored communication data (e.g., WhatsApp dialogs or meeting minutes) is regularly reviewed and deleted after the relevant periods expire.
10. Rights of Data Subjects
Data subjects have the right to:
- Access to their stored data (Art. 15 GDPR)
- Rectification of inaccurate data (Art. 16 GDPR)
- Erasure (Art. 17 GDPR)
- Restriction of processing (Art. 18 GDPR)
- Data portability (Art. 20 GDPR)
- Objection to processing (Art. 21 GDPR)
Requests can be directed to the contact details provided above.
11. Customer Responsibility
Simple.Grow assumes no responsibility whatsoever for any data protection violations arising from improper or non-GDPR-compliant use by the business/company. It is exclusively the User's responsibility to inform their customers in a timely and transparent manner about the use of Simple.Grow and to ensure compliance with all legal requirements.
12. Changes to This Privacy Policy
We reserve the right to amend this Privacy Policy as needed, e.g., to adapt it to new legal requirements or technical developments. The current version is always available on our website.
Data Processing Agreement (DPA)
The complete Data Processing Agreement (DPA) pursuant to Art. 28 GDPR is available as a separate document: www.simplegrow.io/en/dpa
The DPA governs the processing of personal data on behalf of the customer, including technical and organizational measures (TOMs), sub-processor list, deletion periods, and notification obligations in case of data breaches.
As of: March 12, 2026