Data Processing

DATA PROCESSING ADDENDUM

Last Updated: December 2025

This Data Processing Addendum (“Addendum” or “DPA”) forms part of the Growthifi Privacy Policy and the Growthifi Terms & Conditions (the “Agreement”). This Addendum governs Growthifi LLC’s (“Growthifi,” “we,” “us,” or “our”) processing of Personal Data on behalf of Clients (“Client,” “you”) in connection with the Services. This Addendum applies only to the extent Growthifi processes Client Data on behalf of Client as a Data Processor or Service Provider under applicable Data Protection Laws. This DPA is incorporated into the Agreement and is effective upon Client’s first use of the Services.

1. DEFINITIONS

“Account Users”

Individuals authorized by Client to access the Services.

“Client Data”

Personal Data processed by Growthifi on behalf of Client through the Services, including contact records, message content, metadata, CRM data, opt-in/opt-out records, logs, and workflow/automation outputs.

“Data Controller” / “Business”

The entity determining the purposes and means of processing. Client is the Data Controller of Client Data.

“Data Processor” / “Service Provider”

The entity processing Personal Data on behalf of the Controller. Growthifi is the Data Processor with respect to Client Data.

“Data Protection Laws”

All applicable privacy and data protection laws, including:

  • GDPR & UK GDPR
  • EU ePrivacy Directive
  • California Consumer Privacy Act (CCPA/CPRA)
  • Virginia, Colorado, Connecticut, Utah, and other U.S. state privacy laws
  • Any successor or equivalent regulations
“Personal Data”

Any information relating to an identifiable natural person, as defined by applicable law.

“Processing”

Any operation performed on Personal Data (collecting, storing, using, transmitting, etc.).

“Sub-processor”

Any third party engaged by Growthifi to process Client Data on its behalf.

“Services”

Growthifi’s CRM, messaging, automation, AI, API, hosted tools, and agency services.

Other capitalized terms not defined here have the meanings given in the Agreement.

2. ROLES & PROCESSING SCOPE

2.1 Roles of the Parties
  • Client is the Data Controller / Business.
  • Growthifi is the Data Processor / Service Provider.
  • Growthifi processes Client Data only on documented instructions from Client.
2.2 Client Obligations

Client will:

  • Comply with all Data Protection Laws.
  • Obtain all legally required consents (TCPA/CTIA/GDPR/etc.).
  • Maintain legally adequate privacy notices.
  • Respond to Data Subject Requests.
  • Ensure lawful collection and use of Client Data.
  • Not upload PHI or health data (Growthifi is not HIPAA-compliant).
  • Maintain accuracy and lawfulness of the Client Data it provides.

Client remains solely responsible for:

  • Lead sources
  • Contact list quality
  • Consent integrity
  • Message content
  • Lawful processing of end-user data
2.3 Growthifi’s Processing of Client Data

Growthifi will:

  • Process Client Data only per Client instruction
  • Implement industry-standard security measures
  • Maintain confidentiality
  • Assist Client with compliance requests where feasible
  • Delete or return Client Data upon termination
  • Process only what is necessary to provide the Services

Growthifi will not:

  • Sell or share Client Data for advertising purposes
  • Use Client Data for Growthifi’s own marketing
  • Determine the purposes or means of Client Data processing
  • Use Client Data to train AI models without explicit permission

3. DETAILS OF PROCESSING

Subject matter: Processing of Client Data via the Services.

Duration: Duration of Client’s use of the Services plus any retention under policy.

Purpose: Provision of CRM, messaging, automation, analytics, AI features, and support services.

Nature of processing: Storage, routing, sending, receiving, analytics, workflows, automation, segmentation, logs.

Categories of Data Subjects:

  • Client’s Account Users
  • Client’s contacts, leads, customers, subscribers, and end-users

Types of Personal Data: May include, at Client discretion:

  • Names, phone numbers, emails
  • Message content (SMS/MMS/RCS/WhatsApp/email)
  • Tags, segments, custom fields
  • Opt-in/opt-out records
  • Device, network, routing metadata
  • CRM activity and conversation history

Client determines the scope and categories of Personal Data used.

4. DATA SUBJECT REQUESTS (DSRs)

4.1 Client Responsibility for Requests

Client is responsible for responding to:

  • Access requests
  • Correction
  • Deletion
  • Opt-out
  • Restriction
  • Portability
  • CCPA/CPRA requests
  • GDPR rights

Growthifi provides tools to support Client in fulfilling these rights.

4.2 Growthifi’s Assistance

Where Client cannot access data directly, Growthifi will assist:

  • At Client’s request
  • Where technically feasible
  • Without undue delay
  • At Client’s cost if significant effort is required
4.3 Direct Requests to Growthifi

If a Data Subject contacts Growthifi:

  • Growthifi will not respond except to redirect them to Client
  • Growthifi will notify Client unless prohibited by law
4.4 Government or Law Enforcement Requests

If Growthifi receives a legal demand for Client Data:

  • Growthifi will redirect the request to Client where permitted
  • Growthifi may provide Client’s basic contact details
  • Growthifi will notify Client unless legally forbidden

5. SUB-PROCESSORS

5.1 Authorization

Client authorizes Growthifi to engage Sub-processors necessary for providing the Services. Sub-processors are categorized, but names are not publicly disclosed. Categories may include:

  • Cloud hosting & infrastructure providers
  • Telecom carriers & SMS/MMS/RCS messaging aggregators
  • Email delivery infrastructure
  • Security, logging, and monitoring providers
  • Payment processors
  • Analytics, fraud detection, and performance tools
  • AI inference or model-hosting infrastructure
  • Backup and disaster recovery vendors
5.2 Requirements for Sub-processors

Growthifi ensures Sub-processors:

  • Are bound by written data protection obligations
  • Implement industry-standard security controls
  • Process Client Data only as needed to provide services
5.3 Changes to Sub-processors

Growthifi may update Sub-processors and will maintain a non-public registry available to Clients upon request and under NDA when necessary.

6. SECURITY MEASURES

Growthifi maintains industry-standard technical and organizational measures, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls
  • Multi-factor authentication
  • Network and log monitoring
  • Intrusion detection & anomaly detection
  • Annual penetration testing
  • SOC-2 aligned internal controls
  • Least-privilege access
  • Data redundancy and backups

Security obligations align with Growthifi’s Privacy Policy and Terms.

7. INTERNATIONAL TRANSFERS

Where required:

  • Growthifi relies on the EU Standard Contractual Clauses (SCCs) (incorporated by reference).
  • UK GDPR transfers use the UK International Data Transfer Addendum.
  • Swiss transfers follow FDPA requirements.
  • Growthifi will implement supplementary safeguards where appropriate.

8. DATA RETURN & DELETION

Upon termination:

  • Growthifi may delete Client Data after 30 days per retention policy
  • Backups are wiped on scheduled cycles
  • Client may export data prior to termination
  • Growthifi may retain data where required by law, carrier policy, regulatory requirements, or fraud prevention

9. TELECOM, MESSAGING & INDUSTRY COMPLIANCE

Client assumes all responsibility for:

  • TCPA, CTIA, A2P 10DLC compliance
  • Email anti-spam compliance (CAN-SPAM, CASL)
  • Consent and opt-in recordkeeping
  • Lawful selection of contacts
  • Message content, segmentation, and automations

Growthifi does not guarantee message delivery and is not responsible for carrier blocking, filtering, or audits.

10. LIABILITY

Liability under this Addendum is subject to the Limitation of Liability in the Agreement.

Client will indemnify Growthifi for:

  • Violations of law
  • Consent failures
  • Data misuse
  • Carrier fines
  • Opt-in/opt-out violations
  • Claims arising from Client Data

11. RELATIONSHIP TO THE AGREEMENT

Except as amended by this Addendum:

  • The Agreement remains in full force.
  • In case of conflict, this Addendum controls with respect to data protection obligations.
  • No third-party beneficiaries are created by this Addendum.

12. GOVERNING LAW

This Addendum is governed by the same jurisdiction as the Agreement (Commonwealth of Pennsylvania), unless superseded by mandatory Data Protection Laws.

13. ANNUAL REVISION

Growthifi may revise this Addendum annually or more frequently as required by law or system updates.

14. LEGAL EFFECT

This Addendum becomes binding upon Client’s use of the Services and requires no separate signature.

Growthifi unifies your CRM, automations, & multi-channel messaging with an AI intelligence layer — creating a high-performance engine built on 10+ years of mobile marketing expertise.

Solutions

All-in-one Growth Platform

Sales Enablement Services

Advertising Services

API Suite

© 2026 Growthifi - All Rights Reserved.