Privacy policy
Last updated: 2026-05-16
Summary
GrowthFriction is operated by Paulo de Vries (sole proprietor, Netherlands). We collect the minimum data needed to provide the audit service, never sell personal data, and comply with GDPR (EU/UK) and CCPA (California).
What we collect
- Site URLs you audit: stored to provide the audit + show history (Pro tier). Not associated with personal identifiers unless you create an account.
- Email (optional): only if you sign up for an account. Used for login, billing, and weekly regression alerts (opt-out anytime).
- Usage analytics: aggregated, anonymized signals via Plausible (cookieless, no cross-site tracking), Cloudflare Web Analytics (cookieless RUM for Core Web Vitals), Google Analytics 4 (Consent Mode v2 with default DENY for ad-storage + analytics-storage until you accept the cookie banner; IP anonymization on), and Microsoft Clarity (session recordings with automatic PII masking — passwords, payment fields, sensitive form data never captured). Each linked policy: Plausible · Cloudflare · Google · Microsoft Clarity.
- Payment data (Pro tier): processed by Stripe; we never see your card number. See Stripe's privacy policy.
What we do NOT collect
- Browsing data outside GrowthFriction.com
- Social-media profile data
- IP addresses beyond temporary security/rate-limit logs (auto-purged after 7 days)
- Personal data of visitors to sites you audit (we only access the URLs you submit)
Third-party services
The third-party services we use, each with their own privacy policy:
- Cloudflare: DNS, CDN, registrar. See Cloudflare privacy.
- Plausible: privacy-first analytics.
- Cloudflare Web Analytics: cookieless real-user monitoring for Core Web Vitals.
- Google Analytics 4 + Google Search Console: aggregated visitor analytics + organic-search query data. Consent Mode v2 default DENY until cookie acceptance; IP anonymization enabled.
- Microsoft Clarity: session recordings + heatmaps with automatic PII masking. Passwords, payment fields, and sensitive form data are never captured.
- Stripe: payment processing (Pro tier only).
AdSense / advertising
GrowthFriction currently does NOT run third-party advertising. If we add Google AdSense in the future, this section will be updated to disclose Google's use of cookies/identifiers for personalized ads, with a link to How Google uses data from partner sites.
Cookies
GrowthFriction uses essential cookies only (session, auth, CSRF). No tracking cookies. No third-party advertising cookies. EU/UK visitors see a cookie banner in compliance with the ePrivacy Directive.
Your rights (GDPR + CCPA)
- Right to access your data (email [email protected])
- Right to deletion (we'll remove all stored audits + account within 30 days)
- Right to portability (we export your audit history as JSON on request)
- Right to object to processing
- Right to withdraw consent (cookie banner allows reversal anytime)
To exercise any of these rights, email [email protected]. We respond within 30 days.
Data retention
- Free-tier audits: stored for 90 days, then auto-deleted
- Pro-tier audit history: stored for active subscription + 90 days post-cancellation
- Account data: deleted within 30 days of account-deletion request
- Billing records: retained for 7 years per tax law (Netherlands)
Children
GrowthFriction is not intended for users under 13 (COPPA) or under 16 in the EU (GDPR child data). We do not knowingly collect data from minors.
Changes to this policy
We'll notify Pro-tier subscribers via email + post a prominent notice on this page for any material changes. Continued use after changes constitutes acceptance.
Contact
Privacy questions or requests: [email protected]