GDPR (General Data Protection Regulation)

A quick overview of GDPR and the ways in which Growee is complying.

The General Data Protection Regulation (GDPR) provides consistent standards across the EU to protect the rights of its citizens for how their personal data is being used. It went into effect on May 25, 2018 and applies to all companies that uses personal data from EU citizens.

We fully support the GDPR and think it’s a good thing to treat customers and their data with care and respect. Our mission is to help companies like yours manage their time off more efficiently and that requires a fair and secure use of personal data that was given with full consent and transparency.

An overview of GDPR

GDPR replaced the existing EU privacy directive 95/46/EC, which was in place for over 20 years. The GDPR strengthens and expands the privacy rights of individuals and impacts any company that processes the personal data of EU citizens.

For example, if you have employees based in the EU then the GDPR applies to you.

The Data Protection Principles set forth in the GDPR include requirements such as:

  • Personal data collected must be processed in a fair, legal, and transparent way and should only be used in a way that a person would reasonably expect.
  • Personal data should only be collected to fulfil a specific purpose and it should only be used for that purpose. Organizations must specify why they need personal data when they collect it.
  • Personal data should be held no longer than necessary to fulfil its purpose.
  • People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and that their data be updated, deleted, restricted, or moved to another organization.

We’d encourage you to consult with your legal counsel for the most complete understanding of the GDPR.

Your rights under the GDPR

Under the GDPR you have a number of rights. Here we have described how Growee satisfies those rights.

Right to be informed

This document, alongside our Terms give you complete visibility of how we use your personal data in Growee.

Right of access and data portability

Please gen in contact if you would like to receive a report of the data we hold on you.

Right of rectification

Growee allows both company owner users and the employees to update inaccurate or incomplete personal data. Individuals can manage their own personal data via their own profile page.

Right to be forgotten

We make it easy for you to delete your account which removes all personal data from our database. In order to fully delete your account, please reach out to us and we will delete all the data associated with your account from our admin tools. This action is non-recoverable. 

Right to restrict processing

As a user of Growee, you have control over how your data is used.

  • Sensitive data such as phone numbers, salary and contract related information is encrypted end to end by us and is optional to use at the moment, meaning that you can save it optionally for each employee in case you want to benefit from a centralized source of information about your company employees.
  • If you wish not to receive emails from us, you can turn them off by unsubscribing to our default newsletter

Growee uses role based permissions to ensure that all users can only perform the actions they need to perform and to restrict the amount of data that each individual has access to. For example the Employee role cannot approve, reject holidays or see other member documents.

Right to object

If you would like to object to how your personal data is being used, please get in contact with us at

Rights of automated decision making and profiling

Growee does not perform any automated decision making or profiling of our users.

Security and Data Management

We take considerable efforts to protect your data and have outlined our security practices in a separate article. As specified in Terms & Conditions all the data is encrypted upon transport and sensitive data is encrypted end to end so only users with the right role can decrypt it and have access to it.


Under the GDPR, a sub-processor is any business that may process your data as a side effect of using the Leave Dates service. 

Here is our list of our current sub-processors:

  • Amazon is used for cloud hosting
  • Stripe is used for payment processing
  • Flare is used for error tracking
  • Sengrid is used for email distribution

 If you have any questions or concerns regarding GDPR and Growee, please get in contact at