Privacy Policy

Name: Epic Growth
Address: MT
Price range: €€€

Last updated: March 2026

1. Data Controller

Epic Growth Company Limited ("we", "our", "us"), a company registered in Malta, is the data controller responsible for your personal data collected through epicgrowth.com.

For privacy-related enquiries, please use our contact form and select "AI Governance / Data Rights".

2. Data We Collect

Information you provide: name, email address, company name, and message content submitted via our contact form or login page.

Analytics data (with consent): We use Google Analytics 4 (GA4) to understand how visitors interact with our site. GA4 sets cookies including _ga and _gid to distinguish unique users and sessions. These cookies are only set after you provide consent via our cookie banner. If you decline, no analytics cookies are placed.

Essential cookies: If you log in to our dashboard, we set an epic-session httpOnly cookie for authentication. This is strictly necessary and does not require consent.

3. Legal Basis for Processing

We process your personal data under the following legal bases:

Consent — for analytics cookies (GDPR Art. 6(1)(a))
Legitimate interest — to respond to contact form enquiries and improve our services (GDPR Art. 6(1)(f))
Contract performance — to provide dashboard access and services you have requested (GDPR Art. 6(1)(b))

4. How We Use Your Data

We use your data to respond to enquiries, deliver services you have requested, improve our website experience, and comply with legal obligations. We never sell your personal data to third parties.

4a. AI Agents & Data Processing

Our dashboard provides AI-powered funding journey agents (Discovery, Coordination, Preparation, Tracking, Compliance) that help businesses identify and apply for grants. When you use these agents:

Company profile data (name, sector, employee count, turnover, location, project details) is provided voluntarily. For signed-in users, this data is stored in our PostgreSQL database (GCP, EU) with a local storage working copy. For guest users, it remains in browser local storage only. Profile data is sent to our AI provider only during active chat sessions to generate relevant responses.
Chat interactions are processed in real-time via our AI provider. Full conversation content is not stored on our servers.
Audit metadata — we log minimal event data (agent name, event type, timestamp, and a truncated summary of your query) to a server-side audit log. This is required by our AI Constitution for transparency and auditability, and is retained for 12 months.

The legal basis for audit logging is legitimate interest (GDPR Art. 6(1)(f)) — specifically, regulatory compliance with the EU AI Act's transparency and auditability requirements.

For full details on how our agents are governed, see our AI Governance page.

5. Sub-processors & Third Parties

We share personal data with the following service providers:

Anthropic (Anthropic PBC, US) — AI language model provider powering our funding journey agents. User queries and company profile context are sent during active chat sessions. Anthropic does not use this data for model training.
Google Analytics (Google LLC, US) — website analytics, only with your consent
Google Cloud Platform (Google LLC, EU) — application hosting, PostgreSQL database, and AI agent audit logs. All server-side data is stored exclusively in the EU (Belgium).
Gmail API (Google LLC) — sending transactional emails (magic links, contact form responses)

6. International Data Transfers

All server-side data (database, audit logs, application hosting) is stored in the EU via Google Cloud Platform (region Belgium). Your data does not leave the EU for storage purposes.

Some sub-processors receive data via API calls during active sessions: Anthropic (US) for AI agent responses, Google Analytics (US) for website analytics (with consent only), and Gmail API for transactional emails. These transfers are governed by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) to ensure an adequate level of data protection.

7. Data Retention

Contact form submissions are retained for up to 24 months unless you request earlier deletion. Authentication tokens expire after 7 days. Analytics data is retained in Google Analytics for 14 months (the default GA4 retention period). AI agent audit logs are retained for 12 months as required by our AI Constitution, then permanently deleted.

For signed-in users, company profile and workspace data is stored in our database and can be deleted from the dashboard. A local storage working copy persists until cleared. For guest users, all data remains in browser local storage only and persists until you clear it manually or clear your browser data.

8. Your Rights

Under GDPR, you have the right to:

Access the personal data we hold about you
Rectify inaccurate data
Request erasure of your data
Restrict or object to processing
Data portability — receive your data in a structured, machine-readable format
Withdraw consent at any time (e.g. via the Cookie Settings link in our footer)

To exercise these rights, use our contact form and select "AI Governance / Data Rights". We will respond within 30 days.

9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the Information and Data Protection Commissioner (IDPC), Malta's supervisory authority under GDPR.

10. Contact

For privacy-related questions, please use our contact form and select "AI Governance / Data Rights". For details on how our AI agents are governed, see our AI Governance page.