Last Updated: 13 June 2026
1.1 This Privacy Policy explains how Faithful Foundations Limited, company number 15721077, registered office Unit 26 Silicon Business Centre, 28 Wadsworth Road, Perivale, UB6 7JZ, London, UK, trading as Grow by Systems (Grow by Systems, we, us or our), collects, uses, shares, stores, and protects personal data in connection with our website at www.growbysystems.com, our CRM, our software, our platform, and our CRM access, onboarding, setup, marketing, consulting, retainer, commission-based, and business growth services.
1.2 This Privacy Policy is intended to meet transparency requirements under the UK GDPR, Data Protection Act 2018, EU GDPR-style requirements where applicable, PECR and similar electronic marketing and cookie rules where applicable, and general international privacy expectations for business-facing services.
1.3 This Privacy Policy does not replace any privacy notice that our Customers are required to provide to their own contacts, leads, prospects, customers, employees, contractors, or end users.
2.1 The organisation responsible for this Privacy Policy is Faithful Foundations Limited, trading as Grow by Systems.
2.2 Our details are:
· Legal business name: Faithful Foundations Limited
· Trading name / brand: Grow by Systems
· Company number: 15721077
· Registered office: Unit 26 Silicon Business Centre, 28 Wadsworth Road, Perivale, UB6 7JZ, London, UK
· Website: www.growbysystems.com
· Contact email: [email protected]
· Data protection contact: [email protected]
3.1 This Privacy Policy explains how Grow by Systems collects, uses, shares, stores, and protects personal data in connection with our website, business enquiries, CRM access, setup, onboarding, consulting, marketing, business growth services, retainers, commission-based services, and related activities.
3.2 This Privacy Policy generally applies to personal data that Grow by Systems processes as controller, including website visitors, business customers, prospects, account users, representatives, suppliers, professional contacts, and individuals who communicate with us directly.
3.3 For personal data that Customers upload into the CRM about their contacts, leads, prospects, end customers, employees, contractors, or other data subjects, the Customer’s own privacy notice will usually apply. In that context, Grow by Systems will usually process the data as processor or service provider on behalf of the Customer under Schedule 1 — Data Processing Terms.
3.4 This Privacy Policy should be read together with our Terms and Conditions, Schedule 1 — Data Processing Terms, and any applicable Order or proposal.
4.1 Business customer data means personal data relating to our Customers, prospective Customers, account users, administrators, billing contacts, decision-makers, and representatives. We usually process this data as controller for business administration, contracting, billing, support, marketing, analytics, service improvement, security, and legal compliance.
4.2 End-customer/contact data means personal data that a Customer uploads, imports, syncs, collects, generates, or processes through the CRM about contacts, leads, prospects, customers, end users, subscribers, patients, clients, donors, employees, contractors, or other individuals. We usually process this data as processor on the Customer’s behalf.
4.3 The Customer is responsible for its own privacy notices, consent mechanisms, lawful basis, marketing permissions, suppression handling, unsubscribe handling, cookie/tracking disclosures, and responses to privacy rights requests for end-customer/contact data.
4.4 Individuals whose data is held by one of our Customers should usually contact that Customer first regarding privacy rights, marketing opt-outs, or campaign complaints. We may refer such requests to the relevant Customer where permitted by law.
5.1 Grow by Systems may act as controller for our own business administration, sales, marketing, website, billing, account management, support, analytics, service improvement, security, legal compliance, supplier management, and record-keeping activities.
5.2 Grow by Systems may act as processor where we process Customer Personal Data on behalf of the Customer through the CRM, setup, onboarding, campaign configuration, marketing, consulting, retainer, commission-based, or business growth services.
5.3 The Customer will usually act as controller for personal data relating to its own contacts, leads, prospects, customers, end users, employees, contractors, and CRM users, and is responsible for ensuring that its instructions to us are lawful.
5.4 In some circumstances, a party’s role may differ depending on the service, data flow, jurisdiction, or legal context. The parties should confirm role allocation in the relevant Order, Schedule 1 — Data Processing Terms, or separate agreement where necessary.
6.1 We may collect personal data directly from business customers, prospective customers, users, account administrators, business owners, directors, employees, contractors, suppliers, and other business contacts, including:
· name, business name, role, job title, business address, billing address, email address, telephone number, messaging handle, and contact preferences;
· account login details, user IDs, permissions, authentication details, and security information;
· business information, industry, website, service requirements, package selections, proposals, Orders, statements of work, onboarding information, and customer support communications;
· billing information, invoice details, payment status, payment method identifiers, transaction references, bank transfer details, payment provider references, and tax information;
· call, meeting, email, message, form, support, and feedback records;
· usage data, device data, log data, IP address, browser type, approximate location, platform events, diagnostics, security records, and analytics data;
· marketing preferences, opt-ins, opt-outs, consent records, and communication engagement data; and
· information provided for commission tracking, reporting, dispute resolution, contract performance, legal compliance, or business administration.
7.1 Customers may upload or generate personal data in the CRM and related Services. This may include:
· contacts, leads, prospects, customers, end users, booking contacts, form submitters, subscribers, reviewers, and related records;
· names, business names, job titles, email addresses, telephone numbers, addresses, social media handles, communication preferences, and identifiers;
· CRM notes, tags, pipelines, opportunities, appointment records, calendar data, form submissions, funnel and website activity, booking records, and customer journey data;
· SMS, email, voicemail, AI chat, call, review request, and marketing campaign data;
· consent, opt-in, unsubscribe, suppression, and marketing preference records where the Customer uses the CRM to store them;
· transaction and payment-related data inside the CRM, such as transaction references, payment status, order details, invoice status, purchase information, product or service details, and related reporting fields;
· financial tracking, commission tracking, attribution, performance reporting, campaign analytics, and usage data; and
· any other personal data the Customer chooses to upload, connect, generate, or instruct us to process through the Services.
7.2 Customers must not upload special category data, criminal offence data, highly sensitive data, children’s data, or regulated data unless expressly approved by us in writing and unless appropriate legal bases, safeguards, notices, consents, and contractual terms are in place.
8.1 For CRM access-only services, we may process account data, business user data, CRM Data, Customer-uploaded contacts, leads, prospects, customer records, communications, funnel data, website/form data, calendar data, pipeline data, payment-related data, reporting data, usage data, support data, analytics data, and security logs.
8.2 We process this data to provide access to the CRM, maintain accounts, enable features, support users, process billing, apply usage limits, monitor security, manage support, improve the Services, comply with law, enforce our Terms, and administer our business.
9.1 Where we provide setup, onboarding, consulting, marketing, retainer, commission-based, or business growth services, we may process additional personal data and CRM Data necessary to provide those Services, including campaign data, customer records, business contacts, marketing lists, funnel data, advertising information, CRM configuration data, automation data, reporting data, performance data, and communications with the Customer and its team.
9.2 We may use this data to configure the CRM, build funnels, create automations, manage campaigns, provide consulting, prepare reports, support business growth services, calculate commissions, monitor performance, troubleshoot issues, and deliver agreed Services.
10.1 Financial or transaction-related data may be processed inside the CRM or through Customer transactions for tracking, reporting, billing, payment status, sales pipeline management, commission calculations, attribution, and agreed service purposes.
10.2 Grow by Systems does not access Customer financial data outside the CRM unless specifically provided by the Customer, required for agreed Services, required for commission tracking, required for payment administration, required to resolve a dispute, or required by law.
10.3 Payment card processing is generally handled by payment providers. We do not intend to store full card numbers unless expressly stated and technically necessary through an approved payment provider arrangement.
11.1 For commission-based or hybrid services, we may process CRM Data, transaction-related data, sales data, attribution data, lead source data, campaign data, reporting data, and communications needed to calculate, verify, audit, dispute, evidence, invoice, and administer commissions.
11.2 Commission-related data may be retained for longer than ordinary account data where necessary for legal, accounting, tax, audit, contractual, dispute, fraud prevention, or commission verification purposes.
12.1 We may use payment providers, banks, direct debit providers, and other payment providers added in future to process payments, verify payment status, issue invoices, manage subscriptions, handle refunds, process chargebacks, prevent fraud, and maintain accounting records.
12.2 Payment providers and banks process personal data in accordance with their own terms and privacy notices. They may act as independent controllers for some activities, such as fraud prevention, regulatory compliance, transaction processing, and payment account administration.
13.1 Our website, CRM, and related Services may use cookies, pixels, tags, scripts, SDKs, local storage, device identifiers, server-side tracking, CRM/platform tracking, analytics tools, Meta Pixel, advertising tools, attribution tools, security tools, and similar technologies.
13.2 These technologies may be used for functionality, security, authentication, fraud prevention, analytics, advertising, attribution, reporting, user preferences, service improvement, performance monitoring, campaign tracking, and measuring the effectiveness of our website and marketing.
13.3 The tools used may change over time. We may add, remove, replace, or change tracking technologies and providers, subject to applicable cookie, privacy, consent, and transparency requirements.
13.4 We will provide information about the main categories of cookies, pixels, analytics tools, advertising tools, CRM/platform tracking technologies, and similar technologies we use through this Privacy Policy, our cookie banner, cookie preference centre, cookie table, or other appropriate notice.
14.1 We may use personal data to:
· provide, operate, maintain, secure, and improve the website, CRM, platform, and Services;
· create and manage accounts, subscriptions, trials, Orders, proposals, invoices, payments, renewals, support requests, and service communications;
· deliver CRM access, onboarding, setup, automation, funnel, marketing, consulting, retainer, commission-based, and business growth services;
· configure, send, monitor, report on, or support campaigns where instructed by the Customer;
· track financial or transaction-related data inside the CRM for reporting, billing, commission, attribution, or service purposes where relevant;
· calculate, verify, audit, dispute, evidence, invoice, and report commissions or performance-based fees where applicable;
· manage Suppression Records, unsubscribes, opt-outs, complaints, bounce records, blocked contacts, and do-not-contact records;
· use cookies, analytics, pixels, attribution, and tracking technologies as described in this Privacy Policy;
· monitor usage, diagnose issues, maintain security, prevent fraud, enforce Terms, investigate misuse, and comply with provider requirements;
· generate, analyse, and use Usage Data, aggregated data, anonymised data, de-identified data, diagnostics, and analytics for security, reporting, service improvement, benchmarking, and business purposes;
· send service, administrative, legal, security, billing, and operational communications;
· send marketing communications to business contacts where permitted by law;
· comply with legal, regulatory, tax, accounting, security, sanctions, export-control, provider, and contractual obligations; and
· establish, exercise, defend, resolve, or evidence legal, contractual, payment, compliance, customer, provider, or commission-related claims and disputes.
15.1 Where we act as controller, we rely on one or more lawful bases under UK GDPR depending on the processing activity. These may include:
· Contractual necessity: creating and administering accounts; providing Services; processing Orders; communicating about Services; billing and payment administration; customer support; managing subscriptions and cancellation.
· Legitimate interests: business-to-business communications; service improvement; analytics; security; fraud prevention; managing overdue accounts; enforcing terms and payment obligations; managing supplier and provider relationships; commission verification; keeping business records; marketing to business contacts where lawful and appropriate.
· Consent: certain marketing communications, cookies, pixels, tracking technologies, or optional features where consent is required. Consent may be withdrawn where applicable.
· Legal obligation: tax, accounting, company law, data protection, regulatory, sanctions, fraud prevention, law enforcement, court, and compliance obligations.
· Vital interests: rarely, where processing is necessary to protect someone’s life or physical safety.
· Public task: unlikely to apply to our ordinary business activities unless specifically confirmed by legal advice.
15.2 Where we act as processor, the Customer is responsible for identifying and documenting the lawful basis for its processing and for issuing lawful instructions to us.
16.1 Where we rely on legitimate interests, we consider whether our interests are overridden by the rights and freedoms of the individuals concerned. Our legitimate interests may include operating a B2B SaaS and services business, providing and improving the Services, communicating with business contacts, securing our platform, preventing misuse, maintaining business records, managing unpaid invoices, enforcing contracts and payment obligations, managing commissions, and protecting legal rights.
16.2 Individuals may object to processing based on legitimate interests in certain circumstances, including direct marketing. We will consider objections in accordance with applicable law.
17.1 We rely on contractual necessity where processing is necessary to enter into or perform a contract with a Customer or an individual acting in a business capacity, including account creation, subscription administration, service delivery, support, billing, cancellation, and contractual communications.
17.2 If required information is not provided, we may be unable to provide the relevant Services.
18.1 We rely on consent where required, including for certain electronic marketing communications and certain cookies, pixels, or tracking technologies. Where we rely on consent, you may withdraw consent at any time using the method provided or by contacting us.
18.2 Withdrawal of consent does not affect processing carried out before withdrawal, processing based on another lawful basis, or processing required for legal, contractual, security, accounting, tax, dispute, or compliance reasons.
19.1 We may process personal data where necessary to comply with legal obligations, including tax, accounting, company law, data protection law, PECR, regulatory requests, court orders, sanctions screening, fraud prevention obligations, and record-keeping obligations.
20.1 We use third-party technology providers, infrastructure providers, hosting providers, communications providers, email providers, SMS/telephony providers, voicemail providers, AI providers, analytics providers, advertising/pixel providers, payment providers, banks, support providers, security providers, professional advisers, and other suppliers to provide and improve the Services.
20.2 Where we act as processor for Customer Personal Data, third-party providers that process that data on our behalf may be subprocessors under Schedule 1 — Data Processing Terms.
20.3 Third-party providers may process personal data in the UK, EEA, United States, or other countries. International transfers will be addressed using appropriate safeguards where required by applicable data protection law.
20.4 We may add, remove, replace, or change providers over time, subject to applicable privacy, data protection, transparency, and contractual requirements. Where legally required, we will update disclosures or provide notice of material subprocessor changes.
21.1 We are based in the United Kingdom and serve Customers worldwide. Personal data may be transferred to, accessed from, or processed in countries outside the UK, including where we or our providers use international infrastructure, support teams, payment providers, analytics tools, communications providers, AI providers, or integrations.
21.2 Where required by applicable data protection law, international transfers will be protected using appropriate safeguards, which may include UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, EU Standard Contractual Clauses, transfer risk assessments, contractual commitments, technical and organisational measures, or another lawful transfer mechanism.
21.3 Customers using the Services internationally are responsible for ensuring that their own use of the Services, campaigns, contact lists, transfers, and instructions comply with laws applicable to them and their contacts.
22.1 We may share personal data with:
· our employees, contractors, consultants, and authorised personnel who need access for the purposes described in this Privacy Policy;
· third-party technology providers, infrastructure providers, communications providers, AI providers, analytics providers, payment providers, banks, and integrations used to provide or support the Services;
· professional advisers, insurers, auditors, accountants, tax advisers, lawyers, and compliance consultants;
· regulators, law enforcement, courts, government authorities, and other parties where required by law or necessary to protect rights, safety, security, or legal interests;
· prospective buyers, investors, funders, advisers, or counterparties in connection with a business sale, merger, restructuring, financing, asset transfer, or similar transaction, subject to appropriate confidentiality protections; and
· Customers and their authorised users in relation to CRM Data and account data associated with that Customer.
22.2 We do not sell personal data in the ordinary meaning of selling personal data for money. Certain advertising, analytics, or tracking activities may be treated as “sharing”, “targeted advertising”, or similar concepts under some privacy laws, depending on the applicable law and configuration. Where such laws apply, we will provide any legally required opt-out or preference mechanism.
23.1 We retain personal data only for as long as reasonably necessary for the purposes described in this Privacy Policy, the Terms, Schedule 1 — Data Processing Terms, the applicable Order, and our legal, accounting, tax, security, contractual, operational, provider, sanctions, fraud prevention, and dispute-resolution requirements.
23.2 Customer data may be retained for up to 6 months after cancellation in case the Customer returns.
23.3 Data may be deleted earlier upon written request, unless retention is required or reasonably necessary for legal, accounting, tax, fraud prevention, dispute resolution, contractual, backup, security, audit, regulatory, provider, sanctions, export-control, suppression, or commission-based purposes.
23.4 Suppression Records, unsubscribe records, blocked-recipient records, do-not-contact records, complaint records, consent evidence, and related compliance records may be retained for as long as necessary to honour opt-outs, evidence consent, prevent unlawful re-contact, comply with law, comply with provider rules, protect deliverability, and manage complaints.
23.5 For commission-based services, relevant data may be retained for longer where necessary to calculate, verify, audit, dispute, or evidence commissions.
23.6 Backup copies may remain for a limited period in protected backup systems and will be deleted or overwritten in accordance with backup cycles, unless retention is required for legal, security, dispute, compliance, provider, suppression, or commission-related purposes.
23.7 We may provide further information about specific retention periods in our Terms, customer notices, proposals, account settings, cookie notices, or other relevant documentation where appropriate.
24.1 We use reasonable technical and organisational measures designed to protect personal data against unauthorised access, loss, misuse, alteration, disclosure, or destruction. These measures may include appropriate access controls, confidentiality controls, account security controls, provider-management controls, and other technical and organisational safeguards suitable for the nature of the Services.
24.2 No system, platform, transmission, or storage method is completely secure. Customers are responsible for configuring their accounts securely, controlling user access, protecting credentials, using available security features, and ensuring their own devices, networks, users, and connected accounts are secure.
25.1 Customers are responsible for personal data they upload to the CRM or instruct us to process. This includes ensuring that contacts, leads, prospects, customers, and end users receive legally compliant privacy notices and that the Customer has a valid lawful basis for each processing activity.
25.2 Customers are responsible for marketing consent, opt-ins, unsubscribe handling, suppression lists, do-not-contact requests, data accuracy, data minimisation, retention, and compliance with UK, EU, US, California, and other local laws where applicable to their own campaigns and recipients.
25.3 If we receive a request or complaint from an individual relating to Customer-controlled CRM Data, we may refer the request to the relevant Customer unless legally required to respond directly.
26.1 We may send marketing communications to business contacts where permitted by law, including where we have consent, where there is an existing business relationship, or where we rely on legitimate interests for business-to-business marketing, subject to applicable opt-out rights.
26.2 You can opt out of our marketing communications at any time using the unsubscribe link, by replying to the message where appropriate, or by contacting [email protected]. We may still send service, transactional, security, billing, legal, and account-related messages.
26.3 Customers using the Services to send marketing communications are responsible for complying with PECR, UK GDPR, EU GDPR-style requirements, CAN-SPAM, TCPA, state privacy laws, and other laws that apply to their recipients and campaigns.
27.1 Cookies and similar technologies may be used on our website, CRM, and related Services for functionality, security, authentication, analytics, advertising, attribution, reporting, service improvement, preference management, fraud prevention, and campaign measurement.
27.2 Categories may include strictly necessary technologies, functional technologies, analytics technologies, advertising and attribution technologies, security technologies, service improvement technologies, and CRM/platform tracking technologies.
27.3 Non-essential cookies and similar technologies will be managed in accordance with applicable law, which may require consent or, in limited cases where legally available, a clear and simple means of objecting. You may be able to manage preferences through our cookie consent tool, browser settings, device settings, or platform controls.
27.4 We may add, remove, replace, or change cookies, pixels, analytics tools, advertising technologies, CRM/platform tracking technologies, and similar technologies over time. Where required, we will update this Privacy Policy, cookie notices, cookie tables, consent banners, or preference tools.
27.5 Blocking or disabling certain cookies or technologies may affect website, CRM, analytics, advertising, attribution, reporting, security, or platform functionality.
27.6 Where required, we will provide further information about cookies and similar technologies through our cookie banner, cookie preference centre, cookie table, or other appropriate notice.
28.1 Depending on the applicable law and our role, individuals may have rights to:
· access personal data;
· request correction of inaccurate or incomplete personal data;
· request deletion of personal data;
· request restriction of processing;
· object to processing, including direct marketing and certain processing based on legitimate interests;
· request data portability where applicable;
· withdraw consent where processing is based on consent; and
· complain to a supervisory authority.
28.2 To exercise rights in relation to personal data for which Grow by Systems is controller, contact [email protected]. We may need to verify identity and request further information before responding.
28.3 To exercise rights in relation to data controlled by one of our Customers, individuals should contact that Customer directly. If we receive such a request, we may forward it to the Customer or provide reasonable assistance in accordance with Schedule 1 — Data Processing Terms in our Terms and Conditions.
28.4 Rights are subject to legal limitations and exceptions. We may retain or continue processing data where permitted or required by law, including for legal, accounting, tax, fraud prevention, security, dispute, contractual, or commission-related purposes.
29.1 We are a UK-based B2B provider. We do not state that we are subject to any particular US state privacy law unless and until this is legally confirmed. However, where a US state privacy law applies to our processing, individuals may have rights such as the right to know, access, correct, delete, obtain a copy of personal data, opt out of certain processing, opt out of sale or sharing, opt out of targeted advertising, limit use of sensitive personal information, or appeal a decision.
29.2 We do not knowingly sell personal data for money. Some analytics, advertising, pixel, attribution, or tracking activities that we undertake as controller may be considered “sale”, “sharing”, “targeted advertising”, or “cross-context behavioural advertising” under certain US state laws depending on the technology used and the applicable law. Where such laws apply, we will provide any required “Do Not Sell or Share” or equivalent opt-out mechanism.
29.3 We do not intend to sell or share Customer Personal Data that we process as processor or service provider on behalf of Customers. Where applicable, we will provide or support any required opt-out rights in relation to sale, sharing, targeted advertising, or cross-context behavioural advertising.
29.4 We do not knowingly sell or share personal data of individuals under 16. Our Services are not directed at children.
29.5 Requests may be sent to [email protected]. We may need to verify the request and may respond in accordance with the law that applies to the particular request.
30.1 Our Services are intended for businesses and self-employed business owners only and are not directed at children. We do not knowingly collect personal data from children through our website or Services.
30.2 Customers must not upload children’s data to the CRM or use the Services to target children unless expressly approved by us in writing and unless all required legal safeguards, consents, notices, and contractual arrangements are in place.
31.1 The Services may include automation and AI chat features that assist with communication, workflow, routing, reporting, content generation, customer engagement, and service improvement. These features may be provided by third-party AI providers.
31.2 We do not intend to make solely automated decisions about individuals that produce legal or similarly significant effects through our own controller processing unless specifically disclosed.
31.3 AI outputs may be inaccurate, incomplete, biased, unsuitable, non-compliant, or unexpected. Customers are responsible for their own use of automation and AI tools, including ensuring transparency, human oversight, fairness, accuracy, lawful basis, appropriate prompts, compliance review, and any applicable sector-specific requirements.
31.4 Customers must not use AI features for unlawful, harmful, deceptive, discriminatory, regulated, high-risk, medical, legal, financial, eligibility, employment, housing, credit, insurance, or similarly significant decision-making purposes unless expressly approved in writing and unless all required legal safeguards are in place.
32.1 We maintain processes to identify, assess, and respond to security incidents and personal data breaches. Where legally required, we will notify affected Customers, regulators, or individuals in accordance with applicable law.
32.2 Where we act as processor and become aware of a personal data breach affecting Customer Personal Data, we will notify the Customer without undue delay in accordance with Schedule 1 — Data Processing Terms. The Customer is responsible for assessing and making any controller notifications to regulators or affected individuals unless the law requires otherwise.
33.1 Our website, CRM, communications, or Services may contain links to third-party websites, platforms, payment providers, integrations, or services. Those third parties are responsible for their own privacy practices. You should review their privacy notices and terms before using them.
34.1 We may update this Privacy Policy from time to time to reflect changes in law, regulation, guidance, Services, technology, providers, cookies, tracking tools, data practices, or business operations.
34.2 The updated version will be posted on our website with a revised “Last updated” date. Where required by law or where changes are material, we may provide additional notice.
35.1 If you have questions about this Privacy Policy or wish to exercise privacy rights, contact us at [email protected] or write to Faithful Foundations Limited, Unit 26 Silicon Business Centre, 28 Wadsworth Road, Perivale, UB6 7JZ, London, UK.
35.2 Individuals in the UK have the right to complain to the Information Commissioner’s Office. The ICO can be contacted through its website at ico.org.uk.