GrowSmarter — Startup Validation & Founder Operating System

Effective date: 22 March 2026

GrowSmarter is committed to protecting your privacy and handling personal information responsibly. This Privacy Policy explains how we collect, use, store, and disclose personal information in compliance with the Privacy Act 2020 (New Zealand) and its thirteen Information Privacy Principles. Please read this policy carefully. By using our website or engaging our services, you acknowledge that you have read and understood it.

1. ABOUT US AND OUR PRIVACY OFFICER

This Privacy Policy is issued by:

Grant Ian Jennings trading as GrowSmarter

Email: grant.jennings@growsmarter.net

Website: growsmarter.net

Grant Ian Jennings is the Privacy Officer for GrowSmarter and is responsible for overseeing compliance with the Privacy Act 2020. All privacy enquiries and requests should be directed to hello@growsmarter.net, clearly marked "Privacy".

2. PERSONAL INFORMATION WE COLLECT

We may collect the following categories of personal information:

2.1 Contact information: your name, email address, phone number, and business or trading name.

2.2 Engagement and application information: information about your startup, its stage of development, business model, goals, challenges, funding status, and team, provided through website forms or in the course of a consulting engagement.

2.3 Payment information: billing and transaction information processed through Stripe. We do not store full payment card details on our own systems; this information is held securely by Stripe under PCI-DSS Level 1 certification. Bank account details provided for direct transfer payments are retained only as necessary for accounting purposes.

2.4 Communications: records of emails, form submissions, messages, and other correspondence between us, including the content of those communications.

2.5 Website usage data: information collected automatically when you visit our website, including your IP address, browser type and version, device type, pages visited, time spent on pages, and referring URLs, collected through cookies and analytics tools.

2.6 Professional and business information: information about your investors, cap table, business metrics, customer base, and commercial operations shared during the course of a consulting engagement.

3. HOW WE COLLECT PERSONAL INFORMATION

We collect personal information:

• Directly from you, when you complete a form on our website (including the apply form, Founder Diagnostic, or guide download forms), contact us by email, or enter into a Statement of Work.

• In the course of providing consulting services, including through working sessions, shared documents, and email and meeting communications.

• Automatically, through our website's analytics tools and cookies when you visit the Website. See section 11 for further information about cookies.

• Through Stripe, when you make a payment for a Digital Product or deposit payment for Services.

• Through MailerLite, if you subscribe to our newsletter or marketing communications.

We collect only the personal information reasonably necessary for the purposes described in this policy (Information Privacy Principle 1). Where practicable, we collect information directly from you (Information Privacy Principle 2).

4. HOW WE USE YOUR PERSONAL INFORMATION

We use personal information for the following purposes (Information Privacy Principle 10):

4.1 Delivering Services and Digital Products: to provide consulting services under a Statement of Work, to deliver Digital Products purchased through the Website, and to fulfil our contractual obligations to you.

4.2 Communication: to respond to enquiries, provide updates on your engagement, send invoices, and communicate about your account and our services.

4.3 Payment processing: to process payments for Digital Products and Services, to issue invoices, and to maintain financial records as required by law.

4.4 Marketing: to send newsletters, resources, and promotional communications about GrowSmarter products and services. We will only send marketing communications with your consent, and you may withdraw consent and unsubscribe at any time by clicking the unsubscribe link in any email or contacting us at grant.jennings@growsmarter.net.

4.5 Improving our website and services: to understand how our website is used, to identify areas for improvement, to develop new products and services, and to measure the effectiveness of our marketing.

4.6 Legal compliance and risk management: to comply with our legal obligations under New Zealand law, to maintain business records, to protect our legal rights, and to respond to legal proceedings.

We will not use personal information for a purpose that is incompatible with the purpose for which it was collected without your consent or as otherwise permitted by the Privacy Act 2020 (Information Privacy Principle 10).

5. DISCLOSURE OF PERSONAL INFORMATION

We do not sell personal information to third parties for their own marketing purposes. We may disclose personal information in the following circumstances:

5.1 Service providers: to third-party providers who assist us in operating our website and delivering our services, as described in section 6. These providers are authorised to use personal information only as necessary to perform services on our behalf.

5.2 Professional advisors: to our lawyers, accountants, insurers, or other professional advisors where reasonably necessary for the conduct of our business.

5.3 Legal requirements: where we are required or authorised by law, court order, or a regulatory authority with jurisdiction to disclose personal information, we will disclose only what is required and will notify you where we are permitted to do so.

5.4 Business transfer: in the event of a sale, merger, or transfer of all or part of our business, personal information may be disclosed to the purchaser or transferee as part of due diligence or transfer. We will notify affected individuals before their information is transferred to a new controller with a materially different privacy policy.

6. THIRD-PARTY SERVICE PROVIDERS

We use the third-party service providers listed below, which may hold, access, or process personal information on our behalf. Information may be transferred to, and processed in, countries outside New Zealand (see section 8). We take reasonable steps to ensure that these providers handle personal information in a manner consistent with the Privacy Act 2020.

6.1 Squarespace (United States) — website hosting, content management system, and online form submission processing. Privacy policy: squarespace.com/privacy

6.2 Stripe (United States) — payment processing and financial transaction records, including credit and debit card data. Stripe is certified to PCI-DSS Level 1. Privacy policy: stripe.com/privacy

6.3 MailerLite (Lithuania / European Union) — email marketing platform, newsletter management, and subscriber management. MailerLite operates under the EU General Data Protection Regulation (GDPR). Privacy policy: mailerlite.com/legal/privacy-policy

6.4 Figma (United States) — collaborative design tool used for creating visual materials for internal use and client projects. Privacy policy: figma.com/privacy

6.5 Atlassian Jira (United States / Australia) — project management and issue-tracking tool used to manage client engagements. Privacy policy: atlassian.com/legal/privacy-policy

6.6 Atlassian Confluence (United States / Australia) — documentation and knowledge-base platform used to manage engagement materials and internal documentation. Privacy policy: atlassian.com/legal/privacy-policy

6.7 Synthesia (United Kingdom) — AI-powered video creation platform used for producing educational and marketing video content. Privacy policy: synthesia.io/legal/privacy

6.8 Carta (United States) — equity management and cap table platform used in connection with capital readiness consulting engagements. Privacy policy: carta.com/legal/privacy

6.9 Nano Banana (United States) — productivity and task management platform used for internal operations and engagement management. Privacy policy available at the provider's website.

6.10 Google Analytics (United States) — website traffic analytics and reporting. You may opt out of Google Analytics tracking by installing the Google Analytics Opt-out Browser Add-on (tools.google.com/dlpage/gaoptout). Privacy policy: policies.google.com/privacy

7. ARTIFICIAL INTELLIGENCE TOOLS

7.1 GrowSmarter uses the following AI tools to support content creation, research, internal operations, and service delivery:

• Claude by Anthropic (United States) — used for business research, writing assistance, code generation, and service delivery support;

• ChatGPT by OpenAI (United States) — used for content development, research, and operational support.

7.2 We are aware that inputs to AI tools may be retained and processed by the AI provider in accordance with that provider's terms of service and privacy policy. Accordingly, we take care to avoid inputting personal information about identifiable individuals, or client Confidential Information, into AI tools without: (a) ensuring that the relevant AI provider's privacy settings are configured to minimise data retention where possible; and (b) where applicable, the informed consent of the relevant individual or client.

7.3 If you are a consulting client, you may discuss with us at the outset of your engagement what information (if any) you consent to being processed through AI tools during the engagement. This can be recorded in your Statement of Work.

7.4 The AI tools we use are governed by their respective privacy policies. Links to those policies are available at: anthropic.com/legal/privacy and openai.com/policies/privacy-policy.

8. CROSS-BORDER DISCLOSURE

8.1 Because several of our service providers are headquartered overseas — primarily in the United States, United Kingdom, and European Union — your personal information may be transferred to, stored in, or processed in countries other than New Zealand. Some of those countries may not have privacy laws equivalent to New Zealand's Privacy Act 2020.

8.2 Before disclosing personal information to overseas recipients, we take reasonable steps in accordance with Information Privacy Principle 12 to ensure that the recipient will handle the information in a manner consistent with the Privacy Act 2020. These steps include reviewing the recipient's privacy policies and, where applicable, entering into data processing agreements or relying on recognised legal frameworks such as the EU Standard Contractual Clauses or equivalent mechanisms.

8.3 By using our website and services, you acknowledge that your personal information may be transferred overseas as described in this section.

9. DATA SECURITY

9.1 We implement reasonable technical and organisational security measures to protect personal information against unauthorised access, use, disclosure, alteration, or destruction. Our security measures include password protection of accounts and systems, limited staff access to personal information on a need-to-know basis, use of reputable, security-certified third-party service providers, and regular review of our data handling practices.

9.2 Payment card data is handled exclusively by Stripe under PCI-DSS Level 1 certification. We do not store, transmit, or have access to full card numbers.

9.3 Despite reasonable precautions, no method of electronic data transmission or storage is completely secure. We cannot guarantee the absolute security of personal information transmitted to or stored by us or our service providers. If you become aware of any actual or suspected security breach involving your personal information, please notify us immediately at grant.jennings@growsmarter.net.

9.4 If we become aware of a privacy breach that is likely to cause serious harm to one or more affected individuals, we will notify those individuals and the Privacy Commissioner as required under Part 6 of the Privacy Act 2020 as soon as practicable. We maintain a register of privacy breaches as required by the Privacy Act 2020.

10. RETENTION OF PERSONAL INFORMATION

10.1 We retain personal information only for as long as is necessary for the purposes for which it was collected, or as required by applicable law (Information Privacy Principle 9). We do not retain information for longer than is necessary.

10.2 The following minimum retention periods apply:

(a) Client engagement records (including communications, Statements of Work, Deliverables, and invoices): a minimum of seven (7) years following the end of the engagement, consistent with New Zealand business records requirements under the Companies Act 1993, the Tax Administration Act 1994, and generally accepted accounting practice.

(b) Marketing contact records and newsletter subscriptions: retained until you unsubscribe or request deletion.

(c) Website analytics data: retained in accordance with the default settings of Google Analytics (currently 26 months), unless adjusted in our account settings.

(d) Payment records: retained as required by the Inland Revenue Department of New Zealand and applicable financial record-keeping requirements.

10.3 When personal information is no longer required, it is securely deleted or permanently anonymised so that it can no longer be associated with an individual.

11. YOUR RIGHTS UNDER THE PRIVACY ACT 2020

11.1 Right of Access — Principle 6

11.1 You have the right to request access to personal information that GrowSmarter holds about you. To make an access request, please email grant.jennings@growsmarter.net with the subject line "Privacy Access Request" and sufficient information to enable us to identify the information requested. We will acknowledge your request within five (5) working days and respond within twenty (20) working days, as required by the Privacy Act 2020. We may need to verify your identity before releasing information. In limited circumstances we may decline to provide access, but we will tell you our reasons and advise you of your right to complain to the Privacy Commissioner.

11.2 Right of Correction — Principle 7

11.2 If you believe that personal information we hold about you is inaccurate, incomplete, out of date, or misleading, you may request that we correct it. Please email grant.jennings@growsmarter.net with the subject line "Privacy Correction Request" and details of the correction sought. We will respond within twenty (20) working days. If we do not agree to make the requested correction, we will notify you of our reasons in writing and of your right to request that a statement of the correction sought is attached to the information, and your right to complain to the Privacy Commissioner.

12. COOKIES AND TRACKING TECHNOLOGIES

12.1 Our website uses cookies and similar tracking technologies. Cookies are small data files placed on your device that help the website function and allow us to understand how it is used. We use:

• Session and functional cookies (Squarespace): necessary for the website to load and function correctly. These expire when you close your browser or after a short period.

• Analytics cookies (Google Analytics): used to collect anonymised and aggregated information about how visitors interact with our website, including pages visited, traffic sources, and time on site. This data is used to improve the website.

12.2 You can manage or disable cookies through your browser settings. Note that disabling cookies may affect the functionality of the website. For information on managing cookies in your browser, refer to your browser's help documentation. To opt out of Google Analytics, visit tools.google.com/dlpage/gaoptout.

13. CHILDREN'S PRIVACY

Our website and services are not directed at, and we do not knowingly collect personal information from, children under the age of 18. If you believe we have inadvertently collected personal information from a person under 18, please contact us at grant.jennings@growsmarter.net and we will take prompt steps to delete that information.

14. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our information handling practices, legal requirements, or the services we provide. We will post any updated policy on our website with a revised effective date. If we make material changes, we will take additional steps to notify affected individuals, such as sending an email to subscribed contacts or displaying a notice on the website. Your continued use of our website or services after the updated policy is posted constitutes acceptance of the revised policy.

15. PRIVACY COMPLAINTS

15.1 If you believe GrowSmarter has interfered with your privacy or has not handled your personal information in accordance with the Privacy Act 2020, please contact our Privacy Officer in the first instance at grant.jennings@growsmarter.net with the subject line "Privacy Complaint". We will acknowledge your complaint within five (5) working days and use reasonable endeavours to resolve it within twenty (20) working days.

15.2 If you are not satisfied with our response, or if we fail to respond within twenty (20) working days, you may make a complaint to the Office of the Privacy Commissioner of New Zealand:

Office of the Privacy Commissioner

PO Box 10094, Wellington 6143, New Zealand

Phone: 0800 803 909

Email: enquiries@privacy.org.nz

Website: privacy.org.nz

15.3 The Privacy Commissioner may investigate your complaint and, where appropriate, refer it to the Human Rights Review Tribunal. We will cooperate fully with any investigation by the Privacy Commissioner.

16. CONTACT US

For any questions, requests, or concerns about this Privacy Policy or our handling of personal information, please contact our Privacy Officer:

Privacy Officer — Grant Ian Jennings

GrowSmarter

57 Magma Crescent, Auckland 1072, New Zealand

Email: grant.jennings@growsmarter.net

Website: growsmarter.net

We aim to respond to all privacy enquiries within five (5) working days.

This Privacy Policy was drafted in accordance with the Privacy Act 2020 (New Zealand). GrowSmarter recommends that you review this policy periodically for any updates.