Legal
Privacy Policy
Last updated: June 2026
π
We collect only what we need
Papigrows collects the minimum data required to run your account and generate content. Customer data is encrypted at rest and in transit, payment details are handled entirely by Stripe, and we never sell your data or use it to train AI models. The processors we rely on are listed below.
1. Who we are
Papigrows is operated by Monti Labs AB, based in LidingΓΆ, Sweden. We build SEO and GEO content automation software. Contact: hello@papigrows.com.
2. Data we collect
- Account data: email address, organisation name, website URL.
- Usage data: articles generated, keywords, CMS connection metadata (no CMS credentials are stored β OAuth tokens are encrypted at rest).
- Billing data: handled exclusively by Stripe. We never see or store card numbers.
- Session data: cryptographically signed cookies stored in your browser.
3. How your data is stored
Account and usage data is held in a managed PostgreSQL database (Supabase). Backups are encrypted. Some of our processors operate infrastructure outside the EU/EEA; where that is the case, transfers are covered by the relevant safeguards (such as Standard Contractual Clauses) under the processor's data processing terms.
4. GDPR compliance
Papigrows processes personal data as a data processor under GDPR Art. 28. We offer a Data Processing Addendum (DPA) on request. Your rights:
- Right to access your data (export available on request)
- Right to erasure (contact us and we delete within 30 days)
- Right to portability
- Right to object to processing
5. Data retention
Active account data is retained for the lifetime of your subscription plus 30 days. After account deletion, backups are purged within 90 days.
6. Third-party processors
- Supabase (database hosting). DPA in place.
- Stripe (payments) β PCI-DSS Level 1 compliant.
- Anthropic (AI generation) β content processed transiently for article generation; not stored by Anthropic per their API terms.
- Resend (transactional email).
7. Cookies
We use one first-party session cookie (httpOnly, Secure, SameSite=Lax). No third-party tracking cookies. No advertising pixels.
8. Changes to this policy
Material changes will be communicated by email and displayed in the app changelog at least 14 days before taking effect.
9. Contact
For privacy-related requests: hello@papigrows.com