Privacy Policy.

This Privacy Policy explains how Garage Growth Labs collects, uses, shares, and protects information about you when you visit our website, fill in a form, sign up for an account, buy a service, or otherwise interact with us.

It applies to all four of our operating regions — US, UK, Canada, and Australia — and we've called out region-specific rights where they differ.

The "data controller" (the entity responsible for your data) is the Garage Growth Labs entity in your country. The header at the top of this page shows the entity for your current region. For specific data subject requests, contact hello@garagegrowthlab.com and we'll route you to the right entity.

Information you give us

• Contact details — your name, email, phone, business name, and the content of any message you send us.
• Project information — the kickoff brief, assets you upload (logo, photos, copy), domain and platform credentials you share for project work, and any feedback you submit.
• Account details — if you create a dashboard account, the data Clerk stores on our behalf (email, name, hashed password, optional avatar).
• Billing information — handled by Stripe. We don't store full card numbers; we receive a token plus the last four digits, card brand, and billing region.

Information we collect automatically

• Site usage — pages visited, time on page, referrer, screen size, browser, approximate location (country / region only) via Google Analytics 4 and optionally PostHog.
• Cookies — see §5 below.
• Server logs — IP address, request timestamps, user agent. We use these for security, debugging, and abuse prevention.

Information from third parties

• Ad platforms — when you click an ad of ours, the ad network may pass us a click identifier so we can attribute the conversion.

Under GDPR (UK + applicable to EU traffic) and equivalent regimes, we need a lawful basis for each use. Ours are:

• Contract performance — to deliver the services you bought from us (build your site, run your retainer, host your account).
• Legitimate interests — to operate, secure, and improve the studio; understand which marketing channels work; prevent fraud.
• Consent — for non-essential cookies, marketing email, and any optional features that require explicit opt-in.
• Legal obligation — for tax records, accounting, and responding to valid government requests.

Where we rely on consent (e.g., marketing email), you can withdraw it any time via the unsubscribe link in any email, or by emailing us.

We use cookies and similar technology for three purposes:

Essential

Required to make the site function — login session, country and theme preference, checkout flow, CSRF protection. These cannot be turned off.

Analytics

Google Analytics 4 and (optionally) PostHog tell us which pages are working and which aren't. We anonymize IP addresses where possible. You can opt out in your browser, via a Do Not Track signal, or by declining the cookie banner.

Marketing

Google Ads and Meta Pixel set cookies when you arrive from a paid campaign so we can measure the conversion. These only run after you accept the cookie banner.

You can clear cookies, block them in your browser, or use a privacy extension at any time. Blocking essential cookies may break parts of the site (notably checkout and dashboard).

We do not sell your personal information. We share it only with the small number of vendors we use to run the studio:

Each vendor is bound by a data processing agreement and standard contractual clauses where required. We review our vendor list at least annually.

We may also share information when legally required (court order, lawful subpoena), to protect our rights, or in connection with a business sale (in which case the buyer inherits this policy).

Because we operate in four countries and use global vendors, your data may be processed outside your home country. Where it leaves the UK or EU, we rely on Standard Contractual Clauses (SCCs) or equivalent approved mechanisms.

• Project files and account data — for the life of your account, plus up to 24 months after closure (so we can restore on request).
• Billing and tax records — 7 years (or as required by local tax law).
• Analytics — 14 months by default.
• Server logs — 90 days.
• Marketing email lists — until you unsubscribe.

You can request earlier deletion at any time, subject to legal retention requirements.

We use industry-standard security: TLS everywhere, hashed passwords (via Clerk), least- privilege access controls, encrypted backups, and quarterly security reviews. Payments go through Stripe, which is PCI-DSS Level 1 certified — we never see your full card number.

No system is bulletproof. If we ever experience a breach affecting your data, we'll notify you and the relevant regulator without undue delay, in line with our legal obligations.

Wherever you live, you have the right to:

• Access the personal data we hold about you;
• Correct data that's inaccurate or out of date;
• Delete data, subject to retention requirements;
• Export your data in a portable format;
• Object to certain processing (notably marketing); and
• Withdraw consent at any time for processing based on consent.

To exercise any right, email hello@garagegrowthlab.com. We'll respond within 30 days (and free of charge, except for clearly excessive or repeated requests).

Our services are not directed at children. We don't knowingly collect personal data from anyone under 16. If you believe we have, contact us and we'll delete it.

We may update this policy from time to time. The "Last reviewed" date at the top reflects the most recent change. For material changes, we'll email retainer clients and show a notice at the top of this page for at least 30 days.

Privacy questions and data-subject requests: hello@garagegrowthlab.com (subject line: "Privacy request"). We aim to respond within one business day and resolve within 30.