Growth Notes — Privacy Policy
Last updated: 17 April 2026
This Privacy Policy explains how The Ordinary Group ("Growth Notes", "we", "us", "our") collects, uses, and protects personal information when you use the Growth Notes platform ("Platform"). We are committed to handling your personal information in accordance with the Protection of Personal Information Act, 2013 ("POPIA") and, where applicable, the EU General Data Protection Regulation ("GDPR").
If you have any questions about this Policy or wish to exercise any of your rights, contact us at alfi@theordinary.group.
1. Who We Are
The Ordinary Group is the operator of Growth Notes, a B2B mentorship platform based in South Africa. For the purposes of POPIA, we are the "Responsible Party" for the personal information described in this Policy, except where we act as an "Operator" on behalf of a subscribing Organisation (see Section 4).
Information Officer: Alfi
Email: alfi@theordinary.group
2. The Personal Information We Collect
The categories of personal information we process depend on your role on the Platform.
2.1 Account and Profile Information
When you create an account, we collect:
- Name and email address
- Password (stored as a hashed value; we never see your plaintext password)
- Profile photo (optional)
- Timezone and location
- Professional context: current role, company, domain, discipline, career ladder, level, and track (Individual Contributor or People Manager)
For Mentors, we additionally collect:
- Mentor bio and areas of expertise
- LinkedIn and personal website URLs (optional)
- Pricing tier selection
- Availability patterns and capacity limits
2.2 Growth and Mentorship Data
Through your use of the Platform, we process:
- Self-assessments of your capabilities and skills
- Growth plans, including capabilities selected, target proficiency levels, priorities, and timeframes
- Mentorship requests and engagement records
- Session schedules, attendance, and external video meeting links
- Session notes (private or public as marked)
- Growth reports authored by Mentors, including qualitative feedback and proficiency assessments
- Comments on growth reports from Team Leaders
2.3 Organisation and Billing Information
For Org Admins, we collect:
- Organisation name and billing details
- Credit purchase history and transaction records
- Organisation structure (reporting relationships, team assignments)
- Taxonomy scope configuration
2.4 Technical Information
We automatically collect:
- IP address and approximate location derived from it
- Browser type and version
- Device information and operating system
- Login timestamps and authentication events
- Pages accessed and actions taken within the Platform
- Session cookies and similar technologies
2.5 Communications
When you contact us or respond to Platform communications, we collect:
- Emails, support requests, and related correspondence
- Notification preferences and email engagement (opens, clicks) via our email provider
2.6 Information From Third Parties
If you sign in via Google OAuth, we receive the basic profile information Google provides (name, email, profile photo) subject to your Google permissions.
3. How We Use Personal Information
We process personal information for the following purposes:
3.1 To Provide the Platform
- Create and maintain your account
- Match Mentees with relevant Mentors based on capabilities, skills, career level, and track
- Facilitate mentorship requests, engagements, cycles, and sessions
- Track growth plan progress and deliver growth reports
- Process credit purchases, allocations, and consumption
- Send transactional notifications (session confirmations, reminders, growth report submissions, credit receipts)
- Sync session bookings with your Google Calendar where you have authorised this
3.2 To Operate Organisational Features
- Enable Team Leaders to view their direct reports' growth plans, engagements, and growth reports
- Enable Org Admins to manage organisation structure, credit allocation, and taxonomy scope
- Generate aggregate dashboards and reporting for each role
3.3 To Keep the Platform Safe and Working
- Authenticate users and enforce access controls via Row-Level Security
- Detect, investigate, and prevent fraud, abuse, or security incidents
- Monitor Platform health and troubleshoot technical issues
- Track no-show patterns and apply the graduated no-show policy
- Handle disputes reported through the "Report an Issue" flow
3.4 To Communicate With You
- Respond to your queries and support requests
- Send service announcements and material updates to this Policy or our Terms
- Send product updates and educational content where you have consented
3.5 To Improve the Platform
- Analyse aggregate usage patterns to improve features and performance
- Use anonymised data for benchmarking, product research, and (in anonymised form) marketing
3.6 To Meet Legal Obligations
- Comply with applicable laws, regulations, court orders, and lawful requests from authorities
- Retain financial records as required by tax and accounting law
4. Our Role: Responsible Party or Operator
For most of the personal information we process, we are the Responsible Party under POPIA. However, when your employer Organisation uses Growth Notes to manage employee development, some personal information is processed on behalf of your Organisation — for example, your growth plan, your manager's view of your progress, and your engagement records. In those cases, we act as an Operator (or "Processor" under GDPR) for your Organisation, which is the Responsible Party for that data.
What this means in practice:
- Your Organisation decides what data is collected about you as an employee, for what purposes, and for how long within the Platform.
- If you want to exercise your data subject rights over employee-related data (such as requesting access or correction), you should direct those requests to your Organisation in the first instance. We will support your Organisation in responding.
- We process employee data strictly in line with our contract with the Organisation and will not use it for our own purposes beyond providing the service.
5. Lawful Basis for Processing
Under POPIA and GDPR, we rely on the following grounds for processing your personal information:
- Consent: Where you have explicitly agreed, such as opting into marketing communications or allowing Google Calendar integration.
- Contract: To perform our contract with you (if you are an individual user) or with your Organisation (where you use the Platform through an employer).
- Legitimate interest: To operate, secure, and improve the Platform, provided this does not override your rights.
- Legal obligation: To comply with laws that apply to us.
6. Who We Share Personal Information With
We share personal information only as needed to operate the Platform and only with recipients who are bound by appropriate confidentiality and data protection obligations.
6.1 Within Your Organisation
- Your Team Leader can see your growth plan, engagements, and growth reports.
- Your Org Admin can see organisation-level data including your role and engagement activity.
- Mentors you engage with can see the information in your mentorship request and the context needed to mentor you.
- Other users in your Organisation can see your Mentor profile if you have made yourself available as a Mentor.
6.2 Our Service Providers (Operators)
We use trusted third parties to deliver the Platform. Each is contractually bound to process your data only as we direct.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Hosting, database, authentication, file storage | Infrastructure regions as configured |
| Paystack | Payment processing for credit purchases | South Africa |
| Loops.so | Transactional email delivery | United States |
| Google (Calendar, OAuth) | Optional calendar sync and sign-in | Global |
A current list of sub-processors is available on request via alfi@theordinary.group.
6.3 Legal and Safety Disclosures
We may disclose personal information where required by law, court order, or lawful request from a regulator, or where we reasonably believe disclosure is necessary to protect our rights, your safety, or the safety of others.
6.4 Business Transfers
If The Ordinary Group is involved in a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify you of any such transfer and of any choices you may have regarding your personal information.
6.5 What We Do Not Do
We do not sell your personal information. We do not share your personal information with advertising networks or data brokers.
7. International Transfers
Some of our service providers (such as Loops.so) process data outside South Africa. When we transfer personal information across borders, we ensure adequate protection through contractual safeguards (such as standard contractual clauses) or by using providers in jurisdictions recognised as providing adequate protection.
8. How Long We Keep Personal Information
We retain personal information only for as long as necessary for the purposes described above:
- Active account data: Retained for the lifetime of your account.
- After account deletion: Personal information is deleted within 30 days. Engagement and session records may be retained in anonymised form for aggregate analytics.
- Growth reports after a user is deleted: The content is retained for the other party's records, but the deleted user's name is replaced with "Former User".
- Financial and transaction records: Retained for 7 years to meet South African tax and accounting requirements.
- Support communications: Retained for up to 3 years after resolution.
- Backups: Personal information may persist in secure backups for a limited period after deletion, after which it is overwritten.
9. Your Rights
Under POPIA (and GDPR where applicable) you have the right to:
- Access the personal information we hold about you.
- Correct information that is inaccurate or incomplete.
- Delete your personal information (the "right to erasure"), subject to our lawful retention obligations.
- Object to processing based on legitimate interests or for direct marketing.
- Withdraw consent where processing is based on consent, without affecting the lawfulness of processing before withdrawal.
- Data portability: receive your data in a structured, machine-readable format (CSV export is available from within the Platform).
- Lodge a complaint with the Information Regulator of South Africa (see Section 14) or, where GDPR applies, your local supervisory authority.
To exercise any of these rights, email alfi@theordinary.group. We will respond within a reasonable period, and in any event within 30 days. If you use the Platform through an employer Organisation, we may redirect certain requests to your Organisation where they are the Responsible Party.
10. Account Deletion
You can request account deletion at any time. On deletion:
- Your personal identifying information (name, contact details, photo) is removed within 30 days.
- Your professional context and growth plan data is anonymised.
- Growth reports authored about you are anonymised (your name is replaced with "Former User").
- Your contact record is removed from Loops.so and other third-party systems.
- Financial records are retained as required by law but access is restricted.
- You will receive confirmation when deletion is complete.
11. Security
We take personal information security seriously. The measures we take include:
- Encryption of data in transit (TLS) and at rest.
- Authentication managed by Supabase Auth, with support for Google OAuth and password-based sign-in.
- Row-Level Security policies in our PostgreSQL database, ensuring each user can only access data they are authorised to see.
- PCI-DSS compliant payment processing via Paystack — we do not store card details.
- Access controls and audit logging on internal systems.
- Regular review of our security practices.
No system is perfectly secure. If you believe your account has been compromised, contact us immediately at alfi@theordinary.group.
12. Cookies and Similar Technologies
We use cookies and similar technologies to operate the Platform — for example, to keep you signed in, remember your preferences, and understand how the Platform is used. You can control cookies through your browser settings. Disabling certain cookies may limit Platform functionality.
13. Children
Growth Notes is not directed to children under 18. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, contact us and we will delete it.
14. Changes to This Policy
We may update this Policy from time to time. If we make material changes, we will notify you by email or through the Platform before the changes take effect. The "Last updated" date at the top of this Policy indicates when it was last revised.
15. Complaints and Contact
If you have concerns about how we handle your personal information, contact us first at alfi@theordinary.group - we will take your concerns seriously and respond promptly.
You also have the right to lodge a complaint with the South African Information Regulator:
The Information Regulator (South Africa)
Website: https://inforegulator.org.za
Email: complaints.IR@justice.gov.za
If GDPR applies to your data, you can contact your local data protection authority.
The Ordinary Group
Email: alfi@theordinary.group