Privacy Policy

Last updated: May 30, 2026

This Privacy Notice for Shotai, LLC ("we," "us," or "our") describes how and why we might access, collect, store, use, and/or share ("process") your personal information when you use our services ("Services"), including when you:

Visit our website at https://growro.com or any website of ours that links to this Privacy Notice.
Use GrowRo. GrowRo is a Chrome browser extension and companion web service operated by Shotai, LLC, a Delaware limited liability company. When a user shops at a supported online retailer through the extension, the retailer's affiliate network pays GrowRo a commission, and a share of that commission is credited to the user's balance for redemption as a Roblox gift card. A GrowRo account is required to use the Services; you create one with an email address and password, or by signing in with Google. We verify the email address before issuing your first gift card redemption so we can deliver the redemption code reliably. GrowRo is not affiliated with, endorsed by, or sponsored by Roblox Corporation.
Engage with us in other related ways, including any marketing or events.

Questions or concerns? Reading this Privacy Notice will help you understand your privacy rights and choices. We are responsible for making decisions about how your personal information is processed. If you do not agree with our policies and practices, please do not use our Services. If you still have any questions or concerns, please contact us at privacy@growro.com.

Summary of Key Points

This summary provides key points from our Privacy Notice; you can find more details about each topic in the relevant section below.

What personal information do we process? When you visit, use, or navigate our Services, we may process personal information depending on how you interact with us, the choices you make, and the products and features you use.

Do we process any sensitive personal information? No. We do not process sensitive personal information (such as racial origin, sexual orientation, religious beliefs, or biometric data).

Do we collect any information from third parties? Yes — we receive purchase confirmation events from affiliate networks. These contain a click identifier we generated, the order amount, and the commission paid. They do not contain customer names, emails, or payment details.

How do we process your information? We process your information to provide and administer the Services (record activations, match purchases to clicks, accrue and pay out the Robux gift card balance), to respond to user inquiries, for security and fraud prevention, to send you marketing emails you can opt out of at any time, and to comply with law.

In what situations and with which parties do we share personal information? We share personal information with our gift card vendor (Tremendous), our hosting provider (Fly.io), and the affiliate networks that mint our tracking links and report commissions.

How do we keep your information safe? We have appropriate technical and organizational processes and procedures in place to protect your personal information. However, no electronic transmission or storage technology can be guaranteed to be 100% secure.

What are your rights? Depending on where you are located, applicable privacy law may give you certain rights regarding your personal information.

How do you exercise your rights? The easiest way is to contact us at privacy@growro.com or via our contact page. We will consider and act upon any request in accordance with applicable data protection laws.

1. What information do we collect?

Personal information you disclose to us

In short: We collect personal information that you provide to us.

We collect the personal information that you voluntarily provide to us when you create a GrowRo account, sign in, redeem a Roblox gift card, or contact us.

Personal information provided by you is limited to:

Email address — collected at account creation. We use this address as your account identifier, to send a 6-digit verification code that confirms ownership of the address, to send transactional account email (password resets, security alerts, gift card delivery), and to deliver the gift card code via our fulfillment vendor (Tremendous) when you redeem.
Password — collected at account creation, change, or reset, if you choose the email + password sign-in method (rather than Google). Passwords are hashed at rest using argon2id (OWASP 2024 parameters) before being written to disk; we do not retain the plaintext password and cannot retrieve it for you. If you forget your password, you can reset it via the link sent to your verified email.
Authentication and session data. When you sign in we create a server-side session and issue you a cryptographically random session token (delivered as an httpOnly cookie for the website, or as a bearer token stored by the Chrome extension's service worker). We store a SHA-256 hash of this token, never the plaintext, alongside a sliding 1-year expiry, the User-Agent string of the device that signed in, and a HMAC-hashed form of the IP address (we do not store the raw IP). You can view your active sessions and sign out individual devices on the account page.
OAuth provider data, if you use social sign-in. See "How we handle social logins" below.

Social media login data. You can choose to register or sign in using your Google account (Sign in with Google). If you do, we receive your email address, Google account ID, and the display name and profile picture URL Google associates with your account. We use this information to identify you on subsequent sign-ins and to populate your GrowRo account; we do not receive your Google password, your Google Contacts, or any other Google data beyond what is necessary to complete the sign-in. The scopes we request are documented in our Third Parties section and in the Google OAuth consent screen you see when first authorizing GrowRo.

Google API limited use. GrowRo's use of information received from Google APIs (specifically, the Google Identity / Sign-in API) adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, we use Google-provided email, account ID, name, and profile picture solely to authenticate you and personalize your GrowRo account; we do not transfer this data to third parties for advertising, do not allow humans to read it except as described in Section 19 below, and do not use it to develop, improve, or train generalized AI/ML models.

Sensitive information. We do not process sensitive personal information.

Information automatically collected

In short: Some information — such as URLs of pages you visit on supported retailers, click events, and basic browser/device information — is collected automatically when you use the Services.

We automatically collect certain information when you use the Services. The information we collect includes:

URLs of pages on supported retailer domains. The Chrome extension reads the current URL on a fixed list of supported retailers (declared in the extension manifest, visible at chrome://extensions) so it can detect when you're at a checkout, the rate at the current store, and similar. It does not run on your bank, email, social media, or any other site outside that list.
Cart total, when shown on the page. On cart and checkout pages of supported retailers, the extension reads the visible total dollar amount so we can show you the Robux you'd earn on that order. This number stays in your browser; we do not transmit cart contents or item-level data to our servers.
Click events. When you click "Activate Robux Back" at a supported store, we send the retailer ID, your account's user ID, and the destination URL to our server so we can mint an affiliate-tracked link and record the click.
Cookies and similar tracking technologies. See our Cookie Notice for details.
Browser user-agent and similar diagnostic data. Our hosting provider (Fly.io) captures basic request metadata in edge logs for security and operational purposes; we do not store this in our application data.

Information collected from other sources

In short: Affiliate networks send us purchase confirmation events when a click we tracked converts to a sale.

Affiliate networks send us server-to-server notifications ("postback events") when a tracked click converts to a sale. These events contain the click identifier we originally generated, the order amount, and the commission paid. They do not contain customer names, email addresses, payment details, or any directly identifying personal information. We use this data to credit the Robux gift card balance of the user whose click produced the sale. Sources include affiliate networks listed under "When and with whom do we share personal information?" below.

2. How do we process your information?

In short: We process your information to provide, improve, and administer the Services, communicate with you, for security and fraud prevention, and to comply with law. We process your information only when we have a valid legal reason to do so.

We process your personal information for a variety of reasons, depending on how you interact with our Services, including:

To deliver and facilitate delivery of services to the user. We process your information to record activations, generate affiliate-tracked redirect URLs, receive and match purchase postbacks from affiliate networks, accrue your GrowRo balance, verify your saved email address by sending a 6-digit code to it, and issue Roblox gift cards via Tremendous when you redeem.
To fulfill and manage your orders. We process your information to issue and deliver Roblox gift cards when you redeem a balance tier.
To respond to user inquiries and offer support. We process your information to respond to your inquiries and resolve any issues you may have with the Services.
To send administrative information to you. We may process your information to send you details about the Services, changes to our terms and policies, and other similar information.
To send you marketing and promotional communications. If you have a GrowRo account, we may email you about new and featured stores, boosted Robux Back rates, and product news, in line with your email preferences. You can opt out at any time — see Section 11. Sign-in and redemption emails are not marketing and are always sent.
To protect our Services. We may process your information as part of our efforts to keep the Services safe and secure, including fraud monitoring and prevention.
To comply with our legal obligations. We may process your information where we believe it is necessary for compliance with applicable law.

3. What legal bases do we rely on to process your information?

In short: We only process your personal information when we have a valid legal reason to do so under applicable law.

If you are located in the EU or UK, this section applies to you.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information. We may rely on the following legal bases:

Consent. We may process your information if you have given us permission to use your personal information for a specific purpose. You can withdraw your consent at any time.
Performance of a contract. Our primary lawful basis. When you click "Activate Robux Back," you ask us to track your click and credit your GrowRo balance for any resulting purchase. We process the data necessary to deliver that.
Legitimate interests. We may process your information when reasonably necessary to achieve our legitimate business interests, such as fraud prevention, security, and the stand-down compliance audit log described in Section 15.
Legal obligations. We may process your information where necessary for compliance with our legal obligations, including responding to lawful requests from authorities.
Vital interests. We may process your information where necessary to protect your vital interests or the vital interests of another person.

If you are located in Canada, this section applies to you.

Under Canadian privacy law, we may process your information if you have given us specific permission (express consent) to use your personal information for a specific purpose, or in situations where your permission can be inferred (implied consent). You can withdraw your consent at any time by contacting us.

4. When and with whom do we share your personal information?

In short: We share information in specific situations described in this section and with the third parties listed below.

We may share your data with third-party vendors, service providers, and partners ("third parties") that perform services for us or require access to your data to complete the Services. We have contracts in place with our third parties that include data protection terms (or rely on their published Data Processing Agreements) and limit how they may use the data.

The third parties we share personal information with are:

Affiliate marketing programs. Networks that mint our tracking links and report sale events: eBay Partner Network, Sovrn Commerce, Impact, Awin, Rakuten Advertising, CJ Affiliate, and FlexOffers — subject to which networks have approved GrowRo at any given time. Information shared: click identifiers, the destination retailer URL, and an opaque user identifier. No email, name, or payment information is shared with these networks.
User account authentication. Google Sign-In (Google Identity) optionally authenticates you when you choose "Sign in with Google" at signup or sign-in. Google receives the fact that you authorized GrowRo; we receive from Google your email address, account ID, display name, and profile picture URL. Google's handling of your data is governed by the Google Privacy Policy.
Gift card fulfillment. Tremendous issues Roblox gift cards on our behalf at redemption time. We share your email address and the gift card amount only at the moment of redemption.
Hosting. Fly.io hosts our backend and stores our database. They host the data we write to disk (user accounts, sessions, transactions, redemptions, audit logs).
Transactional email delivery. Resend delivers transactional email on our behalf (account verification codes, password resets, security alerts, gift card redemption confirmations). When we send you such an email, your email address and the email contents are transmitted to Resend for delivery.
Email correspondence. Microsoft 365 hosts our admin@growro.com, privacy@growro.com, support@growro.com, partnerships@growro.com, and press@growro.com mailboxes. Emails you send us are stored in those mailboxes.
Legal-document hosting and consent management. Termly.io provided the attorney-template version of this Privacy Notice, our Terms of Service, and our Cookie Notice. Termly also operates the Consent Management Platform that powers the cookie-consent banner shown to visitors in regulated regions (European Economic Area, United Kingdom, Switzerland, Brazil); Termly's resource-blocker script loads on every page to enforce consent decisions. Termly receives standard web analytics (page views, browser type) when their script loads, and your consent choices when you submit them — Termly does not receive your account email or identifier.
Product analytics. PostHog Inc. processes event-level product-usage data we transmit (page views, autocaptured clicks, signup / activation / redemption events). We do not transmit your email, password, IP address, or session token. After you sign in we send your GrowRo user ID so events stitch across visits. In regulated regions (EEA, UK, Switzerland, Brazil), analytics scripts are blocked until you consent on the cookie banner. PostHog's handling is governed by the PostHog Privacy Policy.
Error monitoring. Functional Software, Inc. d/b/a Sentry receives server-side error reports when our backend throws an unhandled exception. We scrub request bodies, query strings, authentication headers, user emails, and IP addresses before transmission. Only the error stack trace and your GrowRo user ID (when known) are retained. Sentry's handling is governed by the Sentry Privacy Policy.
Encrypted offsite backup storage. Cloudflare, Inc. stores hourly encrypted snapshots of our application database via Cloudflare R2 for disaster recovery. Snapshots contain the same account data described in Section 1 above, server-side encrypted at rest with AES-256, with tiered retention from 24 hours (hourly snapshots) to 365 days (monthly snapshots). Cloudflare's handling is governed by the Cloudflare Privacy Policy.

We may also share your personal information in the following situations:

Business transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
Legal disclosure. We may share your information if compelled to do so by valid legal process (subpoena, court order) or where reasonably necessary to defend our legal rights.

We do not sell, rent, or share your personal information with advertisers, data brokers, or anyone else outside the categories above.

5. Do we use cookies and other tracking technologies?

In short: We may use cookies and similar tracking technologies to collect and store your information.

We use cookies and similar tracking technologies to operate and secure the Services. Specifically:

Strictly necessary storage in chrome.storage.local for your account's user ID and session bearer token, so the extension recognizes your account across sessions. The bearer token is the same kind of opaque random string our website stores in the growro_session httpOnly cookie — see Section 9 below for storage and hashing details.
Functional storage in chrome.storage.session for stand-down cooldown records (see Section 15).
Affiliate cookies set on the retailer's domain by the retailer's affiliate network after you click "Activate Robux Back." We do not set these cookies directly; the network's tracking redirect does. They tell the network that we referred you so the network can pay us the commission.

We use a product-analytics tool (PostHog) to understand how the Services are used and to measure conversion funnels. PostHog stores an anonymous identifier in your browser so that events from the same browser are grouped together. We do not use advertising cookies, retargeting cookies, social-media plug-in cookies, or cross-site behavioral tracking across third-party sites. In the European Economic Area, the United Kingdom, Switzerland, and Brazil, we show a consent banner before any analytics storage is created; in regions where consent is not required (including the United States and Canada), analytics initializes alongside the strictly necessary session cookie. Specific information about each technology and how to refuse cookies is set out in our Cookie Notice.

6. How GrowRo honors stand-down — what we won't do to your cookies

Some earlier rewards browser extensions silently overwrote whatever affiliate cookie was already on your retailer visit so they could collect the commission for themselves. That practice led to high-profile litigation in 2024 and prompted Google to update Chrome Web Store policy in 2025 to ban the behavior. GrowRo doesn't do it.

Specifically:

Detection. When you land on a supported retailer, the extension checks the URL and the previous page's address for markers showing another affiliate publisher already referred you (parameters like cjevent, irclickid, awc, afsrc=1; or known affiliate redirector domains like anrdoezrs.net, awin1.com, click.linksynergy.com).
Stand-down. If we detect another publisher's attribution, we pause Robux Back on that retailer for the rest of your browser session. The extension shows a slate-gray "paused" indicator instead of the activation banner. We do not offer a "use GrowRo anyway" override — overriding would mean the same attribution-overwrite behavior we exist not to do.
Emission. When you do activate through GrowRo, our outbound link includes the universal afsrc=1 stand-down parameter so any compliant downstream affiliate extension you have installed will pause itself on that retailer too.

We treat this as a privacy and integrity commitment, not just a legal one.

7. Is your information transferred internationally?

In short: Our servers are in the United States. We may transfer and process your information in countries other than your own.

Our application servers are located in the United States (Fly.io region sjc, San Jose, California). The third parties we share data with are located in the United States and the United Kingdom. If you are located in the European Economic Area (EEA), the United Kingdom (UK), Switzerland, or Canada, your personal information may be transferred to and processed in countries that do not have privacy laws as comprehensive as those in your home country.

European Commission's Standard Contractual Clauses. We rely on Standard Contractual Clauses for transfers of personal information from the EEA, UK, or Switzerland to the United States. Our third-party providers (Fly.io, Tremendous, the affiliate networks) similarly maintain SCC-based safeguards for such transfers under their published Data Processing Agreements.

8. How long do we keep your information?

In short: We keep your information only as long as necessary to deliver the Services or as required by law.

Anonymous user ID: kept indefinitely while the account is active so past activations remain matchable.
Transactions and redemptions: kept indefinitely while the account is active for earning history.
Email address: kept as long as the user has a non-zero balance or active redemption; deleted within 7 days of a verified deletion request to privacy@growro.com.
Email verification codes: deleted after use, or expired automatically after 10 minutes — whichever comes first.
Compliance audit log entries (stand-down events): retained up to 5,000 entries; older entries are pruned automatically.
Affiliate-network postback data: kept indefinitely while the account is active for reconciliation purposes.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize it.

9. How do we keep your information safe?

In short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. Among these: HTTPS-only transport via Let's Encrypt; passwords hashed with argon2id (OWASP 2024 parameters); per-session 256-bit random session tokens stored as SHA-256 hashes at rest (never as plaintext) with constant-time comparison; HMAC + shared-secret verification on every affiliate postback; data minimization (only opaque user IDs and click identifiers are shared with affiliate networks; your email, name, and password are not); session tokens stored only in httpOnly cookies and Chrome extension storage, never in URL query strings; HMAC-hashed IP addresses (not raw IPs) in session and audit-log records; sliding 1-year session expiry with full per-device revocation from the account page; production manifest hardening that drops localhost host-permissions and gates development endpoints behind an environment flag.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure, so we cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

10. Do we collect information from minors?

In short: We do not knowingly collect data from or market to anyone under 18.

The Services are intended only for users who are at least 18 years old. We do not knowingly collect, solicit data from, or market to anyone under 18 years of age, nor do we knowingly sell such personal information. By using the Services, you represent that you are at least 18 years old. If we learn that personal information from a user under 18 has been collected, we will deactivate the account and take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from someone under 18, please contact us at privacy@growro.com.

11. What are your privacy rights?

In short: Depending on where you live, you may have rights regarding your personal information including the right to access, correct, delete, or port your data.

In some regions (such as the EEA, UK, Switzerland, and Canada), you have certain rights under applicable data protection laws. These may include the right to (i) request access and obtain a copy of your personal information; (ii) request rectification or erasure; (iii) restrict the processing of your personal information; (iv) data portability where applicable; (v) not be subject to automated decision-making; and (vi) object to certain processing.

Self-service data export. You can download a portable copy of your account data at any time from the account page on growro.com (the "Download my data" button), which returns a JSON file containing your profile, sessions metadata, activations, transactions, redemptions, referrals, disputes, and security audit entries. Session token hashes and other users' personal data are intentionally excluded. This satisfies the GDPR Article 20 right to data portability and the equivalent right under US state privacy laws.

You can also exercise any of the rights above by emailing privacy@growro.com or visiting our contact page. We will consider and act upon any request in accordance with applicable data protection laws.

If you are located in the EEA or UK and you believe we are unlawfully processing your personal information, you also have the right to complain to your Member State data protection authority or the UK data protection authority.

If you are located in Switzerland, you may contact the Federal Data Protection and Information Commissioner.

Withdrawing your consent. If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time by contacting us. However, withdrawing your consent will not affect the lawfulness of the processing before its withdrawal nor the processing of your personal information conducted in reliance on lawful processing grounds other than consent.

Opting out of marketing emails. You can unsubscribe from GrowRo marketing emails at any time from the account page (Account → Email preferences) or by clicking the unsubscribe link at the bottom of any marketing email. You will be removed from the marketing list; we will still send service emails necessary for your account, such as sign-in security and gift card redemption confirmations.

Cookies and similar technologies. Most web browsers are set to accept cookies by default. If you prefer, you can usually choose to set your browser to remove cookies and to reject cookies. For further information, see our Cookie Notice.

12. Controls for Do-Not-Track and Global Privacy Control features

Most web browsers include a Do-Not-Track ("DNT") feature you can activate to signal your privacy preference not to have data about your online browsing activities monitored and collected. At this stage, no uniform technology standard for recognizing and implementing DNT signals has been finalized. As such, we do not currently respond to DNT browser signals.

Global Privacy Control (GPC). We recognize and honor Global Privacy Control signals. If you use a browser or extension that supports GPC, we treat the signal as a valid request to opt out of the sale or sharing of your personal information for targeted advertising under applicable US state privacy laws, including the California Consumer Privacy Act (CCPA). When we detect a GPC signal we automatically apply your opt-out preference without requiring you to take any additional action. For more information about GPC and how to enable it, visit globalprivacycontrol.org.

13. Do United States residents have specific privacy rights?

In short: If you are a resident of California, Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Kentucky, Maryland, Minnesota, Montana, Nebraska, New Hampshire, New Jersey, Oregon, Rhode Island, Tennessee, Texas, Utah, or Virginia, you may have the right to request access to and receive details about the personal information we maintain about you, correct inaccuracies, get a copy, or delete your personal information. These rights may be limited in some circumstances by applicable law.

Categories of personal information we collect

The table below shows the categories of personal information we have collected in the past twelve (12) months.

Category	Examples	Collected
A. Identifiers	Online identifier, account user ID, click identifier, email address, hashed password, hashed session token	YES
B. California Customer Records (CA Civil Code §1798.80)	Name, signature, SSN, address, phone, financial info, etc.	NO
C. Protected classifications	Gender, age, race, ethnicity, marital status, etc.	NO
D. Commercial information	Activation history, postback events, redemption history	YES
E. Biometric information	Fingerprints, voiceprints	NO
F. Internet or other electronic network activity	Browsing history on supported retailers, click events, interactions with retailer pages	YES
G. Geolocation data	Device location	NO
H. Audio, electronic, sensory data	Recordings, images	NO
I. Professional or employment-related	Work history, professional qualifications	NO
J. Education information	Student records	NO
K. Inferences from collected information	Profiles or summaries about preferences/characteristics	NO
L. Sensitive personal information	SSN, financial account login, precise geolocation, health, biometric, etc.	NO

Sources of personal information

Personal information is collected directly from you (email address you save in the GrowRo dashboard), automatically from your interaction with the Services (URLs of supported retailers, click events, browser metadata), and from affiliate networks (postback events). For details, see "What information do we collect?" above.

How we use and share personal information

Learn more in "How do we process your information?" and "When and with whom do we share your personal information?" above.

We have not sold or shared any personal information to third parties for a business or commercial purpose in the preceding twelve (12) months.

We have disclosed the following categories of personal information to third parties for a business purpose in the preceding twelve (12) months:

Category A. Identifiers
Category D. Commercial information
Category F. Internet or other electronic network activity information

The categories of third parties to whom we disclosed personal information are listed under "When and with whom do we share your personal information?" above.

Your rights under US state law

You have rights under certain US state data protection laws. These rights are not absolute, and in certain cases we may decline your request as permitted by law. They include:

Right to know whether we are processing your personal data.
Right to access your personal data.
Right to correct inaccuracies in your personal data.
Right to request the deletion of your personal data.
Right to obtain a copy of the personal data you previously shared with us.
Right to non-discrimination for exercising your rights.
Right to opt out of the processing of your personal data if it is used for targeted advertising, the sale of personal data, or profiling in furtherance of decisions that produce legal or similarly significant effects. (We do not engage in any of these activities.)

How to exercise your rights

To exercise these rights, contact us at privacy@growro.com or via our contact page. We will verify your identity (using the email associated with your account or other information you provide) and respond within the time required by applicable law.

Appeals

Under certain US state data protection laws, if we decline to take action regarding your request, you may appeal our decision by emailing privacy@growro.com. We will inform you in writing of any action taken or not taken in response to the appeal, including a written explanation of the reasons. If your appeal is denied, you may submit a complaint to your state attorney general.

California "Shine the Light" law

California Civil Code §1798.83 permits California residents to request, once per year and free of charge, information about categories of personal information (if any) we disclosed to third parties for direct marketing purposes in the preceding calendar year. We do not disclose personal information to third parties for direct marketing purposes.

14. Roblox trademark notice

GrowRo is not affiliated with, endorsed by, or sponsored by Roblox Corporation. Roblox, Robux, and the Roblox Tilt logo are trademarks of Roblox Corporation. Our use of "Roblox" and "Robux" across the GrowRo product and in this Privacy Policy is descriptive — we issue Roblox gift cards as the payout to users — and is intended as nominative fair use only. We do not use Roblox's logo, the "Now on Roblox" badge, or any Roblox avatar or character artwork in our marketing materials.

15. Stand-down behavior

When you visit a supported retailer, the GrowRo browser extension checks whether another affiliate publisher has already referred you. If we detect prior attribution (via affiliate URL parameters such as cjevent, irclickid, awc, or ranmid, or known affiliate redirector domains), we record a session-length cooldown for that retailer in your browser's session storage and display a "paused" indicator instead of an activation banner. The cooldown clears automatically when you close the browser. We do not override another publisher's affiliate cookie. Decisions to pause are recorded in a server-side compliance audit log (capped at 5,000 entries) and contain only your account's user ID, the retailer domain, and the type of signal we detected.

16. Do we make updates to this notice?

In short: Yes — we will update this notice as necessary to stay compliant with relevant laws.

We may update this Privacy Notice from time to time. The updated version will be indicated by an updated "Last updated" date at the top. Material changes will be posted on growro.com with an updated effective date before the new version takes effect. Registered users will additionally receive an email notification of material changes at their account email address before the changes take effect.

17. How can you contact us about this notice?

If you have questions or comments about this notice, you may email us at privacy@growro.com, call us at +1 (347) 450-0718, or contact us by post at:

Shotai, LLC
c/o Legalinc Corporate Services Inc.
131 Continental Dr, Suite 305
Newark, DE 19713, USA

18. How can you review, update, or delete your data?

You have the right to request access to the personal information we collect from you, details about how we have processed it, correct inaccuracies, or delete your personal information. To exercise any of these rights, please visit our contact page or email privacy@growro.com.

19. Chrome Web Store data-use disclosure

GrowRo's use of information received from Chrome APIs and the Chrome Web Store will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. Specifically:

We use the data we collect (your account email and hashed password, your account's user ID, the OAuth profile data Google provides when you sign in with Google, retailer activation events, and stand-down decisions) only to provide and improve the single user-facing purpose of the GrowRo extension — earning and redeeming Robux Back when you shop at supported retailers.
We do not transfer user data to third parties for serving personalized, retargeted, or interest-based advertisements, and we do not use it to determine creditworthiness or for any lending purpose.
We do not allow humans to read user data except (a) with the user's explicit consent, (b) for security purposes (e.g. investigating abuse), (c) to comply with applicable law, or (d) when the data is aggregated and used for internal operations in accordance with applicable privacy laws.
The only third-party data transfer occurs at gift card redemption: we send the user's email address and the chosen tier to Tremendous, our gift card fulfillment vendor, so that Tremendous can email the redemption code. This transfer is necessary to provide the single purpose of the extension and is disclosed in section 4 above.