Legal documents
Cookie Policy
Version v.1.0, effective September 15, 2025
1. Who we are and why this document exists
1.1. Who we are.
We are gro.now, an online platform for surveys, research, tests, contests, and other activities—a Kazakhstani company LLP "Gro.now" (BIN 241040012133), operating under the brand gro.now.
Details and contacts for LLP "Gro.now": Republic of Kazakhstan, Almaty, Bostandyk district, Satpaev St., 90/54, Apt. 5, index 050000; e-mail: hi@gro.now; website: https://gro.now/ (hereinafter referred to as "We", "gro.now").
Details and contacts for LLP "Gro.now": Republic of Kazakhstan, Almaty, Bostandyk district, Satpaev St., 90/54, Apt. 5, index 050000; e-mail: hi@gro.now; website: https://gro.now/ (hereinafter referred to as "We", "gro.now").
1.2. What this document is.
This Policy explains which cookies, SDKs, pixels, and similar technologies (hereinafter - Cookie) we use on the website https://gro.now/ (hereinafter – the Site) in the gro.now interfaces, for what purposes, and how you can manage your choices.
2. What we mean by 'Cookie'
2.1. By 'Cookie' we mean:
- cookie files (first-party and third-party);
- localStorage/SessionStorage;
- pixels/tags (including counters, web beacons);
- SDKs (in applications/bots);
- unique identifiers and technical markers (e.g., session tokens);
- limited device-/browser-signals for anti-fraud (e.g., user-agent, language, time zone, OS/browser version), without attempting to create a persistent 'digital fingerprint' beyond what is necessary.
2.2. We identify the following categories of Cookies
- 2.2.1. Strictly Necessary (Mandatory)
They ensure the operation and security of the Site: authorization, session maintenance, load balancing, protection against abuse, recording of consent. They cannot be disabled without degrading the service.
Example purposes: sessions (gro_session), CSRF, load balancing (lb_route), consent logging (gro_consent). - 2.2.2. Functional
They enhance convenience: saving language, auto-filling forms, providing tooltips. Disabling is possible, but some functions will become less convenient. - 2.2.3. Analytics and Performance
They help understand how pages and scenarios are used, and improve stability (errors, delays, navigation). By default, they are used in an implied-consent model; in opt-in regions, they are enabled only with active consent. - 2.2.4. Marketing/Attribution/Retargeting (if connected)
They assess campaign effectiveness, attribute traffic sources, and personalize offers. They are enabled based on an implied-consent model (except in regions with mandatory opt-in) and are always indicated in Appendix A. - 2.2.5. Anti-fraud and Data Integrity (research checks)
For protection against bots, multiple accounts, automated scripts, and ensuring uniqueness of participation in research/surveys (see Section 5). They are classified as strictly necessary in the context of the activity.
3. What we collect using Cookies
3.1. Depending on the category and scenario, the following may be processed:
- session/user identifiers within gro.now;
- technical parameters of the browser/device (user-agent, language, timezone, screen resolution) – primarily for compatibility and anti-fraud;
- navigation and interface events (transitions, clicks, load times, errors);
- UTM tags and referrers (marketing/attribution);
- activity participation markers (fact/stage/outcome, without reading content outside the scenario);
- pseudonymized device tags to prevent repeat participation.
3.2.
We do not collect sensitive data categories through Cookies and do not combine them with external profiles outside the purposes described here.
4. Linking Cookies to an account
When technical identifiers are linked to an account/contact, such data becomes personal. Your rights and our obligations under the corresponding personal data processing policy (access, deletion, restriction, etc.) apply to them.
5. Legal basis
5.1.
For strictly necessary and anti-fraud Cookies, the legal basis for processing is the performance of the user agreement/activity rules and/or the legitimate interest of gro.now to maintain the functionality, security, and quality of data.
5.2.
For functional, analytical, and marketing Cookies, the legal basis is your consent, expressed through conclusive actions (continuing to use the Site, navigating pages, logging in, submitting a form) or active consent (in opt-in regions).
5.3. Consent model.
- 5.3.1. On your first visit to the Site, we display a notification/banner with a link to this Policy.
- 5.3.2. The current version of the Site operates on a model without individual settings: By staying on the Site and using its functionality, you agree to the use of all Cookies we use, in the scope described in this Policy.
- 5.3.3. If you do not agree, you can: (i) leave the Site; (ii) restrict/delete Cookies in your browser settings; (iii) send us a request to minimize marketing tags for your browser.
- 5.3.4. We maintain a consent log (minimal metadata: date/time, banner/policy version, URL/channel, action type, hash of user-agent/IP within permissible limits). The log is stored for up to 3 years.
5.4. Regional clause.
In jurisdictions where prior active consent (opt-in) is required for non-strictly necessary Cookies (e.g., EU/EEA/UK), we display a localized banner/modal window with category management. In such a situation, the displayed version and the consent log are managed separately.
6. How to manage Cookies
6.1.
You can delete or block cookies in your browser settings. Instructions are available in your browser's help section (Chrome, Safari, Edge, Firefox, etc.).
6.2.
Clearing Cookies will log you out of your account, reset your preferences, and may limit the functionality of the Site.
6.3.
You can revoke consent for non-strictly necessary cookies by clearing our domain's cookies and not continuing to use the Site.
7. Recipients and third parties
7.1. Providers (sub-processors).
- 7.1.1. We may use providers for hosting/CDN, analytics, diagnostics, e-mail/SMS distribution, fraud protection, and activity partner-organizers (when required by the terms of a specific activity).
- 7.1.2. We use reliable third-party providers for analytics, data storage, email delivery, user authentication, and AI-based functions. Such providers may include:
- Google Analytics (https://policies.google.com/privacy),
- Yandex.Metrica (https://yandex.ru/legal/confidential/ru/),
- MongoDB Atlas (https://www.mongodb.com/legal/privacy/privacy-policy),
- Brevo (https://www.brevo.com/legal/privacypolicy/),
- Firebase Auth (https://policies.google.com/privacy),
- Google Gemini API (https://policies.google.com/privacy).
- 7.1.3. By default, partners are provided with aggregated/anonymized statistics. Personal data is transferred only when there is a legal basis and if it is necessary for the purpose.
7.2. Partners
- 7.2.1. Who they are. 'Partners' are external legal entities on whose behalf or in whose interest an activity (survey, product testing, promotion, prize draw, etc.) is conducted on our platform, as well as organizations with whom we jointly implement research projects. This includes:
- Research clients (brands/companies, NGOs, research agencies, academic institutions) who post activities on the platform;
- Co-organizers/partners for joint programs (co-branding);
- Marketing/media partners within a specific campaign (publishing an activity landing page, promotional materials);
- Partners for fulfilling activity conditions (e.g., issuers of gift certificates/vouchers, logistics operators for physical delivery of rewards), if this is explicitly provided for in the activity rules.
- 7.2.2. Role. The Partner's role depends on the specific activity:
- In a typical case, the Partner is an independent controller of the research results/aggregated data;
- In joint projects, a joint controllership arrangement is possible;
- In rare cases, a Partner may act as a processor for purposes defined by us (e.g., distributing rewards on our behalf). The specific role is reflected in the activity materials (description, rules) and/or in our contract with the Partner.
- 7.2.3. What we transfer by default. Only aggregated/anonymized metrics (reach, conversion, group breakdowns). Cookie identifiers and the behavior of a specific user are not transferred.
- 7.2.4. When transfer of personal data is possible. Only if it is necessary for the purpose of the activity and there is a basis (usually your consent or performance of the participation terms). We transfer the minimum set (e.g., e-mail for sending a certificate).
- 7.2.5. Partner tags/pixels. They are loaded selectively on activity landing pages and only with consent in the current mode (see section 5). The partner does not use data collected through our pages outside the activity.
- 7.2.6. Restrictions. There is no 'sale' of data; re-identification and merging with external databases without a separate basis/consent are prohibited. Marketing from the Partner is only with your separate consent.
- 7.2.7. Where Partners are listed. On the landing page/description of the specific activity and (if necessary) in its rules.
8. Cross-border transfer
If data is transferred outside your country, we ensure the protective measures stipulated by law. Details are in the corresponding policy on the processing of personal data.
9. Cookie processing periods
- 9.1. Session/security — up to 12 months;
- 9.2. Record of your consent – 3 years from the moment of obtaining consent;
- 9.3. Analytics – up to 24 months with subsequent aggregation/anonymization;
- 9.4. Marketing - up to 13 months or less;
- 9.5. Anti-fraud/quality of participation - up to 12 months after the end of the activity. Actual periods may differ depending on the provider/technology and legal requirements.
10. Changes to the Policy
10.1. Why and when we update
We review the Policy if there are changes in: the law, how the service works, the technologies used (e.g., new SDKs), the list of data recipients, or storage periods. Also, based on the results of security audits and user feedback.
10.2. What kind of changes there are
Minor (editorial): clarifications of wording, structural edits, correction of typos – we publish without a separate notification.
Substantial: new data categories/purposes, changes in legal grounds, expansion of the circle of recipients or cross-border transfers, changes in storage periods that affect your rights.
Substantial: new data categories/purposes, changes in legal grounds, expansion of the circle of recipients or cross-border transfers, changes in storage periods that affect your rights.
10.3. How we notify you
For substantial changes, we provide advance notice in the interface and/or by e-mail. Usually, no later than 3 calendar days before they take effect.
If the changes are related to security or a mandatory legal requirement, we may apply them immediately, notifying you in parallel.
If the changes are related to security or a mandatory legal requirement, we may apply them immediately, notifying you in parallel.
10.4. When changes take effect
The effective date is indicated in the Policy header. Use of the Site and the gro.now interfaces after publication means consent to the current version. If the law requires separate consent (e.g., for a new purpose), we will explicitly request it.
10.5. New purposes and consent
If a purpose incompatible with the original one arises, we will either process the data only in an anonymized form or obtain new consent. Consent can be withdrawn at any time.
10.6. Archive of versions
We keep an archive of previous versions of the Policy for at least 3 years. Upon request, we will provide the necessary version and explain how they differ.
11. Date and entry into force.
Policy Version: v.1.0 of September 15, 2025. The Policy is effective from the moment of publication, unless otherwise specified.