Grandhosting is built from the ground up with European data protection principles at its core. Here’s how we uphold your privacy.
Our Approach
The General Data Protection Regulation is the world’s strongest framework for protecting personal data. As a European company hosting European customers, we don’t just comply with GDPR — we embrace it as a design principle.
Every architectural decision we make, from where we place our servers to how we structure our database, considers data protection first. We collect only what we need, store it only where it’s safe, and give you full control over it at all times.
Data Residency
All of your website data — files, databases, backups, and media — is stored exclusively within the European Union. Our servers run on EU infrastructure in Germany, home to some of the strictest data protection laws in the world. Our data centers are ISO 27001 certified.
Your core hosting data stays in the EU: our servers and storage run in Germany, and your databases, backups and media are kept in EU regions. A small number of supporting services (such as the dashboard host, error-tracking, and our analytics and advertising tools) are operated by companies headquartered in the US; where that is the case, data is kept in EU regions wherever available and protected by Standard Contractual Clauses (SCCs). The complete list is in our sub-processor table below.
Under the GDPR, you have powerful rights over your personal data. Here’s what they mean in plain language.
Request a complete copy of all personal data we hold about you. We’ll provide it in a structured, readable format within 30 days.
If any of your data is inaccurate or incomplete, let us know and we’ll correct it promptly.
Request deletion of your personal data. We’ll erase it from all systems, subject only to legal retention obligations (like tax records).
Receive your data in a machine-readable format (JSON, SQL, archives) so you can move to another provider with zero lock-in.
Ask us to pause certain processing activities while you verify accuracy or contest our legal basis.
Object to processing based on legitimate interest. We’ll stop unless we can demonstrate compelling grounds that override your rights.
If you gave consent for any specific processing, you can withdraw it at any time. Withdrawal doesn’t affect the lawfulness of prior processing.
Send a request to our Data Protection Officer. We respond within 30 days, free of charge.
dpo@grandhosting.gr
We only share data with providers who are essential to running the platform. Each is bound by a Data Processing Agreement.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner Online GmbH | Servers, networking, compute, and object storage for website media | Germany | EU-based, ISO 27001 data centres |
| Bunny.net (BunnyWay d.o.o.) | CDN, DNS and web application firewall (WAF) | Slovenia (EU) | EU company, GDPR compliant |
| Cloudflare, Inc. (R2) | Encrypted backup and snapshot storage | EU storage region (company US) | SCCs, encryption at rest |
| Supabase, Inc. | User authentication, platform database | EU hosting region (company US) | SOC 2 Type II, SCCs in place |
| Stripe Payments Europe Ltd | Payment processing | Ireland (EU) | PCI DSS Level 1, SCCs in place |
| Resend | Transactional and authentication email delivery | Ireland (EU) | EU data region, minimal data (email + subject only) |
| Sentry (Functional Software, Inc.) | Error and exception tracking | EU data region (company US) | SOC 2, EU data residency, data scrubbing, SCCs |
| Vercel, Inc. | Hosting and delivery of the customer dashboard | US | SCCs in place |
| Featurebase | In-app feedback and support widget (name, email, country) | EU data region | GDPR compliant, identity via signed token |
| Google LLC (Google Analytics) | Website usage analytics | US | SCCs, loaded only after consent |
| Meta Platforms, Inc. (Meta Pixel) | Advertising, retargeting, conversion measurement | US | SCCs, loaded only after consent |
| Termly, Inc. | Cookie consent management | US | SCCs, stores consent records |
| Hosting Concepts B.V. (OpenProvider) | Domain registration/transfer for non-.gr domains | Netherlands (EU) | EU company, registrant data only |
| ICS-FORTH (.gr/.el registry) | Registration of .gr / .el domains | Greece (EU) | EU national registry, registrant data only |
Security Measures
Security isn’t a feature we bolted on — it’s woven into our architecture. Every website runs in complete isolation, and we layer multiple defenses to keep your data safe.
TLS 1.2+ for all data in transit. Encrypted storage for data at rest. Automatic SSL certificates via Let’s Encrypt.
Every website runs in its own isolated environment with dedicated resources. No shared processes, no data leakage between sites.
Automated scanning runs nightly across all sites. Suspicious files are flagged and reported immediately.
Automated daily backups with 30-day retention. Stored encrypted on secure storage in the EU.
Least-privilege access policies. No shared credentials. Role-based access for all platform operations.
Prometheus metrics, Loki log aggregation, and 13 alert rules watching for anomalies 24/7.
Breach Notification
In the unlikely event of a personal data breach, we are committed to full transparency. In accordance with GDPR Article 33, we will:
We maintain an incident response plan that is tested and updated regularly. Our engineering team monitors for security events around the clock.
Contact
Whether you have a question, a request, or a concern about how we handle your data, our DPO is here to help.
Email dpo@grandhosting.gr
You can also review our Privacy Policy and Data Processing Agreement for the full legal details.