Your data. Your rights.
Our commitment.

GrandHosting is built from the ground up with European data protection principles at its core. Here’s how we uphold your privacy.

GDPR isn’t a checkbox for us — it’s how we build.

The General Data Protection Regulation is the world’s strongest framework for protecting personal data. As a European company hosting European customers, we don’t just comply with GDPR — we embrace it as a design principle.

Every architectural decision we make, from where we place our servers to how we structure our database, considers data protection first. We collect only what we need, store it only where it’s safe, and give you full control over it at all times.

100% EU infrastructure. No exceptions for core data.

All of your website data — files, databases, backups, and media — is stored exclusively within the European Union. Our servers are operated by an EU infrastructure provider in Germany, home to some of the strictest data protection laws in the world. Our data centers are ISO 27001 certified.

This means your data never leaves the EU for core hosting operations. There are no US-based servers, no data mirroring to non-EU regions, and no “we’ll try to keep it in the EU” caveats. It’s EU-only by design.

  • Compute and networking — EU data centers, Germany
  • Block and file storage — EU data centers, Germany
  • Backups — Secure EU storage
  • CDN — GrandHosting CDN, EU edge nodes
  • Authentication and platform database — Supabase, EU region
  • Payments — Stripe, EU (Ireland)

Seven rights. Zero friction.

Under the GDPR, you have powerful rights over your personal data. Here’s what they mean in plain language.

Right to Access

Request a complete copy of all personal data we hold about you. We’ll provide it in a structured, readable format within 30 days.

Right to Rectification

If any of your data is inaccurate or incomplete, let us know and we’ll correct it promptly.

Right to Erasure

Request deletion of your personal data. We’ll erase it from all systems, subject only to legal retention obligations (like tax records).

Right to Data Portability

Receive your data in a machine-readable format (JSON, SQL, archives) so you can move to another provider with zero lock-in.

Right to Restrict Processing

Ask us to pause certain processing activities while you verify accuracy or contest our legal basis.

Right to Object

Object to processing based on legitimate interest. We’ll stop unless we can demonstrate compelling grounds that override your rights.

Right to Withdraw Consent

If you gave consent for any specific processing, you can withdraw it at any time. Withdrawal doesn’t affect the lawfulness of prior processing.

How to exercise your rights

Send a request to our Data Protection Officer. We respond within 30 days, free of charge.

dpo@grandhosting.gr

Who handles your data — and why

We only share data with providers who are essential to running the platform. Each is bound by a Data Processing Agreement.

Provider | Purpose | Location | Safeguards
EU Infrastructure Provider | Servers, networking, compute infrastructure | Germany | EU-based, ISO 27001, SOC 1 Type II
GrandHosting CDN | Media file delivery and caching | EU edge nodes | EU company (Slovenia), GDPR compliant
GrandHosting Backup Storage | Backup storage | EU region | EU data region, encryption at rest
Supabase | User authentication, platform database | EU region | SOC 2 Type II, EU hosting option
Stripe | Payment processing | Ireland (EU) | PCI DSS Level 1, SCCs in place
GrandHosting SMTP | Transactional email delivery | US (with EU handling) | SCCs, minimal data (email + subject only)
Sentry | Error tracking and monitoring | EU data region | SOC 2, EU data residency, data scrubbing

How we protect your data

Security isn’t a feature we bolted on — it’s woven into our architecture. Every website runs in complete isolation, and we layer multiple defenses to keep your data safe.

Encryption everywhere

TLS 1.2+ for all data in transit. Encrypted storage for data at rest. Automatic SSL certificates via Let’s Encrypt.

Complete site isolation

Every website runs in its own isolated environment with dedicated resources. No shared processes, no data leakage between sites.

Automated malware scanning

Automated scanning runs nightly across all sites. Suspicious files are flagged and reported immediately.

Daily backups

Automated daily backups with 30-day retention. Stored encrypted on secure storage in the EU.

Access controls

Least-privilege access policies. No shared credentials. Role-based access for all platform operations.

Continuous monitoring

Prometheus metrics, Loki log aggregation, and 13 alert rules watching for anomalies 24/7.

If something goes wrong, you’ll know within 72 hours

In the unlikely event of a personal data breach, we are committed to full transparency. In accordance with GDPR Article 33, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach
  • Notify affected individuals without undue delay if the breach is likely to result in a high risk to their rights and freedoms
  • Provide a clear description of the nature of the breach, the data involved, likely consequences, and the measures taken to address it
  • Document the breach and our response for accountability purposes

We maintain an incident response plan that is tested and updated regularly. Our engineering team monitors for security events around the clock.

Talk to our Data Protection Officer

Whether you have a question, a request, or a concern about how we handle your data, our DPO is here to help.

Email dpo@grandhosting.gr

You can also review our Privacy Policy and Data Processing Agreement for the full legal details.
