Last updated: March 14, 2026
1. Introduction
GrandHosting (“we,” “us,” or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.
We operate in full compliance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — and all applicable data protection laws of the Republic of Cyprus and the European Union.
This policy applies to all users of grandhosting.gr and the GrandHosting platform, including the dashboard, APIs, and hosted websites.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Name — your full name as provided during registration
- Email address — used for account access, notifications, and support
- Company name (optional) — if provided for billing purposes
- Country and VAT number (optional) — for EU tax compliance
2.2 Billing Information
Payment processing is handled entirely by Stripe. We do not store your credit card numbers, CVV codes, or full payment details on our servers. We receive and store only:
- Transaction history (amounts, dates, payment status)
- Last four digits of your card (for identification in the dashboard)
- Billing address (if provided)
2.3 Technical Information
When you use the Service, we automatically collect:
- Server logs — IP addresses, request timestamps, HTTP methods, URLs, status codes, and user agents
- Usage metrics — CPU, memory, and storage consumption per website (for billing and scaling)
- Error logs — application errors and stack traces (collected by Sentry for debugging)
2.4 Website Data
As your hosting provider, we store the data that makes up your website:
- WordPress files (themes, plugins, uploads)
- Database content (posts, pages, users, settings)
- Media files (images, documents, videos)
- Backup snapshots (files and database exports)
This data belongs to you. We process it solely to provide the hosting service. See our Data Processing Agreement for the legal framework governing this processing.
3. How We Use Your Information
We use the information we collect for the following purposes:
- Service provision — hosting your websites, processing deployments, managing your account
- Billing — calculating usage costs, processing payments, generating invoices
- Support — responding to your inquiries and resolving technical issues
- Security monitoring — detecting malware, preventing abuse, protecting infrastructure
- Service improvement — analyzing aggregate usage patterns to improve performance and reliability
- Legal compliance — fulfilling our obligations under EU tax and business regulations
- Communication — sending transactional emails (billing alerts, security notifications, service updates)
We do not use your data for advertising, profiling, or selling to third parties.
4. Legal Basis for Processing
Under the GDPR, we process your personal data based on the following legal grounds:
- Contract performance (Article 6(1)(b)) — processing necessary to provide the hosting service you’ve signed up for, including account management, billing, and support
- Legitimate interest (Article 6(1)(f)) — processing necessary for security monitoring, fraud prevention, abuse detection, and service improvement, where our interests do not override your fundamental rights
- Legal obligation (Article 6(1)(c)) — processing required to comply with EU tax regulations, anti-money laundering laws, and lawful data requests
- Consent (Article 6(1)(a)) — for any optional processing, such as marketing communications (you can withdraw consent at any time)
5. Data Sharing and Sub-Processors
We share personal data only with trusted service providers who assist us in operating the platform. Each sub-processor is bound by a Data Processing Agreement and processes data only as instructed by us.
- EU Infrastructure Provider — Infrastructure provider (servers, networking, load balancers). Location: Germany (EU). Provides the physical and virtual infrastructure where your websites and data are hosted.
- GrandHosting CDN — Content delivery network for media files. Location: EU edge nodes. Caches and delivers your media files globally for faster page loads.
- GrandHosting Backup Storage — Object storage for backups. Location: EU region. Stores encrypted backup snapshots of your website files and database.
- Supabase — Authentication and platform database. Location: EU region. Handles user authentication and stores platform-level data (account settings, billing records).
- Stripe — Payment processing. Location: EU (Ireland). Processes credit card payments and manages payment methods. Stripe is PCI DSS Level 1 certified.
- GrandHosting SMTP — Transactional email delivery. Location: processes in the US with EU data handling. Delivers emails such as billing alerts, security notifications, and password resets.
- Sentry — Error tracking and monitoring. Location: EU data region available. Collects application error reports to help us identify and fix bugs.
We do not sell, rent, or trade your personal data to any third party. We may disclose data if required by a valid court order or legal process, and we will notify you unless prohibited by law.
6. Data Retention
We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Account data — retained while your account is active and for 30 days after deletion
- Website data — retained while hosted and for 30 days after site deletion (for recovery purposes)
- Backups — retained for 30 days on a rolling basis, then permanently deleted
- Server logs — retained for 90 days, then automatically purged
- Billing records — retained for 7 years as required by EU tax law
- Support correspondence — retained for 2 years after last interaction
7. Your Rights
Under the GDPR, you have the following rights regarding your personal data:
- Right of access — you can request a copy of all personal data we hold about you
- Right to rectification — you can ask us to correct inaccurate or incomplete data
- Right to erasure (“right to be forgotten”) — you can request deletion of your personal data, subject to legal retention requirements
- Right to data portability — you can receive your data in a structured, machine-readable format and transfer it to another provider
- Right to restrict processing — you can ask us to limit how we process your data in certain circumstances
- Right to object — you can object to processing based on legitimate interest, and we will cease unless we have compelling grounds
- Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing
To exercise any of these rights, contact our Data Protection Officer at dpo@grandhosting.gr. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.
8. International Transfers
Your data is stored and processed exclusively within the European Union. Our servers are located in Germany (EU infrastructure), and we have selected sub-processors with EU data regions wherever possible.
Where a sub-processor processes data outside the EU (e.g., GrandHosting SMTP for email delivery), we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, or the sub-processor being certified under an adequacy decision.
9. Cookies
We take a minimal approach to cookies. The GrandHosting platform uses only essential cookies required for the service to function:
- Session cookies — to maintain your authenticated session while using the dashboard
- Security cookies — CSRF tokens and similar security measures
We do not use tracking cookies, advertising cookies, or third-party analytics cookies. We do not participate in cross-site tracking or behavioral advertising.
10. Children’s Privacy
The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at dpo@grandhosting.gr and we will promptly delete it.
11. Security
We implement appropriate technical and organizational measures to protect your personal data, including:
- Encryption in transit (TLS/SSL) and at rest
- Site isolation via isolated environments
- Automated malware scanning
- Access controls and least-privilege principles
- Regular security monitoring and incident response procedures
For more details, see the Security Measures section in our Data Processing Agreement.
12. Changes to This Policy
We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:
- Update the “Last updated” date at the top of this page
- Notify you by email at least 14 days before changes take effect
- Provide a summary of what changed
13. Contact Us
If you have questions about this Privacy Policy or how we handle your data, please reach out:
Grandhosting LTD
Lordou Vyronos 36, 1096 Nicosia, Cyprus
European Union