Legal

Privacy Policy

How we collect, use, and protect your personal data. We believe in minimal data collection and maximum transparency.

Last updated: March 14, 2026

1. Introduction

Grandhosting (“we,” “us,” or “our”) is committed to protecting your privacy and personal data. This Privacy Policy explains what information we collect, how we use it, and what rights you have in relation to it.

We operate in full compliance with the General Data Protection Regulation (GDPR) — Regulation (EU) 2016/679 — and all applicable data protection laws of the Republic of Cyprus and the European Union.

This policy applies to all users of grandhosting.gr and the Grandhosting platform, including the dashboard, APIs, and hosted websites.

2. Information We Collect

2.1 Account Information

When you create an account, we collect:

  • Name — your first and last name
  • Email address — used for account access, notifications, and support
  • Phone number — used for account verification and important account/billing notices

2.2 Billing & Tax Information

For invoicing and EU tax compliance, we collect:

  • Company name (optional) and VAT number (optional)
  • Billing address — street, city, postal code and country
  • Transaction history — amounts, dates, payment status, and the last four digits of your card (for identification only)

Card payments are processed entirely by Stripe. We do not store full card numbers or CVV codes.

2.3 Security & Sign-in Information

To protect your account, we collect and store sign-in and device information:

  • IP address and approximate location at sign-in
  • Device and browser information (user agent)
  • Login events and known devices — used to detect unusual activity and send new-device alerts
  • Two-factor authentication status (whether 2FA is enabled)

2.4 Technical Information

When you use the Service, we automatically collect:

  • Server logs — IP addresses, request timestamps, HTTP methods, URLs, status codes, and user agents
  • Usage metrics — CPU, memory, and storage consumption per website (for billing and scaling)
  • Error logs — application errors and stack traces (collected by Sentry for debugging)

2.5 Website Data

As your hosting provider, we store the data that makes up your website:

  • WordPress files (themes, plugins, uploads)
  • Database content (posts, pages, users, settings)
  • Media files (images, documents, videos)
  • Backup snapshots (files and database exports)

This data belongs to you. We process it solely to provide the hosting service. See our Data Processing Agreement for the legal framework governing this processing.

2.6 Domain Registration

If you register or transfer a domain through us, we collect the registrant contact details (name, address, email, phone) required by the relevant registry, and share them with the registry/registrar as needed to complete the registration (see Section 5).

3. How We Use Your Information

We use the information we collect for the following purposes:

  • Service provision — hosting your websites, processing deployments, managing your account
  • Billing — calculating usage costs, processing payments, generating invoices
  • Support — responding to your inquiries and resolving technical issues
  • Security monitoring — detecting malware, preventing abuse, protecting infrastructure
  • Service improvement — analyzing aggregate usage patterns to improve performance and reliability
  • Legal compliance — fulfilling our obligations under EU tax and business regulations
  • Communication — sending transactional emails (billing alerts, security notifications, service updates)

We do not sell your personal data. We use analytics and advertising cookies only with your consent (see Section 9, Cookies).

4. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

  • Contract performance (Article 6(1)(b)) — processing necessary to provide the hosting service you’ve signed up for, including account management, billing, and support
  • Legitimate interest (Article 6(1)(f)) — processing necessary for security monitoring, fraud prevention, abuse detection, and service improvement, where our interests do not override your fundamental rights
  • Legal obligation (Article 6(1)(c)) — processing required to comply with EU tax regulations, anti-money laundering laws, and lawful data requests
  • Consent (Article 6(1)(a)) — for any optional processing, such as marketing communications (you can withdraw consent at any time)

5. Data Sharing and Sub-Processors

We share personal data only with trusted service providers who assist us in operating the platform. Each sub-processor is bound by a Data Processing Agreement and processes data only as instructed by us.

  • Hetzner Online GmbH — Infrastructure (servers, networking, load balancers) and object storage for website media. Location: Germany (EU). The infrastructure where your websites and data are hosted.
  • Bunny.net (BunnyWay d.o.o.) — CDN, DNS and web application firewall (WAF). Location: Slovenia (EU). Speeds up and protects delivery of your site’s traffic globally.
  • Cloudflare, Inc. (R2) — Encrypted backup and snapshot storage. Location: EU storage region (company headquartered in the US — SCCs in place). Stores encrypted backups of your website files and database.
  • Supabase, Inc. — Authentication and platform database. Location: EU hosting region (company headquartered in the US — SCCs in place). Handles user authentication and stores platform-level data (account settings, billing records).
  • Stripe Payments Europe Ltd — Payment processing. Location: Ireland (EU). Processes payments and manages payment methods. PCI DSS Level 1 certified.
  • Resend — Transactional and authentication email delivery. Location: Ireland (EU); email address and subject only. Delivers emails such as billing alerts, security notifications, and password resets.
  • Sentry (Functional Software, Inc.) — Error and exception tracking. Location: EU data region (company headquartered in the US — SCCs in place). Collects error reports to help us fix bugs.
  • Vercel, Inc. — Hosting and delivery of the customer dashboard. Location: US (SCCs in place). Serves the dashboard application and processes related request data.
  • Featurebase — In-app feedback and support widget. Location: EU data region (GDPR compliant). Receives your name, email and country to power in-app support and feedback.
  • Google LLC (Google Analytics) — Website usage analytics. Location: US (SCCs in place). Set only with your consent.
  • Meta Platforms, Inc. (Meta Pixel) — Advertising, retargeting and conversion measurement. Location: US (SCCs in place). Set only with your consent.
  • Termly, Inc. — Cookie consent management (records your cookie choices). Location: US (SCCs in place).
  • Hosting Concepts B.V. (OpenProvider) — Domain registration and transfer for non-.gr domains. Location: Netherlands (EU). Receives domain registrant contact details.
  • ICS-FORTH (.gr/.el registry) — Registration of .gr / .el domains. Location: Greece (EU). Receives domain registrant contact details.

We do not sell, rent, or trade your personal data to any third party. We may disclose data if required by a valid court order or legal process, and we will notify you unless prohibited by law.

6. Data Retention

We retain your data for as long as necessary to provide the Service and fulfill the purposes described in this policy:

  • Account data — retained while your account is active and for 30 days after deletion
  • Website data — retained while hosted and for 30 days after site deletion (for recovery purposes)
  • Backups — retained for 30 days on a rolling basis, then permanently deleted
  • Server logs — retained for 90 days, then automatically purged
  • Billing records — retained for 7 years as required by EU tax law
  • Support correspondence — retained for 2 years after last interaction

7. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

  • Right of access — you can request a copy of all personal data we hold about you
  • Right to rectification — you can ask us to correct inaccurate or incomplete data
  • Right to erasure (“right to be forgotten”) — you can request deletion of your personal data, subject to legal retention requirements
  • Right to data portability — you can receive your data in a structured, machine-readable format and transfer it to another provider
  • Right to restrict processing — you can ask us to limit how we process your data in certain circumstances
  • Right to object — you can object to processing based on legitimate interest, and we will cease unless we have compelling grounds
  • Right to withdraw consent — where processing is based on consent, you may withdraw it at any time without affecting prior processing

To exercise any of these rights, contact our Data Protection Officer at dpo@grandhosting.gr. We will respond within 30 days. If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.

8. International Transfers

Your core hosting data (websites, databases, backups, media) is stored and processed within the European Union. Our servers are located in Germany, and we select sub-processors with EU data regions wherever possible.

Some supporting sub-processors are companies headquartered in the United States (for example Vercel for the dashboard, Google and Meta for consent-based analytics and advertising, and Cloudflare, Supabase, Sentry and Termly for the functions listed in Section 5). Where a sub-processor processes data outside the EU, we ensure adequate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission, and we keep data in EU regions where the provider offers them.

9. Cookies and Similar Technologies

We use cookies in two categories:

  • Essential cookies — required for the service to function, such as session cookies (to keep you logged in) and security/CSRF cookies. These are always active.
  • Analytics and marketing cookies — set only with your consent. These include Google Analytics (usage analytics) and the Meta Pixel (advertising and conversion measurement), which may transfer data to Google and Meta in the United States under appropriate safeguards (Standard Contractual Clauses).

When you first visit the site, our cookie consent banner lets you accept or reject non-essential cookies, and you can change your choice at any time through the cookie preferences link. Non-essential cookies are not loaded until you consent. For a full, current list of the cookies we use, see our Cookie Policy.

10. Children’s Privacy

The Service is not intended for use by individuals under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal information, please contact us at dpo@grandhosting.gr and we will promptly delete it.

11. Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (TLS/SSL) and at rest
  • Site isolation via isolated environments
  • Automated malware scanning
  • Access controls and least-privilege principles
  • Regular security monitoring and incident response procedures

For more details, see the Security Measures section in our Data Processing Agreement.

12. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. When we make material changes, we will:

  • Update the “Last updated” date at the top of this page
  • Notify you by email at least 14 days before changes take effect
  • Provide a summary of what changed

13. Contact Us

If you have questions about this Privacy Policy or how we handle your data, please reach out:

Grandhosting LTD
Lordou Vyronos 36, 1096 Nicosia, Cyprus
European Union

Early Access — Limited to First 100 Founding Members

Founding Member pricing.
Yours forever.

5.99 €/month per site. Every feature included. This price locks the moment you go live and never increases — even when we launch at 11.99 €.

Early access means direct access to our team. You’re not a ticket number. You’re a founding partner.

No commitment. Start free. Go live when you’re ready.

Create Free Demo SiteBecome a Beta Tester

Already hosted elsewhere? Managed migration, zero downtime →