Privacy Policy

Effective Date: 29 April 2026
Last Updated: 29 April 2026

This Privacy Policy explains how Gridharbor Ltd, a company incorporated in Cyprus under company number HE 491591, with its registered office at 7 Machiton Eldyk Street, Agios Athanasios, 4104, Limassol, Cyprus (“Gridharbor”, “Company”, “we”, “us”, or “our”), collects, uses, stores, discloses, and protects personal data in connection with our website, business communications, and professional services.

Gridharbor provides IT consulting and software development services, including advisory services for businesses in the areas of fintech, digital platforms, cloud-based systems, software architecture, technical integrations, and related technology solutions.

This Privacy Policy applies when you visit our website, contact us, request information, engage us for services, communicate with our team, or otherwise interact with us.

For the purposes of applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Cyprus data protection legislation, Gridharbor generally acts as a data controller in relation to personal data collected through our website, business communications, client onboarding, contracting, billing, and service administration.

Where we process personal data strictly on behalf of a client as part of software development, IT consulting, cloud implementation, technical support, integrations, testing, maintenance, or similar professional services, we may act as a data processor under a separate data processing agreement, service agreement, or contractual data protection clause with that client.

1. Personal Data We Collect

1.1 Contact and Identification Data

This may include:

  • full name;
  • business email address;
  • telephone number;
  • job title or role;
  • company name;
  • country of residence or business location;
  • postal or business address;
  • any other information you voluntarily provide when contacting us.

1.2 Business and Client Relationship Data

Where you or your organisation engage with us, we may process:

  • information about your company, project, business needs, or technical requirements;
  • communication history;
  • proposal, quotation, contract, statement of work, purchase order, and invoice details;
  • service request details;
  • meeting notes and project-related correspondence;
  • information necessary to manage our business relationship with you or your organisation.

1.3 Technical and Website Data

When you visit our website, we may process limited technical data necessary for website availability, security, troubleshooting, and basic operation, such as:

  • IP address;
  • browser type and version;
  • device type;
  • operating system;
  • approximate location based on technical identifiers;
  • time and date of access;
  • pages requested;
  • referring website or source;
  • server logs and similar technical records.

Our website does not use cookies or similar tracking technologies for analytics, advertising, profiling, or behavioural tracking purposes.

1.4 Communication Data

If you contact us by email, website form, phone, messaging platform, or other communication channels, we may process:

  • the content of your message;
  • contact details used for correspondence;
  • attachments or documents you provide;
  • records of our responses;
  • information necessary to handle your request or maintain business correspondence.

1.5 Professional, Technical, and Project Data

Depending on the nature of the services, we may receive, access, or process limited personal data contained in:

  • project documentation;
  • technical specifications;
  • system requirements;
  • user stories;
  • project management tools;
  • support tickets;
  • testing environments;
  • access management records;
  • audit logs or system logs;
  • client systems, databases, cloud environments, repositories, or integrations, where relevant to the agreed services.

Clients should not provide production personal data, live credentials, identity documents, financial data, special category data, or other sensitive information unless this is strictly necessary for the agreed services, expressly authorised, and covered by appropriate contractual, technical, and organisational safeguards.

1.6 Special Category Data

We do not intentionally collect or request special categories of personal data, such as health data, biometric data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life, sexual orientation, or similar sensitive data.

We also do not intentionally collect or request personal data relating to criminal convictions or offences.

If such data is provided to us by a client or third party in connection with a specific project, it must be strictly necessary for the agreed services, shared on a lawful basis, and protected by appropriate contractual, technical, and organisational safeguards.

2. How We Collect Personal Data

We may collect personal data:

  • directly from you when you contact us or complete a website form;
  • from your employer, company, or authorised representative;
  • during business negotiations, onboarding, contracting, or service delivery;
  • through limited technical website logs and security technologies;
  • through email, calls, meetings, or project management channels;
  • from publicly available business sources, where relevant and lawful;
  • from third-party service providers used for communication, hosting, security, project administration, billing, or business operations.

3. Personal Data Received From Third Parties

We may receive personal data about you from third parties, including your employer, company, authorised representative, client, business partner, publicly available business source, or service provider.

This may include your name, business contact details, role, company affiliation, communication records, project-related information, or information necessary to manage a business relationship, provide services, or comply with legal obligations.

Where required by applicable data protection laws, we will provide relevant privacy information to you within the period required by law, unless an exemption applies.

4. Purposes and Legal Bases for Processing

We process personal data only where we have a lawful basis to do so. Depending on the context, we may rely on one or more of the following legal bases.

4.1 Performance of a Contract

We may process personal data where necessary to:

  • provide IT consulting, advisory, software development, cloud, fintech, digital platform, and related services;
  • prepare proposals, quotations, statements of work, and service agreements;
  • communicate with clients and their representatives;
  • manage projects, deliverables, support requests, and technical work;
  • issue invoices and administer payments;
  • perform contractual obligations owed to you or your organisation.

4.2 Legitimate Interests

We may process personal data where necessary for our legitimate business interests, provided that such interests are not overridden by your rights, freedoms, or interests.

This may include:

  • responding to business enquiries;
  • maintaining client, supplier, and professional relationships;
  • improving our website, services, communications, and internal processes;
  • securing our website, systems, networks, infrastructure, and communications;
  • preventing misuse, fraud, spam, security incidents, or unauthorised access;
  • keeping appropriate business and project records;
  • managing professional communications;
  • protecting our legal, commercial, and operational interests;
  • establishing, exercising, or defending legal claims.

4.3 Legal Obligations

We may process personal data where necessary to comply with applicable legal, tax, accounting, corporate, regulatory, record-keeping, or reporting obligations, and to respond to lawful requests from public authorities, regulators, courts, or law enforcement bodies.

4.4 Consent

We may rely on your consent where required by law, for example for optional marketing communications or specific processing activities.

Where processing is based on consent, you may withdraw your consent at any time. Withdrawal of consent does not affect the lawfulness of processing carried out before consent was withdrawn.

5. How We Use Personal Data

We may use personal data to:

  • respond to enquiries and requests;
  • assess whether our services are suitable for a potential client;
  • provide IT consulting, software development, technical advisory, cloud, fintech, digital platform, and related services;
  • prepare, negotiate, and perform contracts;
  • manage client accounts and project delivery;
  • provide technical support and service administration;
  • communicate regarding updates, meetings, deliverables, and business matters;
  • send service-related, contractual, administrative, or legal notices;
  • improve our website, communications, and professional services;
  • maintain internal business records;
  • protect the security and integrity of our website, systems, infrastructure, and communications;
  • comply with applicable laws and legal obligations;
  • manage disputes, legal claims, audits, or investigations.

We do not sell personal data.

6. Marketing Communications

We may send marketing or business development communications to existing or prospective business contacts where permitted by applicable law, including where we have your consent or where we rely on our legitimate interests.

You may opt out of marketing communications at any time by contacting us at information@gridharbor.net or by using the unsubscribe mechanism included in such communications, where available.

Service-related, transactional, contractual, legal, security, or administrative communications are not marketing communications and may still be sent where necessary.

7. Cookies and Similar Technologies

Our website does not use cookies or similar tracking technologies for analytics, advertising, profiling, or behavioural tracking purposes.

We may use strictly necessary technologies only where required for the basic operation, security, availability, or integrity of the website. These technologies do not require consent where they are strictly necessary to provide the website.

If we introduce analytics, advertising, functional, or other non-essential cookies or similar technologies in the future, we will update this Privacy Policy and, where required by law, request your consent before using them.

8. Disclosure of Personal Data

We may disclose personal data only where necessary and lawful, including to:

  • hosting, cloud, IT infrastructure, and cybersecurity providers;
  • email, communication, CRM, project management, and collaboration tool providers;
  • payment, accounting, tax, audit, and bookkeeping providers;
  • legal, compliance, and professional advisers;
  • subcontractors, developers, consultants, or technical specialists engaged to support service delivery;
  • clients, where data is processed as part of agreed project work;
  • public authorities, courts, regulators, or law enforcement bodies where required by law;
  • potential buyers, investors, successors, or professional advisers in connection with a business restructuring, merger, acquisition, financing, or sale of assets.

We require service providers, contractors, and subcontractors to process personal data only for authorised purposes and to apply appropriate confidentiality, contractual, technical, and organisational safeguards.

Where we act as a processor on behalf of a client, the use of subprocessors will be governed by the applicable data processing agreement, service agreement, or contractual data protection clause.

9. International Transfers

Some of our service providers, subcontractors, technical infrastructure providers, or business tools may be located outside Cyprus or the European Economic Area (“EEA”).

Where personal data is transferred outside the EEA, we will take steps designed to ensure that the transfer is lawful and that personal data remains protected in accordance with applicable data protection laws.

Such safeguards may include:

  • adequacy decisions adopted by the European Commission;
  • Standard Contractual Clauses approved by the European Commission;
  • supplementary contractual, technical, and organisational safeguards;
  • transfer risk assessments, where required.

10. Data Security

We apply appropriate technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

These measures may include, where appropriate:

  • access controls and user permission management;
  • least-privilege access principles;
  • authentication and password controls;
  • secure credential management;
  • secure communication channels;
  • encryption where appropriate;
  • confidentiality obligations for personnel and contractors;
  • secure hosting and infrastructure providers;
  • data minimisation practices;
  • internal access restrictions;
  • environment segregation, where appropriate;
  • backup and recovery procedures;
  • monitoring, logging, and incident response processes;
  • vulnerability management;
  • secure development practices;
  • supplier and subcontractor controls.

No method of transmission or storage is completely secure. However, we take reasonable steps to protect personal data in line with the nature of the data, the processing context, and the risks involved.

11. Personal Data Breaches and Security Incidents

Where we act as a data controller and become aware of a personal data breach, we will assess the nature, scope, and potential impact of the incident and take appropriate measures in accordance with applicable data protection laws.

Where required by law, we will notify the competent supervisory authority and, where applicable, affected individuals.

Where we act as a data processor on behalf of a client, we will notify the relevant client without undue delay after becoming aware of a personal data breach affecting personal data processed on that client’s behalf, in accordance with the applicable data processing agreement or contractual data protection clause.

12. Data Retention

We retain personal data only for as long as reasonably necessary for the purposes for which it was collected, including to provide services, manage client relationships, comply with legal obligations, resolve disputes, maintain business records, and establish, exercise, or defend legal claims.

Unless a longer retention period is required or permitted by law, we generally apply the following indicative retention periods:

  • Enquiry and contact data: up to 24 months after the last meaningful communication, unless a longer period is necessary for business follow-up, legal, or compliance purposes.
  • Client and contract data: for the duration of the business relationship and up to 6 years thereafter, unless a longer period is required or permitted by law.
  • Accounting, invoicing, tax, and payment records: for at least 6 years, or for any longer period required under applicable Cyprus tax, accounting, or corporate laws.
  • Website technical logs: for up to 12 months, unless longer retention is necessary for security monitoring, troubleshooting, investigation, legal claims, or compliance purposes.
  • Project-related records: for the duration of the project and for a reasonable period thereafter, depending on contractual, support, audit, warranty, legal, or operational requirements.
  • Legal correspondence and dispute-related records: for as long as necessary to establish, exercise, or defend legal claims.
  • Marketing data: until you opt out, withdraw consent, or the data is no longer required for lawful marketing purposes.

When personal data is no longer required, we will delete it, anonymise it, or securely restrict access to it, unless continued retention is required or permitted by law.

13. Your Data Protection Rights

Subject to applicable legal conditions and limitations, you may have the following rights:

  • Right of access — to request confirmation of whether we process your personal data and obtain a copy of such data.
  • Right to rectification — to request correction of inaccurate or incomplete personal data.
  • Right to erasure — to request deletion of your personal data in certain circumstances.
  • Right to restriction of processing — to request limitation of processing in certain circumstances.
  • Right to data portability — to receive certain personal data in a structured, commonly used, machine-readable format.
  • Right to object — to object to processing based on legitimate interests or to direct marketing.
  • Right to withdraw consent — where processing is based on consent.
  • Right to lodge a complaint — with a competent supervisory authority.

To exercise your rights, please contact us at information@gridharbor.net.

We may need to verify your identity before responding to your request. We will respond to requests within the timeframe required by applicable data protection laws.

14. Automated Decision-Making and Profiling

We do not use personal data to make decisions based solely on automated processing, including profiling, that produce legal effects concerning you or similarly significantly affect you.

If this changes in the future, we will update this Privacy Policy and provide any additional information required by applicable data protection laws.

15. Data Protection Officer

We have not appointed a Data Protection Officer, as we are not currently required to do so under applicable data protection laws.

Privacy-related enquiries may be sent to information@gridharbor.net.

If we appoint a Data Protection Officer in the future, we will update this Privacy Policy with the relevant contact details.

16. Supervisory Authority

As Gridharbor Ltd is established in Cyprus, you may contact the Office of the Commissioner for Personal Data Protection in Cyprus if you believe that your personal data has been processed unlawfully or that your data protection rights have not been respected.

Further information is available on the Commissioner’s official website.

We encourage you to contact us first so that we can try to address your concern directly.

17. Third-Party Websites

Our website may contain links to third-party websites, platforms, or services.

We are not responsible for the privacy practices, security, or content of such third-party websites. You should review their privacy policies before submitting any personal data to them.

18. Client-Provided Data and Processor Role

In certain projects, clients may provide us with access to systems, databases, environments, logs, repositories, tickets, cloud resources, or datasets that may contain personal data.

In such cases, Gridharbor may process personal data on behalf of the client and in accordance with the client’s documented instructions.

Where required, the relevant processing will be governed by a separate data processing agreement, service agreement, or contractual data protection clause, which may address:

  • subject matter and duration of processing;
  • nature and purpose of processing;
  • categories of data subjects and personal data;
  • processing instructions;
  • confidentiality obligations;
  • security measures;
  • use of subprocessors;
  • assistance with data subject requests;
  • assistance with security incidents and personal data breaches;
  • deletion or return of data;
  • audit and compliance obligations.

Clients remain responsible for ensuring that any personal data they provide to us, or make available to us, has been collected and shared lawfully and that appropriate notices, consents, authorisations, access controls, and security measures are in place.

Clients should not provide production personal data, live credentials, special category data, financial data, identity documents, or other sensitive information unless this is strictly necessary for the agreed services, expressly authorised, and covered by appropriate safeguards.

Where access to client systems or environments is required, clients remain responsible for granting appropriate access permissions, limiting access to what is necessary, and revoking access when it is no longer required.

19. Children’s Data

Our website and services are intended for business and professional users.

We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child without an appropriate legal basis, we will take reasonable steps to delete it.

20. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our services, legal requirements, technologies, or business operations.

The updated version will be published on our website with a revised “Last Updated” date. We encourage you to review this Privacy Policy periodically.

21. Contact Details

If you have any questions about this Privacy Policy or how we process personal data, please contact us at:

Gridharbor Ltd
Company number: HE 491591
Registered office: 7 Machiton Eldyk Street, Agios Athanasios, 4104, Limassol, Cyprus
Email: information@gridharbor.net
Website: https://gridharbor.net