
Privacy Policy

GrouHub OÜ - Registry code: 16057166 - FIU License: FIU000426 - Effective Date: 01.01.2026
 

Welcome to GrouHub. These Terms of Service ("Terms" or "ToS") govern your use of the services provided by GrouHub OÜ ("Provider", "we", "us", or "our"), a company registered in Estonia under registry code 16057166, operating under FIU license FIU000426.

By accessing or using our services, you ("Client", "you", or "your") agree to be bound by these Terms. If you do not agree to these Terms, you may not use our services.
 

1. INTRODUCTION AND DATA CONTROLLER

Protecting personal data is a high priority for GrouHub OÜ ("we", "us", "our", or the "Company"). This Privacy Policy explains how we collect, use, share, and protect personal data in connection with our services.
 

We are subject to Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation" or "GDPR") and the Estonian Personal Data Protection Act.
 

This Privacy Policy forms part of the contractual framework governing our relationship with clients, as set out in our Terms of Service.

 

Data Controller:

GrouHub OÜ - Registry code: 16057166 - FIU License: FIU000426

Address: Tööstuse tn 75-71, Tallinn, 10416, Estonia

Email: info@grouhub.co
 

2. DEFINITIONS
 

"Personal Data" means any information relating to an identified or identifiable natural person.

"Processing" means any operation performed on personal data, such as collection, recording, storage, use, disclosure, or erasure.

"Data Controller" means the entity that determines the purposes and means of processing personal data.

"Data Processor" means the entity that processes personal data on behalf of a controller.

"Data Subject" means the natural person whose personal data is being processed.

"Subprocessor" means a third party engaged by us to process personal data on our behalf or on behalf of our clients.
 

3. WHAT PERSONAL DATA WE COLLECT
 

We collect and process the following categories of personal data:

Identity Data: Name, date of birth, personal identification code, nationality, copies of identification documents (passport, ID card).

Contact Data: Email address, telephone number, postal address, IP address.

Business Data: Company name, registry code, VAT number, business address, information about beneficial owners and business activities.

Financial Data: Bank account details, payment card information (processed by our payment provider), transaction history and invoices, among other related and relevant data.

Employment Data: Employer name, job title, professional details (where relevant to our services).

Communication Data: Records of correspondence with us, including emails and support requests.

Technical Data: Browser type, device information, website usage data, cookies (see Section 11).

Special Category Data: We do not process special categories of personal data as defined in Article 9 of the GDPR (such as data revealing racial or ethnic origin, political opinions, religious beliefs, health data, or biometric data for identification purposes).
 

4. HOW WE COLLECT PERSONAL DATA
 

We collect personal data through the following means:

Directly from you: When you complete our KYC forms, registration forms, or contact us via email or our website.

From your company: When your employer or company engages our services and provides your details as a contact person, board member, or beneficial owner.

From third parties: From public registers (such as the Estonian Business Register), government authorities, or other service providers where necessary for our services or legal obligations.

Automatically: Through cookies and similar technologies when you visit our website (see Section 11).
 

5. PURPOSES AND LEGAL BASES FOR PROCESSING

We process personal data only where we have a valid legal basis under Article 6 of the GDPR. The table below sets out our processing activities, purposes, and legal bases:


 


6. DATA RETENTION


We retain personal data only for as long as necessary to fulfill the purposes for which it was collected, or as required by law. Specific retention periods are set out in the table above.
 

When personal data is no longer required, we securely delete or anonymize it. Some data may be retained longer where required by law (e.g., accounting records must be retained for 7 years under Estonian law; KYC records must be retained for 5 years after the end of the business relationship under the Money Laundering and Terrorist Financing Prevention Act).
 

7. WHO WE SHARE DATA WITH
 

We may share personal data with the following categories of recipients:
 

Subprocessors: We engage third-party service providers to assist in delivering our services. These include providers of: website hosting, payment processing, cloud storage and email services, accounting software, expense management, and professional services (accounting, legal).
 

A current list of our subprocessors is available upon request by contacting info@grouhub.co. We maintain Data Processing Agreements with all subprocessors to ensure adequate protection of personal data.
 

Authorities: We may disclose personal data to government authorities, including the Estonian Tax and Customs Board, the Financial Intelligence Unit (FIU), police, and other regulatory bodies where required by law or in response to valid legal process.
 

Professional advisors: We may share data with our legal advisors, auditors, and other professional consultants where necessary for the provision of their services to us.
 

Business transfers: In the event of a merger, acquisition, or sale of all or part of our business, personal data may be transferred to the acquiring entity.
 

8. INTERNATIONAL DATA TRANSFERS
 

Personal data may be transferred to, and processed in, countries outside the European Economic Area (EEA), including the United States. This occurs when we use service providers whose infrastructure or operations are located outside the EEA.
 

Where such transfers occur, we ensure that appropriate safeguards are in place to protect personal data, including:
 

(a) Transfers to countries that have been deemed to provide an adequate level of data protection by the European Commission;

(b) The European Commission's Standard Contractual Clauses (SCCs); and/or

(c) Other appropriate safeguards as permitted under GDPR Article 46.
 

You may request a copy of the safeguards we have put in place by contacting us at info@grouhub.co.
 

9. YOUR RIGHTS UNDER GDPR
 

Under the GDPR, you have the following rights regarding your personal data:
 

Right of access: You have the right to request confirmation of whether we process your personal data and, if so, to access that data and receive information about how it is processed.
 

Right to rectification: You have the right to request correction of inaccurate personal data or completion of incomplete data.
 

Right to erasure: You have the right to request deletion of your personal data in certain circumstances (e.g., when the data is no longer necessary for the purposes for which it was collected).
 

Right to restriction: You have the right to request restriction of processing in certain circumstances (e.g., while we verify the accuracy of your data).
 

Right to data portability: You have the right to receive your personal data in a structured, commonly used, machine-readable format and to transmit it to another controller, where processing is based on consent or contract and carried out by automated means.
 

Right to object: You have the right to object to processing based on legitimate interests, including profiling. You also have the right to object to processing for direct marketing purposes at any time.
 

Right to withdraw consent: Where processing is based on your consent, you may withdraw that consent at any time, without affecting the lawfulness of processing before withdrawal.
 

Right not to be subject to automated decision-making: You have the right not to be subject to decisions based solely on automated processing that produce legal or similarly significant effects. We do not currently use automated decision-making.
 

To exercise any of these rights, please contact us at info@grouhub.co. We will respond to your request within one month, unless the request is complex, in which case we may extend this period by up to two additional months.
 

Please note that some rights are not absolute and may be subject to legal limitations. For example, we may be required to retain certain data to comply with legal obligations (such as AML/KYC requirements).
 

Right to lodge a complaint: If you believe that we have violated your data protection rights, you have the right to lodge a complaint with the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon) or another competent supervisory authority.
 

10. MARKETING COMMUNICATIONS

 

We generally do not engage in mass marketing communications. However, we may occasionally send information about our services to existing clients based on our legitimate interest in promoting relevant services.

You may opt out of marketing communications at any time by:

(a) Clicking the unsubscribe link in any marketing email; or

(b) Contacting us at info@grouhub.co.

Opting out of marketing will not affect service-related communications (such as invoices, service updates, or legally required notices).

11. COOKIES AND TRACKING TECHNOLOGIES

Our website is hosted on Wix.com. Wix uses cookies and similar tracking technologies to enable website functionality, analyze usage, and provide personalized content.
 

For detailed information about the cookies used on our website, including how to manage your cookie preferences, please refer to the Wix Cookie Policy available at: https://www.wix.com/about/cookie-policy
 

By using our website, you consent to the use of cookies in accordance with the Wix Cookie Policy and any cookie consent mechanism displayed on our website.

 

12. DATA SECURITY
 

We take the security of personal data seriously and have implemented appropriate technical and organizational measures to protect against unauthorized access, loss, destruction, or alteration. These measures include:
 

(a) Access controls limiting data access to authorized personnel only;

(b) Encryption of data in transit and at rest where appropriate;

(c) Regular security assessments and updates;

(d) Confidentiality agreements with employees and contractors;

(e) Secure backup procedures;

(f) Firewalls and intrusion detection systems.
 

Personal data is primarily stored on servers located within the European Union. Where data is processed by subprocessors outside the EU, appropriate safeguards are in place as described in Section 8.

 

13. DATA PROCESSING AGREEMENT
 

13.1 Scope and Instructions

We process personal data only on documented instructions from the client (the Data Controller), unless required to do otherwise by applicable law. The subject matter, duration, nature, and purpose of processing, as well as the types of personal data and categories of data subjects, are determined by the service agreement with the client.
 

13.2 Confidentiality

We ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
 

13.3 Security Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 12 of this Privacy Policy.
 

13.4 Subprocessors

We may engage subprocessors to assist in providing services. A list of current subprocessors is available upon request. We will inform clients of any intended changes to subprocessors, giving clients the opportunity to object. We ensure that subprocessors are bound by data protection obligations no less protective than those in this Section 13.
 

13.5 Data Subject Rights

We assist the client in responding to requests from data subjects exercising their rights under GDPR, taking into account the nature of the processing.
 

13.6 Security Incidents

We notify the client without undue delay upon becoming aware of a personal data breach affecting the client's data. We provide reasonable assistance to the client in meeting its breach notification obligations under Articles 33 and 34 of the GDPR.
 

13.7 Deletion and Return of Data

Upon termination of services, we delete or return all personal data processed on behalf of the client, unless retention is required by applicable law. Accounting records and related documentation may be retained for up to 7 years as required by Estonian law.
 

13.8 Audit Rights

We make available to the client all information necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the client or an auditor mandated by the client, subject to reasonable notice and confidentiality obligations.
 

13.9 International Transfers

We do not transfer personal data processed on behalf of clients outside the EEA without the client's prior authorization and without ensuring appropriate safeguards are in place as described in Section 8.

14. CHILDREN'S PRIVACY

Our services are not directed at persons under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have inadvertently collected personal data from a child, we will take steps to delete such data promptly.

15. CHANGES TO THIS PRIVACY POLICY

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or for other operational reasons.
 

Material changes will be communicated by email or by posting a prominent notice on our website at least 30 days before the changes take effect. We encourage you to review this Privacy Policy periodically.
 

The "Effective Date" at the top of this document indicates when the current version became effective.

 

22. CONTACT INFORMATION
 

If you have any questions about these Terms or our services, please contact us at:
 

GrouHub OÜ - Registry code: 16057166

Address: Tööstuse tn 75-71, 10416, Tallinn, Estonia

Email: info@grouhub.co & hello@grouhub.co

Website: www.grouhub.co


 
