Last updated: May 2026

This Privacy Policy explains how Grecta Compliance OÜ (“Grecta”, “we”, “our”, or “us”), a company registered in Estonia, collects, uses, and protects personal data when you visit grecta.com or use our platform.

This Policy is designed to comply with the EU General Data Protection Regulation (GDPR), the Estonian Personal Data Protection Act, the UK GDPR, Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Singapore’s Personal Data Protection Act (PDPA), and other applicable privacy laws globally.

1. Who We Are

Grecta Compliance OÜ is the data controller for personal data collected through grecta.com and portal.grecta.com.

Contact: Grecta Compliance OÜ, Kesklinna linnaosa, Tornimäe tn 5, 10145 Estonia, privacy@grecta.com

2. What Data We Collect

2.1 Data you provide directly

  • Name and job title
  • Company name and size
  • Email address
  • AI system descriptions submitted during onboarding
  • Compliance documentation uploaded to the platform
  • Communications with our team

2.2 Data collected automatically

  • IP address and approximate location
  • Browser type and version
  • Device type and operating system
  • Pages visited and time spent on site
  • Referral source
  • Cookie identifiers (see Section 8)

2.3 Data from third parties

We may receive limited data from integration partners (such as identity providers used for single sign-on) where you have authorised such sharing.

3. How We Use Your Data

We process your personal data for the following purposes:

Purpose | Legal Basis
Providing access to the Grecta platform | Performance of contract
Account registration and management | Performance of contract
Sending product updates and compliance alerts | Legitimate interests
Responding to enquiries and support requests | Legitimate interests
Improving our platform and services | Legitimate interests
Sending marketing communications | Consent (where required)
Complying with legal obligations | Legal obligation
Fraud prevention and security | Legitimate interests

We do not use your data to train AI models. We do not sell your data to third parties.

4. Compliance Data You Upload

When you upload evidence documentation, AI system descriptions, or compliance records to the Grecta platform, you remain the data controller for that content. Grecta processes it solely as a data processor on your behalf, in accordance with our Data Processing Agreement available on request.

We do not access, analyse, or share your compliance documentation except as required to provide the platform services or as required by law.

5. Who We Share Data With

We share personal data only with:

  • Service providers acting as data processors on our behalf (cloud hosting, analytics, email delivery, payment processing) under appropriate data processing agreements
  • Professional advisors (legal, accounting) under confidentiality obligations
  • Regulatory authorities where required by law
  • Acquirers in the event of a merger, acquisition, or asset sale, subject to equivalent privacy protections

We do not share personal data with third parties for their own marketing purposes.

6. International Data Transfers

Grecta is based in Estonia and operates within the European Economic Area. Where we transfer data outside the EEA, we ensure appropriate safeguards are in place, including:

  • European Commission Standard Contractual Clauses (SCCs)
  • Adequacy decisions where applicable
  • Binding Corporate Rules where relevant

Users in Canada, Singapore, and other jurisdictions may have additional rights under their local laws. We honour those rights regardless of where data is processed.

7. How Long We Keep Your Data

Data type | Retention period
Account data | Duration of account plus 2 years
Compliance binders and evidence | Per your selected audit trail tier (90 days to 10 years)
Usage logs | 12 months
Marketing communications | Until you unsubscribe
Legal correspondence | 7 years

8. Cookies

We use the following categories of cookies:

Strictly necessary — required for the platform to function. Cannot be disabled.

Analytics — help us understand how visitors use the site. We use privacy-preserving analytics that do not track individuals across sites. You may opt out at any time.

Preferences — remember your settings and language choice.

Marketing — only placed with your explicit consent.

You can manage your cookie preferences at any time via the cookie settings panel on our website.

9. Your Rights

Depending on your location, you have the following rights regarding your personal data:

Under GDPR (EU/UK):

  • Right to access your data
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to restriction of processing
  • Right to data portability
  • Right to object to processing
  • Right to withdraw consent at any time
  • Right to lodge a complaint with a supervisory authority

Under PIPEDA (Canada):

  • Right to access and correct your personal information
  • Right to withdraw consent
  • Right to complain to the Office of the Privacy Commissioner of Canada

Under PDPA (Singapore):

  • Right to access and correct your personal data
  • Right to withdraw consent

To exercise any of these rights, contact us at privacy@grecta.com. We will respond within 30 days. We do not charge for reasonable requests.

The Estonian supervisory authority is the Data Protection Inspectorate (Andmekaitse Inspektsioon): www.aki.ee

10. Security

We implement appropriate technical and organisational measures to protect your personal data, including:

  • Encryption in transit (TLS) and at rest
  • Role-based access controls
  • Regular security assessments
  • Incident response procedures

In the event of a data breach that poses a risk to your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

11. Children

Grecta is a business platform and is not directed at individuals under 18. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, contact us at privacy@grecta.com and we will delete it promptly.

12. Changes to This Policy

We may update this Policy from time to time. We will notify registered users of material changes by email and will update the “Last updated” date at the top of this page. Continued use of the platform after notification constitutes acceptance of the updated Policy.

13. Contact

For any privacy-related questions, requests, or complaints:

Grecta Compliance OÜ, Kesklinna linnaosa, Tornimäe tn 5, 10145 Estonia, privacy@grecta.com