Privacy Policy
How Grilli OÜ — a private limited company registered in Estonia — collects, uses, and protects personal data, both through this website and in the course of professional service engagements.
1. Controller
The data controller is Grilli OÜ, registered in Estonia. For all data protection enquiries, rights requests, or complaints, contact privacy@grillisecurity.com.
Our lead supervisory authority is Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate). EEA residents may also contact their own national supervisory authority.
2. Cookies & Tracking
We do not set cookies. We do not use third-party analytics, advertising networks, tracking pixels, session recording, or fingerprinting on this website.
The only automated data collection is CDN access logs (IP address, user-agent, timestamp), retained for security and abuse-prevention purposes only.
Global Privacy Control (GPC) and Do Not Track signals have no additional effect because we do not track, sell, or share personal data. Rights requests are always honoured regardless.
3. Website Data
When you use this website we collect:
- Contact & lead forms — name, work email, and the message you submit. Processed on EU-hosted cloud infrastructure.
- Access logs — IP address, user-agent, and timestamp recorded by the CDN for security and abuse prevention.
Legal bases: form data — Art. 6(1)(b) GDPR (pre-contractual steps at your request); access logs — Art. 6(1)(f) GDPR (legitimate interests in website security).
Retention: form data up to 12 months; access logs up to 90 days. See our Website Data Processing Addendum for full details.
4. Service Engagement Data
When you engage us for professional services we process additional personal data necessary to deliver those services, which may include:
- Contact details, role, and organisational information.
- Engagement context: scope documents, statements of work, proposals, and technical artefacts.
- Communications: emails, meeting notes, and correspondence.
- Billing and financial records.
Legal basis: Art. 6(1)(b) GDPR (performance of a contract); Art. 6(1)(c) where processing is required by law (e.g. statutory accounting retention).
Retention: for the duration of the engagement and as required by applicable law thereafter. Financial and contractual records are retained for 7 years per Estonian accounting law. Data processing terms for engagements are negotiated separately — contact privacy@grillisecurity.com to request an engagement DPA.
5. Sharing & Processors
We do not sell, rent, or share personal data with third parties for commercial, advertising, or marketing purposes.
We engage two subprocessors, both with EU data residency: Amazon Web Services (public-facing services) and Hetzner (bare metal servers). Each is bound by a GDPR Art. 28 Data Processing Addendum. See the subprocessors page for details.
Engagement-specific processors, if any, are disclosed in the applicable Statement of Work and require written client approval.
We may disclose personal data where required by law, valid legal process, or to protect the rights, property, or safety of Grilli OÜ, our clients, or others.
6. International Transfers
All website data is stored in the EU. Form submission data does not leave the EU.
This website is delivered via a global CDN. Your IP address may be transiently processed at the nearest edge location, which may be outside the EEA. This is covered by the cloud provider's GDPR Data Processing Addendum and EU Standard Contractual Clauses (Commission Decision 2021/914).
For service engagements, data residency is EU by default. Alternative processing regions are available where explicitly required and agreed in writing.
7. Security
- Encryption in transit (TLS 1.2+) and at rest for all stored data.
- Least-privilege access control; MFA enforced on all systems handling personal data.
- Access to personal data restricted to named personnel with a documented need.
- Secure deletion when retention periods expire; certified destruction on request.
- Incident response processes covering detection, containment, and notification.
8. Breach Notification
In the event of a personal data breach, we will notify the Estonian Data Protection Inspectorate within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals' rights and freedoms (Art. 33 GDPR).
Where the breach is likely to result in a high risk, we will also notify affected individuals without undue delay (Art. 34 GDPR), describing the nature of the breach, likely consequences, and measures taken.
9. Your Rights
Under GDPR you have the following rights:
- Access — obtain a copy of your personal data (Art. 15).
- Rectification — correct inaccurate data (Art. 16).
- Erasure — request deletion where there is no overriding legal basis to retain (Art. 17).
- Restriction — limit how we use your data in certain circumstances (Art. 18).
- Portability — receive data you provided in a structured, machine-readable format, where processing is based on contract or consent and carried out by automated means (Art. 20).
- Objection — object to processing based on legitimate interests (Art. 21).
To exercise any right, contact privacy@grillisecurity.com. We will verify your identity and respond within one month of receipt (extendable by a further two months for complex or numerous requests, in which case we will notify you of the extension and the reasons for it within the first month, per Art. 12(3) GDPR).
10. Complaints
If you believe we have not handled your personal data in accordance with applicable law, please contact us first at privacy@grillisecurity.com so we can attempt to resolve the matter.
You also have the right to lodge a complaint with a supervisory authority at any time. Our lead authority is the Estonian Data Protection Inspectorate (aki.ee). EEA residents may alternatively contact their own national authority.
11. Children
This website and our services are directed to business users only. We do not knowingly collect personal data from individuals under the age of 16. If you believe a minor has submitted data to us, contact privacy@grillisecurity.com and we will delete it promptly.
12. Data Protection Officer
Grilli OÜ is not required to appoint a Data Protection Officer under Article 37 GDPR. Our processing activities do not constitute large-scale processing of special categories of data and do not involve systematic monitoring of individuals at scale.
All data protection enquiries are handled directly by our management team at privacy@grillisecurity.com.
13. Automated Decision-Making
We do not carry out automated decision-making, including profiling, that produces legal effects or similarly significantly affects individuals (Art. 22 GDPR). No personal data submitted through this website is used for automated scoring, profiling, or algorithmic decisions.
Provision of personal data through our contact forms is voluntary. You are not legally or contractually required to submit data. The consequence of not providing data is that we may be unable to respond to or process your enquiry (Art. 13(2)(e) GDPR).
14. Changes to This Policy
We may update this policy to reflect changes in our practices or applicable law. Material changes will be indicated by a revised effective date at the top of this page. We encourage you to review this policy periodically.
Continued use of the website after a material change constitutes acceptance of the updated policy.
Contact
Data protection enquiries and rights requests: privacy@grillisecurity.com. See also our Website Data Processing Addendum, Subprocessors, and Terms of Service.
