Privacy Policy
Last updated: April 2026
1. Introduction
This Privacy Policy explains how the GrandVertex group of companies (referred to in this Policy as “GrandVertex”, “we”, “us”, or “our”) collects, uses, shares, and otherwise processes personal data when you visit our website at grandvertex.com (the “Website”), contact us through the channels described below, or otherwise interact with us in a corporate capacity.
We respect your privacy and are committed to handling personal data in accordance with the European Union General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”), the Cyprus Law Providing for the Protection of Natural Persons with regard to the Processing of Personal Data and for the Free Movement of Such Data of 2018 (Law 125(I)/2018), and other applicable data-protection laws.
Please read this Policy carefully. By using the Website or contacting us, you acknowledge that you have read and understood it. If you do not agree with this Policy, please do not use the Website.
2. Who we are
GrandVertex is a privately held corporate group. The data controller for personal data processed in connection with the Website is, in the first instance:
GrandVertex Holdings LTD
Registered Address: Strovolou 77, STROVOLOS CENTER, Flat/Office 301, Strovolos, 2018, Nicosia, Cyprus
Registration Number: HE 490479
Email: contact@grandvertex.com
Registration Number: HE 490479
Email: contact@grandvertex.com
Where personal data is processed in connection with operational or consulting activities carried out by our Marshall Islands affiliate, the relevant entity is:
GrandVertex Capital Inc
Registered Address: Trust Company Complex, Ajeltake Road, Ajeltake Island, MH 96960, Majuro, Republic of the Marshall Islands
Registration Number: 138067
Registration Number: 138067
In this Policy, references to “GrandVertex” mean the relevant entity acting as controller for the processing in question. If you are unsure which entity is the controller for a particular processing activity, please contact us using the details in section 12 below and we will clarify.
3. Scope of this Policy
This Policy applies to personal data we collect through the Website and through related corporate-communication channels, such as the email address contact@grandvertex.com. It does not apply to:
– Third-party websites that may be linked from the Website. We are not responsible for the privacy practices of those websites and recommend that you read their own privacy notices.
– Personal data processed in connection with non-public business relationships (for example, between us and our service providers, banks, or counterparties), where separate privacy information is provided.
– Third-party websites that may be linked from the Website. We are not responsible for the privacy practices of those websites and recommend that you read their own privacy notices.
– Personal data processed in connection with non-public business relationships (for example, between us and our service providers, banks, or counterparties), where separate privacy information is provided.
For the avoidance of doubt, GrandVertex does not provide regulated investment services and does not solicit, accept, hold, or manage funds belonging to third parties. The Website is informational. As a result, we typically process only limited categories of personal data, as described in section 4.
4. Personal data we collect
Depending on how you interact with us, we may collect and process the following categories of personal data:
4.1 Information you provide to us
– Identity and contact data — your name, email address, and any other information you provide when you submit our contact form or write to us at contact@grandvertex.com.
– Correspondence content — the content of your message, including any information you choose to include in it.
– Business-context data — where you contact us in a professional capacity, the name of your organisation, your role, and similar professional information you choose to share.
– Correspondence content — the content of your message, including any information you choose to include in it.
– Business-context data — where you contact us in a professional capacity, the name of your organisation, your role, and similar professional information you choose to share.
4.2 Information we collect automatically
– Technical data — IP address, approximate geolocation derived from IP address, device type, browser type and version, operating system, referral source, and pages visited.
– Usage data — information about how you use the Website, such as pages viewed, time on page, and navigation paths.
– Cookies and similar technologies — see section 9 below.
– Usage data — information about how you use the Website, such as pages viewed, time on page, and navigation paths.
– Cookies and similar technologies — see section 9 below.
4.3 Information we receive from third parties
We may, from time to time, receive personal data about you from publicly available business sources (for example, corporate registries) or from professional intermediaries who introduce you to us. Where we receive personal data from a third party, we will, where required, provide you with the information set out in Article 14 GDPR within a reasonable period.
We do not knowingly collect any special categories of personal data (such as data concerning health, racial or ethnic origin, political opinions, religious beliefs, or trade-union membership) through the Website. Please do not include such information in correspondence with us.
5. Purposes and lawful bases of processing
We process personal data only where we have a lawful basis to do so under Article 6 GDPR. The table below sets out the principal purposes for which we process personal data and the corresponding lawful basis.
Purpose
Responding to enquiries received via the contact form or by email.
Operating, securing, and improving the Website.
Carrying out due-diligence checks on counterparties, business partners, and persons acting on behalf of corporate clients.
Establishing, exercising, or defending legal claims; complying with legal and regulatory obligations.
Categories of data
Identity and contact data; correspondence content; business-context data.
Technical data; usage data; cookie data.
Identity and contact data; business-context data; data from publicly available sources.
Any of the categories above, as relevant.
Lawful basis
Article 6(1)(f) — our legitimate interest in handling business correspondence and managing our communications.
Article 6(1)(f) — our legitimate interest in maintaining a secure, functional, and well-performing website. Where required, consent under Article 6(1)(a) (see section 9 on cookies).
Article 6(1)(f) — our legitimate interest in conducting our business prudently and in protecting against fraud and reputational harm; Article 6(1)(c) — compliance with legal obligations to which we are subject.
Article 6(1)(c) — compliance with legal obligations; Article 6(1)(f) — our legitimate interest in protecting our legal rights.
Purpose
Responding to enquiries received via the contact form or by email.
Categories of data
Identity and contact data; correspondence content; business-context data.
Lawful basis
Article 6(1)(f) — our legitimate interest in handling business correspondence and managing our communications.
Purpose
Operating, securing, and improving the Website.
Categories of data
Technical data; usage data; cookie data.
Lawful basis
Article 6(1)(f) — our legitimate interest in maintaining a secure, functional, and well-performing website. Where required, consent under Article 6(1)(a) (see section 9 on cookies).
Purpose
Carrying out due-diligence checks on counterparties, business partners, and persons acting on behalf of corporate clients.
Categories of data
Identity and contact data; business-context data; data from publicly available sources.
Lawful basis
Article 6(1)(f) — our legitimate interest in conducting our business prudently and in protecting against fraud and reputational harm; Article 6(1)(c) — compliance with legal obligations to which we are subject.
Purpose
Establishing, exercising, or defending legal claims; complying with legal and regulatory obligations.
Categories of data
Any of the categories above, as relevant.
Lawful basis
Article 6(1)(c) — compliance with legal obligations; Article 6(1)(f) — our legitimate interest in protecting our legal rights.
Where we rely on legitimate interests, we have carried out a balancing exercise to ensure that those interests are not overridden by your interests, rights, or freedoms. Information about that balancing exercise is available on request.
6. Recipients of personal data
We do not sell personal data. We may share personal data with the following categories of recipient, only to the extent necessary for the purposes set out in section 5 and under appropriate contractual safeguards:
– Other entities within the GrandVertex group, on a need-to-know basis, for internal coordination, governance, and the management of business relationships.
– Professional advisers, such as lawyers, auditors, accountants, and tax advisers, where this is necessary for legal, compliance, or governance purposes.
– Information-technology and hosting service providers who provide the website-hosting, email, communication, security, and storage infrastructure that supports our operations. These providers act as our processors and are bound by written processing agreements.
– Banks, financial institutions, and other counterparties, where this is necessary in connection with our own banking and corporate operations or in response to their due-diligence enquiries about us.
– Public authorities, regulators, and law-enforcement agencies, where we are required by law to disclose personal data, or where disclosure is necessary to establish, exercise, or defend legal claims.
– Other entities within the GrandVertex group, on a need-to-know basis, for internal coordination, governance, and the management of business relationships.
– Professional advisers, such as lawyers, auditors, accountants, and tax advisers, where this is necessary for legal, compliance, or governance purposes.
– Information-technology and hosting service providers who provide the website-hosting, email, communication, security, and storage infrastructure that supports our operations. These providers act as our processors and are bound by written processing agreements.
– Banks, financial institutions, and other counterparties, where this is necessary in connection with our own banking and corporate operations or in response to their due-diligence enquiries about us.
– Public authorities, regulators, and law-enforcement agencies, where we are required by law to disclose personal data, or where disclosure is necessary to establish, exercise, or defend legal claims.
7. International transfers
Personal data we process may be transferred to, or accessed from, jurisdictions outside the European Economic Area (the “EEA”). In particular, our affiliate GrandVertex Capital Inc is established in the Republic of the Marshall Islands, which has not been the subject of an adequacy decision by the European Commission under Article 45 GDPR. Some of our service providers may also process personal data outside the EEA.
Where we transfer personal data outside the EEA to a country that has not been recognised as providing an adequate level of protection, we put in place appropriate safeguards in accordance with Article 46 GDPR. These safeguards typically take the form of the European Commission’s Standard Contractual Clauses, supplemented where necessary by additional technical and organisational measures following a transfer impact assessment.
You may request a copy of the safeguards we use for a particular transfer by contacting us at the address set out in section 12.
8. Retention
We retain personal data only for as long as is necessary for the purposes for which it was collected, including for the purposes of meeting any legal, accounting, or reporting obligations that apply to us.
– Contact-form and email correspondence is generally retained for up to 24 months from the date of last contact, after which it is deleted or anonymised, unless a longer retention period is required to establish, exercise, or defend a legal claim or to comply with a legal obligation.
– Technical and usage data collected through the Website is generally retained for up to 14 months.
– Records related to corporate, contractual, or compliance matters are retained for the period required by applicable Cyprus law (typically 6 years from the end of the relevant relationship), or longer where a longer period is required by law or is necessary to defend legal claims.
– Contact-form and email correspondence is generally retained for up to 24 months from the date of last contact, after which it is deleted or anonymised, unless a longer retention period is required to establish, exercise, or defend a legal claim or to comply with a legal obligation.
– Technical and usage data collected through the Website is generally retained for up to 14 months.
– Records related to corporate, contractual, or compliance matters are retained for the period required by applicable Cyprus law (typically 6 years from the end of the relevant relationship), or longer where a longer period is required by law or is necessary to defend legal claims.
At the end of the applicable retention period, personal data is deleted or, where deletion is not technically feasible, anonymised in a way that prevents you from being identified.
9. Cookies and similar technologies
The Website uses a small number of cookies and similar technologies. Cookies are small text files placed on your device when you visit a website. They allow the website to recognise your device and remember information about your visit.
We use the following categories of cookie:
– Strictly necessary cookies, which are essential for the operation of the Website (for example, to maintain session integrity and security). These cookies do not require your consent and cannot be disabled without affecting how the Website functions.
– Analytics cookies, which we use, where applicable, to understand how visitors use the Website on an aggregated basis. Where these cookies are not strictly necessary, we deploy them only after we have obtained your consent through the cookie banner.
– Strictly necessary cookies, which are essential for the operation of the Website (for example, to maintain session integrity and security). These cookies do not require your consent and cannot be disabled without affecting how the Website functions.
– Analytics cookies, which we use, where applicable, to understand how visitors use the Website on an aggregated basis. Where these cookies are not strictly necessary, we deploy them only after we have obtained your consent through the cookie banner.
You can change your cookie preferences at any time through the cookie banner, through your browser settings (most browsers allow you to refuse, accept, or delete cookies), or by contacting us. Please note that disabling certain cookies may affect the functionality of the Website.
10. Security
We implement appropriate technical and organisational measures designed to protect personal data against unauthorised or unlawful access, accidental loss, destruction, damage, alteration, or disclosure. These measures include, among others, secure hosting, access controls, encryption of data in transit, role-based access for personnel, and confidentiality obligations on our staff and service providers. No method of transmission over the internet or method of electronic storage, however, is fully secure, and we cannot guarantee the absolute security of personal data.
11. Your rights
Subject to the conditions and exceptions set out in the GDPR, you have the following rights in relation to personal data we hold about you:
– Right of access — to obtain confirmation as to whether we process your personal data and, if so, to obtain a copy of that data and certain related information (Article 15 GDPR).
– Right to rectification — to have inaccurate personal data corrected and incomplete personal data completed (Article 16 GDPR).
– Right to erasure — to have personal data deleted in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected (Article 17 GDPR).
– Right to restriction of processing — to obtain restriction of processing in certain circumstances, for example while we verify the accuracy of personal data you have contested (Article 18 GDPR).
– Right to data portability — to receive personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller, where the processing is based on consent or on a contract and is carried out by automated means (Article 20 GDPR).
– Right to object — to object, on grounds relating to your particular situation, to processing based on our legitimate interests; we will then no longer process the data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms (Article 21 GDPR).
– Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).
– Right to lodge a complaint — to lodge a complaint with a supervisory authority, in particular with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, whose contact details are: 1 Iasonos Street, 1082 Nicosia, Cyprus; tel. +357 22 818 456; email commissioner@dataprotection.gov.cy; website www.dataprotection.gov.cy. You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
– Right of access — to obtain confirmation as to whether we process your personal data and, if so, to obtain a copy of that data and certain related information (Article 15 GDPR).
– Right to rectification — to have inaccurate personal data corrected and incomplete personal data completed (Article 16 GDPR).
– Right to erasure — to have personal data deleted in certain circumstances, for example where it is no longer necessary for the purposes for which it was collected (Article 17 GDPR).
– Right to restriction of processing — to obtain restriction of processing in certain circumstances, for example while we verify the accuracy of personal data you have contested (Article 18 GDPR).
– Right to data portability — to receive personal data you have provided to us in a structured, commonly used, and machine-readable format and to transmit it to another controller, where the processing is based on consent or on a contract and is carried out by automated means (Article 20 GDPR).
– Right to object — to object, on grounds relating to your particular situation, to processing based on our legitimate interests; we will then no longer process the data unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms (Article 21 GDPR).
– Right to withdraw consent — where processing is based on your consent, to withdraw that consent at any time, without affecting the lawfulness of processing carried out before withdrawal (Article 7(3) GDPR).
– Right to lodge a complaint — to lodge a complaint with a supervisory authority, in particular with the Office of the Commissioner for Personal Data Protection of the Republic of Cyprus, whose contact details are: 1 Iasonos Street, 1082 Nicosia, Cyprus; tel. +357 22 818 456; email commissioner@dataprotection.gov.cy; website www.dataprotection.gov.cy. You may also lodge a complaint with the supervisory authority in your country of residence or place of work.
To exercise any of these rights, please contact us using the details in section 12. We may need to verify your identity before responding to your request. We will respond within the time limits set out in the GDPR (typically one month, extendable by a further two months where necessary).
12. Contact
If you have any questions about this Policy, about how we process personal data, or if you wish to exercise any of your rights, please contact us at: contact@grandvertex.com
13. Changes to this Policy
We may update this Policy from time to time to reflect changes in our practices, in technology, in legal or regulatory requirements, or for other operational reasons. The current version is identified by the “Last updated” date at the top of this Policy. Where the changes are material, we will draw them to your attention by suitable means, for example by posting a notice on the Website or by contacting you directly. We encourage you to review this Policy periodically.