// legal
Privacy Policy
Last updated: 30 June 2026 · Effective: 30 June 2026
Granite takes privacy seriously — especially as a brand focused on security and encryption. This Policy explains what personal data we process when you visit our Site or contact us, and your rights under applicable data protection law (including the GDPR where it applies, and Ukrainian Law No. 2297-VI "On Personal Data Protection").
1. Data Controller
Granite Consulting is the controller for personal data processed through this Site and initial contact channels, unless a separate Data Processing Agreement (DPA) applies to a Client engagement.
Contact: Telegram
2. Scope
This Policy covers:
- Visitors to our website;
- Prospective clients who contact us;
- Cookie and similar technologies on the Site;
- Server and security logs generated by Site operation.
Client project data (source code, production credentials, end-user data of Client products) is governed by contractual terms and, where applicable, a DPA — not this general website policy alone.
3. Categories of Data We Collect
3.1 Data you provide
- Messages and identifiers when you contact us via Telegram or other channels (username, message content, attachments you choose to send);
- Business contact details (name, company, email if provided, project description);
- Any information you voluntarily include in inquiries or forms.
3.2 Data collected automatically
- IP address, approximate location (derived from IP), browser type, device type, operating system;
- Referring URL, pages viewed, timestamps, session duration;
- Technical logs for security monitoring, abuse prevention, and debugging;
- Cookie identifiers (see Cookie Policy).
3.3 Data we do not intentionally collect
We do not require payment card data through this marketing Site. Do not send passwords, private keys, seed phrases, or classified material via unsecured channels. Use agreed secure transfer methods for sensitive project data under contract.
4. Purposes & Legal Bases
| Purpose | Legal basis (GDPR) |
|---|---|
| Operate, secure, and improve the Site | Legitimate interests / contract preparation |
| Respond to inquiries and pre-sales communication | Legitimate interests / steps prior to contract |
| Analytics (with consent where required) | Consent |
| Fraud prevention, abuse detection, legal compliance | Legitimate interests / legal obligation |
| Perform Client contracts | Contract |
5. How We Use Personal Data
- Provide and maintain the Site;
- Communicate about Services you request;
- Protect against unauthorized access, attacks, and misuse;
- Analyze aggregated usage to improve performance and content (where permitted);
- Comply with legal obligations and enforce our Terms;
- Establish, exercise, or defend legal claims where necessary.
We do not sell personal data. We do not use Site visitor data for automated decision-making that produces legal or similarly significant effects without human review.
6. Retention
- Server logs: typically up to 90 days, unless needed for security investigations or legal holds;
- Contact / sales inquiries: up to 24 months after last interaction, or longer if a Client relationship forms;
- Cookie consent records: as documented in the Cookie Policy;
- Client project data: per contract and applicable law.
Data is deleted or anonymized when no longer needed for the purposes collected.
7. Security Measures
We apply administrative, technical, and organizational measures appropriate to the risk, including TLS in transit, access controls, least-privilege principles, monitoring, and encrypted storage where applicable. No method of transmission or storage is 100% secure; we cannot guarantee absolute security of data sent over the internet.
8. Processors & Third Parties
We may share data with:
- Hosting and CDN providers;
- Analytics providers (only with consent where required);
- Communication platforms you choose to use (e.g., Telegram — subject to their privacy policy);
- Professional advisers (legal, accounting) under confidentiality;
- Authorities when required by law or to protect rights and safety.
Sub-processors are bound by contractual data protection obligations where applicable. A list is available on request for Client DPAs.
9. International Transfers
If data is transferred outside your country (including outside the EEA), we implement appropriate safeguards such as Standard Contractual Clauses, adequacy decisions, or other mechanisms required by applicable law.
10. Your Rights
Depending on your location, you may have the right to:
- Access your personal data;
- Rectify inaccurate data;
- Erase data ("right to be forgotten") where applicable;
- Restrict or object to processing;
- Data portability;
- Withdraw consent (without affecting prior lawful processing);
- Lodge a complaint with a supervisory authority (e.g., Ukrainian Commissioner for Human Rights / relevant EU DPA).
To exercise rights, contact us via Telegram. We may need to verify identity before responding.
11. Children
The Site is not directed at children under 16. We do not knowingly collect personal data from children. If you believe we have, contact us and we will delete it promptly.
12. Changes
We may update this Policy. Material changes will be reflected in the "Last updated" date. Continued use after changes constitutes notice; where consent is required by law, we will obtain it separately.
