How we handle personal data.

Data controllers

Each GreenGridLabs operating entity is an independent data controller within the meaning of Art. 4(7) GDPR for the personal data it collects in its own jurisdiction. For general visits to greengridlabs.com, the controller is the entity of the jurisdiction you contact or contract with. Where no specific entity is involved, GreenGridLabs Finland Oy acts as the primary controller for the shared website.

For the full registered name, address and register entry of each entity, see the imprint. For privacy enquiries and data subject rights, contact info@greengridlabs.com.

Scope of this policy

This privacy policy applies to personal data processed by the GreenGridLabs entities in connection with: (a) visits to greengridlabs.com and its subdomains; (b) inquiries and communications sent through the contact form, email or telephone; (c) commercial relationships with customers, suppliers and partners; and (d) on-site visits to GreenGridLabs facilities.

It does not cover the processing of personal data by other companies in the Riveon group, which is governed by their own privacy notices, nor processing carried out by customers inside their own tenant environments for which GreenGridLabs acts solely as a colocation host.

Categories of personal data

Depending on how you interact with us, we may process:

• Identification & contact data — name, job title, employer, email address, phone number, postal address.
• Communication content — messages, attachments and metadata you send us through the contact form, email or other channels.
• Contract data — information needed to negotiate, perform and invoice colocation and related services, including authorised-personnel lists for site access.
• Access & security data — visitor logs, CCTV recordings and electronic access records for our datacenter facilities, where permitted by local law.
• Technical data — IP address, browser type, device identifiers, access timestamps and log files generated when you visit greengridlabs.com.

We do not knowingly collect special categories of personal data (Art. 9 GDPR) and ask you not to submit such data through our public channels.

Purposes & legal bases

We process personal data only on a lawful basis as defined in Art. 6(1) GDPR:

• Responding to inquiries — Art. 6(1)(b) (pre-contractual steps) and Art. 6(1)(f) (legitimate interest in answering questions addressed to us).
• Providing and invoicing services — Art. 6(1)(b) (performance of contract).
• Operating and securing facilities — Art. 6(1)(c) (legal obligations under workplace safety, electricity supply and critical-infrastructure regulations) and Art. 6(1)(f) (legitimate interest in physical security).
• Operating and securing the website — Art. 6(1)(f) (legitimate interest in a functioning, attack-resistant website).
• Compliance with legal obligations — Art. 6(1)(c) (tax, accounting, corporate and regulatory retention requirements under Finnish, Swedish and German law).

Recipients & processors

Personal data may be disclosed to: other entities within the Riveon group on a need-to-know basis; external processors that we engage under data processing agreements (Art. 28 GDPR) for hosting, email, customer relationship management, accounting, security and IT services; professional advisors (auditors, lawyers, tax advisors) bound by confidentiality; and public authorities where we are legally required to disclose.

We do not sell personal data. We do not disclose personal data to third parties for their own marketing purposes.

International transfers

Our primary processing takes place within the European Union and the European Economic Area. Where a processor operates outside the EU/EEA, we transfer personal data only on the basis of: (i) an adequacy decision of the European Commission; (ii) the Standard Contractual Clauses adopted by the European Commission under Art. 46(2)(c) GDPR; or (iii) another valid transfer mechanism under Chapter V GDPR. Transfers to Switzerland benefit from the Commission's adequacy decision for Switzerland.

A list of the non-EEA recipients and the applicable safeguards can be requested from info@greengridlabs.com.

Retention

We keep personal data only for as long as necessary for the purposes set out above or as required by law. Indicative retention periods:

• Inquiry correspondence — up to 24 months after the last contact, unless a contract results.
• Contract and invoice data — up to 10 years, in line with the statutory retention periods under Finnish, Swedish and German accounting and tax law.
• CCTV and access logs — typically 30 to 90 days, depending on site and local law.
• Website log files — up to 14 days for anti-abuse and troubleshooting, then aggregated or deleted.

Security

We maintain appropriate technical and organisational measures (Art. 32 GDPR) to protect personal data against unauthorised or unlawful processing and against accidental loss, destruction or damage, aligned with ISO 27001 principles. Measures include access control, encryption in transit, segregation of production data, logging, vendor due diligence and a documented incident response process. In the event of a personal data breach subject to Art. 33 GDPR, we notify the competent supervisory authority and, where required, affected individuals without undue delay.

Your rights

Subject to the conditions set out in the GDPR and applicable national law, you have the right to:

• obtain confirmation as to whether we process your personal data and, if so, access to that data (Art. 15);
• request rectification of inaccurate personal data (Art. 16);
• request erasure of your personal data (Art. 17);
• request restriction of processing (Art. 18);
• receive your personal data in a structured, commonly used and machine-readable format and to transmit it to another controller (Art. 20);
• object to processing carried out on the basis of our legitimate interests (Art. 21); and
• where processing is based on consent, to withdraw that consent at any time without affecting the lawfulness of prior processing (Art. 7(3)).

To exercise any of these rights, please contact info@greengridlabs.com. We may need to verify your identity before acting on a request.

Supervisory authorities

Without prejudice to any other administrative or judicial remedy, you have the right to lodge a complaint with a data protection supervisory authority — in particular in the Member State of your habitual residence, your place of work, or the place of the alleged infringement (Art. 77 GDPR). The authorities with jurisdiction over our operating entities are:

Cookies & tracking

greengridlabs.com uses a minimum of strictly necessary cookies for session handling and security. We do not deploy advertising or cross-site tracking cookies. Any non-essential cookies — such as analytics — are only set after you have given prior informed consent via our cookie banner, in line with Art. 5(3) of the ePrivacy Directive as transposed by Finnish, Swedish and German law. You can withdraw consent at any time through the cookie preferences link in the footer.

Changes to this policy

We may update this privacy policy from time to time to reflect changes in our processing activities, in technology or in the applicable law. The most current version is always available at greengridlabs.com/privacy-policy/. Material changes will be communicated in advance through the website or, where appropriate, directly to affected individuals.