Privacy Policy & Terms

1. Data protection contact (I think we should have a Privacy link - with the full policy here). Imprint goes to the Impressum, and Terms goes to the engagement at the bottom.)

Data controller: GREX Strategies (sole proprietor)
Address: Schlagmühlstr. 22, 57234 Wilnsdorf, Germany
Email (privacy enquiries / DSARs): privacy@grex-strategies.com
General enquiries: office@grex-strategies.com
Phone (optional): +49 1512 9511048

2. Summary — what this policy covers

This policy explains how GREX Strategies collects and uses personal data in connection with this website and our advisory services. It is written for a small, senior-led consultancy that: (a) does not use cookies, analytics, or contact forms on the public site; and (b) receives personal data only when you email us or when you engage our services.

3. What personal data we process

We only process the categories of data that are necessary for the purpose in question:

• Contact details you provide by email (name, email address, organization, phone if included).

• Professional and engagement data if you become a client (job title, organisation, contractual documents, invoices, engagement notes).

• Advisory / investigation data relevant to the specific engagement (factual information you provide or we collect as part of the assignment).

• We do not collect special categories of data via the website. Do not email us sensitive personal data unless instructed.
  
  

4. How we collect data

• When you email us, we collect the data you include in that email.

• When engaged as a client, we collect and store information necessary to provide and document the engagement.

• The public website itself does not set cookies or run analytics.
  
  

5. Legal bases for processing

• Contractual necessity (Art. 6(1)(b) GDPR): to perform services and take steps before entering into a contract.

• Legitimate interests (Art. 6(1)(f) GDPR): to respond to inquiries, maintain basic business records, and secure the website.

• Legal obligation (Art. 6(1)(c) GDPR): where retention or reporting is required by law (e.g., tax, accounting, AML/CFT obligations).

• Consent (Art. 6(1)(a) GDPR): only used for optional, explicit activities (not currently used on the public site).
  
  

6. Use of email and external hosting

• Email is the only way to contact us via the website. If you email us, we will use your email data to respond and, if relevant, to take pre-contractual steps.

• The website is hosted on Google Sites. Google provides hosting infrastructure and may process technical data for security and delivery. GREX has the contractual relationship with Google via its services; Google acts as a processor for hosting. Google’s own privacy/documentation and contractual safeguards apply — GREX does not use Google to run analytics or collect additional visitor profiles.
  
  

7. International transfers

Google may process or store data on servers outside the EEA. Where data is transferred outside the EEA we rely on appropriate safeguards (e.g., adequacy decisions, standard contractual clauses). Contact privacy@grex-strategies.com for details on specific transfers.

8. Data retention (typical periods — confirm with your accountant/legal where needed)

• General enquiries (email threads): retained up to 2 years after last contact unless a contract is formed.

• Prospective client records / proposals: 2–5 years depending on context.

• Client engagement files, working papers, invoices: retained for the duration of the engagement and up to 10 years thereafter where required for tax, professional or regulatory reasons (Germany typically requires 10 years for accounting records).

• Security logs / hosting temporary records: retained by the host as needed (you do not collect these centrally).
  When retention periods end we will securely delete or anonymize personal data.
  
  

9. Data sharing & processors

We do not sell personal data. We may share data with: regulators, courts or law enforcement when legally required; professional advisers (lawyers, accountants) when necessary to provide services; or service providers who act as processors (hosting — Google). All processors are contractually bound to protect the data.

10. Your rights (GDPR)

You have the right to: access, rectify, erase (in limited cases), restrict processing, portability, object, withdraw consent (where given), and lodge a complaint with a supervisory authority. To exercise rights, email privacy@grex-strategies.com. We will verify identity and respond within statutory timeframes.

11. Security

We use reasonable technical and organizational measures (HTTPS for the site, secure email systems, access controls) to protect personal data. Please do not send highly sensitive personal data by unencrypted email unless we agree a secure transfer method.

12. Children

Our site and services are not directed at children. We do not knowingly collect data from minors.

13. Changes to this policy

We will publish the effective date at the top. Material changes will be posted and, where appropriate, notified.

14. Supervisory authority

If you wish, you may contact the German data protection authority for Baden-Württemberg or the relevant state DPA. You also have the right to lodge a complaint with any EU supervisory authority.

Terms of Use (website) I THINK THIS SHOULD BE CLICKABLE

• Content on this site is for general information about GREX Strategies’ services. It does not create a client relationship. Use is at your own risk. GREX is not responsible for external links or third-party content.
  
  

• Intellectual property: site content is copyright GREX Strategies and may not be reused without permission.