Privacy Policy
Last updated: March 1, 2026
1. Who We Are
Program Development Company LLC ("GridPro", "we", "us", or "our") is the data controller responsible for your personal data.
Registered address: 777 Brickell Avenue, Suite 500, Miami, FL 33131, USA
Contact: privacy@gridpro.com
Data Protection Contact: For data protection inquiries, contact us at privacy@gridpro.com
This policy applies to personal data collected through gridpro.com and its subdomains, including account registration, cloud services, support, and software licensing.
2. What Personal Data We Collect
| Category | When | Data Collected |
|---|---|---|
| Account information | You register for an account | Email, password (stored hashed — we cannot see it), name, job title, company, department, country/city, contact number, organization type |
| Form submissions | You submit a form (contact, demo, license request, etc.) | Email, form field contents, uploaded files, timestamp |
| Software licensing | You request or hold a license | License type, product details, request status, approval history |
| Learning | You enrol in courses | Enrollment records, lesson completion, quiz scores |
| Support | You contact support | Email conversations, attachments, ticket subject and description |
| Cloud storage | You use GridPro Cloud | Files, file metadata (names, sizes, timestamps), storage usage |
| Automatic | You visit our website | IP address, browser type and version, OS, pages visited, timestamps, referring URL, country of origin |
| Cookies | You browse our site | See our Cookie Policy. You can manage preferences via "Cookie Settings" in the footer. |
3. How We Use Your Data
We process your personal data for the following purposes and legal bases:
| Purpose | Data Used | Legal Basis (GDPR Art. 6) |
|---|---|---|
| Account creation and authentication | Email, password, name | Contract — necessary to provide our services |
| Software licensing | Account info, license details | Contract — necessary to fulfil your license agreement |
| Responding to enquiries and support requests | Contact details, message content | Contract / Legitimate interest — to respond to your requests |
| Course delivery and progress tracking | Enrollment, completion, scores | Contract — necessary to provide the learning service |
| Cloud file storage | Files, metadata | Contract — necessary to provide the storage service |
| Website analytics | IP, browser, pages visited | Consent (EU/EEA/UK) / Legitimate interest (elsewhere) — to understand usage and improve our services. You may opt out at any time via the Cookie Settings link in the footer or on our Cookie Policy page. |
| CRM and relationship management | Contact details, interactions | Legitimate interest — see Section 3.1 below |
| Marketing communications | Email, name, company | Consent — you can withdraw at any time |
| Security and fraud prevention | IP, access logs, login attempts | Legitimate interest — to protect our services and users |
| Legal compliance | As required | Legal obligation — to comply with applicable laws |
3.1 Legitimate Interest Assessment — CRM Processing
We sync limited contact data (email, name, company) and activity records (license requests, access requests) to our CRM system (HubSpot) for the purpose of managing business relationships, tracking commercial enquiries, and providing a consistent customer experience.
Our legitimate interest: Efficiently managing customer and prospect relationships, tracking commercial pipeline activity, and ensuring continuity of service across interactions.
Balancing test: We have assessed that this processing does not override your rights because:
- Only business contact information is synced (no sensitive data)
- Processing is limited to commercial relationship management
- You can object at any time and we will cease CRM processing within 30 days (see Section 8)
- Data is not used for automated profiling or decision-making
4. Who We Share Your Data With
We share personal data only with service providers who process data on our behalf, subject to written data processing agreements. We do not sell your personal data.
4.1 Sub-Processors (Service Providers)
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Hetzner Cloud | Server hosting | USA | EU-based entity (Germany); SCCs; DPA |
| Cloudflare | CDN, security, DNS, and storage | Global (edge network) | EU-US Data Privacy Framework; SCCs; DPA |
| HubSpot | CRM — contact management, deal tracking | USA | EU-US Data Privacy Framework; SCCs; DPA |
| Google Workspace | Email routing for customer support (IMAP/SMTP) | USA / Global | EU-US Data Privacy Framework; SCCs; DPA |
We may update this list from time to time. Material changes to sub-processors will be reflected in this policy.
4.2 What We Share with HubSpot
When you register an account, submit a license request, or submit an access request, we sync the following to HubSpot CRM:
- Email address, first name, last name, company name
- Activity records (license requests, access requests, registration events)
This processing is based on our legitimate interest as described in Section 3.1. You may object to this processing at any time (see Section 8).
4.3 Other Disclosures
We may disclose personal data where we have a good-faith belief that disclosure is necessary:
- To comply with a legal obligation, court order, or binding regulatory request
- To protect the rights, safety, or property of GridPro, our users, or the public
- In connection with a merger, acquisition, or sale of assets (with prior notice where practicable)
5. International Transfers
Your personal data is stored and processed primarily in the United States. Data also flows through Cloudflare's global edge network.
For transfers of personal data from the European Economic Area (EEA), United Kingdom, or Switzerland to the United States, we rely on:
- Standard Contractual Clauses (SCCs) — as adopted by the European Commission, incorporated into our data processing agreements with sub-processors
- EU-US Data Privacy Framework (DPF) — our sub-processors (Cloudflare, HubSpot, Google) are independently self-certified, providing supplementary transfer safeguards
- Supplementary technical measures — including encryption in transit (TLS 1.2+), role-based access controls, and infrastructure security measures
A Transfer Impact Assessment is available upon request.
6. How Long We Keep Your Data
We retain personal data only for as long as necessary to fulfil the purposes for which it was collected, or as required by law. The following are our target retention periods:
| Data Type | Retention Period | Reason |
|---|---|---|
| User accounts | Duration of account + 12 months after account closure | Contract performance; post-termination enquiries |
| Form submissions | Up to 24 months from submission | Legitimate interest in responding to and tracking enquiries |
| Course enrollment and progress | Duration of account | Contract performance |
| Support tickets | Up to 36 months from last activity | Legitimate interest in support history and quality |
| Download history | Up to 12 months | Legitimate interest in usage tracking |
| Access logs | 7 days (local) | Security and troubleshooting |
| Access log archives | 7 days (encrypted cloud storage) | Security and compliance |
| Database backups | 30 days (rolling) | Disaster recovery |
| Session data | 24 hours | Automatic expiry |
We periodically review retained data and delete or anonymise data that is no longer necessary. Actual retention may be shorter than the periods above where data is no longer needed.
Backups: When personal data is deleted from our live systems, it may persist in encrypted backup copies for up to 30 additional days due to our automated backup rotation schedule. During this period, backup data is stored securely and is not actively processed or accessed except in the event of a disaster recovery scenario.
7. How We Protect Your Data
We implement appropriate technical and organisational measures to protect your personal data:
| Area | Measures |
|---|---|
| Encryption | All data in transit encrypted with TLS 1.2+; passwords stored using industry-standard one-way hashing (irreversible); cloud storage and production disks encrypted at rest |
| Access control | Role-based access control (RBAC) with field-level permissions; multi-factor authentication for administrators; key-based server authentication; principle of least privilege |
| Infrastructure | DDoS protection and Web Application Firewall (WAF); network firewalls at multiple layers; automated intrusion prevention; Content Security Policy (CSP) headers |
| Monitoring | 24/7 uptime monitoring with automated alerts; automated daily database backups with 30-day retention |
No method of transmission or storage is 100% secure. While we strive to use commercially acceptable means to protect your personal data, we cannot guarantee absolute security.
8. Your Rights
Depending on your location, you have the following rights regarding your personal data.
Under GDPR and UK GDPR
- Right of access — Request a copy of your personal data. You can download your data instantly from your profile page ("Download My Data"), or contact us for a manual export.
- Right to rectification — Request correction of inaccurate data. You can update most of your personal information directly from your profile page.
- Right to erasure — Request deletion of your data ("right to be forgotten"), subject to legal retention obligations. You can delete your account instantly from your profile page ("Delete My Account"), which removes your data from all connected systems.
- Right to restriction — Request that we limit processing of your data
- Right to data portability — Receive your data in a structured, machine-readable format. Your self-service data export (available from your profile page) provides a comprehensive JSON file covering all systems.
- Right to object — Object to processing based on legitimate interest, including CRM processing (Section 3.1) and analytics. Where you object, we will cease the relevant processing unless we demonstrate compelling legitimate grounds that override your interests.
- Right to withdraw consent — Withdraw consent for marketing at any time, without affecting the lawfulness of processing before withdrawal
- Right to lodge a complaint — File a complaint with your supervisory authority
For EU residents: You may contact your national data protection authority. A list is available at https://edpb.europa.eu/about-edpb/about-edpb/members_en
For UK residents: You may contact the Information Commissioner's Office (ICO) at https://ico.org.uk
Under CCPA/CPRA (California Residents)
If you are a California resident, you have the right to:
- Know what personal information we collect, use, and disclose — you can download a copy of your data from your profile page
- Delete your personal information — you can delete your account from your profile page, or contact us at privacy@gridpro.com
- Correct inaccurate personal information — you can update your profile directly, or contact us
- Opt out of the sale or sharing of personal information
- Non-discrimination — We will not discriminate against you for exercising your rights
Categories of personal information collected: Identifiers (name, email, IP address), professional information (job title, company), internet activity (browsing history, interactions), education information (course progress).
Sale of personal information: We do not sell personal information for monetary consideration.
Sharing of personal information: We share limited contact data with HubSpot CRM for business relationship management purposes. Under CCPA, this may constitute "sharing" of personal information for cross-context behavioural purposes. You may opt out of this sharing by contacting us at privacy@gridpro.com. We will process your opt-out request within 15 business days.
How to Exercise Your Rights
Self-Service (Instant)
If you have a GridPro account, you can exercise several rights directly from your profile page:
- Download your data — Click "Download My Data" in the Account Settings section to receive a comprehensive JSON export of all your personal data across our systems (profile, form submissions, license requests, course progress, support tickets, and CRM data).
- Delete your account — Click "Delete My Account" in the Danger Zone section to permanently delete your account and all associated data across all connected systems. You will need to confirm your password and acknowledge that the action is irreversible.
- Update your profile — Edit your personal information (name, company, contact details) directly on your profile page.
- Manage cookies — Click "Cookie Settings" in the footer of any page to update your consent preferences at any time.
Contact Us
For requests that cannot be completed via self-service, or if you do not have an account, contact us at:
- Email: privacy@gridpro.com
- Support: https://gridpro.com/support
Response time: We will acknowledge your request within 5 business days and provide a substantive response within 30 days. If your request is complex or we receive a large number of requests, we may extend this period by up to 60 additional days, in which case we will notify you of the extension and the reasons for it.
Identity verification: For self-service actions, identity is verified through your authenticated session and password confirmation. For email requests, we may ask you to confirm details associated with your account. We will not process a request if we cannot reasonably verify your identity.
Excessive or unfounded requests: Where requests are manifestly unfounded or excessive (for example, because of their repetitive character), we may charge a reasonable fee or refuse to act on the request, in accordance with applicable law. We will inform you of the reasons for any refusal.
9. Children's Data
Our services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe we have collected data from a child, please contact us and we will promptly delete it.
10. Automated Decision-Making
We do not use automated decision-making or profiling that produces legal or similarly significant effects on individuals.
11. Changes to This Policy
We may update this policy from time to time. We will notify you of material changes by posting the updated policy on our website with a new "Last updated" date. For significant changes that affect how we process your data, we will use reasonable efforts to provide advance notice (such as an email notification if you have an account).
Where changes require your consent under applicable law, we will obtain that consent before the changes take effect.
12. Contact Us
Program Development Company LLC
777 Brickell Avenue, Suite 500
Miami, FL 33131, USA
Privacy inquiries: privacy@gridpro.com
Website: https://gridpro.com
Support: https://gridpro.com/support