Privacy Policy – Grexgo

Last updated: 3 December 2025

This Privacy Policy explains how Grexgo Group SAS (“Grexgo”, “we”, “us”, “our”) collects,
uses, discloses, and protects personal data in accordance with:

  • The EU General Data Protection Regulation (GDPR – Regulation 2016/679)
  • The Swiss Federal Act on Data Protection (nLPD – 2023)
  • Applicable French and EU laws

This Policy applies to all users of the Grexgo platform, including hotels, travel agencies, companies,
corporate clients, and website visitors (“Users”).

1. Data Controller

Grexgo Group SAS
A company incorporated under the laws of France
Registered office: [Add your registered office address]
Email: privacy@grexgo.com

2. Data We Collect

We collect the following categories of personal data:

2.1 Data provided directly by Users

  • Identification data (name, surname, job title)
  • Professional contact details (email, phone number, company name)
  • Account login details (email + hashed password)
  • Documents uploaded (contracts, offers, requests, PDFs)
  • Messages exchanged through the platform

2.2 Automatically collected data

  • Technical data (IP address, browser type, device information)
  • Usage data (pages visited, actions performed, session logs)
  • Cookies and similar technologies (see Cookie Section)

2.3 Data related to professional activity

  • Hotel information, pricing, and availability
  • Group requests and negotiation history
  • Business documents shared between Users

Grexgo does not collect sensitive personal data (health, religion, biometrics, political opinions).

3. Purpose and Legal Basis

We process personal data only for legitimate purposes and based on legal grounds defined by EU GDPR and Swiss LPD.

3.1 Purposes

  • To create and manage User accounts
  • To facilitate group booking requests and negotiations between Users
  • To ensure platform security and fraud prevention
  • To provide customer support
  • To improve the platform and User experience
  • To comply with legal and regulatory obligations

3.2 Legal Basis (GDPR)

  • Contract performance (Art. 6-1-b)
  • Legitimate interest (Art. 6-1-f)
  • Compliance with legal obligations (Art. 6-1-c)
  • Consent for optional processing (cookies, marketing)

3.3 Legal Basis (Swiss LPD)

Processing is justified when necessary for:

  • Performance of a contract
  • Legitimate business operations
  • Compliance with Swiss legal obligations
  • User consent (when required)

4. Data Sharing

We only share personal data with:

  • Hotels, agencies, or companies involved in a group booking workflow
  • Our subcontractors (hosting provider, analytics tools, email services)
  • Authorities when legally required (fraud, compliance, legal obligations)

Grexgo does not sell personal data.

5. International Data Transfers

Data may be stored or processed in Switzerland or the European Union.

If data is transferred outside the EU or Switzerland, we ensure compliance through:

  • EU Standard Contractual Clauses (SCCs)
  • Swiss-compatible data transfer agreements
  • Adequacy decisions by the EU and Switzerland

6. Data Retention

We retain personal data only for the duration necessary for the purposes listed above:

  • Account data: retained until account deletion
  • Business documents: retained as long as required by Users
  • Logs & security data: 12 months
  • Legal and accounting documents: 10 years (as required by French law)

7. Cookies & Tracking Technologies

We use cookies to:

  • Enable platform functionality
  • Analyze usage (analytics)
  • Improve performance
  • Store User preferences

Users may configure cookies via their browser or the Grexgo cookie banner.

8. Data Security

We implement both technical and organizational security measures:

  • Encrypted connections (HTTPS/TLS)
  • Secure hosting (Infomaniak, Switzerland)
  • Access restrictions and authentication
  • Encrypted passwords
  • Regular backups and monitoring

9. User Rights

Users benefit from the following rights:

9.1 Under EU GDPR

  • Right of access
  • Right to rectification
  • Right to erasure (“right to be forgotten”)
  • Right to object
  • Right to data portability
  • Right to restriction of processing
  • Right to withdraw consent at any time

9.2 Under Swiss LPD

  • Right of access
  • Right to rectification
  • Right to deletion if no overriding legal obligation exists
  • Right to object to processing
  • Right to information on cross-border transfers

To exercise your rights:
privacy@grexgo.com

10. Automated Decision-Making

Grexgo does not use automated decision-making or profiling that produces legal or significant effects.

11. Third-Party Services

We may use external providers for:

  • Hosting (Infomaniak, Switzerland)
  • Email delivery
  • Analytics
  • Document storage

These providers comply with EU GDPR and Swiss data protection requirements.

12. Changes to this Policy

Grexgo may update this Privacy Policy from time to time.
Users will be notified of significant changes by email or through the Platform.

13. Contact

For any question or data protection request:
Grexgo Group SAS
Email: privacy@grexgo.com