Last updated: 17 April 2026
This privacy policy explains how GROU ("GROU", "we", "us", or "our") collects, uses, and protects personal data when you visit grouglobal.com (the "Website"), contact us, receive a communication from a GROU-managed campaign, or otherwise interact with our services.
We take privacy seriously. As a B2B pipeline agency operating from Slovenia across the EU and beyond, we comply with the EU General Data Protection Regulation (Regulation 2016/679, "GDPR"), the Slovenian Personal Data Protection Act (ZVOP-2), the EU ePrivacy rules as implemented locally, and, where relevant, the California Consumer Privacy Act (CCPA) and UK GDPR.
1. Who we are
Data controller:
Grou d.o.o.
Litostrojska cesta 58C, 1000 Ljubljana, Slovenia
Registration number: 8157898000
VAT ID: SI52009530
Email: hello@grouglobal.com
Website: https://grouglobal.com
If you have any questions about this policy or want to exercise your rights, contact us at hello@grouglobal.com.
1.1 Data Protection Officer
We have not appointed a Data Protection Officer. Under Article 37 GDPR and Article 46 ZVOP-2, a DPO is mandatory only for public authorities, organisations whose core activity involves large-scale systematic monitoring, or large-scale processing of special categories of data. Our activities do not meet these thresholds. A privacy lead within GROU handles all data protection matters and can be reached at hello@grouglobal.com.
2. Scope of this policy
This policy applies to:
Visitors to grouglobal.com.
People who contact us, book a call, request a proposal, download content, or subscribe to our newsletter.
Representatives of our clients, prospects, suppliers, and partners.
Individuals who receive a cold email, LinkedIn message, or call from a campaign that GROU runs on behalf of a client (see section 12 for your specific rights in that scenario).
This policy does not cover personal data we process on behalf of our clients as part of lead generation, outbound, or LinkedIn campaigns. In those cases we act as a data processor on our client's instructions. That processing is governed by the data processing agreement (DPA) signed with that client.
3. What personal data we collect
We only collect data that is necessary for a clearly defined purpose. Depending on how you interact with us, we may collect the following.
3.1 Data you provide directly
Contact details: full name, business email, phone number, company name, job title, country.
Message content: what you write in our contact form, book-a-call form, proposal requests, or emails.
Commercial information: the services you are interested in, your budget range, and campaign goals shared during discovery calls.
Newsletter data: email address and any preferences you set.
Application data: CV, cover letter, and professional details if you apply for a role with us.
3.2 Data collected automatically
When you use the Website we automatically collect:
Device and technical data: IP address, browser type and version, operating system, device identifiers, screen size, language settings.
Usage data: pages visited, time spent on pages, referring URL, search terms, clicks, scroll depth.
Cookies and similar technologies: see section 10.
3.3 Data from third parties
We may receive data about you from:
Public professional sources such as LinkedIn, company websites, press releases, and business directories when we identify you as a potential customer fit for GROU.
B2B data providers (for example Apollo, Clay, and similar tools) that verify and enrich business contact details under their own lawful basis.
Referrals from existing clients or partners.
Service providers such as HubSpot (our CRM and booking tool) and analytics tools.
We only collect business contact data that is necessary and role-relevant. We do not target individuals in their personal capacity and we do not knowingly process contact data of minors.
3.4 What we do not collect
We do not process special categories of personal data (such as data about health, religion, ethnicity, political opinions, or sexual orientation) in the course of our business. If you voluntarily include such data in a message to us, we will delete it unless it is necessary to respond to your request.
4. Why we use your data and our legal basis
Under GDPR, every use of personal data must have a legal basis. Here is what we do and why.
4.1 To respond to your enquiry and deliver our services
Legal basis: performance of a contract (Art. 6(1)(b) GDPR) or steps taken at your request before entering a contract.
Answering contact form submissions and emails.
Running discovery calls and preparing proposals.
Delivering agreed services and managing the client relationship.
Sending service-related communications such as reports, invoices, and project updates.
4.2 For direct B2B marketing and outreach
Legal basis: our legitimate interests (Art. 6(1)(f) GDPR) to grow our business by reaching companies that fit our ideal client profile.
Contacting business decision-makers by email, phone, or LinkedIn about services that are relevant to their role.
Sending our newsletter and commercial content to subscribers.
Running remarketing campaigns on LinkedIn, Meta, Google, YouTube, and Reddit.
We have conducted and documented a Legitimate Interest Assessment (LIA) to confirm this processing is proportionate, role-relevant, and does not override the rights of the individuals concerned. You can object to this processing at any time (see section 8) and every marketing message we send includes a one-click opt-out.
4.3 To operate and improve the Website
Legal basis: our legitimate interests in running a secure, functional, and useful website; consent (Art. 6(1)(a) GDPR) for non-essential cookies.
Measuring traffic, engagement, and conversion.
Detecting and preventing fraud, abuse, and technical issues.
Testing and improving pages, forms, and content.
4.4 To comply with legal obligations
Legal basis: legal obligation (Art. 6(1)(c) GDPR).
Keeping accounting and tax records under Slovenian law.
Responding to lawful requests from authorities.
Managing data subject rights requests.
4.5 For recruitment
Legal basis: steps taken at your request before entering a contract (Art. 6(1)(b) GDPR) and legitimate interests in evaluating candidates (Art. 6(1)(f) GDPR). For retaining CVs beyond a live role we rely on consent.
5. Automated processing and AI tools
We use software, automation, and AI tools to run our operations efficiently. This includes CRM automation, email sending and deliverability tools, lead enrichment platforms, advertising platforms, and general-purpose AI assistants for drafting, research, and analysis.
5.1 No solely automated decisions with legal effect
We do not make decisions that produce legal or similarly significant effects on you based solely on automated processing (Art. 22 GDPR). Human review is involved in every consequential decision, including whether to engage a client, whether to include a prospect in a campaign, and how to respond to an enquiry.
5.2 AI use disclosure
We may use AI tools to assist with drafting outbound copy, summarising research, analysing campaign performance, and personalising messages. Final outputs are reviewed by humans before delivery.
We take reasonable steps to prevent your personal data from being used to train public AI models. Where we use AI services for processing personal data, we prefer enterprise or API configurations that include contractual commitments that data will not be used for training. We maintain internal guidance for our team on how to use AI tools responsibly when handling personal data.
We do not profile individuals for sensitive inferences (such as health status or political views) using AI.
If you have questions about how AI is used in any specific interaction, contact us at hello@grouglobal.com.
6. Who we share your data with
We do not sell your personal data. We share it only with parties that need it to help us run our business, and only under written agreements that require them to protect it.
Categories of recipients:
CRM and sales tools: HubSpot and related booking and form providers.
Outreach and email tools: email sending platforms, deliverability tools, and LinkedIn automation tools.
Data enrichment providers: Apollo, Clay, and similar verified B2B data sources.
Analytics and advertising: Google (Analytics, Ads, YouTube), Meta, LinkedIn Ads, Reddit Ads.
Infrastructure and hosting: cloud hosting providers, email infrastructure, domain and DNS providers.
Business operations: accounting software, payment processors, e-signature tools, project management and collaboration tools.
Professional advisors: lawyers, accountants, and auditors, bound by confidentiality.
Public authorities: when required by law or legal process.
Business transfer parties: in the context of a merger, acquisition, or sale of assets, under appropriate safeguards.
A current list of our key subprocessors, including their role and location, is available on request at hello@grouglobal.com. Enterprise clients can receive this as part of their DPA review.
7. International transfers
Some of our service providers are based outside the European Economic Area (EEA), including in the United States and the United Kingdom.
When we transfer personal data outside the EEA, we rely on one of the transfer mechanisms permitted by GDPR:
An adequacy decision issued by the European Commission (for example, the decision covering the UK, or the EU-US Data Privacy Framework for certified US recipients).
Standard Contractual Clauses (SCCs) approved by the European Commission.
Derogations under Article 49 GDPR, where applicable.
Where required, we carry out a Transfer Impact Assessment and apply supplementary measures such as encryption and access controls. You can request a copy of the relevant safeguards at hello@grouglobal.com.
8. Your rights
Under GDPR and ZVOP-2 you have the following rights over personal data we hold about you:
Access: ask us what data we hold about you and receive a copy.
Rectification: ask us to correct inaccurate or incomplete data.
Erasure: ask us to delete your data where there is no longer a valid basis to keep it.
Restriction: ask us to limit how we use your data in certain situations.
Objection: object to processing based on legitimate interests, including direct marketing. If you object to direct marketing we will stop.
Portability: receive data you provided to us in a structured, machine-readable format, or ask us to transfer it to another provider.
Withdraw consent: where we rely on consent, you can withdraw it at any time. This does not affect the lawfulness of processing before withdrawal.
Not be subject to solely automated decisions producing legal or similarly significant effects. See section 5.
Judicial protection: under Article 31 ZVOP-2 you may seek judicial protection directly before the Administrative Court of the Republic of Slovenia.
Complaint: lodge a complaint with the Slovenian Information Commissioner (Informacijski pooblaščenec, www.ip-rs.si) or your local EU data protection authority.
To exercise any of these rights, email hello@grouglobal.com. We will respond within one month and may extend this by a further two months for complex requests, as allowed by GDPR. We may ask you to confirm your identity before we act. Exercising these rights is free; we may charge a reasonable fee or refuse only for manifestly unfounded or excessive requests.
8.1 Rights for California residents (CCPA)
If you are a California resident, you have the right to know what personal information we collect, to request deletion or correction, to opt out of any "sale" or "sharing" of personal information (we do not sell personal information as defined by CCPA), and not to be discriminated against for exercising these rights. To submit a request, email hello@grouglobal.com.
8.2 Rights for UK residents
UK residents have equivalent rights under UK GDPR. You may lodge a complaint with the UK Information Commissioner's Office (ICO) at ico.org.uk.
9. How long we keep your data
We keep personal data only as long as needed for the purpose it was collected for, then delete or anonymise it. Typical retention periods:
Prospect and lead data: up to 24 months from the last meaningful interaction, then reviewed and either refreshed with a new lawful basis or deleted.
Client data: for the duration of the engagement plus 10 years, in line with Slovenian accounting and tax rules.
Contact form and booking submissions: 24 months.
Newsletter subscribers: until you unsubscribe, plus a suppression record to honour your opt-out indefinitely.
Website analytics (GA4): up to 14 months in identifiable form, after which data is aggregated.
Advertising platform data (Meta, LinkedIn, Google): typically 13 months for remarketing audiences.
Server and security logs: up to 12 months.
Recruitment data: 6 months after the decision unless you consent to longer retention for future roles.
Suppression and unsubscribe lists: kept indefinitely so we continue to honour your opt-out.
Where a legal obligation or a legitimate defence of legal claims requires a longer retention period, we apply that period.
10. Cookies and tracking
Our Website uses cookies and similar technologies (pixels, tags, local storage) to function correctly, measure performance, and run advertising.
10.1 Categories of cookies we use
Strictly necessary: required for the Website to work, for example session and security cookies. Legal basis: legitimate interests. No consent required.
Analytics: Google Analytics 4 (GA4). Helps us understand how visitors use the site so we can improve it. Legal basis: consent.
Marketing: Meta Pixel, LinkedIn Insight Tag, Reddit Pixel, and Google/YouTube tags. These measure ad performance and allow us to show relevant ads to people who have visited our site. Legal basis: consent.
10.2 How consent works
Non-essential cookies are only set after you give consent through our cookie banner. The banner lets you accept or reject non-essential cookies and choose categories where applicable. Your choice is recorded and stored. You can change or withdraw your consent at any time through the cookie preferences link in the footer.
You can also block or delete cookies through your browser settings. If you do, some parts of the Website may not work properly.
10.3 Cross-device and remarketing
Meta, LinkedIn, Google, and Reddit may combine data collected through their tags on our site with data they hold about you from other sources. Their own privacy policies govern that processing. Useful links:
Google (includes YouTube): policies.google.com/privacy
Meta: www.facebook.com/privacy/policy
LinkedIn: www.linkedin.com/legal/privacy-policy
Reddit: www.reddit.com/policies/privacy-policy
11. How we protect your data
We apply technical and organisational measures appropriate to the risk, including:
Encryption in transit (TLS 1.2 or higher) and at rest where supported by the service.
Access controls on a need-to-know basis, with role-based permissions and unique user accounts.
Multi-factor authentication on business-critical systems.
Password management through a dedicated password manager.
Vendor due diligence and signed data processing agreements with all processors.
Regular backups and documented recovery procedures.
Staff training on data protection, phishing, and secure handling of client data.
Periodic reviews of retention, access, and security posture.
Written confidentiality commitments from all team members and contractors.
No system is completely secure. If a personal data breach occurs that is likely to result in a risk to your rights, we will notify the relevant supervisory authority within 72 hours and, where required by GDPR, inform you directly.
12. Our role when processing data for clients
When we run outbound, LinkedIn, email, or lead generation campaigns for a client, the client is the data controller and GROU acts as a data processor. This means:
The client decides the target audience, the lawful basis, and the purpose of the campaign.
We only process prospect data on the client's documented instructions, under a signed data processing agreement.
We apply the security measures described in section 11, maintain records of processing, and assist the client in responding to data subject requests and breach notifications.
We use only sub-processors that are bound by equivalent data protection obligations.
12.1 If you received a message from a GROU-managed campaign
If you received a cold email, LinkedIn message, or call identifying a GROU-managed campaign and you want to:
Stop receiving messages: reply to the message with "unsubscribe" or click the opt-out link. We will process your request without delay and keep a suppression record.
Exercise other GDPR rights (access, deletion, rectification, objection): email hello@grouglobal.com with the name of the company that contacted you, if known. We will route the request to the client acting as data controller and respond on their behalf within the GDPR timeframe.
Ask where we got your contact details: we will tell you which category of source was used (for example public LinkedIn profile or B2B data provider) and, where possible, identify the specific provider.
13. Children
Our services are aimed at businesses. Under Article 8 GDPR and Article 6 ZVOP-2, the Slovenian age of digital consent is 15. We do not knowingly collect personal data from anyone under 15. If you believe a child has provided us with personal data, contact us and we will delete it promptly.
14. Changes to this policy
We may update this policy from time to time. The "Last updated" date at the top shows the latest version. For significant changes we will notify you by email or a prominent notice on the Website before the change takes effect. We recommend you review this page periodically.
15. Contact and complaints
For any privacy question, complaint, or rights request:
Email: hello@grouglobal.com
Post: Grou d.o.o., Litostrojska cesta 58C, 1000 Ljubljana, Slovenia