GDPR Compliance
Our platform is fully GDPR compliant
We take data protection seriously. Our robust Data Protection Management system ensures full compliance with legal standards and goes beyond the basics — covering processing principles, data subject rights, a detailed register of processing activities, and strong technical and organizational safeguards. All our servers are securely hosted in Germany. Plus, our certified Data Protection Officer stays ahead of the curve through regular, advanced training — so your data is always in trusted hands.

Your Data, Your Rights
We believe in transparency and control. That’s why we fully respect your data protection rights — including the right to access your data, correct inaccuracies, request deletion, limit how your data is used, transfer your data to another provider, or object to certain types of processing. Your data, your choice.
Our platform is designed in compliance with GDPR (Privacy by Design and by Default)
This means we have embedded privacy and data protection into every stage of the development process.
- Data Minimization
We collect and process only the data that is strictly necessary for the stated purpose. The user decides which additional information (e.g. a photo) is entered into the system, and can add or delete that additional information at any time.
- Purpose Limitation
We use data strictly for the clearly defined and legitimate purposes laid down in the privacy policy and the data processing agreement.
- Lawful Basis Management
We have implemented mechanisms to capture and manage user consent and/or to ensure that another legal basis exists (e.g. a contract, or a legal obligation such as a DPA).
- User Rights Enablement
In the "Profile" area each user can change their email address and personal data. Beyond that, we provide features that support users' rights: access, rectification, erasure, objection, restriction, and data portability.
- Transparency & Control
We provide clear privacy notices, and user activation, archiving and deletion are controlled automatically (e.g. consent settings, account activation, and archiving and deletion via the interface to the HR software or by management). Marketing demonstrations run on a separate demo platform.
- Security by Design
We apply strong technical and organizational measures (TOMs), including encryption, role-based access control (a user or manager can see only their own data), secure data storage with daily backups, secure session handling, and a password policy.
- Data Retention Management
We automatically delete data once it is no longer needed, following an archiving and data-erasure category concept, by means of scheduled cron jobs (e.g. user data is deleted once it has been archived for more than 12 months).
- Audit & Accountability
We keep detailed logs and maintain a record of processing activities (ROPA) covering the categories of data, the purposes, the retention periods, and any third-party transfers, so that we can demonstrate compliance.
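The retention and audit items above describe one concrete mechanism: a scheduled job that erases user data once it has been archived for longer than the retention period, while keeping an accountability trail. The following is an added illustration of that pattern, not the platform's own code. It assumes a `UserRecord` with an `archived_at` timestamp (set when the account is archived), approximates "12 months" as 365 days, and writes only a pseudonymous user id into the audit log so that the erasure record itself does not retain personal data.

```python
"""Archive-then-erase retention job with an audit trail (added example, assumptions noted inline)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Assumption: the page's "> 12 months" is approximated as 365 days.
RETENTION = timedelta(days=365)


@dataclass
class UserRecord:
    user_id: str                      # pseudonymous key, safe to keep in logs
    email: str                        # personal data, must not survive erasure
    display_name: str
    photo: Optional[bytes]            # optional data the user may add or remove
    archived_at: Optional[datetime]   # None while the account is still active


def is_due_for_erasure(record: UserRecord, now: datetime) -> bool:
    """Only archived records past the retention period qualify; active accounts never do.
    The comparison is strict (> RETENTION), matching 'after archiving > 12 months'."""
    if record.archived_at is None:
        return False
    return now - record.archived_at > RETENTION


def run_retention_job(records: List[UserRecord], now: datetime, audit_log: list) -> List[UserRecord]:
    """Return the records that remain; append one accountability entry per erasure.
    The entry records that an erasure happened and on what basis, but no PII."""
    kept = []
    for r in records:
        if is_due_for_erasure(r, now):
            audit_log.append({
                "event": "erasure",
                "user_id": r.user_id,
                "archived_at": r.archived_at.isoformat(),
                "erased_at": now.isoformat(),
                "basis": "retention_policy_12m",  # assumed policy label
            })
        else:
            kept.append(r)
    return kept


def sample_records(now: datetime) -> List[UserRecord]:
    """Constructed sample data covering active, recently archived, boundary and expired cases."""
    return [
        UserRecord("u-active", "a@example.org", "A", None, None),
        UserRecord("u-recent", "b@example.org", "B", b"\x89PNG", now - timedelta(days=30)),
        UserRecord("u-boundary", "c@example.org", "C", None, now - RETENTION),
        UserRecord("u-old", "d@example.org", "D", b"\x89PNG", now - timedelta(days=400)),
    ]


def demo():
    """Run the job on the constructed data; returns (remaining user ids, audit log)."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    audit_log: list = []
    kept = run_retention_job(sample_records(now), now, audit_log)
    return [r.user_id for r in kept], audit_log


if __name__ == "__main__":
    kept_ids, log = demo()
    print("kept:", kept_ids)
    print("audit:", log)
```

In production such a script would be invoked from cron (for example nightly) against the live database instead of the constructed list; the two properties worth preserving from the example are the strict retention comparison, so that a record archived exactly at the boundary is not erased a day early, and the audit entry that carries only a pseudonymous id, so that demonstrating the erasure does not itself re-create the personal data that was deleted.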

GDPR Compliance Responsibility
Register of processing activities (ROPA) and a check of the processing principles for each category of personal data
We maintain a detailed and up-to-date Register of Processing Activities in accordance with Article 30 of the GDPR. This register provides full transparency into how, why, and where personal data is processed within our organization — ensuring accountability and compliance at every step.
Technical and organisational measures (TOMs)
We implement a comprehensive set of technical and organisational measures to ensure the security, confidentiality, and integrity of personal data. These include access controls, encryption, regular security audits, employee training, and secure data handling procedures, all designed to protect data from unauthorized access, loss, or misuse. We have also developed a separate demo platform so that demonstrations never touch live data.
Subprocessors/contractors
We carefully select and monitor our contractors, sign data processing agreements (DPAs) with all subprocessors, and ensure that they meet equivalent security and compliance standards.
If user data is transferred outside the EU/EEA, we ensure compliance with the cross-border transfer rules (e.g. standard contractual clauses (SCCs) or an adequacy decision).

