Privacy Policy

1. Data Controller

Gfactor is the data controller for personal data collected through the g2f.ee website and the Gfactor fund management platform.

For any privacy-related inquiries, you can reach us at privacy@gfactor.io.

2. What Data We Collect

Contact form submissions

When you submit a form on our website (such as requesting pilot access or contacting us), we collect:

• Your name
• Email address
• Organization type (fund administrator, general partner, etc.)
• AUM range (if provided)
• Any additional information you include in your message

Website usage data

We use Plausible Analytics, a privacy-focused analytics tool that does not use cookies and does not collect personal data. Plausible collects:

• Page views and referral sources
• Browser and device type (aggregated, not individually identifying)
• Country of origin (derived from IP, which is never stored)

No individual visitor profiles are created. No data is shared with advertising networks.

3. Legal Basis for Processing

We process personal data under the following legal bases as defined by the General Data Protection Regulation (GDPR):

• Consent — When you submit a contact form, you consent to our processing of the information you provide for the purpose of responding to your inquiry.
• Legitimate interest — As a B2B SaaS provider serving institutional fund managers, we have a legitimate interest in understanding how our website is used and in communicating with prospective customers who have expressed interest.

You may withdraw consent at any time by contacting privacy@gfactor.io.

4. Cookies

The g2f.ee website uses only essential cookies that are strictly necessary for the website to function. We do not use:

• Advertising or marketing cookies
• Third-party tracking cookies
• Analytics cookies (Plausible Analytics is cookie-free)
• Social media tracking pixels

Because we only use essential cookies, no cookie consent banner is required under ePrivacy regulations.

5. Third-Party Services

We use a limited number of third-party services to operate our website. Each has been selected for its privacy characteristics:

Netlify (hosting and CDN)

Our website is hosted on Netlify. Netlify processes server access logs (including IP addresses) for security and operational purposes. Netlify's infrastructure operates in compliance with GDPR. See Netlify's Privacy Policy.

Google Fonts (typography)

We load the Outfit and JetBrains Mono typefaces from Google Fonts CDN. When you visit our website, your browser makes a request to Google's servers to retrieve the font files. Google may collect your IP address and basic request metadata as part of serving these files. See Google's Privacy Policy.

Plausible Analytics (website analytics)

We use Plausible Analytics for privacy-friendly website usage statistics. Plausible does not use cookies, does not collect personal data, and does not track visitors across sites. All data is aggregated. Plausible is an EU-based service. See Plausible's Data Policy.

6. Data Retention

• Contact form submissions are retained for 24 months from the date of submission and are automatically deleted after this period.
• Website analytics data is retained in aggregated, non-personal form by Plausible and is not subject to individual deletion requests (as no personal data is stored).

If you become a platform customer, your data will be governed by the applicable service agreement and data processing agreement (DPA), which will supersede this website privacy policy for platform-related data.

7. Your Rights Under GDPR

As a data subject in the European Union, you have the following rights with respect to your personal data:

• Right of access — Request a copy of the personal data we hold about you.
• Right to rectification — Request correction of inaccurate or incomplete data.
• Right to erasure — Request deletion of your personal data.
• Right to restriction — Request that we limit processing of your data in certain circumstances.
• Right to data portability — Request your data in a structured, commonly used, machine-readable format.
• Right to object — Object to processing based on legitimate interest.

To exercise any of these rights, contact us at privacy@gfactor.io. We will respond within 30 days.

You also have the right to lodge a complaint with your local data protection supervisory authority. In Estonia, this is the Estonian Data Protection Inspectorate (Andmekaitse Inspektsioon).

8. Data Processing Agreement

For enterprise customers and prospects who require a formal Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR, a signed DPA is available on request. Contact privacy@gfactor.io to request one.

9. Data Security

We implement appropriate technical and organizational measures to protect personal data, including TLS encryption in transit, access controls, and regular security reviews. Our platform infrastructure is hosted in the EU (AWS eu-north-1, Stockholm) to ensure data residency within the European Economic Area.

10. International Transfers

Your data is primarily stored and processed within the European Union. Where third-party services process data outside the EU (such as Google Fonts CDN), appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) and adequacy decisions where applicable.

We do not transfer personal data to countries without adequate data protection unless appropriate legal mechanisms are in place.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be indicated by updating the "Last updated" date at the top of this page. We encourage you to review this page periodically.

Continued use of the website after changes constitutes acceptance of the updated policy.

12. Contact

For any questions or requests regarding this Privacy Policy or your personal data:

Email: privacy@gfactor.io

Jurisdiction: European Union / Estonia