Privacy Policy

Last updated: April 23, 2026

1. Who We Are (Data Controller)

This Privacy Policy describes how Amoledo Sp. z o.o. ("GPRHub", "we", "us", "our") collects, uses, shares, and protects your personal data when you use our B2B guest post marketplace at gprhub.com and related services (the "Platform").

Data Controller:

  • Company: Amoledo Sp. z o.o.
  • Registered address: ul. Hoża 86/410, 00-682 Warszawa, Poland
  • KRS: 0001068982
  • NIP: 7011174670
  • REGON: 526950935
  • Email: [email protected]

We process your personal data in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) and the Polish Act on the Protection of Personal Data of 10 May 2018.

2. Who This Policy Applies To

This Policy applies to all users of the Platform, including:

  • Advertisers — businesses purchasing guest post placements.
  • Publishers — website owners offering guest post placements.
  • Visitors — anyone browsing gprhub.com without an account.

The Platform is intended for business use only. Users must be at least 18 years old and acting on behalf of a legally established business.

3. Personal Data We Collect

We collect the following categories of personal data:

3.1. Account data (provided by you at registration):

  • First name, last name
  • Email address
  • Password (stored in hashed form)
  • Account type (advertiser, publisher, or both)
  • Preferred interface language

3.2. Business data (provided during use):

  • Company name and address (for invoicing)
  • VAT number (for B2B tax handling)
  • Website URLs owned by publishers
  • Project details submitted by advertisers
  • Article content and link anchors

3.3. Financial data:

  • Balance history and transactions
  • Withdrawal requests and destinations
  • Payment identifiers (Stripe transaction IDs; we do not store full card numbers or banking credentials)

3.4. Technical data (collected automatically):

  • IP address
  • Browser type and version
  • Device type and operating system
  • Session identifiers and login timestamps
  • Referrer URL

3.5. Communication data:

  • Messages exchanged with other users through the Platform
  • Support requests sent to us
  • Dispute history

4. Why We Process Your Data (Purposes) and Legal Basis

We process personal data for the following purposes, each with a specific legal basis under GDPR Article 6:

  • Providing the Platform and executing contracts — operating accounts, processing orders, handling payments, enabling communication. Legal basis: Article 6(1)(b) GDPR — performance of a contract.
  • Identity verification and fraud prevention — verifying publisher website ownership, monitoring suspicious activity, preventing fraud. Legal basis: Article 6(1)(f) GDPR — legitimate interest in protecting the integrity of the Platform.
  • Accounting and tax obligations — issuing invoices, maintaining transaction records, reporting to tax authorities. Legal basis: Article 6(1)(c) GDPR — legal obligation under Polish accounting law.
  • Security and logging — detecting breaches, maintaining access logs, investigating incidents. Legal basis: Article 6(1)(f) GDPR — legitimate interest in platform security.
  • Customer support — responding to inquiries, handling disputes. Legal basis: Article 6(1)(b) and 6(1)(f) GDPR.
  • Marketing communications — sending service updates and relevant offers. Legal basis: Article 6(1)(a) GDPR — consent (you may withdraw at any time).
  • Legal claims — establishing, exercising, or defending legal claims. Legal basis: Article 6(1)(f) GDPR — legitimate interest.

5. Who We Share Your Data With (Recipients)

We share personal data with the following categories of recipients, only to the extent necessary:

  • Stripe Payments Europe, Ltd. (Ireland) — payment processing for deposits and withdrawals. Stripe acts as an independent data controller for card data. More information: stripe.com/privacy
  • Google Ireland Limited (Gordon House, Barrow Street, Dublin 4, Ireland) — website analytics via Google Analytics 4, activated only with your consent. Google may transfer data to the United States under the EU–U.S. Data Privacy Framework. More information: policies.google.com/privacy and opt-out: tools.google.com/dlpage/gaoptout
  • Hosting provider (MIROhost) — infrastructure for the Platform (server, database, storage). Acts as our data processor under a Data Processing Agreement.
  • Other Platform users — when you place an order, the relevant counterparty (advertiser or publisher) sees your username, project/site details, and messages exchanged through the Platform. Private contact details are not shared.
  • Professional advisors — accountants, lawyers, auditors bound by professional secrecy.
  • Public authorities — only when required by law (e.g., tax office, UODO, law enforcement with valid legal basis).

We do not sell personal data to third parties.

5.1. Publisher-Connected Google Services

Publishers may voluntarily connect their own Google Analytics 4 (GA4) and Google Search Console (GSC) accounts to display verified site metrics on their listings. This is separate from the Google Analytics cookie tracking on gprhub.com (Section 9).

When a publisher connects these services through OAuth, we request the following scopes:

  • analytics.readonly — to read traffic metrics from the publisher's connected GA4 property (sessions, organic traffic, traffic sources);
  • webmasters.readonly — to read Search Console metrics (clicks, impressions, average position) for the publisher's verified sites.

How we use this data:

  • Read-only access. We never modify, delete, or write data to the publisher's GA4 or Search Console accounts.
  • Fetched twice monthly via server-side scheduled jobs.
  • Stored in our database solely to display verified metrics on the publisher's public site listing page.
  • Never shared with third parties, sold, or used for advertising.
  • Never used to train AI/ML models.
  • Aggregated metrics may be visible to advertisers reviewing the publisher's site for placement orders.

GPRHub's use of information received from Google APIs adheres to the Google API Services User Data Policy (https://developers.google.com/terms/api-services-user-data-policy), including the Limited Use requirements.

Publishers can disconnect their Google account at any time via "My sites → Edit → Google connections → Disconnect". Upon disconnection, all stored Google API data for that connection is deleted immediately, including OAuth credentials, connection metadata, and any cached metrics fetched via Google Analytics or Search Console APIs.

Legal basis: Article 6(1)(a) GDPR — explicit consent from the publisher during the OAuth authorization flow.

6. International Data Transfers

Some of our service providers may process data outside the European Economic Area (EEA), notably:

  • Stripe — operates globally, with data transfers to the United States under Standard Contractual Clauses approved by the European Commission and the EU-U.S. Data Privacy Framework.

For every transfer outside the EEA, we ensure appropriate safeguards under GDPR Chapter V, including Standard Contractual Clauses, adequacy decisions, or other approved mechanisms.

7. How Long We Keep Your Data (Retention)

We retain personal data only as long as necessary for the purposes set out in this Policy:

  • Account data — for the duration of your account, plus 3 years after closure (for potential disputes and claims).
  • Transaction and invoicing data — 6 years from the end of the tax year (as required by Polish accounting law — Article 74 of the Polish Accounting Act).
  • Communication data (messages, disputes) — up to 3 years after the related order is closed.
  • Marketing consent data — until consent is withdrawn.
  • Technical logs — up to 12 months, unless required longer for security investigations.

After the retention period, data is securely deleted or anonymized.

8. Your Rights Under GDPR

You have the following rights in relation to your personal data:

  • Right of access (Article 15) — obtain confirmation of whether we process your data and a copy of it.
  • Right to rectification (Article 16) — correct inaccurate or incomplete data.
  • Right to erasure (Article 17) — request deletion of data ("right to be forgotten"), subject to legal retention obligations.
  • Right to restriction of processing (Article 18) — limit processing under certain circumstances.
  • Right to data portability (Article 20) — receive your data in a structured, machine-readable format.
  • Right to object (Article 21) — object to processing based on legitimate interest or for direct marketing.
  • Right to withdraw consent (Article 7(3)) — withdraw consent at any time (does not affect prior lawful processing).
  • Right to lodge a complaint — file a complaint with the Polish Data Protection Authority (UODO): uodo.gov.pl

To exercise any of these rights, contact us at [email protected]. We will respond within one month of your request (extendable by two months for complex requests, as permitted by Article 12(3) GDPR).

9. Cookies and Similar Technologies

We use two categories of cookies on gprhub.com:

  • Strictly necessary cookies — required for the Platform to function (session, login, language preference). These do not require consent under Article 173 of the Polish Electronic Communications Act.
  • Analytics cookies (Google Analytics 4) — activated only after your explicit consent via the cookie banner. Used to understand visitor behavior in an aggregated, pseudonymized form. IP addresses are anonymized before storage.

You can manage your cookie preferences at any time through the "Cookie preferences" link in the footer. Detailed information is available in our Cookies Policy.

We do not use advertising cookies, social media tracking pixels, or cross-site profiling technologies.

10. Data Security

We implement appropriate technical and organizational measures to protect personal data, including:

  • HTTPS/TLS encryption for all data in transit
  • Password hashing (bcrypt)
  • Database access control and logging
  • Regular security updates to platform software
  • Role-based access within the organization
  • Incident response procedures aligned with GDPR Article 33

In case of a personal data breach likely to result in a risk to your rights and freedoms, we will notify the Polish DPA (UODO) within 72 hours and, if required, notify you directly.

11. Automated Decision-Making

We do not use automated decision-making or profiling that produces legal effects concerning you or similarly significantly affects you within the meaning of Article 22 GDPR.

12. Children

The Platform is not intended for persons under 18 years of age. We do not knowingly collect personal data from minors. If you believe a minor has provided us with personal data, please contact us at [email protected] and we will delete it promptly.

13. Changes to This Policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent version. For material changes, we will notify registered users via email or a prominent notice on the Platform at least 30 days before the changes take effect.

14. Contact

For any privacy-related questions, requests, or concerns, please contact us:

  • Email: [email protected]
  • Post: Amoledo Sp. z o.o., ul. Hoża 86/410, 00-682 Warszawa, Poland

You also have the right to lodge a complaint with the Polish Data Protection Authority:

  • Urząd Ochrony Danych Osobowych (UODO)
  • ul. Stawki 2, 00-193 Warszawa, Poland
  • Website: uodo.gov.pl
