Your data isn't a liability. It's a trust engine.

Not compliance theatre. Not a 47-page policy nobody reads. We build privacy into the way your business actually works — so your users trust you, regulators leave you alone, and your team stops panicking every time someone says "GDPR."

Your startup doesn't need a checkbox DPO. It needs a privacy architect.

Every growth stage has privacy decisions you can't skip.

If you can't answer these questions, that's where we come in.

🛑 Foundation
What data are you actually collecting — and do you have a legal basis for any of it?
Without a privacy architect

Copy-pasted privacy policy from a competitor. Consent banner that doesn't actually block anything. "We'll deal with it when we're bigger."

With a privacy architect

Data map from day one. Legal basis assigned per processing activity. Privacy policy that humans can read and regulators respect.

Data mapping · Privacy policy · Lawful basis register
🔌 Product
Is privacy baked into the product — or bolted on after launch?
Without a privacy architect

Engineering ships first, legal reviews later. Analytics tracking everything "just in case." Cookie consent that's technically illegal in 3 jurisdictions.

With a privacy architect

Privacy by design embedded in the sprint cycle. Data minimisation that makes engineering simpler, not harder. Consent architecture your users actually trust.

Privacy by design review · DPIA · Consent architecture
🌍 Expansion
You're in 3 countries now — which privacy laws apply and where are you exposed?
Without a privacy architect

"We're GDPR compliant" (you're not). Transferring data to a US processor on vibes. No idea if Brazil's LGPD or Kenya's DPA even applies to you.

With a privacy architect

Jurisdiction map with clear obligations per market. Transfer mechanisms locked in. One privacy framework that scales across borders.

Cross-border transfer audit · Multi-jurisdiction roadmap · Standard contractual clauses
🚨 Crisis
It's 2am and someone just found a data breach. Who does what in the next 72 hours?
Without a privacy architect

Panic. Someone Googles "GDPR breach notification." The CEO emails all users saying "we take your privacy seriously" (they didn't). Regulator finds out from Twitter.

With a privacy architect

Breach playbook activated. Roles clear. Regulator notified in 72 hours with a clean filing. Affected users told what happened and what you're doing about it. Crisis becomes proof you can be trusted.

Breach response playbook · Regulator notification · User communications

Know what stage you're at? Let's figure out what you need.

Meet Oana.

Oana Grigore

Privacy & Data Protection Lead

Romanian. Lawyer. Privacy nerd who actually likes reading GDPR recitals (there are 173 of them — she's checked).

Oana spent years in private practice at one of Central Europe's top law firms advising multinationals on TMT and data protection. Then she went in-house — because the best way to understand how privacy works in the real world is to be the one building the product, not just reviewing it.

She's worked across fintech, edtech, and enterprise SaaS. She's filed with regulators, built consent architectures from scratch, and managed breaches at 2am on a Sunday. She brings the legal precision of a law firm partner and the operational instinct of someone who's sat in the engineering standup.

EU & cross-border data protection · GDPR · LGPD · African data protection frameworks · Privacy by design · DPIA · Breach response · International data transfers

Choose your level of involvement.

From a quick privacy health check to building your entire data protection programme.

Health Check

Where do you stand?

A focused audit of your current privacy posture. What's working, what's exposed, what needs fixing first. Clear report, prioritised actions.

Embedded DPO

Ongoing protection

Outsourced Data Protection Officer. Continuous monitoring, regulator liaison, team training, and incident response. Privacy leadership without the full-time hire.

Engagement structures adapt to your size and stage. A 5-person startup needs different privacy architecture than a 500-person scale-up.

Hourly

Specific question, clear answer. Pay for what you use.

Monthly Retainer

Reserved privacy capacity at a preferred rate. Ongoing access.

Fixed Fee

Defined deliverable. Fixed price. No hourly clock-watching.

Bulk Hours

Buy a block upfront at a reduced rate. Use them as you need them.

Privacy that speaks human.

Plain language, always

If your team can't understand the privacy policy, neither can your users. We write for humans first, regulators second.

Embedded in your workflow

Privacy reviews happen inside your sprint cycle, not as a bottleneck after the fact. We work with your engineers, not against them.

Cross-border by default

EU, Africa, LatAm, US — we build privacy frameworks that travel with your business, not ones that break at every border.

Breach-ready, not breach-scared

Every client gets a breach playbook before they need one. When the 2am call comes, the plan is already written.


Four steps. No compliance theatre.
1

Let's talk

30-minute call. You tell us what you're building and where your data lives. We tell you honestly what we see.

2 🔍

We scan the terrain

Quick assessment of your privacy posture: what data you hold, where the gaps are, what a regulator would find if they knocked tomorrow.

3 🤝

We agree on the shape

Health Check, Privacy Architect, or Embedded DPO. Hourly, retainer, or fixed fee. Your stage, your terms.

4 🛡️

You sleep better

Privacy programme in place. Breach playbook ready. Team trained. Regulator-proof and user-friendly. That's the goal.

Professional Services Notice. Mexzungu Group provides data privacy consulting, strategic advisory, and compliance programme design. The information on this website and services provided do not constitute legal advice and do not establish an attorney-client relationship. Mexzungu Group is not a law firm. For matters requiring formal legal counsel in a specific jurisdiction, we coordinate with specialist external counsel. By engaging with our services, you acknowledge that our work is strategic, structural, and operational in nature.