European Union & EEA addendum (GDPR)
This addendum applies if you are in the European Union, the wider European Economic Area (Iceland, Liechtenstein, Norway), or are otherwise covered by Regulation (EU) 2016/679 (GDPR) and the ePrivacy Directive (2002/58/EC, as transposed locally). It supplements our baseline Privacy Policy rather than replacing it.
1. Controller / processor
Galeira is the data controller for account, billing, analytics and abuse-prevention data, and the processor for the photos, videos, voice messages, guest lists, and other event content that hosts collect through the service. A host who runs a public-facing event on Galeira is the controller for that event's content; we process it on the host's instructions under the standard terms of service (/legal/terms) — a separate negotiated DPA is available on request to [email protected].
2. Lawful bases (Article 6)
- Contract (Art. 6(1)(b)) — running your account, taking payment, delivering uploads to the gallery you signed up for.
- Legitimate interests (Art. 6(1)(f)) — abuse prevention, fraud detection, securing the platform, basic non-tracking server logs. A balancing test is recorded internally and re-reviewed yearly.
- Consent (Art. 6(1)(a)) — non-essential cookies, analytics (PostHog), error monitoring (Sentry), face-grouping biometric processing, the marketing newsletter. Withdrawn at any time via the cookie banner or by email.
- Legal obligation (Art. 6(1)(c)) — tax records, lawful requests for assistance from authorities, retention of disputed transaction data.
3. Special categories (Article 9)
If a host enables the optional "Find your photos" face-grouping feature, we compute biometric face vectors (Article 9(1) special-category data) on Amazon Rekognition. We rely on the data subject's explicit consent (Art. 9(2)(a)) collected by the host before the event (see our host consent template). Vectors are stored encrypted in the EU, deleted with the event, never shared, and never used to train any model.
4. International transfers
Default storage is in the EU (Neon Frankfurt, Resend eu-west-1, AWS eu-central-1, Hetzner Germany). Transfers to processors outside the EEA (Stripe, Twilio, Sentry, GitHub, Firebase) are covered by the European Commission's Standard Contractual Clauses (2021/914) together with Transfer Impact Assessments where required by the Schrems II ruling. Sentry additionally relies on the EU-U.S. Data Privacy Framework.
5. Your GDPR rights (Articles 15–22)
- Access (Art. 15) — request a copy of what we hold about you.
- Rectification (Art. 16) — correct inaccurate data.
- Erasure / right to be forgotten (Art. 17) — delete your account and uploads.
- Restriction (Art. 18) — pause processing while you contest accuracy or lawful basis.
- Portability (Art. 20) — receive your data in JSON / standard image formats.
- Object (Art. 21) — opt out of processing based on legitimate interests.
- Automated decision-making (Art. 22) — we do not subject you to decisions made solely by automated means that produce legal or similarly significant effects.
To exercise any of these rights, email [email protected]. We acknowledge requests within 5 business days and respond within 30 days. Requests are handled free of charge unless they are manifestly unfounded or excessive.
6. Article 27 representative
Until a named in-region representative is appointed, EEA data subjects may contact us at [email protected], subject line "Art. 27".
7. Supervisory-authority complaints
You have the right to lodge a complaint with the supervisory authority of your habitual residence, place of work or place of the alleged infringement. A list is at edpb.europa.eu.
8. Cookies & tracking
Strictly necessary cookies (session, language, palette) load without consent. Analytics, error monitoring and any future marketing pixels load only after consent is granted via our banner. See our Cookie Policy.
9. Retention
Default retention follows the host's plan tier (Free 30 days, Wedding 24 months, Forever 5 years). Aggregated, anonymised analytics is retained indefinitely. Audit logs are kept for 24 months for fraud / abuse investigation.