Trust.

Hosts hand us photos of the most personal moments in their lives. That demands a clear answer to: what happens to those photos, who can see them, and what happens if you disappear? This page is that answer.

Where data lives

• Photos / videos / audio: Cloudflare R2, encrypted at rest, EU residency available on request.
• Account & event metadata: Neon Postgres in Frankfurt (eu-central-1).
• If you enable cloud mirror: also in your own Google Drive / Photos / Dropbox / OneDrive / S3 / WebDAV — every approved photo, within a few minutes. Wedding tier mirrors to 1 destination; Forever and Pro mirror to up to 5.
• App server: Hetzner CAX11 in Germany.
• Analytics (consent-gated): PostHog in EU (eu-central-1).
• Error monitoring (consent-gated): Sentry in US under SCCs + DPA. Strict PII scrubbing.

Full named-processor list with region + transfer mechanism lives in the privacy policy.

Security posture

• TLS everywhere, HSTS preloaded, strict transport upgrade.
• Sessions: Lucia v3 sessions, HttpOnly + SameSite=Lax cookies, automatic refresh.
• CSP: Content-Security-Policy enforcing, with a curated allowlist scoped to first-party plus a small set of audited third parties (PostHog, Sentry, Stripe, Pusher, R2, Cloudflare Insights). Observed in report-only mode prior to enforcement.
• Secrets: never in code or git history; live in the server's .env.local + GitHub Actions secrets.
• Backups: Neon point-in-time recovery + every git push acts as a code backup. R2 has 11 9s of durability.
• Rate limiting: Upstash Redis sliding-window on magic links, NPS, beta redemption, abuse reports.
• Automated moderation: AWS Rekognition for nudity / violence / hate symbols before guests see uploads.
• Vulnerability disclosure: RFC 9116 security.txt, full VDP with safe-harbour at /security.

What we won't do with your data

• Sell it.
• Use your photos, voices, or face vectors to train AI — ours or anyone else's.
• Share it with advertisers or data brokers.
• Run cross-event face matching (your guests at one event are not matched against guests at any other event, ever).
• Lock you in. Cloud mirror means your photos are already in a cloud you own; downloading the full archive as a ZIP is one click from your dashboard.

Compliance

Region-specific addenda at /legal/regions covering:

EU GDPR · UK GDPR · CCPA / CPRA · Virginia VCDPA · Colorado CPA · Connecticut CTDPA · Utah UCPA · Texas TDPSA · Brazil LGPD · Canada PIPEDA + Quebec Law 25 · Australia Privacy Act 1988 · India DPDP 2023 · Japan APPI + South Korea PIPA.

Data-subject requests (access, deletion, correction, portability, opt-out): email [email protected] — answered within 30 days, free of charge.

What happens if Galeira shuts down

Every company eventually ends. Here's our written commitment:

• 90 days notice by email to every host before any service shutdown.
• A final ZIP export of every event, automatically generated, sent to the host.
• One last mirror run for any host with cloud-mirror configured — even on the Free tier, even if they let their subscription lapse.
• The code goes open-source so self-hosting communities can keep the lights on for galleries that matter to them.

Reporting issues

• Security vulnerabilities: /security
• Abusive content / takedown: /report
• Copyright (DMCA): /legal/dmca
• Privacy / data: [email protected]
• Anything else: /contact