United Kingdom addendum (UK GDPR + DPA 2018)
This addendum applies if you are in the United Kingdom or if your personal data is processed in connection with offering services to people in the UK. It supplements our baseline Privacy Policy and aligns with the UK GDPR (Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019) and the Data Protection Act 2018, as amended by the Data Protection and Digital Information Act where in force.
1. Controller
Galeira is the data controller for UK users. We do not have a UK establishment, so for the purposes of UK GDPR Article 27 we appoint [email protected]as the point of contact until a named in-region UK representative is registered.
2. Lawful bases & rights
Identical to our EU addendum: contract / legitimate interests / consent / legal obligation, with explicit consent for biometric face-grouping under Article 9. Your rights of access, rectification, erasure, restriction, portability, objection, and rights related to automated decision-making mirror UK GDPR Articles 15–22.
3. International transfers
Transfers out of the UK rely on the UK Government's approved transfer mechanism (the International Data Transfer Agreement, IDTA) or the UK Addendum to the EU Standard Contractual Clauses, supported by a UK Transfer Risk Assessment. The UK has issued adequacy decisions for the EU/EEA, so EU-located processors (Neon, Resend, Pusher, AWS eu-central-1, Hetzner DE) do not require additional safeguards.
4. Cookies — PECR
We comply with the Privacy and Electronic Communications Regulations (PECR). Non-essential cookies (analytics, error monitoring, marketing) are loaded only after explicit opt-in via our cookie banner; necessary cookies are listed in the Cookie Policy.
5. ICO complaints
If you are unhappy with how we handle your data, you can complain to the Information Commissioner's Office: ico.org.uk/make-a-complaint/, or by phone on +44 303 123 1113. We'd prefer the chance to fix things first — [email protected] — but complaining to the ICO is your right and we won't make it harder.
6. DPDI Act 2025
Where the Data Protection and Digital Information Act 2025 (or successor) amends UK GDPR in ways that affect this addendum (e.g. recognised legitimate interests under the new Schedule 1, changes to the soft-opt-in marketing rules), we will update this page. For UK-specific privacy questions email [email protected].