California addendum (CCPA + CPRA)
This addendum is Galeira's Notice at Collection and Privacy Notice for California Residents under the California Consumer Privacy Act of 2018 (CCPA) as amended by the California Privacy Rights Act (CPRA), Cal. Civ. Code §§ 1798.100 et seq. and the regulations of the California Privacy Protection Agency (CCPA Regs).
1. Notice at Collection
At or before the point of collection we tell you what we collect and why. The full list lives in our baseline Privacy Policy. The table below summarises by CCPA category.
| CCPA category (§1798.140(v)) | Example | Source | Purpose | Retention |
|---|---|---|---|---|
| Identifiers | Email, account ID | You | Account, sign-in | Until deletion |
| Customer records | Payment metadata (no card numbers) | Stripe | Billing | 7 years (tax) |
| Commercial info | Plan, add-ons, refunds | You / Stripe | Service delivery | 7 years |
| Internet activity | Page views, clicks, browser/device fingerprint (consent-only) | Your browser | Analytics, abuse prevention | 13 months |
| Geolocation (coarse) | City-level from IP | Your browser | Fraud / locale | 30 days |
| Audio, electronic, visual | Photos, videos, voice messages you upload | You / event guests | Service delivery | Per host plan tier |
| Inferences | Engagement signals | Derived | Product improvement | 13 months |
| Sensitive PI — biometric (face vectors) | Face embeddings for opt-in "Find your photos" | Photos you upload | Group guests within event | Deleted with event |
2. Do we "sell" or "share" personal information?
No. Galeira does not sell personal information for monetary or other valuable consideration as defined in CCPA §1798.140(ad), and we do not share personal information for cross-context behavioural advertising as defined in §1798.140(ah). We have no advertising business. We have not done so in the preceding 12 months and have no plans to.
Because we do not sell or share, the "Do Not Sell or Share My Personal Information" link is not required, but we honour Global Privacy Control (GPC) signals as an opt-out anyway. With consent revoked you remain on the service with no analytics / Sentry / future marketing pixels firing.
3. Sensitive personal information
We process sensitive PI only for the purposes set out in §1798.121: providing the service you requested, security, fraud prevention, and short-term first-party uses. The opt-in face-grouping feature uses biometric data and is treated as a use that requires affirmative consent under both California law and Illinois BIPA.
We do not use or disclose sensitive PI to infer characteristics about you.
4. Your CCPA / CPRA rights
- Right to know — categories and specific pieces of PI we've collected, used, disclosed in the last 12 months.
- Right to delete — erase your account and uploads.
- Right to correct — fix inaccurate PI.
- Right to opt out of sale / sharing — moot (we do neither), and we honour GPC.
- Right to limit use of sensitive PI — we already limit per §1798.121.
- Right to non-discrimination — exercising any right does not change your price or service quality.
- Right to opt out of automated decision-making — we do not subject you to AD-M that produces legal effects.
To exercise these rights: email [email protected] from the address on your account, or use the in-app delete option in account settings. We verify identity using account email; for higher-risk requests we send a one-time confirmation link. Authorised agents may submit a request with written permission. We respond within 45 days (extension to 90 if necessary, with notice).
5. Children
We do not knowingly sell or share PI of consumers under 16. If a parent or guardian requests deletion of a minor's data, email [email protected] and we'll action within 7 days.
6. Disclosures for direct marketing — "Shine the Light"
California Civil Code §1798.83 lets California residents request a list of third parties to whom we disclosed PI for those third parties' direct marketing in the previous calendar year. Galeira does not engage in such disclosures, but you may confirm in writing at [email protected].
7. CalOPPA
Per the California Online Privacy Protection Act we treat Do Not Track signals and Global Privacy Control signals as opt-out signals where applicable.
8. Complaints
Contact us first at [email protected]. If we cannot resolve, you may complain to the California Attorney General at oag.ca.gov or the California Privacy Protection Agency at cppa.ca.gov.