Privacy Policy
Effective: 2026-05-17 · Owner: privacy@galaxyzen.ai
1. What we collect
When you submit a form on this site (e.g. /book), we collect: your name, email, company, optional website URL, the services you indicated interest in, and your message. We also log your IP address and basic technical data (user-agent, timestamp) for security and fraud-prevention purposes.
We do not collect special-category data (health, genetic, biometric, religious, political, etc.). If you send us such data unsolicited, we will redact it on intake.
2. Why we collect it
- To respond to you — book the discovery call you requested, send the brief, follow up. (GDPR lawful basis: performance of pre-contractual measures under Art. 6(1)(b).)
- To improve our service — aggregate (de-identified) patterns in incoming requests so we can serve future clients better. (GDPR Art. 6(1)(f) — legitimate interests.)
- Security + abuse prevention — rate-limit, block bots, detect attacks. (GDPR Art. 6(1)(f).)
3. How long we keep it
- Contact submissions: 365 days, then auto-deleted unless you became a client.
- Audit / security logs: 7 years (aligned to SOC 2 retention guidance). These are hashed/redacted — no raw PII.
- Cookie consent records: 12 months from last visit.
4. Who we share it with
We share your data only with the processors required to operate the site:
- Vercel — site hosting (US, EU regions).
- Cloudflare — DNS + edge security.
- Supabase — database for form submissions (US/EU regions; we can pin to EU on request).
- Resend — transactional email delivery.
- Cal.com — calendar booking (only if you book).
- Anthropic — AI model provider behind the on-site chat assistant (chat text only, PII redacted before send; not used for model training).
All processors have Data Processing Agreements (DPAs) in place. We do not sell your data. We do not share it with advertisers.
5. Your rights
If you are in the EU/EEA, UK, or California, you have the right to:
- Access the personal data we hold about you
- Correct inaccuracies
- Request deletion (right to erasure)
- Export your data in a portable format
- Object to processing for legitimate-interests purposes
- Lodge a complaint with your supervisory authority
Email privacy@galaxyzen.ai with subject line "DSAR Request" — we respond within 30 days.
6. International transfers
Data may be processed in the US, EU, and India (where our team operates). Transfers from the EU/UK use Standard Contractual Clauses (SCCs) as the safeguard mechanism per GDPR Chapter V.
7. Security
TLS 1.2+ in transit. AES-256 at rest (Supabase platform-managed). Per-agent scoped API keys with least-privilege access. Detailed security controls are documented in our SOC 2 Type 1 readiness package, available to enterprise prospects on request.
8. Changes to this policy
Material changes will be announced via email to clients and a banner on this site. The effective date at the top of this page always reflects the latest version.
Questions? privacy@galaxyzen.ai.