PRIVACY POLICY.
Last updated: March 2026 // GDPR compliant
This Privacy Policy describes how Galor Analytics ("we", "us", "our") collects, uses, and shares information about you when you use our analytics service at app.galor.group ("Service").
1. Who We Are
Galor Analytics is a product of Galor d.o.o., a company registered in Slovenia, European Union. As an EU-based company, we operate under the General Data Protection Regulation (GDPR).
Data Controller: Galor d.o.o.
Contact: privacy@galor.group
2. Data We Collect — Dashboard Users
When you create a Galor Analytics account, we collect:
- Email address and name (for authentication and communication)
- Password (hashed with bcrypt, never stored in plaintext)
- Billing information (processed by Paddle — we never see payment card numbers)
- Usage data (which dashboard features you use, to improve the product)
- IP address at login time (stored for 30 days for security purposes)
3. Data We Collect — Website Visitors (Your Clients' Sites)
When your clients' visitors trigger events via the Galor tracker script, we collect the following data on behalf of you (the data controller for your clients' sites):
In Cookieless Mode (Default — Tier 1)
- Page URL and referrer URL
- UTM campaign parameters
- Browser and OS (derived from User-Agent; full User-Agent string is stored for browser/OS detection and deleted per retention policy)
- Country and region (derived from IP, IP is not stored)
- Viewport size and device type
- Event data (pageview, scroll depth, clicks, web vitals)
- Session identifier (random, per-session, not tied to a user)
In Persist Mode (Tier 2 & 3 — requires consent)
In addition to the above, with explicit user consent:
- Persistent visitor ID (stored in a first-party cookie, 2-year expiry)
- Cross-session behavior (return visits, time between sessions)
- Lead scoring data (accumulated behavior metrics)
- Visitor identity fields submitted via the identify API (name, email, phone) — all three are hashed with SHA-256 before storage and are never stored in plaintext
4. Data Storage and Infrastructure
All analytics data is stored in ClickHouse on Hetzner servers in Nuremberg, Germany (EU). User account data is stored in PostgreSQL on the same infrastructure. No analytics data leaves the European Union.
We do not use AWS, Google Cloud, or any US-based cloud provider for data storage. Traefik handles SSL termination. All data is encrypted in transit (TLS 1.3).
5. Data Retention
- Analytics events: Retained for up to 5 years (ClickHouse TTL), or until you request deletion, whichever is sooner
- Visitor profiles: Retained for up to 5 years (ClickHouse TTL); all identity fields are SHA-256 hashed
- Account data: Retained until you delete your account, followed by a 30-day grace period
- Security logs (IP at login): 30 days
- Billing history: 7 years (legal requirement for EU invoicing)
6. Your GDPR Rights
If you are in the EU/EEA, you have the following rights:
- Right of access: Request a copy of all data we hold about you
- Right to rectification: Correct inaccurate data
- Right to erasure: Delete your account and all associated data
- Right to portability: Export your data in JSON or CSV format
- Right to restrict processing: Pause processing while a dispute is resolved
- Right to object: Object to processing based on legitimate interests
To exercise any of these rights, email privacy@galor.group. We will respond within 30 days.
7. Your Clients' Visitors' Rights (Data Processor Role)
For data collected from your clients' website visitors, you are the data controller and Galor Analytics acts as a data processor. You are responsible for:
- Having a valid legal basis for collection (consent, legitimate interest, etc.)
- Informing your clients' visitors about analytics in your privacy policy
- Handling visitor rights requests (we will assist via our DPA)
Our Data Processing Agreement (DPA) is publicly available and accepted upon registration.
8. Cookies
In default (cookieless) mode, the Galor tracker sets no cookies. In persist mode (Tier 2/3), one first-party cookie is set:
- Name: _galor_vid
- Purpose: Persistent visitor identifier for cross-session analytics
- Duration: 2 years
- Type: First-party, httpOnly when using CNAME server-side cookie
Our dashboard at app.galor.group uses session cookies for authentication (@auth/sveltekit).
9. Third-Party Sub-Processors
- Paddle (paddle.com) — Payment processing and subscription management; Paddle is the merchant of record. Ireland/UK.
- Hetzner (hetzner.com) — Cloud infrastructure provider (EU-based, ISO 27001 certified). Germany.
- Google Gemini API (ai.google.dev) — AI-powered analytics insights; data is not stored by Google for training. US.
- IPinfo (ipinfo.io) — IP-to-company enrichment for lead identification. US.
- Resend (resend.com) — Transactional email delivery (reports, alerts, invitations). US.
- MaxMind (maxmind.com) — GeoIP database for country/region detection; database is downloaded and processed locally, no API calls are made per request. US.
10. Changes to This Policy
We will notify registered users by email before material changes take effect. The "Last updated" date at the top of this page will always reflect the current version.
11. Contact
For privacy questions or to exercise your rights:
privacy@galor.group