G
Galgo.ai

Privacy Policy

Last updated: 11 May 2026

This Privacy Policy explains how Galgomedia (“we”, “us”, “our”), operator of the Galgo.ai marketing platform (the “Service”), collects, uses, stores, shares, and protects information about the people who use it. It also describes the rights you have in relation to that information.

We act as a data controller for the account information of users who sign up for Galgo.ai, and as a data processor for the marketing data and end-customer data that our customers (the organisations using Galgo.ai) load into the platform. Where we act as a processor, our customers’ own privacy notices govern the underlying processing.

1. Who we are

Galgomedia operates the Galgo.ai service. For privacy questions, contact galcivar@galgomedia.com. Our registered postal address is available on request.

2. Information we collect

2.1 From people who sign in to Galgo.ai

  • Account profile: name, email address, profile picture (when provided by your identity provider), organisation membership, and the role assigned to you within an organisation.
  • Authentication: session cookies, IP address of the login request, and the identity provider used (Google sign-in or email + password).
  • Usage and diagnostic logs: URL paths visited inside the Service, error traces, and interaction events used to keep the product running. These logs do not contain the content of the messages, briefs, or creatives you produce in the Service.
  • Audit logs: when you take a sensitive action (invite a teammate, change a permission, connect a platform), we record the actor, timestamp, and IP address. Audit logs are append-only.

2.2 From the platforms you connect

When you click Connect on Meta, Google, TikTok, LinkedIn, Shopify, HubSpot, or any other supported integration, the third-party provider asks you to authorise Galgo.ai. After you consent, we receive and store:

  • OAuth access and refresh tokens. Tokens are encrypted at rest with AES-256-GCM using a key that is not exposed to the application database. We never log raw tokens.
  • Identifiers for the ad accounts, pages, pixels, properties, or stores you select to link to a brand.
  • Marketing performance data we are authorised to read on your behalf — campaign metadata, ad creative, impressions, clicks, spend, conversions, and audience definitions.
  • Conversion events you choose to forward to the Service (via webhooks or pixel) for attribution and reporting.

2.3 Personal information of your end customers

To support attribution and Conversions API integrations, the Service may process limited personal information about your customers (e.g. email, phone number) supplied through your conversion events. We apply SHA-256 hashing to this information before it leaves the Service and never store it in plaintext form.

2.4 Cookies and similar technologies

We use a small number of strictly necessary cookies for authentication (the session cookie issued by our authentication provider) and a preference cookie that remembers your light/dark theme choice. We do not use third-party advertising cookies on the Service itself.

3. How we use the information

  • To provide, maintain, and secure the Service.
  • To execute the actions you ask agents to perform on your behalf against the platforms you have connected.
  • To compute analytics, A/B test outcomes, and the per-brand “agent memory” that improves future generations.
  • To meter usage of paid third-party APIs (Anthropic, OpenAI, Replicate, Stripe, Resend) so we can bill credits accurately.
  • To investigate abuse, prevent fraud, and comply with legal obligations.
  • To send you operational email about your account and the Service. We do not send marketing email unless you opt in.

4. Legal bases (UK GDPR / EU GDPR)

  • Performance of a contract: for everything required to deliver the Service to a logged-in user.
  • Legitimate interests: for security logging, anti-fraud, and product improvement, balanced against your rights.
  • Consent: for any processing that requires it — for example, optional marketing email or non-essential cookies (we do not use any today).
  • Legal obligation: for tax, accounting, and responding to lawful requests from authorities.

5. Sharing

We share information only with the following categories of recipients, and only as necessary:

  • Subprocessors we rely on to operate the Service (hosting, database, email delivery, payment processing, AI providers). Each is bound by a data-processing agreement.
  • Platforms you connect when you ask the Service to push, read, or sync data on your behalf.
  • Authorities when we are legally compelled to do so, or to protect the safety of users or the public.

We do not sell personal information and we do not share it for cross-context behavioural advertising.

6. International transfers

The Service is hosted in regions that may be outside your country. When personal data is transferred outside the UK or EEA, we rely on mechanisms recognised under UK and EU data-protection law, such as the Standard Contractual Clauses, supplemented where required.

7. Retention

  • Account data is kept for as long as your organisation has an active account, plus a short grace period.
  • Audit and billing records are kept for the period required by applicable accounting and tax law (typically up to seven years).
  • Marketing-platform data is kept for the duration of the active OAuth connection. Disconnecting a platform deletes the stored OAuth tokens and stops further sync.
  • Hashed end-customer identifiers are kept only as long as needed for attribution and the integrations you have enabled.

8. Security

We apply technical and organisational measures appropriate to the risk, including row-level security in the database, AES-256-GCM encryption of OAuth tokens, hashing of end-customer identifiers, signed webhooks with replay protection, audit logging of sensitive actions, and least-privilege access for our team. No system is perfectly secure; if we become aware of a breach affecting your data, we will notify you and the relevant authorities as required by law.

9. Your rights

Depending on where you live, you may have the right to:

  • access the personal data we hold about you;
  • request correction of inaccurate data;
  • request deletion of your data;
  • request restriction of, or object to, certain processing;
  • request data portability;
  • withdraw consent where processing is based on consent;
  • lodge a complaint with your local data-protection authority.

To exercise any of these rights, see our Data Deletion Instructions or email galcivar@galgomedia.com. We respond within 30 days.

10. Children

The Service is not directed at children under 16, and we do not knowingly collect personal information from them. If you believe a child has provided us personal information, contact us and we will delete it.

11. Platform-specific notes

When you connect Meta (Facebook / Instagram), Google (Ads / Analytics / Tag Manager), TikTok, or LinkedIn, those platforms may also collect information about you under their own privacy policies. Galgo.ai uses the Meta Marketing API, Google APIs, TikTok Marketing API, and LinkedIn Marketing API in accordance with each provider’s developer terms. Use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

12. Changes to this policy

We may update this policy from time to time. The “Last updated” date at the top reflects the most recent change. Where changes are material, we will give you reasonable notice — typically inside the Service or by email — before they take effect.

13. Contact

Questions about this policy or about how we handle personal information:

Galgomedia
galcivar@galgomedia.com