Privacy Policy
Effective date: May 14, 2026 Last updated: May 14, 2026
This Privacy Policy explains how Galvoro collects, uses, and shares information about you when you use galvoro.app and its subdomains (the "Service").
1. Who we are
Galvoro is currently operated as an individual project, free of charge, by Sacha Epskamp, based in Singapore. No company has been incorporated. This means data controller responsibilities under applicable law rest with the operator personally.
Contact: privacy@galvoro.app
Data Protection contact / DPO: Sacha Epskamp, privacy@galvoro.app. This contact handles privacy requests, data protection questions, and complaints.
2. What we collect
2.1 Information you give us
- Account information: your primary email address (or GitHub account if you sign in with GitHub) and a university email address that you confirm belongs to you.
- Profile information: display name, username, biography, institution, academic field/sub-discipline selections, social links, and an optional profile photo. You choose what to share.
- Activity: capsules you save, capsules you like, lists you create, and (once enabled) comments and capsules you submit.
- Communications: the contents of any message you send us by email or through support routes.
2.2 Information we collect automatically
- Technical data: IP address, browser type, device type, operating system, referrer URL, and pages viewed. This comes from server logs and from our analytics provider.
- Authentication data: session cookies issued by our authentication provider. These are strictly necessary for the Service to function.
- Error and performance data: when something goes wrong in your browser, we collect a stack trace, page URL, and browser version. Error monitoring may include short, privacy-masked session replays when an error occurs. We configure replay to mask text input and user-entered content where technically possible, and we do not use replay for advertising, behavioural profiling, or cross-site tracking.
We do not knowingly collect special-category personal data (health, religion, political opinions, etc.). Please do not submit such information through the Service.
3. Why we collect it (lawful basis)
For users in the EU/UK (GDPR) and Singapore (PDPA), our lawful bases are:
| Purpose | Lawful basis |
|---|---|
| Creating and operating your account | Performance of a contract (the Terms of Service) |
| Verifying your university affiliation | Legitimate interest in maintaining a verified academic audience; performance of contract |
| Sending service emails (verification, security, account changes) | Performance of contract |
| Sending optional product updates | Consent (you opt in; you can opt out anytime) |
| Analytics and error monitoring | Legitimate interest in operating and improving the Service |
| Preventing abuse and security incidents | Legitimate interest |
| Responding to legal requests | Legal obligation |
4. Who we share it with
We do not sell your personal data and we do not share it with advertisers.
We do use the following sub-processors, which act on our instructions:
| Provider | Purpose | Location | Notes |
|---|---|---|---|
| Supabase | Authentication, database, file storage | Singapore (AWS) | Stores your account, profile, and content data |
| Cloudflare | DNS, content delivery, edge storage (R2), Workers | Global edge | Standard CDN access logs |
| Vercel | Application hosting | Singapore (function runtime); United States (control plane) | Request logs, function telemetry |
| Resend | Transactional email delivery | United States | Verification emails, security notices |
| Sentry | Error monitoring and session replay | EU (Frankfurt) | Stack traces and masked session replay on error |
| Plausible Analytics | Privacy-friendly analytics | EU (Germany) | No cookies, no personally identifiable data |
| GitHub | Optional sign-in via OAuth | United States | Only if you choose GitHub sign-in |
We may share information with law enforcement or regulators where legally required, and with successors if the project is ever transferred (you will be notified).
5. International data transfers
Galvoro is operated from Singapore and uses providers in Singapore, the EU, and the United States.
For transfers of personal data from the EU/UK to countries without an EU adequacy decision (currently including Singapore and the United States), we rely on Standard Contractual Clauses (SCCs) offered by the sub-processors listed above. By using the Service, you understand that your data may be processed in these jurisdictions.
EU/UK representative: At this preview stage, we do not intentionally target users in the EU or UK as a market, and we believe our processing is limited, low-risk, and not large-scale special-category processing. On that basis we have not appointed a representative under GDPR Article 27 or the UK equivalent. We will reassess this if Galvoro becomes commercial, actively targets EU/UK users, or materially expands its user base or processing activities. EU/UK users with privacy concerns can reach us directly at privacy@galvoro.app.
6. How long we keep it
- Account data: for as long as your account is active. Up to 30 days after deletion to complete the removal across backups and sub-processors.
- Server logs: typically 30–90 days, depending on the provider.
- Error and replay data: up to 90 days, then deleted automatically by Sentry.
- Analytics data: aggregated indefinitely; not tied to individual users.
- Communications you send us: as long as needed to respond and for a reasonable record afterward.
7. Your rights
Depending on where you live, you have some or all of the following rights:
- Access — request a copy of the personal data we hold about you.
- Correction — ask us to fix inaccurate data.
- Deletion — ask us to delete your account and associated data. Public contributions (capsules, comments) under permissive licenses may remain published with attribution removed or anonymised; see the Terms of Service.
- Restriction — ask us to stop processing certain data while a dispute is resolved.
- Portability — ask for an export of data you provided to us.
- Object — object to processing based on legitimate interests.
- Withdraw consent — for anything we do based on consent (e.g. marketing emails).
- Complain — to your local data protection authority. In Singapore, this is the Personal Data Protection Commission (PDPC). In the EU, your national supervisory authority.
To exercise these rights, email privacy@galvoro.app. We aim to respond within 30 days.
8. Cookies and similar technologies
We use a small number of cookies and similar technologies, all strictly for operating the Service:
- Authentication cookies (Supabase) — required to keep you signed in.
- CSRF and security cookies — required to prevent cross-site request forgery.
Our analytics provider (Plausible) does not use cookies and does not track you across sites. Sentry uses no cookies for session replay; it identifies sessions through its own SDK only when an error occurs.
We do not run advertising, retargeting, or cross-site tracking cookies.
9. Marketing emails
We will only send you marketing or product-update emails if you explicitly opt in. You can opt out anytime through the link in any such email, or by emailing privacy@galvoro.app.
Service-critical emails (account verification, security notifications, important changes to the Service or this Policy) are sent regardless and cannot be opted out of while you have an active account.
10. Children
The Service is intended for use by people aged 16 or older affiliated with a higher-education institution. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact privacy@galvoro.app and we will delete it.
11. Security
We take reasonable technical and organisational measures to protect your data, including encryption in transit, encryption at rest at our sub-processors, role-based database access controls, and two-factor authentication on administrative accounts. No system is perfectly secure; we cannot guarantee absolute security.
If we become aware of a personal data breach affecting you, we will notify you and applicable authorities where required by law.
12. Changes to this Policy
We may update this Policy. If we make material changes, we will notify you by email or through a notice on the Service before the changes take effect. Continued use of the Service after the effective date means you accept the updated Policy.
13. Contact
Privacy questions, requests, or complaints: privacy@galvoro.app
This Policy was written for a non-commercial preview launch and will be reviewed by qualified counsel before any paid or institutional offering goes live.