Privacy Policy

Last updated: December 2025

1. Introduction and Data Controller Information

At GaletAI, we are committed to protecting your privacy and ensuring the security of your personal data. This Privacy Policy explains how we collect, use, store, and protect your information when you visit our website or use our services, in full compliance with the General Data Protection Regulation (GDPR) (Regulation EU 2016/679), also known in Poland as RODO (Rozporządzenie o Ochronie Danych Osobowych).

1.1. Data Controller

The data controller responsible for processing your personal data is:

  • Company Name: GaletAI
  • Registered Address: ul. Bolesława Prusa 2, 18-400 Łomża, Poland, European Union
  • Company Registry Number: 200000152
  • DUNS Number: 422528510
  • Phone: +48 888 431 465
  • General Contact: [email protected]
  • Privacy Contact: [email protected]
  • Data Protection Officer (DPO): [email protected]

1.2. Scope of This Policy

This Privacy Policy applies to all personal data processing activities conducted through our primary domains and associated web properties:

  • galetai.com
  • galetai.pl
  • anixai.com
  • anixai.pl

This policy should be read in conjunction with our Terms of Service, Cookie Policy, and AI Disclaimer.

2. What Personal Data We Collect

We collect and process various categories of personal data depending on how you interact with our website and services. Below is a comprehensive overview of the data we may collect:

2.1. Data You Provide Directly

When you voluntarily submit information through our website, we collect:

  • Identity Data: First name, last name, username, or similar identifiers
  • Contact Data: Email address, phone number, mailing address (if provided)
  • Inquiry Data: Messages, questions, or feedback you submit through contact forms
  • Registration Data: Information provided when signing up for early access, beta testing, newsletters, or accounts
  • Communication Preferences: Your choices regarding marketing communications and newsletter subscriptions
  • Professional Information: Company name, job title, industry (if relevant to your inquiry or participation in B2B programs)

2.2. Data Collected Automatically

When you visit our website, certain data is collected automatically through cookies, analytics tools, and server logs:

  • Technical Data: Internet Protocol (IP) address (anonymized where possible), browser type and version, operating system, device type, screen resolution
  • Usage Data: Pages visited, time spent on pages, clickstream data, navigation paths, referral sources (how you found our website)
  • Location Data: Approximate geographic location derived from IP address (country, region, city level)
  • Cookie Data: Information stored in cookies and similar tracking technologies (see our Cookie Policy for details)
  • Performance Data: Page load times, errors encountered, browser compatibility issues
  • Interaction Data: Mouse movements, scroll depth, clicks, form interactions (used for user experience optimization)

2.3. Data from Interactive Features

If you use interactive features such as live chat, demos, or AI-powered tools:

  • Chat Transcripts: Messages exchanged with our support team or AI chatbots
  • Demo Interaction Data: Inputs, prompts, files uploaded, and usage patterns within demonstration environments
  • Feedback Data: Ratings, reviews, or suggestions you provide about our products or services
  • Conversation Logs: Anonymized conversation logs used for ANIXAI model tuning and improvement (only where explicit consent is granted)

Important: Each interactive demo or product has its own specific data processing notice detailing exactly what data is collected and how it is used. You will be informed before using such features.

2.4. Data We Do NOT Collect

We respect your privacy and do not collect:

  • Sensitive personal data (racial or ethnic origin, political opinions, religious beliefs, health data, genetic data, biometric data for identification) unless explicitly required and consented to for specific research programs
  • Payment card information (if we process payments in the future, we will use PCI DSS compliant third-party processors who handle this data securely)
  • Social security numbers or national identification numbers
  • Data from children under 16 years of age without verifiable parental consent

3. How and Why We Use Your Personal Data

We process your personal data only for specified, explicit, and legitimate purposes in compliance with GDPR Article 5 (lawfulness, fairness, transparency). Below are the purposes and legal bases for our data processing activities:

3.1. Providing and Managing Our Services

Purpose: To deliver our website, respond to inquiries, manage registrations, and provide access to our products and services.

Legal Basis: Contract performance (GDPR Art. 6(1)(b)) – necessary to fulfill your requests and our obligations.

Data Used: Identity, contact, registration, and technical data.

3.2. Communication and Support

Purpose: To respond to your questions, provide customer support, send transactional emails (e.g., account confirmations, password resets), and notify you about important service updates.

Legal Basis: Contract performance (Art. 6(1)(b)) and legitimate interest (Art. 6(1)(f)) – maintaining customer relationships and ensuring service quality.

Data Used: Contact data, inquiry data, chat transcripts, communication preferences.

3.3. Marketing and Newsletter Communications

Purpose: To send you newsletters, product announcements, early access invitations, and marketing materials about our services (only if you opt in).

Legal Basis: Consent (Art. 6(1)(a)) – you explicitly subscribe to receive marketing communications. You can withdraw consent at any time via unsubscribe links or by contacting us.

Data Used: Email address, name, communication preferences.

3.4. Website Optimization and Analytics

Purpose: To understand how visitors use our website, identify usability issues, optimize performance, and improve user experience through analytics and heatmaps.

Legal Basis: Consent (for non-essential analytics cookies) and legitimate interest (Art. 6(1)(f)) – improving our website and services for all users.

Data Used: Technical data, usage data, interaction data (anonymized and aggregated where possible).

3.5. Security and Fraud Prevention

Purpose: To detect, prevent, and respond to security threats, fraudulent activities, abuse of our services, and violations of our Terms of Service. This includes DDoS protection, bot detection, and intrusion prevention.

Legal Basis: Legitimate interest (Art. 6(1)(f)) – protecting our infrastructure, users, and data integrity. In some cases, legal obligation (Art. 6(1)(c)) – compliance with cybersecurity regulations.

Data Used: IP addresses, technical data, usage patterns, security logs.

3.6. AI Model Development and Research

Purpose: To improve our AI systems (e.g., ANIXAI) through machine learning model training, evaluation, and research activities using anonymized and aggregated interaction data.

Legal Basis: Consent (Art. 6(1)(a)) – explicit opt-in for participation in AI training programs. For scientific research purposes, GDPR Article 89 exemptions may apply with appropriate safeguards (anonymization, data minimization).

Data Used: Anonymized conversation logs, demo interaction data, feedback data (identifiers removed).

3.7. Legal Compliance and Regulatory Obligations

Purpose: To comply with legal obligations such as responding to lawful requests from authorities, defending legal claims, enforcing our Terms of Service, and meeting regulatory requirements (e.g., EU AI Act transparency obligations, tax laws, anti-money laundering).

Legal Basis: Legal obligation (Art. 6(1)(c)) and legitimate interest (Art. 6(1)(f)).

Data Used: Any data relevant to the legal requirement or claim.

3.8. Business Operations and Administration

Purpose: To manage our business operations, including accounting, auditing, corporate governance, and strategic planning.

Legal Basis: Legitimate interest (Art. 6(1)(f)) – ensuring efficient business operations.

Data Used: Transaction records, usage statistics (aggregated), operational logs.

4. Third-Party Services and Data Processors

To provide our services effectively, we engage trusted third-party service providers who process personal data on our behalf as data processors. We have data processing agreements (DPAs) in place with all processors to ensure GDPR compliance. Below is a comprehensive list of third-party services we use:

4.1. Cloudflare

Purpose: Content delivery network (CDN), DDoS protection, web application firewall (WAF), SSL/TLS encryption, bot management, and performance optimization.

Data Processed: IP addresses, browser information, HTTP headers, requested URLs, cookies (for security purposes).

Privacy Policy: Cloudflare Privacy Policy

Location: USA (Standard Contractual Clauses in place for GDPR compliance)

4.2. Google Services

We use various Google services for analytics, communication, and infrastructure:

4.2.1. Google Analytics

Purpose: Website traffic analysis, user behavior tracking, conversion measurement, and audience insights.

Data Processed: IP addresses (anonymized), browser data, device information, page views, session duration, geographic location (country/city level), user interactions.

Configuration: We have enabled IP anonymization, disabled data sharing with Google for advertising purposes, and respect Do Not Track signals where technically feasible.

Privacy Policy: Google Privacy Policy

Opt-Out: Google Analytics Opt-out Browser Add-on

4.2.2. Google Cloud Platform (GCP)

Purpose: Cloud hosting infrastructure, data storage, AI/ML model hosting, and compute resources.

Data Processed: Any data stored or processed on our servers (application data, user accounts, files uploaded to demos).

Security: Data is encrypted in transit (TLS) and at rest (AES-256). We use GCP's EU-based data centers where possible.

DPA: Google Cloud Data Processing Amendment ensures GDPR compliance.

4.2.3. Google reCAPTCHA

Purpose: Protection against spam, bots, and automated abuse on forms and interactive elements.

Data Processed: IP address, browser fingerprint, mouse movements, interaction patterns, cookies.

Privacy Policy: Google Privacy Policy

4.2.4. Google Workspace

Purpose: Internal email communication (Gmail), document collaboration (Google Docs/Sheets), and calendar management (used internally, does not process visitor data unless you email us directly).

4.3. Microsoft Services

4.3.1. Microsoft Clarity

Purpose: Website analytics, session replay (anonymized), heatmaps, user journey analysis to improve user experience and identify usability issues.

Data Processed: Mouse movements, clicks, scroll depth, page interactions, device type, browser information, anonymized session recordings (no personally identifiable information visible in replays).

Privacy Policy: Microsoft Privacy Statement

Configuration: We have configured Clarity to mask sensitive form fields (passwords, payment info) and respect user privacy settings.

4.3.2. Microsoft Azure

Purpose: Cloud infrastructure for hosting, storage, backup, and AI processing workloads (used for certain ANIXAI and AILOJZ components).

Data Processed: Application data, user-generated content, AI model training data (anonymized).

Security: ISO 27001, SOC 2, and GDPR certified. Data stored in EU data centers (West Europe or North Europe regions).

4.3.3. Bing Webmaster Tools / Microsoft Advertising

Purpose: Search engine optimization (SEO) monitoring, website indexing status, search performance analytics, and advertising campaign management (if applicable).

Data Processed: Website URLs, search queries leading to our site, click-through rates, crawl errors, aggregated visitor data.

Privacy Policy: Microsoft Privacy

4.4. Matomo Analytics

Purpose: Privacy-focused web analytics platform providing detailed insights into website usage while giving us full control over data (self-hosted or cloud option).

Data Processed: IP addresses (anonymized by default), page views, visit duration, referral sources, browser/device information, user interactions.

Privacy Advantages: Matomo respects Do Not Track (DNT) headers, allows full data ownership, and can be configured for cookie-less tracking. We anonymize visitor IPs by removing the last 2 octets.

Privacy Policy: Matomo Privacy Policy

Opt-Out: You can opt out of Matomo tracking via our Cookie Preferences or using your browser's DNT setting.

4.5. Additional Third-Party Services

We may also use the following services, which will be disclosed in our Cookie Policy with opt-in/opt-out mechanisms:

  • Email Service Providers: For sending newsletters and transactional emails (e.g., SendGrid, Mailchimp, or similar – only with consent)
  • Customer Relationship Management (CRM): For managing business contacts and customer interactions (data processed: contact info, communication history)
  • Video Hosting: For embedding demo videos or tutorials (e.g., YouTube, Vimeo – subject to their privacy policies)
  • Social Media Plugins: If we embed social media content, third-party cookies may be set (disclosed in Cookie Policy)

All third-party processors are vetted for GDPR compliance, and we maintain updated Data Processing Agreements (DPAs) with each.

5. International Data Transfers

Some of the third-party services we use (e.g., Google, Microsoft, Cloudflare) operate globally and may process data outside the European Economic Area (EEA). To ensure your data remains protected, we implement appropriate safeguards as required by GDPR Chapter V:

  • Standard Contractual Clauses (SCCs): EU Commission-approved contractual terms ensuring equivalent data protection for transfers to non-EEA countries
  • Adequacy Decisions: Transfers to countries recognized by the EU Commission as providing adequate data protection (e.g., UK under the UK GDPR adequacy decision)
  • Binding Corporate Rules (BCRs): Internal policies adopted by multinational companies (e.g., Microsoft, Google) ensuring consistent data protection standards
  • Data Localization: Where possible, we use EU-based data centers and regions (e.g., Google Cloud Europe, Azure West Europe) to minimize international transfers

For specific information about data transfer mechanisms used by each third-party service, please refer to their respective privacy policies linked above.

6. Cookies and Tracking Technologies

Our website uses cookies and similar tracking technologies to enhance functionality, analyze performance, and personalize your experience. Cookies are small text files stored on your device that help us recognize you and remember your preferences.

6.1. Types of Cookies We Use

  • Strictly Necessary Cookies: Essential for website operation (e.g., session management, security, load balancing). These cannot be disabled without affecting website functionality.
  • Performance Cookies: Collect anonymous information about how visitors use our site (e.g., Google Analytics, Matomo) to help us improve performance.
  • Functional Cookies: Remember your preferences and choices (e.g., language, region, cookie consent) to provide enhanced features.
  • Marketing Cookies: Used for advertising and remarketing (if applicable) – we will ask for explicit consent before setting these cookies.

6.2. Managing Cookies

You have full control over cookies:

  • Cookie Consent Banner: When you first visit our site, you can accept or reject non-essential cookies via our consent banner.
  • Cookie Preferences: Manage your cookie settings at any time through our Cookie Policy page.
  • Browser Settings: Configure your browser to block or delete cookies (note: this may affect website functionality).

For comprehensive information about cookies, their purposes, and retention periods, please see our detailed Cookie Policy.

7. Data Retention and Deletion

We retain your personal data only for as long as necessary to fulfill the purposes for which it was collected, comply with legal obligations, resolve disputes, and enforce our agreements. Retention periods vary depending on the type of data and purpose:

7.1. Retention Periods by Data Category

  • Contact Form Inquiries: 2 years from the date of last communication (for customer support history and follow-up)
  • Newsletter Subscriptions: Until you unsubscribe, then deleted or anonymized within 30 days
  • Account Data: Duration of account activity plus 1 year after account closure (for legal compliance and fraud prevention)
  • Analytics Data: Aggregated and anonymized data retained indefinitely; raw logs retained for 14-26 months (Google Analytics default: 26 months, Matomo: configurable, typically 12 months)
  • Chat Transcripts: 1 year for quality assurance and support purposes; anonymized transcripts for AI training (if consented) retained longer
  • Security Logs: 90 days to 1 year (for incident investigation and compliance with cybersecurity regulations)
  • Legal/Regulatory Data: As required by applicable laws (e.g., accounting records: 7 years in Poland; legal claims: duration of statute of limitations)

7.2. Automated Deletion

We implement automated processes to delete or anonymize personal data once retention periods expire. Data that is no longer needed for its original purpose and not subject to legal retention requirements is securely deleted.

7.3. Your Right to Request Deletion

You can request deletion of your personal data at any time by contacting us at [email protected]. We will comply with your request unless we have legitimate legal grounds to retain the data (e.g., ongoing legal claims, regulatory obligations).

8. Your Rights Under GDPR/RODO

As a data subject under the General Data Protection Regulation (GDPR/RODO), you have comprehensive rights regarding your personal data. We are committed to facilitating the exercise of these rights in a transparent and accessible manner.

8.1. Right to Access (Art. 15 GDPR)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data. You can request a copy of your data in a commonly used electronic format.

How to exercise: Email [email protected] with "Data Access Request" in the subject line. We will respond within 30 days (may be extended by 2 months for complex requests with notification).

8.2. Right to Rectification (Art. 16 GDPR)

You have the right to correct inaccurate or incomplete personal data we hold about you.

How to exercise: Email us at [email protected] with the specific corrections needed.

8.3. Right to Erasure / "Right to Be Forgotten" (Art. 17 GDPR)

You can request deletion of your personal data when:

  • The data is no longer necessary for the purposes for which it was collected
  • You withdraw consent (where processing was based on consent)
  • You object to processing based on legitimate interest and there are no overriding legitimate grounds
  • The data was unlawfully processed
  • Deletion is required for legal compliance

Exceptions: We may retain data if necessary for legal claims, legal obligations, or public interest purposes.

8.4. Right to Restriction of Processing (Art. 18 GDPR)

You can request that we limit how we use your data (e.g., store but not process) in specific circumstances, such as when you contest data accuracy or object to processing.

8.5. Right to Data Portability (Art. 20 GDPR)

You have the right to receive your personal data in a structured, commonly used, machine-readable format (e.g., CSV, JSON) and to transmit it to another controller without hindrance.

Scope: Applies to data you provided to us based on consent or contract, and that we process by automated means.

8.6. Right to Object (Art. 21 GDPR)

You can object to:

  • Direct Marketing: At any time, with no justification needed (use unsubscribe links or contact us)
  • Processing based on Legitimate Interest: You can object on grounds relating to your particular situation; we must stop processing unless we demonstrate compelling legitimate grounds that override your interests

8.7. Right to Withdraw Consent (Art. 7(3) GDPR)

Where processing is based on your consent (e.g., marketing emails, AI training participation), you can withdraw consent at any time. Withdrawal does not affect the lawfulness of processing before withdrawal.

8.8. Right to Lodge a Complaint (Art. 77 GDPR)

If you believe we have violated your data protection rights, you have the right to lodge a complaint with a supervisory authority, particularly in your country of residence, workplace, or where the alleged violation occurred.

Polish Supervisory Authority:
Urząd Ochrony Danych Osobowych (UODO)
ul. Stawki 2, 00-193 Warszawa, Poland
Website: uodo.gov.pl
Email: [email protected]
Phone: +48 22 531 03 00

8.9. Automated Decision Making and Profiling (Art. 22 GDPR)

We do not currently engage in automated decision-making with legal or similarly significant effects on individuals without human oversight. If we introduce such processing in the future, you will be informed and have the right to:

  • Obtain human intervention
  • Express your point of view
  • Contest the decision

Any AI-powered systems we use (e.g., chatbots, recommendation engines) are designed with human oversight and do not make consequential decisions autonomously.

9. Data Security Measures

We take data security seriously and have implemented comprehensive technical and organizational measures to protect your personal data against unauthorized access, accidental loss, destruction, or damage:

9.1. Technical Safeguards

  • Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security). Data at rest is encrypted using AES-256 encryption.
  • Secure Infrastructure: Our servers are hosted in secure, ISO 27001-certified data centers with physical access controls, environmental monitoring, and redundancy systems.
  • Firewall and Intrusion Detection: Web application firewalls (WAF) and intrusion detection/prevention systems (IDS/IPS) monitor and block malicious traffic.
  • DDoS Protection: Cloudflare's advanced DDoS mitigation protects against denial-of-service attacks.
  • Regular Security Updates: We apply security patches and updates to our systems promptly to address known vulnerabilities.
  • AI-Powered Security: Our AILOJZ Security Sentinel and other AI-based security tools monitor for anomalous behavior, potential breaches, and fraud attempts.

9.2. Organizational Safeguards

  • Access Controls: Personal data is accessible only to authorized employees and contractors who need it to perform their duties. Role-based access controls (RBAC) limit data exposure.
  • Confidentiality Agreements: All personnel with access to personal data are bound by confidentiality obligations.
  • Data Minimization: We collect and process only the data necessary for specified purposes.
  • Privacy by Design: Data protection principles are integrated into the development of new systems and processes from the outset.
  • Incident Response Plan: We maintain a documented data breach response plan to ensure rapid detection, containment, and notification in case of security incidents.
  • Regular Audits: Security and privacy practices are periodically reviewed and audited for compliance with GDPR and industry standards.

9.3. Data Breach Notification

In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority (UODO in Poland) within 72 hours of becoming aware of the breach (GDPR Art. 33)
  • Notify affected individuals without undue delay if the breach poses a high risk to their rights (GDPR Art. 34)
  • Provide information about the nature of the breach, likely consequences, and measures taken to mitigate harm

10. Children's Privacy

Our website and services are not directed at children under the age of 16 (or the applicable age of digital consent in your country). We do not knowingly collect personal data from children without verifiable parental or guardian consent.

If we become aware that we have inadvertently collected personal data from a child without appropriate consent, we will take steps to delete that information as soon as possible. If you believe we have collected data from a child improperly, please contact us at [email protected].

11. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, legal requirements, or business operations. Updates may be necessary due to:

  • Changes in GDPR, ePrivacy Directive, or other data protection regulations
  • Introduction of new services or features
  • Changes in third-party service providers
  • Feedback from supervisory authorities or legal counsel

11.1. Notification of Changes

When we make material changes to this policy, we will notify you through one or more of the following methods:

  • Prominent notice on our website homepage
  • Email notification to registered users
  • In-product notifications
  • Updated "Last Updated" date at the top of this document

We encourage you to review this Privacy Policy periodically to stay informed about how we protect your data. Your continued use of our website after changes take effect constitutes acceptance of the updated policy.

12. Our Primary Domains

This Privacy Policy applies to all personal data processing activities conducted through our primary web properties and associated domains:

  • galetai.com – Main corporate website and information portal
  • galetai.pl – Polish-language website serving the Polish market
  • anixai.com – ANIXAI product website and documentation
  • anixai.pl – Polish-language ANIXAI resources

Any subdomains or related properties (e.g., demo.galetai.com, docs.anixai.com) are also covered by this policy unless they display a separate, specific privacy notice.

13. Contact Us and Exercise Your Rights

If you have questions about this Privacy Policy, wish to exercise your GDPR rights, or need to report a privacy concern, please contact us using the information below:

13.1. Privacy Contact

  • Email: [email protected] (for all privacy-related inquiries and rights requests)
  • Data Protection Officer: [email protected]
  • General Contact: [email protected]
  • Phone: +48 888 431 465 (Monday-Friday, 9:00-17:00 CET)

13.2. Postal Address

GaletAI
ul. Bolesława Prusa 2
18-400 Łomża
Poland, European Union

13.3. Response Time

We aim to respond to all privacy inquiries and rights requests within 30 days of receipt. For complex requests, this period may be extended by an additional 2 months, and we will notify you of the extension and reasons within the initial 30-day period.

13.4. Verification

To protect your privacy and security, we may need to verify your identity before fulfilling data access or deletion requests. We will request additional information (e.g., account details, verification code sent to your registered email) to confirm you are the data subject or an authorized representative.

Last Updated: January 13, 2026
Effective Date: December 18, 2025
Version: 1.01

© 2024-2026 GaletAI. All rights reserved. Designed with accessibility and responsible AI in mind.