Privacy Policy — Galvanic Works S.L.
Last updated: 4 May 2026
Version: 2.3
1. Data Controller
Galvanic Works S.L.
NIF: B26774091
Llubí, Illes Balears, Spain
Email: privacy@galvanicworks.com
Website: galvanicworks.com
Galvanic Works S.L. (“we”, “us”, “our”) is the data controller responsible for processing your personal data in accordance with the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Spain’s Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (“LOPD-GDD”).
2. What Personal Data We Collect
2.1 Data You Provide Directly
| Data | When | Purpose |
|---|---|---|
| Email address | Newsletter signup, quiz email gate, contact form | Email marketing, send The 3AM Report, respond to enquiries |
| Name (if provided) | Contact form, email correspondence | Respond to enquiries |
| Quiz responses and scores | Completing a quiz on our website | Personalise content, segment audience, improve quizzes |
| Survey responses | Completing a survey on our website | Marine safety research (with consent), improve content |
| Research consent status | Opting in to research use of responses | Record and respect your consent choice |
| Message content | Contact form, email | Respond to your enquiry |
2.2 Data Collected Automatically
| Data | Technology | Purpose |
|---|---|---|
| IP address | Web server logs, analytics | Security, approximate location for analytics |
| Browser type and version | Analytics | Improve website compatibility |
| Pages visited, time on page | Google Analytics 4, Brevo | Understand how visitors use our site |
| Referring website | Google Analytics 4 | Measure marketing effectiveness |
| Device type and screen size | Analytics | Optimise website design |
2.3 Order and Pre-Order Data
When you place an order or pre-order through galvanicworks.com (including Galvanic Voice pre-orders for October 2026 dispatch), we collect the data needed to process and fulfil the order:
| Data | When | Purpose |
|---|---|---|
| Full name | Checkout | Order processing, dispatch, invoice |
| Billing address | Checkout | Invoice, VAT determination, fraud prevention |
| Shipping address (if different) | Checkout | Dispatch and customs |
| Email address | Checkout | Order confirmation, dispatch notifications, customer service |
| Telephone number (optional) | Checkout | Courier delivery contact only |
| Payment details (card data) | Checkout | Processed directly by Revolut (PCI-DSS compliant) — we do not store full card numbers |
| Order history | After purchase | Customer service, statutory guarantee claims, accounting records |
| VAT number (B2B only) | Checkout | Intra-community VAT exemption, invoicing |
Order data is processed under GDPR Article 6(1)(b) (performance of the contract you have entered into with us) and, for invoicing and accounting records, under GDPR Article 6(1)(c) (compliance with our legal obligations under Spanish tax and commercial law).
Pre-order data is used solely to fulfil your order. We do not add pre-order buyers to marketing lists unless you separately opt in to email marketing at checkout or elsewhere.
2.4 Cookies and Tracking Technologies
We use cookies and similar technologies. These fall into three categories:
Essential cookies — Required for the website to function. Cannot be disabled. Include session management and cookie consent preferences.
Analytics cookies — Help us understand how visitors use our website. These only activate after you give consent via our cookie banner. Include:
– Google Analytics 4 (Google LLC, USA) — anonymous traffic analytics with IP anonymisation enabled
Marketing cookies — Used to measure the effectiveness of our advertising. These only activate after you give consent. Include:
– Meta Pixel (Meta Platforms Inc., USA) — measures visits from Facebook and Instagram ads
– Brevo tracking (Brevo SAS, France) — tracks email campaign interactions on our website
Local storage — Our quizzes and surveys use your browser’s localStorage to save your progress, consent preferences, and interaction data. This data remains on your device and is not transmitted to our servers unless you explicitly submit a form. You can clear localStorage at any time through your browser settings.
You can change your cookie preferences at any time by clicking the cookie settings link in our website footer.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) | Data Used |
|---|---|---|
| Send newsletters and marketing emails | Consent (you sign up voluntarily) | Email address |
| Send The 3AM Report PDF | Consent (you request it via quiz email gate) | Email address |
| Email nurture sequences about marine safety | Consent (given at signup) | Email address, quiz score |
| Respond to contact form enquiries | Legitimate interest (pre-contractual communication) | Name, email, message |
| Process and fulfil orders and pre-orders | Contract (Art. 6(1)(b) — performance of the sales contract) | Name, billing/shipping address, email, phone, payment details, order history |
| Issue invoices and keep statutory accounting records | Legal obligation (Art. 6(1)(c) — Spanish Código de Comercio Art. 30 + LGT Art. 66) | Name, billing address, VAT number (if B2B), order details, payment records |
| Customer service for placed orders | Contract (post-contractual) | Order history, contact details |
| Website analytics | Consent (cookie banner) | IP address, browsing data |
| Measure advertising effectiveness | Consent (cookie banner) | Browsing data, Meta Pixel data |
| Prevent fraud and ensure security | Legitimate interest | IP address, server logs |
| Comply with legal obligations | Legal obligation | As required by law |
4. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only with the following service providers (“processors”), each under a data processing agreement:
| Processor | Location | Purpose | Data Shared |
|---|---|---|---|
| Brevo SAS | France (EU) | Email marketing, automations, contact management | Email address, quiz scores, signup date, segment tags |
| Google LLC (Analytics) | USA | Website traffic analysis | Anonymised browsing data, IP (truncated) |
| Meta Platforms Ireland Ltd / Inc. (Pixel & Ads) | Ireland (EU) + USA | Advertising measurement, audience targeting. Joint controller under GDPR Art. 26 for Pixel/event data and Page Insights. | Browsing behaviour on our site (with consent), ad interactions |
| Hetzner Online GmbH | Germany (EU) | Website and server hosting | All data stored on our website |
| Google LLC (Firebase) | EU region | Mobile app data storage and analytics | App usage data, device identifiers (app users only) |
| Revolut Bank UAB | Lithuania (EU) | Payment processing | Payment details, billing address (when active) |
| Namecheap Inc. | USA | Domain registration and DNS | Domain configuration only (no personal data) |
We may also disclose personal data if required by law, court order, or to protect our legal rights.
5. International Data Transfers
Our website is hosted in Germany (Hetzner) within the European Economic Area. Some processors are based in the USA:
- Google LLC and Meta Platforms Inc. — covered by the EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 (Adequacy Decision C(2023) 4745).
- Revolut Bank UAB — based in Lithuania (EU). No international transfer required.
These safeguards ensure your data receives equivalent protection when transferred outside the EEA.
6. How Long We Keep Your Data
| Data | Retention Period |
|---|---|
| Email marketing contacts | Until you unsubscribe, then deleted within 30 days |
| Quiz responses and scores | 24 months from submission |
| Survey responses | 24 months from submission |
| Contact form submissions | 24 months from last communication |
| Order records (name, address, order details) | 6 years from end of fiscal year of the transaction (Spanish Código de Comercio Art. 30) |
| Invoices and tax records | 6 years from issue (Spanish Código de Comercio Art. 30; minimum 4 years per LGT Art. 66) |
| Customer service correspondence linked to an order | 3 years after order delivery (statutory guarantee period of 3 years per LGDCU Art. 120) |
| Website analytics (GA4) | 14 months (GA4 default setting) |
| Cookie consent records | 12 months (then re-consent requested) |
| Server logs | 90 days |
| App usage data | As specified in the Galvanic App Privacy Policy |
After the retention period, data is permanently deleted or fully anonymised.
7. Your Rights
Under GDPR and LOPD-GDD, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — request deletion of your data
- Restriction — limit how we process your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest
- Withdraw consent — at any time, without affecting the lawfulness of prior processing
To exercise any right, email us at privacy@galvanicworks.com. We will respond within 30 days.
To unsubscribe from emails, click the unsubscribe link in any email, or email us directly.
8. Supervisory Authority
If you believe your data protection rights have been violated, you have the right to lodge a complaint with:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan 6, 28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 901 100 099
You may also contact the data protection authority in your country of residence.
9. Quiz and Survey Data Collection
Our website includes interactive quizzes and surveys about marine safety. When you take a quiz or survey:
- Quiz/survey interaction data (your answers and score) is processed locally in your browser. We record only the final score if you choose to submit the email form.
- Email submission is voluntary. You can complete quizzes and surveys and see your results without providing any personal data.
- If you submit your email, we add you to our email marketing list (Brevo) and send you The 3AM Report PDF. You will also receive occasional emails about marine safety topics. You can unsubscribe at any time.
- Data stored in Brevo: email address, quiz score, quiz date, lead source (which quiz), and a segment tag.
- Research consent: If you opt in to allow your anonymised responses to be used for marine safety research, we record your consent status alongside your responses. This consent is separate from email marketing consent and is entirely optional.
- Cookie consent on quizzes and surveys: Analytics and marketing trackers (GA4, Meta Pixel, Brevo) are only loaded on quiz and survey pages after you give consent via the cookie banner. No tracking scripts run until you actively consent.
- localStorage: Quizzes and surveys store progress and consent preferences in your browser’s localStorage. This data is not sent to our servers unless you submit a form.
- Data retention: Quiz and survey response data is retained for 24 months from submission, then permanently deleted.
- Deleting your quiz data: You can request deletion of your quiz and survey data at any time. A “Delete my quiz data” link is available on quiz and survey results pages. You can also email privacy@galvanicworks.com.
10. Newsletter and Marketing Emails
We send marketing emails only to people who have given consent by submitting their email address through our website (quiz email gate or newsletter signup form).
Our emails are sent via Brevo SAS (formerly Sendinblue), based in France. When you subscribe:
- You receive The 3AM Report (PDF download) and/or a welcome email
- You may receive a nurture sequence of 2-3 emails over 14 days about marine safety topics
- You will receive occasional newsletters (no more than 2 per month)
Every email includes an unsubscribe link. You can also email privacy@galvanicworks.com to be removed.
11. Children’s Privacy
Our website and services are not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
12. Security
We implement appropriate technical and organisational measures to protect your personal data:
- SSL/TLS encryption (HTTPS) on all pages
- Secure hosting infrastructure (Hetzner, Germany)
- Access controls and authentication
- Regular backups
- Firewall protection
- Encryption at rest for stored data
No method of internet transmission is 100% secure. If you become aware of a security vulnerability, please contact us immediately.
13. Changes to This Policy
We may update this privacy policy to reflect changes in our practices or legal requirements. When we make material changes:
- We will update the “Last updated” date at the top
- For significant changes, we will notify email subscribers
We encourage you to review this policy periodically.
14. Contact Us
For any privacy-related questions or requests:
Email: privacy@galvanicworks.com
Location: Llubí, Illes Balears, Spain
Website: galvanicworks.com/contact
We aim to respond to all privacy-related requests within 30 days as required by GDPR.
This privacy policy complies with the General Data Protection Regulation (EU) 2016/679 (GDPR), Spain’s Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPD-GDD), and other applicable privacy laws.