Privacy Policy — Galvanic Works S.L.
Last updated: 20 May 2026
Version: 2.5
Language of reference. This document is maintained
in English. Any translation into another language is produced
automatically (machine translation) and is provided for convenience
only. In the event of any discrepancy, ambiguity, or conflict between
the English version and any translation, the English version
prevails and is the sole legally binding text.
1. Data Controller
Galvanic Works S.L.
NIF: B26774091
Llubí, Illes Balears, Spain
Email: privacy@galvanicworks.com
Website: galvanicworks.com
Galvanic Works S.L. (“we”, “us”, “our”) is the data controller
responsible for processing your personal data in accordance with the
General Data Protection Regulation (EU) 2016/679 (“GDPR”) and Spain’s
Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los
derechos digitales (“LOPD-GDD”).
2. What Personal Data We Collect
2.1 Data You Provide Directly
| Data | When | Purpose |
|---|---|---|
| Email address | Newsletter signup, quiz email gate, contact form | Email marketing, send The 3AM Report, respond to enquiries |
| Name (if provided) | Contact form, email correspondence | Respond to enquiries |
| Quiz responses and scores | Completing a quiz on our website | Personalise content, segment audience, improve quizzes |
| Survey responses | Completing a survey on our website | Marine safety research (with consent), improve content |
| Research consent status | Opting in to research use of responses | Record and respect your consent choice |
| Message content | Contact form, email | Respond to your enquiry |
2.2 Data Collected Automatically
| Data | Technology | Purpose |
|---|---|---|
| IP address | Web server logs, analytics | Security, approximate location for analytics |
| Browser type and version | Analytics | Improve website compatibility |
| Pages visited, time on page | Google Analytics 4, Brevo | Understand how visitors use our site |
| Referring website | Google Analytics 4 | Measure marketing effectiveness |
| Device type and screen size | Analytics | Optimise website design |
2.3 Order and Pre-Order Data
When you place an order or pre-order through galvanicworks.com, we
collect the data needed to process and fulfil the order:
| Data | When | Purpose |
|---|---|---|
| Full name | Checkout | Order processing, dispatch, invoice |
| Billing address | Checkout | Invoice, VAT determination, fraud prevention |
| Shipping address (if different) | Checkout | Dispatch and customs |
| Email address | Checkout | Order confirmation, dispatch notifications, customer service |
| Telephone number (optional) | Checkout | Courier delivery contact only |
| Payment details (card data) | Checkout | Processed directly by Revolut (PCI-DSS compliant) — we do not store full card numbers |
| Order history | After purchase | Customer service, statutory guarantee claims, accounting records |
| VAT number (B2B only) | Checkout | Intra-community VAT exemption, invoicing |
Order data is processed under GDPR Article 6(1)(b) (performance of
the contract you have entered into with us) and, for invoicing and
accounting records, under GDPR Article 6(1)(c) (compliance with our
legal obligations under Spanish tax and commercial law).
Pre-order data is used solely to fulfil your order.
We do not add pre-order buyers to marketing lists unless you separately
opt in to email marketing at checkout or elsewhere.
Required vs optional fields (GDPR Art. 13.2.e). The
data marked as required at checkout (full name, billing address, email
address, payment details, and shipping address where it differs from
billing) is a contractual requirement: if you do not
provide it, we cannot conclude or fulfil the sales contract with you.
Telephone number is optional and used only for courier delivery contact;
VAT number is optional and used only for intra-community B2B
invoicing.
2.4 Cookies and Tracking Technologies
For full details on the cookies we use, their purposes, durations,
and how to manage them, see our Cookie
Policy. The summary below sets out the categories.
We use cookies and similar technologies. These fall into three
categories:
Essential cookies — Required for the website to
function. Cannot be disabled. Include session management and cookie
consent preferences.
Analytics cookies — Help us understand how visitors
use our website. These only activate after you give consent via our
cookie banner. Include:
- Google Analytics 4 (Google LLC, USA) — anonymous traffic analytics with IP anonymisation enabled
Marketing cookies — Used to measure the
effectiveness of our advertising. These only activate after you give
consent. Include:
- Meta Pixel (Meta Platforms Inc., USA) — measures visits from Facebook and Instagram ads
- Brevo tracking (Brevo SAS, France) — tracks email campaign interactions on our website
Local storage — Our quizzes and surveys use your
browser’s localStorage to save your progress, consent preferences, and
interaction data. This data remains on your device and is not
transmitted to our servers unless you explicitly submit a form. You can
clear localStorage at any time through your browser settings.
You can change your cookie preferences at any time by clicking the
cookie settings link in our website footer.
3. How We Use Your Data
| Purpose | Legal Basis (GDPR Art. 6) | Data Used |
|---|---|---|
| Send newsletters and marketing emails | Consent (you sign up voluntarily) | Email address |
| Send The 3AM Report PDF | Consent (you request it via quiz email gate) | Email address |
| Email nurture sequences about marine safety | Consent (given at signup) | Email address, quiz score |
| Respond to contact form enquiries | Legitimate interest (pre-contractual communication) | Name, email, message |
| Process and fulfil orders and pre-orders | Contract (Art. 6(1)(b) — performance of the sales contract) | Name, billing/shipping address, email, phone, payment details, order history |
| Issue invoices and keep statutory accounting records | Legal obligation (Art. 6(1)(c) — Spanish Código de Comercio Art. 30 + LGT Art. 66) | Name, billing address, VAT number (if B2B), order details, payment records |
| Customer service for placed orders | Contract (post-contractual) | Order history, contact details |
| Website analytics | Consent (cookie banner) | IP address, browsing data |
| Measure advertising effectiveness | Consent (cookie banner) | Browsing data, Meta Pixel data |
| Prevent fraud and ensure security | Legitimate interest | IP address, server logs |
| Comply with legal obligations | Legal obligation | As required by law |
3.1 Profiling and Automated Decision-Making
We use a limited form of profiling for marketing purposes (GDPR Art.
13.2.f):
- Audience segmentation in Brevo. When you submit your email via a quiz email gate or newsletter signup, we tag your contact record in Brevo with the source (which quiz or form), the quiz score where applicable, and a segment tag. We use these tags to send content relevant to your interests (for example, anchor-watch material to people who completed the anchor-watch quiz).
- Meta advertising audiences. If you give cookie consent, the Meta Pixel records your interactions with our website and shares that data with Meta to (a) measure the effectiveness of our advertising and (b) build audience segments for retargeting and lookalike targeting. The processing logic is set by Meta and is described in Meta’s Privacy Policy and in our joint controller arrangement (§4).
We do not carry out automated decision-making that
produces legal effects on you, or similarly significantly affects you,
within the meaning of GDPR Article 22. The profiling described above is
used only for content personalisation and advertising relevance, not for
credit decisions, eligibility decisions, pricing decisions, or anything
similar.
You have the right to object at any time to
processing of your personal data for direct marketing purposes,
including profiling related to direct marketing (GDPR Art. 21.2). You
can exercise this right by clicking unsubscribe in any email, by
withdrawing cookie consent in our cookie banner, or by emailing
privacy@galvanicworks.com — see §7.
4. Who We Share Your Data With
We do not sell, rent, or trade your personal data. We share data only
with the following service providers (“processors”), each under a data
processing agreement:
| Processor | Location | Purpose | Data Shared |
|---|---|---|---|
| Brevo SAS | France (EU) | Email marketing, automations, contact management | Email address, quiz scores, signup date, segment tags |
| Google LLC (Analytics) | USA | Website traffic analysis | Anonymised browsing data, IP (truncated) |
| Meta Platforms Ireland Ltd / Inc. (Pixel & Ads) | Ireland (EU) + USA | Advertising measurement, audience targeting. Joint controller under GDPR Art. 26 for Pixel/event data and Page Insights — the essence of our joint controller arrangement is set out in Meta’s Joint Controller Addendum at https://www.facebook.com/legal/controller_addendum and Meta’s privacy practices at https://www.facebook.com/privacy/policy. | Browsing behaviour on our site (with consent), ad interactions |
| Hetzner Online GmbH | Germany (EU) | Website and server hosting | All data stored on our website |
| Google LLC (Firebase) | EU region | Mobile app data storage and analytics | App usage data, device identifiers (app users only) |
| Revolut Bank UAB | Lithuania (EU) | Payment processing | Payment details, billing address (when active) |
| Namecheap Inc. | USA | Domain registration and DNS | Domain configuration only (no personal data) |
We may also disclose personal data if required by law, court order,
or to protect our legal rights.
5. International Data Transfers
Our website is hosted in Germany (Hetzner) within the European
Economic Area. Some processors are based in the USA:
- Google LLC and Meta Platforms Inc. — covered by the EU-US Data Privacy Framework (DPF), adopted by the European Commission on 10 July 2023 (Adequacy Decision C(2023) 4745).
- Revolut Bank UAB — based in Lithuania (EU). No international transfer required.
These safeguards ensure your data receives equivalent protection when
transferred outside the EEA.
6. How Long We Keep Your Data
| Data | Retention Period |
|---|---|
| Email marketing contacts | Until you unsubscribe, then deleted within 30 days |
| Quiz responses and scores | 24 months from submission |
| Survey responses | 24 months from submission |
| Contact form submissions | 24 months from last communication |
| Order records (name, address, order details) | 6 years from end of fiscal year of the transaction (Spanish Código de Comercio Art. 30) |
| Invoices and tax records | 6 years from issue (Spanish Código de Comercio Art. 30; minimum 4 years per LGT Art. 66) |
| Customer service correspondence linked to an order | 3 years after order delivery (statutory guarantee period of 3 years per LGDCU Art. 120) |
| Website analytics (GA4) | 14 months (GA4 default setting) |
| Cookie consent records | 12 months (then re-consent requested) |
| Server logs | 90 days |
| App usage data | As specified in the Galvanic App Privacy Policy |
After the retention period, data is permanently deleted or fully
anonymised.
7. Your Rights
Under GDPR and LOPD-GDD, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — correct inaccurate or incomplete data
- Erasure (“right to be forgotten”) — request deletion of your data
- Restriction — limit how we process your data
- Data portability — receive your data in a structured, machine-readable format
- Object — object to processing based on legitimate interest. You also have the absolute right to object at any time to processing of your personal data for direct marketing purposes, including profiling related to direct marketing (GDPR Art. 21.2). Where you exercise this right, we will stop processing your data for those purposes
- Withdraw consent — at any time, without affecting the lawfulness of prior processing
To exercise any right, email us at
privacy@galvanicworks.com. We will respond within 30 days.
To unsubscribe from emails, click the unsubscribe
link in any email, or email us directly.
8. Supervisory Authority
If you believe your data protection rights have been violated, you
have the right to lodge a complaint with:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan 6, 28001 Madrid, Spain
Website: www.aepd.es
Phone: +34 901 100 099
You may also contact the data protection authority in your country of
residence.
9. Quiz and Survey Data Collection
Our website includes interactive quizzes and surveys about marine
safety. When you take a quiz or survey:
- Quiz/survey interaction data (your answers and score) is processed locally in your browser. We record only the final score if you choose to submit the email form.
- Email submission is voluntary. You can complete quizzes and surveys and see your results without providing any personal data.
- If you submit your email, we add you to our email marketing list (Brevo) and send you The 3AM Report PDF. You will also receive occasional emails about marine safety topics. You can unsubscribe at any time.
- Data stored in Brevo: email address, quiz score, quiz date, lead source (which quiz), and a segment tag.
- Research consent: If you opt in to allow your anonymised responses to be used for marine safety research, we record your consent status alongside your responses. This consent is separate from email marketing consent and is entirely optional.
- Cookie consent on quizzes and surveys: Analytics and marketing trackers (GA4, Meta Pixel, Brevo) are only loaded on quiz and survey pages after you give consent via the cookie banner. No tracking scripts run until you actively consent.
- localStorage: Quizzes and surveys store progress and consent preferences in your browser’s localStorage. This data is not sent to our servers unless you submit a form.
- Data retention: Quiz and survey response data is retained for 24 months from submission, then permanently deleted.
- Deleting your quiz data: You can request deletion of your quiz and survey data at any time. A “Delete my quiz data” link is available on quiz and survey results pages. You can also email privacy@galvanicworks.com.
10. Newsletter and Marketing Emails
We send marketing emails only to people who have given consent by
submitting their email address through our website (quiz email gate or
newsletter signup form).
Our emails are sent via Brevo SAS (formerly
Sendinblue), based in France. When you subscribe:
- You receive The 3AM Report (PDF download) and/or a welcome email
- You may receive a nurture sequence of 2-3 emails over 14 days about marine safety topics
- You will receive occasional newsletters (no more than 2 per month)
Every email includes an unsubscribe link. You can also email
privacy@galvanicworks.com to be removed.
11. Children’s Privacy
Our website and services are not directed at children under 16 years
of age. We do not knowingly collect personal data from children. If you
believe a child has provided us with personal data, please contact us
and we will delete it.
12. Security
We implement appropriate technical and organisational measures to
protect your personal data:
- SSL/TLS encryption (HTTPS) on all pages
- Secure hosting infrastructure (Hetzner, Germany)
- Access controls and authentication
- Regular backups
- Firewall protection
- Encryption at rest for stored data
No method of internet transmission is 100% secure. If you become
aware of a security vulnerability, please contact us immediately.
13. Changes to This Policy
We may update this privacy policy to reflect changes in our practices
or legal requirements. When we make material changes:
- We will update the “Last updated” date at the top
- For significant changes, we will notify email subscribers
We encourage you to review this policy periodically.
14. Contact Us
For any privacy-related questions or requests:
Email: privacy@galvanicworks.com
Location: Llubí, Illes Balears, Spain
Website: galvanicworks.com/contact
We aim to respond to all privacy-related requests within 30 days as
required by GDPR.
This privacy policy complies with the General Data Protection
Regulation (EU) 2016/679 (GDPR), Spain’s Ley Orgánica 3/2018 de
Protección de Datos Personales y garantía de los derechos digitales
(LOPD-GDD), and other applicable privacy laws.
