Legal

Privacy Policy

Last updated: 8 July 2025  ·  Effective: 8 July 2025

Plain English summary: We collect only what we need to run the service, we never sell your data, and we give you clear rights over it. We comply with South Africa's POPIA and, where applicable, the EU GDPR.

1. Who We Are

This Privacy Policy describes how Galactic Digital (trading as Keel), a business registered in South Africa, collects, uses, and protects personal information when you use the Keel platform and services.

For the purposes of the Protection of Personal Information Act 4 of 2013 ("POPIA") we are the Responsible Party. For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR"), where applicable, we act as the Controller.

Contact: hey@trykeel.dev

2. Information We Collect

2.1 Information You Provide Directly

When you create an account or use the Service, you provide:

  • Account information: name, email address, and password (stored hashed).
  • Billing information: plan selection. Payment card details are collected and held by Paddle (our merchant of record) — we never see or store full card numbers.
  • Organisation details: company name and any profile information you choose to add.
  • Request content: project briefs, attached files, comments, and any other material you submit through the portal.
  • Communications: emails you send to us, support conversations, and feedback.

2.2 Information We Collect Automatically

When you use the Service, we or our third-party providers may collect:

  • Log data: IP address, browser type, pages visited, timestamps, and referring URLs.
  • Session data: authentication tokens stored in secure HTTP-only cookies.
  • Device information: operating system, screen resolution, and device type (used for display optimisation only).

We do not use third-party advertising trackers or sell behavioural data for advertising purposes.

2.3 Information from Third Parties

We receive limited information from our third-party service providers, including subscription status and billing events from Paddle, and authentication confirmation from Supabase. We do not purchase or receive personal data from data brokers.

3. How We Use Your Information

We use personal information only for the following purposes, on the lawful bases indicated:

PurposeLawful basis
Provide the Service and manage your accountPerformance of contract
Process payments and manage subscriptionsPerformance of contract
Send transactional emails (confirmations, request updates)Performance of contract
Respond to support enquiriesLegitimate interest (service delivery)
Improve the Service through aggregated, anonymised analysisLegitimate interest (product improvement)
Send product updates and announcements (opt-out anytime)Legitimate interest / consent
Comply with legal obligations (tax records, law enforcement)Legal obligation
Detect and prevent fraud, abuse, or security threatsLegitimate interest (security)

4. How We Share Your Information

We do not sell or rent your personal information. We share information only in the following limited circumstances:

4.1 Service Providers (Sub-processors)

We use the following sub-processors to operate the Service:

Supabase
Database, authentication, file storage
AWS — US East (data may be replicated per your Supabase project region)
Paddle
Payment processing, subscription management, tax collection
UK / USA
Vercel
Application hosting and CDN
Global edge network
Resend / SMTP provider
Transactional email delivery
USA

Each sub-processor is bound by appropriate data processing agreements and is selected based on their privacy and security standards.

4.2 Legal Disclosure

We may disclose personal information to government authorities or law enforcement if required to do so by law, court order, or to protect the rights, property, or safety of Galactic Digital, its clients, or the public.

4.3 Business Transfers

If Galactic Digital is involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction. We will provide notice and, where required by law, obtain your consent before any such transfer.

5. Data Retention

We retain personal information for as long as your account is active or as needed to provide the Service. Specifically:

  • Account data: retained for the duration of your account plus 12 months after closure (to allow reactivation and to address any outstanding disputes).
  • Billing records: retained for 5 years from the date of transaction as required by South African tax law.
  • Request content and deliverables: retained for the duration of your subscription plus 90 days, after which they may be deleted or anonymised.
  • Log data: retained for up to 90 days for security monitoring.

You may request deletion of your account and associated data at any time (see Section 7 below). We will comply within 30 days except where retention is required by law.

6. Security

We implement industry-standard technical and organisational measures to protect your personal information, including:

  • Encryption in transit (TLS 1.2+) and at rest for database storage.
  • Row-Level Security (RLS) policies at the database layer — each client can only access their own data.
  • Multi-factor authentication support for all accounts.
  • Restricted access to production systems on a need-to-know basis.

No system is perfectly secure. If you discover a potential security vulnerability, please notify us at hey@trykeel.dev before public disclosure.

7. Your Rights

Depending on your location, you have the following rights regarding your personal information:

Access
Request a copy of the personal information we hold about you.
Correction
Request that we correct inaccurate or incomplete information.
Deletion
Request deletion of your personal information ("right to be forgotten"), subject to legal retention obligations.
Restriction
Request that we restrict processing of your information in certain circumstances.
Portability
Receive your data in a structured, machine-readable format (where applicable under GDPR).
Objection
Object to processing based on legitimate interests, including direct marketing.
Withdraw Consent
Where processing is based on consent, withdraw it at any time without affecting prior processing.

To exercise any of these rights, contact us at hey@trykeel.dev. We will respond within 30 days. We may need to verify your identity before processing your request.

South African residents (POPIA): If you believe we have processed your personal information unlawfully, you may lodge a complaint with the Information Regulator of South Africa at justice.gov.za/inforeg.

EEA / UK residents (GDPR/UK GDPR): You may lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.

8. Cookies

We use a minimal set of cookies necessary to operate the Service:

  • Authentication cookies: Secure, HTTP-only cookies to maintain your session. These are essential and cannot be disabled.
  • Preference cookies: To remember UI settings such as theme preferences.

We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that identify you individually. We do not use Google Analytics or Facebook Pixel.

9. International Transfers

Some of our sub-processors (Supabase, Vercel, Paddle) operate servers outside South Africa, including in the United States. When we transfer personal information internationally, we ensure appropriate safeguards are in place, including standard contractual clauses (SCCs) where required under GDPR, and compliance with POPIA's transborder information flow requirements.

10. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it promptly.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice in the portal at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.

Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.

12. Contact and Information Officer

For any privacy-related queries, requests, or complaints, contact our Information Officer:

Bruce Vorster
Information Officer, Galactic Digital (trading as Keel)
South Africa
hey@trykeel.dev