GDPR at Galdr
The General Data Protection Regulation (GDPR — EU 2016/679) is the world's strongest data protection law. Galdr was designed from day one to not just comply with GDPR, but to use its principles as a product philosophy. We are a European company, and your privacy is central to everything we build.
Data controller & processor
Controller: When you use Galdr as an individual, Galdr ApS is the data controller of your personal data.
Processor: When your organisation deploys Galdr for your employees or clients, Galdr acts as a data processor on your behalf. In this case, a Data Processing Agreement (DPA) governs our relationship.
How we apply the GDPR principles
Lawfulness, fairness & transparency
We process only what is necessary, on a clear legal basis (contract, legitimate interest, or consent), and we are transparent about it in our Privacy Policy.
Purpose limitation
Data collected for one purpose is not used for another. Meeting content is used only to deliver the call — never for profiling or advertising.
Data minimisation
We collect only the minimum data needed. We do not require a phone number. We do not track your activity across other websites.
Accuracy
You can update your account data at any time from your settings. We correct errors promptly on request.
Storage limitation
We retain data only as long as necessary — see our retention schedule. You can delete your account and all associated data at any time.
Integrity & confidentiality
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Video and audio streams are end-to-end encrypted. Access is limited to authorised personnel on a strict need-to-know basis.
Accountability
We maintain records of processing activities (ROPA) as required by GDPR Art. 30, have a designated DPO, and conduct Data Protection Impact Assessments (DPIAs) for high-risk processing activities.
Exercising your GDPR rights
You have the following rights under GDPR. To exercise any of them, email dpo@galdr.eu with your request. We respond within 30 days (one month) as required by GDPR Art. 12.
- Right of access (Art. 15): Obtain a copy of your personal data and information about how it is used.
- Right to rectification (Art. 16): Have inaccurate personal data corrected.
- Right to erasure (Art. 17): Have your personal data deleted, subject to legal retention obligations.
- Right to restriction (Art. 18): Restrict processing of your data in certain circumstances.
- Right to portability (Art. 20): Receive your data in a structured, commonly used, machine-readable format (JSON/CSV).
- Right to object (Art. 21): Object to processing based on legitimate interest.
- Rights related to automated decision-making (Art. 22): We do not make automated decisions with legal or significant effects based on your personal data.
International data transfers
Galdr does not transfer personal data outside the European Economic Area (EEA). All infrastructure is hosted in the EU. We do not use cloud services based in the United States or other third countries for the processing of personal data.
This means your data has no CLOUD Act exposure. There is no US parent company that could be compelled to hand over your data under US law.
Data Processing Agreement for organisations
If your organisation uses Galdr to process personal data of your employees, clients, or end users, a Data Processing Agreement (DPA) is required under GDPR Art. 28.
Our standard DPA is available at galdr.eu/dpa. It includes:
- Subject matter and duration of processing
- Nature, purpose, and categories of data processed
- Technical and organisational security measures
- Sub-processor list and change notification
- Data subject rights assistance obligations
- Breach notification procedure
- Audit rights
To sign a DPA, email legal@galdr.eu.
Data Protection Officer
Galdr has appointed a Data Protection Officer as required by GDPR Art. 37.
DPO contact:
dpo@galdr.eu
Galdr ApS, Nørreport 14, 3. sal, 1165 Copenhagen K, Denmark
Supervisory authority complaints
If you believe your GDPR rights have been violated, you have the right to lodge a complaint with the competent supervisory authority. Galdr's lead supervisory authority is:
Datatilsynet (Danish Data Protection Authority)
Carl Jacobsens Vej 35, 2500 Valby, Denmark
datatilsynet.dk
dt@datatilsynet.dk
You may also contact the data protection authority in your EU member state of residence.