1. Who we are
Galdr ApS ("Galdr", "we", "us") is the data controller for personal data processed through the galdr.eu website and the Galdr video conferencing service. We are incorporated in Denmark (CVR 44 55 66 77) and our registered address is Nørreport 14, 3. sal, 1165 Copenhagen K, Denmark.
We have appointed a Data Protection Officer (DPO) reachable at dpo@galdr.eu.
2. Data we collect
Account data
When you register, we collect your name, email address, and a hashed password. You may optionally add a profile photo and job title.
Meeting data
When you host or join a meeting, we process audio, video, and screen-share streams to provide the service. By default, sessions are not recorded; if you enable recording, content is stored encrypted in EU datacenters only.
Usage data
We collect log data (IP address, browser type, pages visited, timestamps) to operate and improve the service. IP addresses are anonymised within 30 days.
Payment data
Payment card details are processed by Stripe Payments Europe Limited (Dublin, IE). We do not store card numbers ourselves.
Communications
If you contact us by email or support ticket, we retain that correspondence to resolve your query.
3. How we use your data
- Providing, maintaining, and improving the Galdr service
- Authenticating your account and ensuring security
- Processing payments and issuing invoices
- Sending transactional emails (password reset, meeting invitations)
- Sending product and feature updates (you can unsubscribe at any time)
- Complying with legal obligations
We do not sell your personal data. We do not use your data to train AI models without your explicit consent.
4. Legal basis for processing
We process your personal data on the following legal bases under GDPR Article 6:
- Contract (Art. 6(1)(b)): processing necessary to provide the service you signed up for.
- Legitimate interest (Art. 6(1)(f)): security, fraud prevention, and service improvement.
- Legal obligation (Art. 6(1)(c)): where required by EU or Danish law.
- Consent (Art. 6(1)(a)): for optional marketing communications and optional cookies.
5. Where your data is stored
All personal data is stored and processed exclusively in the European Union — specifically in ISO 27001-certified datacenters in Frankfurt, Germany and Amsterdam, the Netherlands. We do not transfer personal data to third countries (outside the EEA).
Our sole payment processor, Stripe Payments Europe, is based in Dublin, Ireland and is subject to EU data protection law.
6. Sharing with third parties
We share your data only where strictly necessary:
- Stripe Payments Europe (IE): payment processing
- Hetzner Online GmbH (DE): cloud infrastructure and hosting
- Legal authorities: if required by a lawful court order under EU or Danish law
All third parties are EU-based and bound by GDPR-compliant data processing agreements.
7. Data retention
- Account data: retained for the duration of your account, deleted within 30 days of account closure
- Meeting recordings: retained for 90 days by default (Pro plan); you may delete them at any time
- Log data: 90 days (IP addresses anonymised after 30 days)
- Payment records: 7 years (Danish bookkeeping law)
- Support correspondence: 2 years after resolution
8. Your rights under GDPR
As a data subject in the EEA, you have the following rights:
- Access (Art. 15): request a copy of your personal data
- Rectification (Art. 16): correct inaccurate data
- Erasure (Art. 17): request deletion ("right to be forgotten")
- Restriction (Art. 18): request that processing be limited
- Portability (Art. 20): receive your data in a structured, machine-readable format
- Objection (Art. 21): object to processing based on legitimate interest
- Withdraw consent (Art. 7(3)): at any time, without affecting prior processing
To exercise any of these rights, email dpo@galdr.eu. We will respond within 30 days. You also have the right to lodge a complaint with the Danish Data Protection Authority (Datatilsynet) at datatilsynet.dk.
9. Cookies
We use only strictly necessary cookies to operate the service (session authentication). We do not use tracking, advertising, or analytics cookies. No third-party cookies are set by galdr.eu.
10. Children
The Galdr service is not directed at persons under 16 years of age. We do not knowingly collect personal data from children. If you believe a child's data has been submitted, please contact dpo@galdr.eu and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. We will notify you by email and/or by a prominent notice on our website at least 14 days before significant changes take effect. The "last updated" date at the top of this page reflects the most recent revision.
12. Contact & DPO
Data Protection Officer
Galdr ApS
Nørreport 14, 3. sal
1165 Copenhagen K, Denmark
dpo@galdr.eu