
Privacy Policy

Last updated: April 2026

This policy explains what personal data GALOR processes, under which GDPR legal basis, how long it is retained, and how to exercise your rights under the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Slovenian Personal Data Protection Act (ZVOP-2).

1. Data Controller

  • Legal entity: Galor, Rok Žnidar Petelinšek s.p.
  • Legal form: Sole proprietor (samostojni podjetnik)
  • Tax ID (davčna številka): 13965867
  • Registered office: Polica 155, 1290 Grosuplje, Slovenia
  • Privacy contact: privacy@galor.agency
  • Responsible person: Rok Žnidar Petelinšek (Founder)

Supervisory authority: Informacijski pooblaščenec (Slovenian Data Protection Authority) — www.ip-rs.si.

2. Legal Bases for Processing (Art 6 GDPR)

Art 6(1)(a) — Consent

  • Newsletter subscriptions.
  • Non-essential cookies and analytics (fired only after banner consent).

Art 6(1)(b) — Contract performance

  • Delivering AI Opportunity Audits, implementation work, and ongoing support to paying clients.

Art 6(1)(c) — Legal obligation

  • Tax records, invoices, and regulatory retention under the Slovenian Companies Act and Tax Procedure Act.

Art 6(1)(f) — Legitimate interest (B2B cold outreach)

GALOR relies on legitimate interest under Art 6(1)(f) to contact prospective business clients in our target markets (CEE + Nordic, €2–50M annual revenue) for the purpose of offering our AI Opportunity Audit and delivery services.

Balancing test summary:

  • Purpose: identifying business efficiency opportunities for regulated operations teams.
  • Necessity: cold outreach is the only practical way to reach B2B decision-makers at mid-market companies that are not yet GALOR customers.
  • Impact on data subject: minimal — contact is limited to professional email addresses of public business roles, with immediate opt-out, no profiling beyond publicly available company information.
  • Safeguards: opt-out link in every outreach email, public /unsubscribe endpoint, DSAR response within 30 days, no special-category data, no automated decision-making.

Recipients may object at any time under Art 21 via /unsubscribe or by emailing privacy@galor.agency. We will cease contact immediately and add the address to a suppression list retained for 3 years to prevent re-contact.

3. Categories of Data Processed

  • Identification data: name, professional email, company name, job role.
  • Commercial data: project scope, invoices, payment records.
  • Website analytics: aggregate page views, referrer, device type, country (via Galor Analytics, cookie-free, post-consent).
  • Communication records: emails, booking notes, support tickets.

We do not process special-category (Art 9) data.

4. Data Subject Rights (Art 15–22)

  1. Right of access (Art 15) — submit via /dsar.
  2. Right to rectification (Art 16) — email privacy@galor.agency.
  3. Right to erasure (Art 17) — via /dsar or privacy@galor.agency.
  4. Right to restrict processing (Art 18) — via /dsar or privacy@galor.agency.
  5. Right to data portability (Art 20) — via /dsar.
  6. Right to object (Art 21) — via /unsubscribe for outreach; via privacy@galor.agency otherwise.
  7. Right to withdraw consent (Art 7(3)) — at any time, without affecting prior lawfulness.
  8. Right to lodge a complaint with the Supervisory Authority — Informacijski pooblaščenec, www.ip-rs.si.

Response SLA: 30 days (GDPR default, extendable once by 60 days for complex requests).

5. Retention Schedule

  • Cold outreach suppression list: 3 years after last contact.
  • Prospect email addresses: 6 months if no engagement, then deleted.
  • Customer data: duration of engagement plus 7 years (Slovenian tax obligations).
  • Analytics data (Galor Analytics): 26 months.
  • DSAR request records: 3 years.
  • Server logs: 30 days rolling.

6. International Transfers

All data is processed on EU infrastructure (Hetzner, Germany and Finland). No routine transfer to third countries occurs. Where a specific integration requires a vendor outside the EEA (e.g. Cal.com for booking), we rely on that vendor's Standard Contractual Clauses (SCCs) combined with our own transfer-impact assessment.

7. Recipients and Processors

  • Hetzner Online GmbH (EU hosting) — Art 28 DPA in place.
  • Galor Analytics (self-hosted, EU) — first-party.
  • Cal.com (booking) — SCCs + vendor-side DPA.
  • Transactional email provider (Resend) — SCCs + DPA.
  • Payment and invoicing processors as required by law.

8. Cookies

We do not use tracking cookies. Galor Analytics is cookie-free. Strictly necessary cookies are used only for consent state and session management. A full cookie inventory is available on request.

9. Automated Decision-Making

We do not engage in automated decision-making or profiling producing legal or similarly significant effects on data subjects (Art 22).

10. Contact

Privacy requests: privacy@galor.agency.

General enquiries: hello@galor.agency.


BUILD 2026.04.10 · STUDIO · EST. 2024 · © GALOR