Legal
Privacy Policy
Last updated: 8 July 2025 · Effective: 8 July 2025
1. Who We Are
This Privacy Policy describes how Galactic Digital (trading as Keel), a business registered in South Africa, collects, uses, and protects personal information when you use the Keel platform and services.
For the purposes of the Protection of Personal Information Act 4 of 2013 ("POPIA") we are the Responsible Party. For the purposes of the EU General Data Protection Regulation 2016/679 ("GDPR"), where applicable, we act as the Controller.
Contact: hey@trykeel.dev
2. Information We Collect
2.1 Information You Provide Directly
When you create an account or use the Service, you provide:
- Account information: name, email address, and password (stored hashed).
- Billing information: plan selection. Payment card details are collected and held by Paddle (our merchant of record) — we never see or store full card numbers.
- Organisation details: company name and any profile information you choose to add.
- Request content: project briefs, attached files, comments, and any other material you submit through the portal.
- Communications: emails you send to us, support conversations, and feedback.
2.2 Information We Collect Automatically
When you use the Service, we or our third-party providers may collect:
- Log data: IP address, browser type, pages visited, timestamps, and referring URLs.
- Session data: authentication tokens stored in secure HTTP-only cookies.
- Device information: operating system, screen resolution, and device type (used for display optimisation only).
We do not use third-party advertising trackers or sell behavioural data for advertising purposes.
2.3 Information from Third Parties
We receive limited information from our third-party service providers, including subscription status and billing events from Paddle, and authentication confirmation from Supabase. We do not purchase or receive personal data from data brokers.
3. How We Use Your Information
We use personal information only for the following purposes, on the lawful bases indicated:
| Purpose | Lawful basis |
|---|---|
| Provide the Service and manage your account | Performance of contract |
| Process payments and manage subscriptions | Performance of contract |
| Send transactional emails (confirmations, request updates) | Performance of contract |
| Respond to support enquiries | Legitimate interest (service delivery) |
| Improve the Service through aggregated, anonymised analysis | Legitimate interest (product improvement) |
| Send product updates and announcements (opt-out anytime) | Legitimate interest / consent |
| Comply with legal obligations (tax records, law enforcement) | Legal obligation |
| Detect and prevent fraud, abuse, or security threats | Legitimate interest (security) |
4. How We Share Your Information
We do not sell or rent your personal information. We share information only in the following limited circumstances:
4.1 Service Providers (Sub-processors)
We use the following sub-processors to operate the Service:
Each sub-processor is bound by appropriate data processing agreements and is selected based on their privacy and security standards.
4.2 Legal Disclosure
We may disclose personal information to government authorities or law enforcement if required to do so by law, court order, or to protect the rights, property, or safety of Galactic Digital, its clients, or the public.
4.3 Business Transfers
If Galactic Digital is involved in a merger, acquisition, or asset sale, your personal information may be transferred as part of that transaction. We will provide notice and, where required by law, obtain your consent before any such transfer.
5. Data Retention
We retain personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data: retained for the duration of your account plus 12 months after closure (to allow reactivation and to address any outstanding disputes).
- Billing records: retained for 5 years from the date of transaction as required by South African tax law.
- Request content and deliverables: retained for the duration of your subscription plus 90 days, after which they may be deleted or anonymised.
- Log data: retained for up to 90 days for security monitoring.
You may request deletion of your account and associated data at any time (see Section 7 below). We will comply within 30 days except where retention is required by law.
6. Security
We implement industry-standard technical and organisational measures to protect your personal information, including:
- Encryption in transit (TLS 1.2+) and at rest for database storage.
- Row-Level Security (RLS) policies at the database layer — each client can only access their own data.
- Multi-factor authentication support for all accounts.
- Restricted access to production systems on a need-to-know basis.
No system is perfectly secure. If you discover a potential security vulnerability, please notify us at hey@trykeel.dev before public disclosure.
7. Your Rights
Depending on your location, you have the following rights regarding your personal information:
To exercise any of these rights, contact us at hey@trykeel.dev. We will respond within 30 days. We may need to verify your identity before processing your request.
South African residents (POPIA): If you believe we have processed your personal information unlawfully, you may lodge a complaint with the Information Regulator of South Africa at justice.gov.za/inforeg.
EEA / UK residents (GDPR/UK GDPR): You may lodge a complaint with your local supervisory authority. For UK residents, this is the Information Commissioner's Office (ICO) at ico.org.uk.
8. Cookies
We use a minimal set of cookies necessary to operate the Service:
- Authentication cookies: Secure, HTTP-only cookies to maintain your session. These are essential and cannot be disabled.
- Preference cookies: To remember UI settings such as theme preferences.
We do not use advertising cookies, cross-site tracking pixels, or third-party analytics that identify you individually. We do not use Google Analytics or Facebook Pixel.
9. International Transfers
Some of our sub-processors (Supabase, Vercel, Paddle) operate servers outside South Africa, including in the United States. When we transfer personal information internationally, we ensure appropriate safeguards are in place, including standard contractual clauses (SCCs) where required under GDPR, and compliance with POPIA's transborder information flow requirements.
10. Children's Privacy
The Service is not directed at children under the age of 18. We do not knowingly collect personal information from anyone under 18. If you believe we have inadvertently collected information from a minor, please contact us immediately and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make material changes, we will notify you by email and/or by posting a prominent notice in the portal at least 14 days before the changes take effect. The "Last updated" date at the top of this page reflects the most recent revision.
Continued use of the Service after the effective date of a revised Policy constitutes your acceptance of the changes.
12. Contact and Information Officer
For any privacy-related queries, requests, or complaints, contact our Information Officer: