Privacy Policy
Last updated: 16 April 2026
1. Overview
This Privacy Policy describes how we collect, use, store, and protect your personal data when you use the Gala Seating platform. We are committed to processing personal data in accordance with the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), and applicable national laws of the countries where our users reside (including, for users in Romania, Law no. 190/2018).
This policy forms part of our Terms and Conditions. Terms defined in the Terms and Conditions have the same meaning in this policy unless indicated otherwise.
2. Data controller
The controller of the personal data processed through the Platform is:
- Name: Raul-Cristian Maier
- Legal form: Trabajador autónomo (self-employed individual) registered in Spain
- NIF: Z3230583P
- Intra-community VAT number: ESZ3230583P
- Registered address: Avenida Duque de Ahumada 11, apartment 706A, 29602 Marbella, Málaga, Spain
- Email: contact@galaseating.com
- Phone: +40 740 819 034
We have not appointed a Data Protection Officer, as we are not required to do so under Article 37 GDPR. For any data-protection query, please contact us directly at the email above.
3. Personal data we collect
We collect the following categories of personal data:
Account data
- First name and last name
- Email address
- Venue name (for Venue Accounts)
- Profile image (where Google authentication is used)
- Encrypted password (for Accounts created with email + password)
- Preferred language
Event and guest data
- Couple's name and event date
- Guest list entries: names, menu preferences, notes, table assignments, groupings
- Seating configurations: tables, decorative elements, programmes
- Uploaded files (images, PDF backgrounds for floor plans)
Technical data
- IP address
- Browser type and version
- Operating system
- Platform usage data (via Firebase Analytics, pseudonymised)
- Authentication session identifiers
Communications data
- Emails sent through the contact or support form
- Email addresses used for collaboration invitations and notifications
- Beta-access request submissions (name, email, venue name, optional message)
Role regarding Guest data: where a Venue or Collaborator uploads personal data about wedding Guests (names, menu preferences, notes), that Venue or Collaborator acts as the controller of such data. We process it as a processor on their instructions and for the sole purpose of providing the Platform. A data-processing agreement is available on request.
4. Legal basis for processing (Art. 6 GDPR)
We process your personal data under the following legal bases:
- Performance of a contract (Art. 6(1)(b) GDPR) — to provide the Platform, create and manage your Account, process collaboration invitations, deliver transactional emails, and enable the core features of the service.
- Consent (Art. 6(1)(a) GDPR) — for marketing communications, non-essential cookies, beta-access requests, and the processing of your Google profile image where you authenticate with Google. You may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
- Legitimate interests (Art. 6(1)(f) GDPR) — to secure and improve the Platform, detect and prevent fraud and abuse, maintain aggregated usage analytics, respond to support requests, and defend our legal interests. We have balanced these interests against your rights and concluded that they do not override your interests or fundamental rights.
- Legal obligation (Art. 6(1)(c) GDPR) — to comply with tax, accounting, and other statutory obligations under Spanish and EU law.
5. How we use your data
We use your personal data to:
- Provide, operate, maintain, and improve the Platform
- Create and manage your Account
- Enable collaboration between Venues, Couples, and Guests
- Send transactional emails (invitations, notifications, service updates)
- Respond to your enquiries and provide customer support
- Monitor and analyse usage of the Platform on an aggregated, pseudonymised basis
- Detect, investigate, and prevent fraud, abuse, or security incidents
- Comply with legal and regulatory obligations
- Defend, establish, or exercise legal claims
We do not sell your personal data, and we do not share your personal data with third parties for their own marketing purposes.
6. Sub-processors
To provide the Platform, we rely on the following sub-processors. All sub-processors are bound by written data-processing agreements that require GDPR-equivalent levels of protection.
| Sub-processor | Purpose | Location |
|---|---|---|
| Google Ireland Limited (Firebase / Google Cloud) | Cloud infrastructure, database (Firestore), authentication, file storage, hosting, cloud functions, analytics | EU — europe-west4 (Netherlands) |
| Sendinblue SAS (Brevo) | Transactional email for invitations, notifications, and user communications | EU — France |
| Twilio Inc. | Transactional SMS for selected notifications (where configured) | Ireland / United States (SCCs in place) |
You can consult the privacy policies of our main sub-processors here: Firebase, Brevo, Twilio. We will notify you of any material change to the list of sub-processors before it takes effect.
7. International data transfers
Your personal data is primarily stored and processed within the European Economic Area (EEA), in the Google Cloud region europe-west4 (Netherlands).
Certain sub-processors (such as Google LLC and Twilio Inc., parent entities of our EU-based service providers) may access personal data from the United States for limited support and platform-operation purposes. Where such access involves a transfer of personal data outside the EEA, the transfer is protected by one or more of the following safeguards under Chapter V GDPR:
- Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914)
- The EU-U.S. Data Privacy Framework, where the recipient is certified
- Supplementary technical and organisational measures (encryption in transit and at rest, access controls, auditing)
You may request a copy of the relevant safeguards by contacting us at contact@galaseating.com.
8. Data retention
We retain personal data only for as long as necessary for the purposes for which it was collected, after which it is deleted or anonymised. Typical retention periods are:
- Account data — for as long as your Account is active. On Account deletion, data is removed within 30 calendar days.
- Event and guest data — for as long as the Event exists within the Platform. On Event deletion, associated data is removed.
- Communications data — up to 3 years from the last contact, or until you request erasure.
- Technical data (logs) — up to 14 months, in line with Firebase Analytics defaults.
- Beta-access request data — up to 2 years, then deleted or anonymised.
- Accounting and fiscal records — retained for the minimum period required by Spanish law (currently 6 years under the Commercial Code, extended where required by tax law).
After these periods, we delete or irreversibly anonymise the data, except where we are required by law to retain it for longer or where it is necessary to defend legal claims.
9. Your rights under the GDPR
Subject to the conditions set out in the GDPR, you have the following rights regarding your personal data:
- Right of access (Art. 15) — to obtain confirmation of whether your personal data is being processed and, if so, a copy of that data.
- Right to rectification (Art. 16) — to obtain correction of inaccurate or incomplete personal data.
- Right to erasure (Art. 17) — the "right to be forgotten"; to request deletion of your personal data.
- Right to restriction of processing (Art. 18) — to obtain restriction of processing in specified circumstances.
- Right to data portability (Art. 20) — to receive your personal data in a structured, commonly used, machine-readable format, and to transmit it to another controller.
- Right to object (Art. 21) — to object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Art. 7(3)) — where processing is based on your consent, at any time, without affecting the lawfulness of processing before withdrawal.
- Right not to be subject to automated individual decision-making (Art. 22) — see section 15 (Automated decision-making and profiling) below.
10. How to exercise your rights
To exercise any of your rights, please send an email to contact@galaseating.com with the subject line "Data subject request" and a clear description of the right you wish to exercise. We may ask you to verify your identity before acting on your request.
We will respond to your request without undue delay and in any case within one (1) month of receipt. Where a request is particularly complex, we may extend this period by up to two further months, in which case we will inform you of the extension and the reasons for it within one month.
Exercising your rights is free of charge. In case of manifestly unfounded or excessive requests, we may charge a reasonable fee or refuse to act on the request, in accordance with Art. 12(5) GDPR.
11. Cookies
The Platform uses essential cookies required for the service to function (authentication, interface preferences) and analytics cookies (Firebase Analytics). For full details, please consult our Cookies Policy.
12. Google authentication
The Platform allows you to sign in using your Google account. When you use this option, you explicitly consent to the transfer, from Google to us, of the following information from your Google profile:
- First name and last name
- Email address
- Profile image
- Google account unique identifier
This data is used exclusively to create and manage your Account on Gala Seating. The legal bases for this processing are Art. 6(1)(a) (consent) and Art. 6(1)(b) (performance of a contract) of the GDPR. You may revoke Google's authorisation at any time from your Google account settings.
13. Data security
We implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including:
- Encryption in transit (HTTPS / TLS) and at rest
- Secure authentication (Firebase Authentication with industry-standard hashing)
- Database-level access controls (Firestore Security Rules) with per-Venue and per-Event isolation
- Role-based access control within each Venue workspace
- Logging and monitoring of authentication and administrative events
- Regular security reviews of our dependencies and infrastructure
- Principle of least privilege for operational access
No security system is impenetrable, and we cannot guarantee the absolute security of our systems. You are responsible for keeping your Account credentials confidential.
14. Data breach notification
In the event of a personal data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the competent supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, in accordance with Art. 33 GDPR. Where the breach is likely to result in a high risk, we will also inform the affected data subjects without undue delay, in accordance with Art. 34 GDPR.
15. Automated decision-making and profiling
We do not carry out any automated decision-making that produces legal effects concerning you or that significantly affects you in a similar way, within the meaning of Art. 22 GDPR. Automated features of the Platform (such as the automatic seating arrangement) are tools that assist you; the final decision on whether to use, modify, or ignore their output rests with you.
16. Children's data
The Platform is not intended for use by children under 16 years of age, and we do not knowingly collect personal data from children. If you believe we have inadvertently collected personal data of a child, please contact us at contact@galaseating.com and we will promptly delete such data. When Venues or Collaborators upload guest-list entries that may include the names of minor attendees, those Venues or Collaborators are responsible for ensuring an appropriate legal basis for such processing under applicable law.
17. Right to lodge a complaint
If you consider that our processing of your personal data infringes the GDPR, you have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement. The competent supervisory authorities include:
- Spain: Agencia Española de Protección de Datos (AEPD) — www.aepd.es
- Romania: Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP) — www.dataprotection.ro
- Other Member States: a list of all EU supervisory authorities is available at edpb.europa.eu.
We would, however, appreciate the opportunity to address your concerns directly before you approach a supervisory authority. Please contact us first at contact@galaseating.com.
18. Changes to this Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be published on this page with the "Last updated" date at the top. Where changes are material, we will notify you by email or through an in-Platform notice before the changes take effect.
19. Contact
For any question about this Privacy Policy or about the protection of your personal data, please contact us at:
- Email: contact@galaseating.com
- Post: Avenida Duque de Ahumada 11, apartment 706A, 29602 Marbella, Málaga, Spain