Skip to main content
Try GalaDesk

Privacy Policy

Effective Date: April 20, 2026  ·  Version 1.0

"GalaDesk" (or "we," "us," or "our") refers to GalaDesk, a product operated by Printmods, a sole proprietorship based in Pennsylvania, United States. GalaDesk operates the platform at galadesk.com. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our services.

In this policy, we use the following terms for clarity: "event pros" refers to the account owners who subscribe to and buy the service; "team" refers to the group of workers an event pro manages within GalaDesk; and "contractors"refers to 1099 workers engaged by an event pro.

1. Controller vs. Processor (Important)

For data that an event pro provides about themselves and their business (account details, billing, usage), Printmods (operating GalaDesk) acts as the data controller.

For data that an event pro uploads about their team members, contractors, or clients (names, emails, phone numbers, addresses, pay rates, payout details, event records, messages, etc.), the event pro (the Customer) is the data controller and GalaDesk is a data processor acting on the Customer's documented instructions.

If you are a team member, contractor, or client whose information was uploaded to GalaDesk by an event pro, please direct data access, correction, or deletion requests to that event pro (your employer or hiring entity) first. GalaDesk will assist the event pro in responding to your request where required by law.

2. Information We Collect

2.1 Account Information (collected from event pros)

When you create an account, we collect your name, email address, hashed password, and phone number. If you sign up through a third-party provider (e.g., Google), we receive basic profile information from that provider. We also collect business information such as company name and business address.

2.2 Organization, Team, Contractor, Client & Event Data

We collect information that event pros upload to the platform, including but not limited to:

  • Team member and contractor information: names, email addresses, phone numbers, physical addresses, pay rates, and (for contractors receiving payouts) bank/payout details forwarded to Stripe
  • Client information: names, email addresses, phone numbers, and venue addresses
  • Event/job data: dates, locations, assignments, notes, and uploaded files and file metadata
  • Messaging and chat content exchanged between event pros, team members, contractors, and clients through the platform

2.3 Payment Information

Payment processing is handled by Stripe. GalaDesk does not store full card numbers or full payment details on our servers. We receive and store a tokenized Stripe customer identifier, the last four digits of the payment method, subscription status, and billing email. For contractor payouts, bank/payout details are transmitted to and held by Stripe under Stripe's terms and privacy policy.

2.4 Usage & Analytics Data

We use Google Analytics 4 (GA4) to collect pseudonymous usage data, including pages visited, features used, session duration, device type, browser, IP address, and approximate geographic location derived from IP address. GA4 data is transferred to and processed by Google LLC in the United States. GA4 is a non-essential analytics cookie; visitors in the EU, UK, and other consent-required jurisdictions will only have GA4 loaded after they grant consent through our cookie banner.

2.5 Derived & Calculated Data

GalaDesk may calculate mileage, travel time, and travel pay by sending venue and starting addresses to Google Maps Platform. We also generate performance analytics, reliability metrics, and venue history records from activity within the platform.

2.6 Cookies & Local Storage

We use cookies and local storage in the following categories:

  • Strictly necessary — authentication session cookies and CSRF tokens required for the service to function. These cannot be disabled.
  • Functional — cookies that remember your preferences (e.g., theme, timezone).
  • Analytics — Google Analytics 4 cookies (first-party `_ga`, `_ga_*`) used to measure product usage. Loaded only after consent in consent-required regions.

You can manage your cookie preferences through our cookie banner or your browser settings. For a complete list of cookies, their purposes, and durations, see our Cookie Policy.

2.7 Third-Party Location Services

When you use location-based features, we send venue addresses and related query data to Google Maps Platform (Geocoding, Distance Matrix, and Maps APIs) to display maps and calculate distances. Google's privacy policy governs their handling of this data.

3. Why We Collect Your Information & Legal Bases (GDPR)

For users in the European Economic Area, United Kingdom, and Switzerland, we process personal data under the following lawful bases set out in Article 6(1) of the GDPR:

  • Account creation, authentication, and providing the Service — Contract (Art. 6(1)(b)): processing is necessary to perform the contract you enter into when you sign up.
  • Billing, subscriptions, and payouts — Contract (Art. 6(1)(b)) and Legal Obligation (Art. 6(1)(c)) for tax and financial recordkeeping.
  • Customer support and transactional emails — Contract (Art. 6(1)(b)).
  • Product analytics and service improvement — Legitimate Interest (Art. 6(1)(f)) in understanding how our product is used. You may object at any time.
  • Marketing emails and promotional content — Consent (Art. 6(1)(a)). You may withdraw consent at any time via the unsubscribe link or by contacting us.
  • Security, fraud prevention, and abuse detection — Legitimate Interest (Art. 6(1)(f)) in keeping our service and users safe.
  • Compliance with applicable laws — Legal Obligation (Art. 6(1)(c)).

We do not sell your personal data to third parties. We do not use your data to train AI or machine-learning models.

4. Subprocessors & Data Sharing

We share data only with the following service providers (subprocessors), each contractually bound to handle your data securely and only for the purposes we specify. All listed subprocessors are based in the United States.

  • Supabase (Supabase, Inc., United States) — primary database hosting, authentication, and file storage.
  • Stripe (Stripe, Inc., United States) — payment processing, subscription management, and contractor payouts.
  • Google (Google LLC, United States) — Google Maps Platform / Geocoding API for address-to-distance calculations, and Google Analytics 4 for product analytics.
  • Vercel (Vercel, Inc., United States) — application hosting and edge delivery.
  • Resend (Resend, Inc., United States) — transactional and notification email delivery (e.g., account verification, password resets, job notifications).

We may also disclose information if required by law, valid legal process, court order, or to protect the rights, property, or safety of GalaDesk, our users, or the public. In the event of a merger, acquisition, or sale of assets, user data may be transferred, and we will notify affected users.

5. Data Storage & Security

Your data is stored in Supabase-managed infrastructure. We implement industry-standard security measures including encryption in transit (TLS 1.2+), encryption at rest, role-based access controls, row-level security policies, hashed passwords, and periodic internal security reviews. While no system is perfectly secure, we take commercially reasonable measures to protect your information.

6. Data Breach Notification

In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of affected individuals, we will notify affected users and, where applicable, the relevant supervisory authority without undue delay and, in any event, within 72 hours of becoming aware of the breach, consistent with Articles 33 and 34 of the GDPR and applicable US state breach-notification laws.

7. Data Retention

We retain your account data for as long as your account is active. If you delete your account, we will remove your personal data within 30 days, except where we are required to retain it for legal, accounting, tax, or fraud-prevention purposes (up to 7 years for financial records).

Organization data (jobs, events, team records) is retained for the organization owner. If an organization is deleted, all associated data is permanently removed within 30 days, subject to the same legal-retention exceptions noted above.

8. Your Rights (GDPR, UK GDPR & Global Privacy)

Depending on your location, you have the following rights regarding your personal data:

  • Access — Request a copy of the personal data we hold about you
  • Rectification — Request correction of inaccurate or incomplete data
  • Erasure — Request deletion of your personal data ("right to be forgotten")
  • Portability — Request your data in a structured, commonly used, machine-readable format
  • Restriction — Request that we limit processing of your data
  • Objection — Object to processing based on legitimate interests or for direct marketing
  • Withdraw Consent — Where processing is based on consent, withdraw at any time
  • Lodge a Complaint — Lodge a complaint with your local data protection authority (e.g., your EU member-state DPA or the UK ICO)

To exercise any of these rights, contact us at daniel@galadesk.com. We will respond within 30 days (extendable by up to two additional months for complex requests, as permitted by the GDPR).

9. California Privacy Rights (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"), provides you with additional rights regarding your Personal Information.

9.1 Categories of Personal Information Collected

In the preceding 12 months, we have collected the following categories of Personal Information:

  • Identifiers — name, email, phone number, IP address, account identifiers, Stripe customer ID
  • Customer records (Cal. Civ. Code § 1798.80(e)) — business address, billing details
  • Commercial information — subscription plan, transaction history
  • Internet or other network activity — browsing, feature usage, session data, device/browser fingerprints
  • Geolocation data — approximate location derived from IP address only (we do not collect precise GPS location)
  • Professional or employment-related information — business name, role, pay rates and payout details for contractors (as uploaded by event pros)
  • Inferences — performance analytics and reliability metrics derived from platform activity

9.2 Sources of Personal Information

  • Directly from you when you create an account, subscribe, or use the Service
  • From event pros (Customers) who upload information about their team, contractors, or clients
  • Automatically from your browser and device when you interact with the Service
  • From subprocessors such as Stripe (billing metadata) and Google (Maps-derived calculations)

9.3 Business Purposes for Collection

  • Providing, maintaining, and improving the Service
  • Billing, subscriptions, and processing payouts
  • Customer support and account communications
  • Security, fraud prevention, and abuse detection
  • Product analytics and service improvement
  • Compliance with legal obligations

9.4 Categories of Recipients

We disclose Personal Information for business purposes only to the subprocessors listed in Section 4 (Supabase, Stripe, Google, Vercel, and our transactional email provider), and to legal or governmental authorities where required.

9.5 No Sale or Sharing of Personal Information

GalaDesk does not sell Personal Information. GalaDesk does not share Personal Information for cross-context behavioral advertising.We have not sold or shared Personal Information in the preceding 12 months, and we do not do so now.

9.6 Sensitive Personal Information

We collect a limited category of Sensitive Personal Information (account login credentials in hashed form, and, for contractors, payout/bank information forwarded to Stripe). We use this information only for the purposes permitted under CCPA/CPRA § 7027(m) — namely, to provide the Service requested — and not for inferring characteristics about a consumer.

9.7 Your California Rights

  • Right to Know — request the categories and specific pieces of Personal Information we have collected about you
  • Right to Delete — request deletion of Personal Information we hold about you
  • Right to Correct — request correction of inaccurate Personal Information
  • Right to Opt-Out of Sale/Sharing — not applicable here, as we do not sell or share Personal Information for cross-context behavioral advertising
  • Right to Limit Use of Sensitive Personal Information — request that we limit use to purposes necessary to provide the Service
  • Right to Non-Discrimination — we will not discriminate against you for exercising any of these rights

9.8 How to Exercise California Rights

Submit requests by email to daniel@galadesk.com with the subject line "California Privacy Request." We will verify your identity using information on file (such as your account email) and will respond within 45 days, with a possible 45-day extension where reasonably necessary, as permitted by statute.

9.9 Authorized Agents

You may designate an authorized agent to submit a request on your behalf. The agent must provide written permission signed by you, and we may require you to verify your own identity directly before fulfilling the request.

10. International Data Transfers

GalaDesk is operated from the United States, and your data is stored and processed in the United States by our subprocessors. If you are located in the European Economic Area, United Kingdom, or Switzerland, your personal data will be transferred to the United States.

For these transfers, we rely on appropriate safeguards under Article 46 of the GDPR, including the Standard Contractual Clauses adopted by the European Commission in June 2021 (and the UK International Data Transfer Addendum where applicable), and, where a subprocessor is certified, the EU-US Data Privacy Framework (and UK Extension / Swiss-US DPF). Copies of the relevant safeguards are available upon request.

11. Children's Privacy

The Service is not intended for individuals under 18 years of age for account creation. Consistent with the Children's Online Privacy Protection Act (COPPA) in the United States and Article 8 of the GDPR in the European Union, we do not knowingly collect or process personal data from children under 13 years of age (US) or under 16 years of age (EU). If you believe we have inadvertently collected data from a child, please contact us at daniel@galadesk.com and we will promptly delete it.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the platform at least 14 days before the changes take effect. Your continued use of GalaDesk after the effective date constitutes acceptance of the updated policy.

13. Contact Us

If you have questions about this Privacy Policy or our data practices, contact us at:

GalaDesk, a product of Printmods (sole proprietorship, Pennsylvania, USA)
Email: daniel@galadesk.com
Website: galadesk.com

This policy is provided for informational purposes. For legal advice specific to your situation, consult a qualified attorney.