Privacy policy

Version 1.0 · Effective 12 July 2026 · The Dutch translation is provided for convenience; in case of divergence this English version prevails.

1. Who we are

Galactic Automation BV, Wijnhuizestraat 44, 9620 Zottegem, Belgium, enterprise number (KBO/BCE) 0768.244.354 ("Sceau Risk", "we"), is the party responsible for the processing described in this policy. Privacy contact: privacy@sceau.eu.

2. Two roles, clearly separated

We process personal data in two distinct capacities:

3. What we process as controller, why, and on which legal basis

ContextDataPurposeLegal basis (GDPR)Retention
Website visitTruncated IP address, requested page, timestamp, user agent (server logs)Delivering the site, security, abuse preventionArt. 6(1)(f) — legitimate interest in operating a secure serviceLogs: max. 30 days
Demo / contact by e-mailName, e-mail, organisation, message contentResponding to your enquiry, arranging a demoArt. 6(1)(b) — pre-contractual steps at your request24 months after last contact
Platform accountName, business e-mail, role, authentication data, permission set, sign-in eventsProviding access, enforcing role-based permissions, securityArt. 6(1)(b) — performance of the contractDuration of subscription + 30 days, then deleted
Audit chainUser identifier and timestamp attached to actions inside the platform (approvals, signatures, rule executions)The tamper-evident record that is the core of the serviceArt. 6(1)(b) and 6(1)(f) — the integrity guarantee customers contract forDuration of subscription; exported to the customer and erased on termination
BillingInvoicing details, VAT number, payment recordsInvoicing and accountingArt. 6(1)(c) — legal obligation (Belgian accounting law)7 years (statutory)
SupportCorrespondence, diagnostic context you provideResolving your issueArt. 6(1)(b)24 months after ticket closure
Security research contactReporter contact details, report contentCoordinated vulnerability handlingArt. 6(1)(f)36 months

We do not use tracking cookies, advertising identifiers, behavioural analytics or third-party marketing pixels — on this website or in the product. See the cookie policy for the short, complete list of what is stored in your browser.

4. AI features

The optional "Ask Sceau" copilot processes the question a user types and the tenant data needed to answer it. Prompts and responses are logged to the customer's own tenant for auditability. Tenant content is not used to train models, and the copilot can be disabled per tenant. Where a customer configures an external model provider, that provider is listed in the customer's DPA processor annex before activation.

5. Recipients and processors

We share personal data only with processors necessary to run the service, under Article 28 agreements:

The current, complete processor list is available on request via privacy@sceau.eu and in the DPA annex. We do not sell personal data, ever.

6. International transfers

All production processing takes place within the European Economic Area (Belgium). We do not transfer personal data to third countries. The ultimate parent of our default infrastructure provider is US-headquartered; our contract is with its EU entity under GDPR terms with EU data-residency controls, and any ancillary transfer would be covered by Chapter V safeguards (SCCs / EU–U.S. DPF). Should that ever change for a specific optional feature, it will occur only with appropriate safeguards under Chapter V GDPR and prior notice in the DPA annex.

7. Security

Measures include: tenant isolation enforced through PostgreSQL row-level security (fail-closed), role-based access control with segregation of duties, encryption in transit (TLS) and at rest, hardened EU infrastructure, least-privilege internal access, logging on a tamper-evident hash chain, and tested backup and restore procedures. Details relevant to your assessment are described in our security documentation, available under NDA.

8. Your rights

Under the GDPR you may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interest. Write to privacy@sceau.eu; we respond within one month. Where our processing rests on consent, you may withdraw it at any time without affecting prior processing.

You also have the right to lodge a complaint with the Belgian Data Protection Authority: Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussels, gegevensbeschermingsautoriteit.be — or with the supervisory authority of your habitual residence.

9. Automated decision-making

We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. Platform outputs (scores, forecasts, recommendations) are decision support for our customers' trained users, with the underlying factors disclosed.

10. Children

The website and the service are directed at professional organisations and are not intended for minors.

11. Changes

We will post any material change here with a new version number and effective date, and notify customers through the platform for changes affecting the service. The version history is available on request.