Privacy policy
1. Who we are
Galactic Automation BV, Wijnhuizestraat 44, 9620 Zottegem, Belgium, enterprise number (KBO/BCE) 0768.244.354 ("Sceau Risk", "we"), is the party responsible for the processing described in this policy. Privacy contact: privacy@sceau.eu.
2. Two roles, clearly separated
We process personal data in two distinct capacities:
- As controller — for this website, for sales and demo contacts, for the accounts of platform users, and for billing and support.
- As processor — for the content our customers place inside their Sceau Risk tenant (risk registers, assessments, documents, evidence, names of risk owners, and similar). For that content the customer is the controller and we act strictly on their documented instructions under the Data Processing Agreement (DPA) that forms part of every subscription. Requests from data subjects concerning tenant content should be addressed to the relevant customer; we assist that customer as required by Article 28 GDPR.
3. What we process as controller, why, and on which legal basis
| Context | Data | Purpose | Legal basis (GDPR) | Retention |
|---|---|---|---|---|
| Website visit | Truncated IP address, requested page, timestamp, user agent (server logs) | Delivering the site, security, abuse prevention | Art. 6(1)(f) — legitimate interest in operating a secure service | Logs: max. 30 days |
| Demo / contact by e-mail | Name, e-mail, organisation, message content | Responding to your enquiry, arranging a demo | Art. 6(1)(b) — pre-contractual steps at your request | 24 months after last contact |
| Platform account | Name, business e-mail, role, authentication data, permission set, sign-in events | Providing access, enforcing role-based permissions, security | Art. 6(1)(b) — performance of the contract | Duration of subscription + 30 days, then deleted |
| Audit chain | User identifier and timestamp attached to actions inside the platform (approvals, signatures, rule executions) | The tamper-evident record that is the core of the service | Art. 6(1)(b) and 6(1)(f) — the integrity guarantee customers contract for | Duration of subscription; exported to the customer and erased on termination |
| Billing | Invoicing details, VAT number, payment records | Invoicing and accounting | Art. 6(1)(c) — legal obligation (Belgian accounting law) | 7 years (statutory) |
| Support | Correspondence, diagnostic context you provide | Resolving your issue | Art. 6(1)(b) | 24 months after ticket closure |
| Security research contact | Reporter contact details, report content | Coordinated vulnerability handling | Art. 6(1)(f) | 36 months |
We do not use tracking cookies, advertising identifiers, behavioural analytics or third-party marketing pixels — on this website or in the product. See the cookie policy for the short, complete list of what is stored in your browser.
4. AI features
The optional "Ask Sceau" copilot processes the question a user types and the tenant data needed to answer it. Prompts and responses are logged to the customer's own tenant for auditability. Tenant content is not used to train models, and the copilot can be disabled per tenant. Where a customer configures an external model provider, that provider is listed in the customer's DPA processor annex before activation.
5. Recipients and processors
We share personal data only with processors necessary to run the service, under Article 28 agreements:
- Google Cloud EMEA Limited (Ireland) — infrastructure hosting in Google Cloud’s Belgian region (europe-west1, St-Ghislain), with data residency restricted to the EU.
- Hetzner Online GmbH (Germany) / Hetzner Finland Oy — EU-owned infrastructure used for Enterprise sovereign single-tenant deployments.
- An EU-based transactional e-mail provider — delivery of account and notification e-mails.
- Our accountant and, where legally required, Belgian public authorities.
The current, complete processor list is available on request via privacy@sceau.eu and in the DPA annex. We do not sell personal data, ever.
6. International transfers
All production processing takes place within the European Economic Area (Belgium). We do not transfer personal data to third countries. The ultimate parent of our default infrastructure provider is US-headquartered; our contract is with its EU entity under GDPR terms with EU data-residency controls, and any ancillary transfer would be covered by Chapter V safeguards (SCCs / EU–U.S. DPF). Should that ever change for a specific optional feature, it will occur only with appropriate safeguards under Chapter V GDPR and prior notice in the DPA annex.
7. Security
Measures include: tenant isolation enforced through PostgreSQL row-level security (fail-closed), role-based access control with segregation of duties, encryption in transit (TLS) and at rest, hardened EU infrastructure, least-privilege internal access, logging on a tamper-evident hash chain, and tested backup and restore procedures. Details relevant to your assessment are described in our security documentation, available under NDA.
8. Your rights
Under the GDPR you may request access, rectification, erasure, restriction, portability, and object to processing based on legitimate interest. Write to privacy@sceau.eu; we respond within one month. Where our processing rests on consent, you may withdraw it at any time without affecting prior processing.
You also have the right to lodge a complaint with the Belgian Data Protection Authority: Gegevensbeschermingsautoriteit, Drukpersstraat 35, 1000 Brussels, gegevensbeschermingsautoriteit.be — or with the supervisory authority of your habitual residence.
9. Automated decision-making
We do not subject you to decisions based solely on automated processing that produce legal or similarly significant effects. Platform outputs (scores, forecasts, recommendations) are decision support for our customers' trained users, with the underlying factors disclosed.
10. Children
The website and the service are directed at professional organisations and are not intended for minors.
11. Changes
We will post any material change here with a new version number and effective date, and notify customers through the platform for changes affecting the service. The version history is available on request.