Privacy Policy
Last updated: March 2026
Galley is an editorial review platform. This policy explains what data we collect, why, and who has access to it.
The short version: we collect what we need to run the platform and nothing more. We do not sell your data, we do not serve ads, and we do not use your submissions to train AI models.
What We Collect
Account information
When you sign up, we store your email address. You may optionally add a display name, username, bio, and avatar image. If you choose to make your profile public, your display name, username, and bio are visible to others.
We do not store passwords. Authentication is handled through magic links and passkeys.
Submissions
When you submit work, we store the title, cover letter, uploaded files, and any custom fields defined by the organization’s call for submissions. Uploaded files (PDF, DOCX, RTF) are stored in a private cloud bucket and are accessible only to you, the organization’s editors, and assigned reviewers.
We extract the plain text from uploaded documents for reading within the platform. A content fingerprint (a one-way hash) is generated to help editors detect simultaneous submissions. The original file is preserved as-is.
Reviews and editorial decisions
When editors and reviewers evaluate submissions, their ratings, comments, and decision history are stored. This data is visible to the editorial team and, where applicable, communicated to the submitter.
Payment information
If a call requires a submission fee, payment is processed entirely by Stripe. We store only the Stripe session ID and payment timestamp — never your card number, billing address, or other payment details. See Stripe’s privacy policy for how they handle your data.
Session data
When you sign in, our authentication service records your IP address and user agent as part of the session. This data is used for security purposes and is not shared. Sessions expire automatically.
Feedback
If you submit feedback through the platform, we store your email, message, category, and the page URL where the feedback was submitted.
How We Use Your Data
- Providing the service — displaying your submissions, delivering editorial decisions, managing your account.
- Email notifications — sending magic links, submission confirmations, and editorial decisions.
- Security — rate limiting, bot detection, session management.
- Error tracking — identifying and fixing bugs.
- Analytics — understanding how the platform is used in aggregate, without tracking individual users.
We do not use your data for advertising, profiling, or AI training.
Third-Party Services
We share the minimum data necessary with these services to operate the platform:
| Service | Purpose | Data shared |
|---|---|---|
| Neon | Database hosting (PostgreSQL) | All stored data |
| Cloudflare | CDN, DNS, file storage (R2) | Uploaded files, network traffic |
| Resend | Transactional email | Recipient email, sender email, message content |
| Stripe | Payment processing | Email, Stripe account/session IDs |
| Sentry | Error tracking | Error reports, performance samples (no personal data) |
| Umami | Privacy-focused analytics (self-hosted) | No personal data; no cookies |
| Fly.io | Application hosting | All stored data (in transit and at rest) |
No third-party service receives the content of your submissions except Neon (database), Cloudflare R2 (file storage), and Fly.io (hosting). These are infrastructure providers, not data consumers.
Cookies
Galley uses a small number of cookies, all strictly necessary for authentication. No advertising or tracking cookies are used. See our Cookie Policy for details.
Data Retention
Your data is retained for as long as your account is active. Submission records are retained for the organization’s editorial records even if your account is inactive.
We are building account deletion and data export features. In the meantime, contact us through the feedback page if you need your data deleted or exported, and we will handle it manually.
Data Security
- All connections use HTTPS with TLS 1.3.
- Authentication tokens are short-lived (15 minutes) and refreshed automatically.
- Cookies are httpOnly, secure, and sameSite.
- Uploaded files are stored in a private bucket with no public access. Downloads require authentication.
- Payment data never touches our servers — it goes directly to Stripe.
Your Rights
Regardless of where you are located, you have the right to:
- Access your data — request a copy of what we store about you.
- Correct your data — update your profile information at any time.
- Delete your data — request deletion of your account and associated data.
- Export your data — request a machine-readable copy.
To exercise any of these rights, contact us through the feedback page.
Children
Galley is not directed at children under 13. We do not knowingly collect data from children.
Changes
If we make material changes to this policy, we will notify users by email or through the platform. Minor clarifications may be made without notice.
Questions? Reach us through the feedback page.