Galleys

Privacy Policy

Last updated: February 2026

1. Information We Collect

Account Information

When you create an account, we collect your name, email address, and password (hashed with bcrypt). If you sign in via Google or GitHub OAuth, we receive your name, email, and profile picture from those providers.

Manuscript Content

When you upload a manuscript, we store the extracted text content, detected chapters, and file metadata (filename, word count, format). Manuscripts are stored encrypted at rest and are used solely to provide the editorial analysis service.

Analysis Results

Editorial reports, issues, severity classifications, and revision plans generated by AI analysis are stored in your account so you can access them at any time.

Usage Data

We collect standard usage data including pages visited, features used, analysis configurations (model choice, tone settings, genre), and timestamps. This data is used to improve the Service and diagnose issues.

Payment Information

Payment processing is handled entirely by Stripe. We do not store your credit card number, bank account details, or other payment credentials. We receive and store your Stripe customer ID and subscription status.

Cookies

We use essential cookies for authentication and session management. These are required for the Service to function and cannot be disabled.

2. How We Use Your Information

We use the information we collect to:

  • Provide, maintain, and improve the editorial analysis service.
  • Process your manuscripts through AI providers to generate editorial reports.
  • Manage your account, subscription, and billing.
  • Send transactional emails (account confirmation, password reset, billing receipts).
  • Diagnose technical issues and prevent abuse.
  • Comply with legal obligations.

We do not use your manuscripts or personal data to train AI models. We do not sell your personal information to third parties.

3. Third-Party AI Providers

To generate editorial reports, your manuscript text is sent to the AI provider you select:

  • Anthropic (Claude models) — API data is not used for model training per their API terms.
  • OpenAI (GPT models) — API data is not used for model training per their API terms.
  • Google (Gemini models) — API data is not used for model training per their API terms.

You choose which provider processes your manuscript. Only the manuscript text and editorial instructions are sent to the provider — your account details, payment information, and other personal data are never shared with AI providers.

4. BYOK (Bring Your Own Key) Data Handling

If you provide your own API keys:

  • Your API keys are encrypted at rest using AES-256-GCM encryption.
  • Keys are decrypted only at the moment of use and are never logged in plaintext.
  • You can view, rotate, or delete your stored API keys at any time from your account settings.
  • When using your own keys, data sent to AI providers is governed by your own agreement with that provider, not ours.

5. Other Third-Party Services

  • Stripe — Payment processing. Stripe receives your payment details directly and is subject to the Stripe Privacy Policy.
  • Vercel — Hosting and infrastructure. Subject to the Vercel Privacy Policy.
  • Google & GitHub OAuth — If you use social login, these providers share your basic profile information with us per their respective privacy policies.

6. Data Retention & Deletion

You can delete individual manuscripts and their associated analysis results at any time from your dashboard. Deleted data is removed from our active systems immediately.

If you delete your account, all associated data — including manuscripts, analyses, API keys, and account information — will be permanently purged from our systems within 30 days. Backups containing deleted data are overwritten on a rolling 30-day cycle.

We may retain minimal records (email, deletion date) as required by law or to resolve disputes.

7. Data Security

We implement industry-standard security measures to protect your data:

  • Encryption in transit — All data is transmitted over HTTPS/TLS.
  • Encryption at rest — Manuscripts and sensitive data are encrypted at rest.
  • Password hashing — Passwords are hashed using bcrypt with salt.
  • API key encryption — BYOK keys are encrypted using AES-256-GCM.
  • Access controls — Your data is accessible only to your authenticated account.

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

8. Your Rights

All Users

Regardless of your location, you can:

  • Access and download your manuscripts and analysis results from your dashboard.
  • Export your data in Markdown or JSON format.
  • Delete individual manuscripts, API keys, or your entire account from your settings.
  • Update your account information at any time.

European Users (GDPR)

If you are in the European Economic Area (EEA), you have additional rights under the General Data Protection Regulation:

  • Right of access — Request a copy of your personal data.
  • Right to erasure — Request deletion of your personal data.
  • Right to portability — Receive your data in a structured, machine-readable format.
  • Right to rectification — Correct inaccurate personal data.
  • Right to object — Object to processing of your personal data.

Our legal basis for processing your data is contractual necessity (providing the Service you signed up for) and legitimate interest (improving the Service, preventing abuse).

California Users (CCPA)

If you are a California resident, you have rights under the California Consumer Privacy Act:

  • Right to know — Request what personal information we collect, use, and disclose.
  • Right to delete — Request deletion of your personal information.
  • Right to opt out — We do not sell personal information, so this right is satisfied by default.
  • Right to non-discrimination — We will not discriminate against you for exercising your privacy rights.

To exercise any of these rights, contact us at privacy@galleys.ai or use the self-service tools in your account settings.

9. Children's Privacy

The Service is not intended for children under 13 years of age (or under 16 in the EEA). We do not knowingly collect personal information from children. If we learn that we have collected data from a child, we will delete it promptly. If you believe a child has provided us with personal information, please contact us at privacy@galleys.ai.

10. International Transfers

Your data may be processed in the United States or other countries where our service providers operate. By using the Service, you consent to the transfer of your data to these jurisdictions, which may have different data protection laws than your country of residence.

For EEA users, we rely on Standard Contractual Clauses or other approved transfer mechanisms to ensure adequate protection for your data.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a prominent notice on the Service at least 30 days before changes take effect. Your continued use of the Service after changes become effective constitutes acceptance of the updated policy.

12. Contact

Questions about this Privacy Policy or your data? Contact us at privacy@galleys.ai.