Privacy Policy

Last updated: March 2026

1. Controller

The controller responsible for data processing on this website is:

Restless UG (haftungsbeschränkt)
Luca von Oesen
Finkenau 1
22081 Hamburg, Germany
Email: hi@gala-cube.com

2. Data We Collect

2.1 Server Log Files

When you visit our website, your browser automatically transmits certain information (IP address, browser type, date and time of access, requested URL). These data are not linked to specific individuals and are not merged with other data sources.

2.2 Event Request Data

When you submit an event request, we collect: your name, email address, event type, date, location, guest count, budget range, and any additional preferences you provide.

2.3 Account Data

If you create an account, we store your email address and authentication tokens required for secure login.

2.4 Communication Data

Messages exchanged between customers and providers through our platform are stored to facilitate the matchmaking process.

2.5 Booking and Commission Data

For providers, we process booking confirmations and commission invoicing data necessary for payment processing.

2.6 Analytics Data

With your consent, we collect anonymised usage data such as pages visited, visit duration, and referral sources using Google Analytics. See Section 8 (Cookies and Analytics) for details.

3. Purposes and Legal Basis

We process your data for the following purposes:

  • Event matchmaking service — Art. 6(1)(b) GDPR (performance of a contract)
  • AI-assisted event matching — Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in efficient matchmaking). AI suggestions are always reviewed by our team before delivery.
  • Communication about your requests — Art. 6(1)(b) GDPR
  • Commission invoicing (providers) — Art. 6(1)(b) GDPR
  • Website analytics — Art. 6(1)(a) GDPR (consent). You may withdraw consent at any time.
  • Advertising measurement — Art. 6(1)(a) GDPR (consent). We use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. With Enhanced Conversions, hashed user data may be sent to Google for improved ad attribution. You may withdraw consent at any time.
  • Service improvement — Art. 6(1)(f) GDPR (legitimate interest in improving our platform)
  • Legal obligations (tax, accounting) — Art. 6(1)(c) GDPR

4. AI-Assisted Processing

We use artificial intelligence (Anthropic Claude API) to assist in matching your event request with suitable providers from our network. When you submit an event request, the following data may be processed by our AI system: event type, date, location, guest count, budget range, and your preferences.

How we use AI: Our AI system analyses your event requirements and suggests potentially suitable providers. All AI-generated suggestions are reviewed and curated by our team before being presented to you. No decisions with legal or similarly significant effects are made solely by automated means.

Data and training: Your data is not used to train AI models. The AI processes your data only for the purpose of generating provider suggestions for your specific request. Data sent to the AI provider is automatically deleted within 30 days.

Your rights: You may request a fully human review of your event matching at any time by contacting us at hi@gala-cube.com. The legal basis for this processing is Art. 6(1)(b) GDPR (performance of a contract) and Art. 6(1)(f) GDPR (legitimate interest in providing efficient, high-quality matchmaking).

5. Recipients and Data Processors

We use the following third-party service providers to operate our platform:

  • Vercel Inc. (USA) — Website hosting
    Privacy Policy · Transfer mechanism: EU-US Data Privacy Framework + SCCs
  • Supabase Inc. (USA) — Database and authentication
    Privacy Policy · DPA · Transfer mechanism: EU-US Data Privacy Framework + SCCs
  • Stripe Inc. (USA) — Payment processing (provider commissions only)
    Privacy Policy · Transfer mechanism: EU-US Data Privacy Framework + SCCs
  • Resend Inc. (USA) — Transactional email delivery
    Privacy Policy · DPA · Transfer mechanism: EU-US Data Privacy Framework + SCCs
  • Anthropic PBC (USA) — AI-assisted event matching and matches generation
    Privacy Policy · DPA · Transfer mechanism: Standard Contractual Clauses (SCCs)
  • Google LLC / Google Ireland Limited (Ireland/USA) — Website analytics (Google Analytics) and advertising measurement (Google Ads conversion tracking, including Enhanced Conversions)
    Privacy Policy · Business Data Privacy · Transfer mechanism: EU-US Data Privacy Framework + SCCs
  • n8n GmbH (Germany) — Workflow automation
    Privacy Policy · DPA · Data hosted in EU (Frankfurt)
  • ManyChat Inc. (USA) — Chatbot and messaging automation
    Privacy Policy · DPA · Transfer mechanism: EU-US Data Privacy Framework + SCCs
  • Meta Platforms Ireland Ltd. (Ireland/USA) — Instagram messaging and social media integration
    Privacy Policy · When you contact us via Instagram, Meta processes your data as a joint controller (Art. 26 GDPR). We have no influence over Meta's data processing beyond the messages we exchange.

6. International Data Transfers

Your data may be transferred to the United States through the processors listed above. For data transfers to the US, our processors use one or more of the following safeguards:

  • EU-US Data Privacy Framework (DPF): Vercel, Supabase, Stripe, Resend, Google (Analytics and Ads), and ManyChat are certified under the EU-US Data Privacy Framework, providing an adequacy basis for data transfers.
  • Standard Contractual Clauses (SCCs): All US processors, including Anthropic, use Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) to ensure an adequate level of data protection.

n8n GmbH hosts data within the EU (Frankfurt, Germany), which does not require additional transfer safeguards.

7. Data Retention

  • Event requests: 12 months after last activity
  • Account data: until account deletion
  • Booking and commission data: 10 years (German tax law, Section 147 AO)
  • Server logs: 14 days
  • Communication data: 12 months after request closure
  • AI processing data: deleted within 30 days by the AI provider
  • Analytics data: 14 months (Google Analytics default)

8. Cookies and Analytics

8.1 Technically Necessary Cookies

We use technically necessary cookies for authentication and session management. These cookies are essential for the operation of our platform and do not require your consent (Section 25(2) TDDDG).

8.2 Analytics Cookies (Consent Required)

With your consent, we use Google Analytics to analyse website usage. Google Analytics uses cookies to collect anonymised data about your visit, including pages viewed, time spent, and referral sources. IP anonymisation is enabled. You can withdraw your consent at any time through our cookie settings or by installing the Google Analytics opt-out browser add-on. The legal basis for this processing is Art. 6(1)(a) GDPR (consent).

8.3 Google Ads Conversion Tracking and Enhanced Conversions (Consent Required)

With your consent, we use Google Ads conversion tracking to measure the effectiveness of our advertising campaigns. When you complete an action on our website after clicking on a Google ad (for example, submitting an event request), a conversion is recorded. Google Ads sets the following cookies: _gcl_au and _gac_* to attribute conversions to specific ad clicks.

Enhanced Conversions: To improve the accuracy of conversion measurement, we may send hashed (SHA-256 encrypted) user data — such as email address, name, phone number, and city — to Google when a conversion event occurs. Google uses this hashed data solely to match conversions to ad interactions in a privacy-preserving manner. The original data is never shared in plain text, and Google may not use this data for any other purpose.

The data processor for Google Ads is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland. For more information, see Google's Privacy Policy and Google's Advertising Policies. You can withdraw your consent at any time through our cookie settings. You may also opt out of personalised advertising at Google Ad Settings. The legal basis for this processing is Art. 6(1)(a) GDPR (consent).

9. Your Rights

Under the GDPR, you have the right to:

  • Access your personal data (Art. 15 GDPR)
  • Rectify inaccurate data (Art. 16 GDPR)
  • Erase your data (Art. 17 GDPR)
  • Restrict processing (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Object to processing (Art. 21 GDPR)
  • Withdraw consent at any time (Art. 7(3) GDPR)

To exercise any of these rights, contact us at: hi@gala-cube.com

10. Right to Lodge a Complaint

You have the right to lodge a complaint with a data protection supervisory authority. The competent authority for GalaCube is:

Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit (HmbBfDI)
Ludwig-Erhard-Str. 22, 7th Floor
20459 Hamburg, Germany
datenschutz-hamburg.de

11. Changes to This Policy

We may update this privacy policy from time to time. The date at the top of this page indicates the latest revision.