Privacy Policy
This Privacy Policy explains how Galactiv EOOD (a Bulgarian EOOD with registered office at Kniaz Boris 1 55, Sofia 1000, Bulgaria, EIK/UIC 205028781; "Company", "we", "us") collects, uses, shares, and protects personal information.
It covers four audiences:
- Visitors to our marketing site at calivina.com;
- Recipients of unsolicited Previews generated as part of our outreach;
- Account holders and paying Customers who subscribe to the Service;
- Visitors to a Generated Site that we host on a Customer's behalf.
If you have questions, write to privacy@calivina.com.
1. Quick Summary
- We collect: account, billing, usage, communications, and (for outreach) public business information.
- We use it to: run the Service, bill you, support you, and conduct outreach.
- We share it with: payment, hosting, AI, email, and analytics sub-processors strictly necessary to operate the Service.
- We do not sell personal information, and we do not share it for cross-context behavioral advertising.
- You have rights: access, correction, deletion, portability, opt-out of marketing, and (where applicable) opt-out of "sale/share" under the CCPA.
- We rely on multiple GDPR lawful bases: contract performance, legitimate interests, consent, and legal obligation, depending on the activity.
- Our services are not directed to children under 16; we do not knowingly collect their information.
2. Who is the Controller / Business
For purposes of the EU General Data Protection Regulation, the UK GDPR, and similar laws, Galactiv EOOD is the controller of personal information we collect about visitors, prospects, and account holders.
For purposes of the California Consumer Privacy Act / California Privacy Rights Act (collectively the "CCPA"), Company is a business.
When we host a Generated Site for you, you (the Customer) are the controller / business with respect to personal information collected through that Generated Site (e.g., contact-form submissions from your visitors), and we are a processor / service provider acting on your documented instructions. Our standard Data Processing Addendum is available on request and is deemed entered into between you and us upon your request.
3. Personal Information We Collect
3.1 Information you give us
- Account information: name, email address, password (hashed), business name, business address, country, time zone.
- Billing information: name on card, billing address, last four digits and brand of payment card, taxpayer identification number where required. Full payment-card details are collected and stored by Stripe; we do not see or store your full card number.
- Communications: support emails, chat transcripts, replies to outreach.
- Customer Content you upload or instruct us to crawl: business logo, photos, copy, hours, services, and similar materials used to compose your Generated Site.
3.2 Information we collect automatically
- Service-usage telemetry: IP address, user-agent, dashboard pages viewed, feature usage, session times, error events.
- Generated-Site visitor logs (on your behalf, as your processor): IP address, user-agent, requested URL, timestamps, referrer. Retained for up to 30 days for security and abuse mitigation.
- Cookies and similar technologies on calivina.com: see Section 8 (Cookies). On Generated Sites, cookie usage is configured by you, the Customer.
3.3 Information we collect from public sources (Previews and outreach)
To prepare a Preview and conduct outreach, we crawl your business's publicly accessible website (respecting robots.txt and shallow-crawl limits) and look up information in publicly available business directories (such as OpenStreetMap, Google Places, government registries like Companies House or the U.S. SEC, and commercial directories).
The information we collect this way may include:
- Business name, address, phone, email (where publicly published), website URL, hours.
- Logo and photos as displayed on the public website.
- Industry classification, approximate domain age, and technology stack signals.
- Publicly listed personnel names, only if they appear in roles such as "owner", "managing partner", or similar on the business's own website.
3.4 Information we receive from third parties
- Stripe confirms successful payments and may share card-bin metadata for fraud prevention.
- Email-deliverability vendors (e.g., bounce or unsubscribe events).
- Analytics providers (privacy-friendly aggregate measurements).
We do not purchase or rent contact lists from data brokers for outreach.
4. How We Use Personal Information
We use personal information to:
(a) provide the Service — create and operate your account, generate, host, and serve the Generated Site, deliver Previews, route email forwarders, perform billing through Stripe; (b) support you — respond to your inquiries, troubleshoot issues, send service announcements; (c) bill and collect — issue invoices, accept payments, recover unpaid amounts, comply with tax law; (d) secure the Service — detect fraud, abuse, and security incidents; prevent and investigate violations of the AUP; (e) conduct outreach — generate Previews based on public information about a business and send a single cold email or follow-ups (subject to opt-out, suppression list, and Section 6); (f) improve the Service — analyze usage in aggregate, evaluate the quality of AI-generated copy, train internal heuristics (we do not use Customer Content or visitor data to train third-party AI models without an opt-in); (g) comply with law — respond to lawful requests, enforce our rights, defend ourselves in legal disputes; (h) communicate marketing — send newsletters or product announcements only where we have a permitted basis (for existing customers, on a soft-opt-in basis with one-click unsubscribe; for prospects, on the legitimate-interest basis described in Section 6 or with consent where required).
5. GDPR Lawful Bases (For Individuals in the EEA, UK, and Switzerland)
For each processing activity, our lawful basis under Article 6 GDPR is:
| Activity | Lawful basis |
|---|---|
| Operating the Service for a paid Customer | Contract (Art. 6(1)(b)) — necessary to perform the Subscription |
| Billing and tax compliance | Contract + Legal obligation (Art. 6(1)(c)) |
| Generating Previews from public information for prospective B2B customers | Legitimate interests (Art. 6(1)(f)) — direct B2B marketing on the basis of publicly published business contact details, balanced against the recipient's interests by (i) one-click takedown, (ii) non-indexed delivery, (iii) clear identification, (iv) suppression on request, and (v) regional opt-outs as described in Section 6 |
| Cold-email outreach to identified business roles | Legitimate interests in the U.S., U.K., and most of the EEA outside Germany/Austria/Switzerland; Consent is required where local law mandates it (we do not cold-email DE/AT/CH or to recipients on Canadian addresses without prior consent) |
| Marketing emails to existing customers about similar services | Legitimate interests with soft opt-in (PECR-style) |
| Newsletter to prospects who signed up | Consent (Art. 6(1)(a)) |
| Analytics and product improvement | Legitimate interests with aggregation, IP truncation, and short retention; cookies require consent per ePrivacy |
| Security, fraud prevention, abuse investigation | Legitimate interests + Legal obligation |
You have the right to object to processing based on legitimate interests at any time (Art. 21 GDPR). We will stop unless we demonstrate compelling legitimate grounds that override your interests, or for the establishment, exercise, or defense of legal claims. For direct marketing, an objection is absolute: we will stop on request.
6. Outreach, Previews, and Your Right to Opt Out
6.1 What we do
We may identify a small business with a publicly accessible, dated-looking website, generate a Preview at a <slug>.preview.calivina.com URL, and email a representative of that business with a link to the Preview. The email is identifiable as commercial, includes our valid postal address, and includes a one-click unsubscribe link.
6.2 Where we do not send outreach
We do not send unsolicited cold email to recipients in:
- Germany, Austria, Switzerland (UWG §7 / equivalent) — too restrictive of B2B unsolicited email;
- Canada (CASL) — express consent required; we do not send to Canadian recipients without prior consent;
- bulk EU consumer addresses (we limit outreach to publicly published business role addresses such as
info@,contact@, orowner@).
6.3 Your right to opt out (universal)
You can opt out of further outreach at any time by:
- clicking the unsubscribe link in any email we send;
- replying with the word "unsubscribe" or "stop";
- writing to unsubscribe@calivina.com with the relevant address(es); or
- requesting takedown of any Preview at takedown@calivina.com.
Opt-out requests are honored within ten (10) business days for email and within twenty-four (24) hours for Preview takedown. Opt-out is cross-domain: a single request adds you to a permanent suppression list applied to all of our outreach.
6.4 No "Sale" of contact information
We do not buy, rent, sell, or share contact information for advertising. Information we collect from public sources for outreach is used only for the outreach to that business and is subject to deletion on request.
7. How We Share Personal Information
We share personal information only with the categories below and only as necessary.
7.1 Sub-processors and service providers
| Category | Provider(s) | Purpose | Region |
|---|---|---|---|
| Payments | Stripe, Inc. (and its affiliates) | Process Subscription Fees, fraud prevention, tax determination | U.S. |
| Hosting and CDN | Cloudflare, Inc. | Host the Service, serve Generated Sites and Previews, DNS, TLS | Global edge |
| Object storage | Cloudflare R2 | Store generated assets and Customer Content | EU/U.S. |
| Email sending | Resend, Inc. or Postmark (ActiveCampaign) | Send transactional and outreach email | U.S. |
| Email forwarding | Cloudflare Email Routing | Forward your contact@yourdomain to your Gmail/Outlook |
Global edge |
| AI inference | Anthropic, PBC; OpenAI, L.L.C.; optionally Google LLC (Gemini) | Generate AI Content for Generated Sites and Previews | U.S. (AI providers contractually agree not to train on our or your data) |
| Image generation | Replicate, Inc. (Flux models) | Generate decorative imagery | U.S. |
| Stock imagery | Unsplash, Pexels APIs | Source license-clean stock images | U.S. |
| Error and performance | Sentry, Plausible Analytics | Error reporting, privacy-friendly analytics | EU/U.S. |
| Customer support | {HELPDESK} (e.g., Help Scout) | Manage support tickets | U.S. |
| Business productivity | Google Workspace | Internal email, docs | U.S. |
The current list is also published at calivina.com/legal/subprocessors and is updated as we change vendors. Customers will receive thirty (30) days' notice (via email or dashboard) of any new sub-processor that processes Customer Content.
7.2 International transfers
Some sub-processors are based in or operate from the United States or other countries outside the EEA, the UK, or Switzerland. Where personal information of EEA, UK, or Swiss individuals is transferred internationally, we rely on appropriate safeguards:
- EU Standard Contractual Clauses (Module 2 or 3, as applicable) with each receiving processor;
- the UK International Data Transfer Addendum for UK individuals;
- the Swiss-U.S. Data Privacy Framework and the EU-U.S. Data Privacy Framework for transfers to certified U.S. recipients;
- transfer impact assessments where appropriate;
- supplementary technical measures (encryption in transit and at rest).
7.3 Legal disclosures
We may disclose personal information when we believe in good faith that disclosure is required to (a) comply with applicable law, regulation, or legal process; (b) respond to a valid government or law-enforcement request; (c) protect the rights, property, or safety of Company, our users, or the public; or (d) enforce our agreements.
7.4 Business transfers
If we are involved in a merger, acquisition, financing, reorganization, bankruptcy, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected users, and the receiving party will be bound by privacy commitments at least as protective as this Policy.
7.5 No sale; no sharing for cross-context behavioral advertising
We do not "sell" personal information and do not "share" it for cross-context behavioral advertising as those terms are defined under the CCPA. We have not done so in the preceding twelve (12) months.
8. Cookies and Similar Technologies (Marketing Site)
On our marketing site at calivina.com, we use:
- Strictly necessary cookies: required for site function, login state, security, CSRF protection. No consent required.
- Analytics: privacy-friendly, no individual tracking (currently Plausible Analytics, which does not set persistent cookies on visitors).
- Marketing: none, by default. If we add advertising or retargeting in the future, we will require consent and update this Policy.
A cookie banner is displayed to visitors from the EEA/UK/Switzerland and from California (where required by law). You can withdraw consent at any time via the banner's "manage preferences" link.
For Generated Sites, you (the Customer) configure cookies and analytics. We do not load advertising or tracking pixels on Generated Sites by default.
9. How Long We Keep Personal Information
| Data | Retention |
|---|---|
| Account and Customer Content (active Subscription) | Through the Subscription Term |
| Customer Content after cancellation | 30 days, then deleted (unless legal hold applies) |
| Generated Site source code after cancellation | 7 days, then deleted |
| Billing records and tax documents | 10 years from issuance (EU/Bulgarian tax law) |
| Support tickets | 3 years from closure |
| Outreach data on suppression list | Indefinite (suppression must persist to honor opt-out) |
| Outreach data not on suppression list (no conversion) | Up to 12 months from last contact |
| Generated-Site visitor logs (acting as your processor) | 30 days |
| Backups | Up to 30 days, encrypted |
We may retain longer where law requires (e.g., to satisfy a regulatory or litigation hold).
10. Your Rights
10.1 Rights under the GDPR (EEA, UK, Switzerland)
You have the right to: access your personal information; correct inaccurate information; delete information ("right to erasure"); restrict processing; object to processing (including direct marketing); portability (receive a copy in a structured, commonly used, machine-readable format); withdraw consent at any time without affecting prior processing; and lodge a complaint with a supervisory authority (in Bulgaria, the Commission for Personal Data Protection, https://www.cpdp.bg/).
To exercise any right, write to privacy@calivina.com. We will respond within thirty (30) days.
We do not engage in fully automated decision-making with legal or similarly significant effects within the meaning of Article 22 GDPR.
10.2 Rights under the California CCPA/CPRA
If you are a California resident, you have the right to:
- Right to know what personal information we collect, the purposes, the categories of recipients, and the categories of sources.
- Right to delete your personal information, subject to exceptions.
- Right to correct inaccurate personal information.
- Right to opt out of "sale" or "sharing" of personal information. We do not sell or share, but you can submit a request to confirm that status: calivina.com/do-not-sell.
- Right to limit use of sensitive personal information. We do not knowingly collect sensitive personal information beyond payment-card data (which is held by Stripe, not us) and account credentials.
- Right to non-discrimination for exercising your rights.
- Right to designate an authorized agent to make a request on your behalf.
To exercise these rights, write to privacy@calivina.com with the subject "CCPA Request" or use the form at calivina.com/privacy/request. We will verify your identity by reasonable means before fulfilling. We will respond within forty-five (45) days, extendable once by another forty-five (45) days with notice to you.
Categories of personal information we collect, the business purposes for which they are collected, the categories of recipients, and the retention periods are summarized in Sections 3, 4, 7, and 9. We collect personal information from the sources described in Section 3.
10.3 Rights under other U.S. state laws
If you are a resident of Virginia, Colorado, Connecticut, Utah, Texas, Iowa, Indiana, Tennessee, Oregon, Montana, Florida (where its protections apply to you), or another U.S. state with a comprehensive privacy law, you may have rights similar to those listed above. Submit your request to privacy@calivina.com and identify your state of residence.
We do not engage in profiling that produces legal or similarly significant effects, and we do not "sell" personal information under any of these laws.
10.4 Right to appeal
If we decline a privacy request, you may appeal by replying to our response with the subject "Appeal". A different individual than the one who handled the original request will review the appeal within forty-five (45) days. If we again decline, you may complain to your state attorney general or supervisory authority.
11. Security
We implement and maintain commercially reasonable technical and organizational measures intended to protect personal information against unauthorized access, alteration, disclosure, or destruction:
- TLS for all data in transit;
- encryption at rest for production datastores;
- principle-of-least-privilege access controls and audit logging;
- multi-factor authentication for administrative access;
- vendor diligence on sub-processors;
- routine security review and patching;
- incident-response plan and a designated security contact.
No system is perfectly secure. If we become aware of a personal-data breach affecting your information, we will notify you and any applicable supervisory authority as required by law.
12. Children
The Service is not directed to, and we do not knowingly collect personal information from, individuals under sixteen (16) years of age. If we learn that we have collected personal information from such an individual, we will delete it. Parents or guardians who believe their child has provided us with personal information may contact privacy@calivina.com.
13. EU Representative; UK Representative
We do not currently have a permanent establishment in another EEA Member State or in the United Kingdom. If and when our processing activities require designation of a representative under Article 27 GDPR or Article 27 UK GDPR, we will publish that representative's contact details here.
For Bulgarian data-protection matters, our supervisory authority is the Commission for Personal Data Protection (Комисия за защита на личните данни).
14. Do Not Track / Global Privacy Control
We do not respond to "Do Not Track" headers because there is no industry consensus on their meaning. We do treat a Global Privacy Control (GPC) signal received from a California or Colorado resident's browser as a valid opt-out of "sale" or "sharing" under those states' laws.
15. Changes to this Policy
We may update this Privacy Policy from time to time. The updated version will be posted at calivina.com/legal/privacy with a new "last updated" date. For material changes, we will notify Customers by email at least thirty (30) days in advance. Continued use of the Service after the effective date constitutes acceptance.
Prior versions remain available at calivina.com/legal/privacy/archive.
16. Contact
- Privacy and data-rights requests: privacy@calivina.com
- Do-Not-Sell / Opt-out portal: calivina.com/do-not-sell
- General: support@calivina.com
- Mail: Galactiv EOOD, Kniaz Boris 1 55, Sofia 1000, Bulgaria, Bulgaria, attn. Data Protection
Document version 1.0.0 — effective 2026-04-29.