Privacy Policy

1. Identification of the Data Controller

GALACTIKPERSPECTIVE, registered at the Commercial Registry Office of Ponta Delgada under the unique registration and corporate tax number 516 279 572, with its registered office at Rua Conselheiro Luís Bettencourt Medeiros Câmara, nos. 24, 26, and 28, 9500-058 Ponta Delgada, is the entity responsible for collecting and processing the personal data provided by its clients, as well a individual or corporate entities, for the purposes outlined in this data protection policy.

2. Data Collection and Processing

GALACTIKPERSPECTIVE processes your personal data in strict compliance with Portuguese law and the General Data Protection Regulation (GDPR) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

When processing data that can directly or indirectly identify natural persons, we strictly apply the principle of “strict necessity”. Consequently, our websites, applications, and platforms have been designed from the ground up to ensure that the use of personal data is kept to a minimum and never exceeds the original purpose for which it was collected and/or processed.

All employees, service providers, or equivalents of GALACTIKPERSPECTIVE who handle registered personal data in the course of their duties are required to act in accordance with all information received and to comply with the guidelines defined in this Personal Data Protection Policy. They are individually responsible for complying with applicable legal and regulatory provisions, and are obliged to guarantee data confidentiality as an inseparable part of their duties provided for in their employment contract or equivalent agreement. Non-compliance may lead to disciplinary and/or legal consequences.

3. Identification of Personal Data and Object of Collection

“Personal data” means any information relating to an identified or identifiable natural person – the “data subject”. This definition includes personal data collected offline through direct customer service, as well as data collected online on our websites, pages, applications, platforms, and other applications accessed or used through third-party platforms recognised by our organisation.

GALACTIKPERSPECTIVE may collect personal data provided directly to us by filling out forms, surveys, and other tools required for the proper functioning of our services and legal compliance. Alternatively, data may be collected automatically whenever you interact with us online through cookies and tracking technologies. In particular, when registering on the platform, application, or website within your restricted access area, or when purchasing services and products online, you expressly grant GALACTIKPERSPECTIVE your consent to use your personal data, address, and data relating to your requests.

We collect your information when you register an account. This information is purposely kept to a minimum and is restricted to:

Username;

Password;

Display name (if you choose to provide one);

Email address (if you choose to provide one);

Verified phone number (if you choose to provide one);

Your password is stored until you change it or until your account is deactivated. Your username is stored indefinitely to prevent it from being reused by another user.

Your email and/or phone number, if you choose to provide them, are used so that other users can access your profile. The email address will also be used to allow password resets if you forget it, and to send notifications about unread messages from other users if you activate this feature. Similarly, it may be used less frequently to notify you of platform updates.

Each device you use to access the service is allocated a user-configured identifier. When you access the service, we log the device identifier, the IP address used to connect, the user agent, and the time you last connected to the service. The aforementioned information is collected to help you manage your devices.

We currently log the IP addresses of all users who access the service. This data is subsequently used to mitigate abuse, debug operational issues, and monitor traffic patterns.

Our logs are kept for no longer than 180 days.

We may share your information when working with our suppliers to provision the service. Furthermore, MiM is a decentralised and open service. This means that to support communication between users on different home servers or different messaging platforms, your username, display name, files, and messages will sometimes be shared with other services connected to the Matrix federation.

4. Federation

Only applicable when federation is active.

Matrix homeservers share user data with the wider federation ecosystem. When a user sends files and/or messages in a specific room, a data copy is automatically generated and subsequently sent to all room participants, including, depending on the room settings, participants who join in the future. If these participants are on remote homeservers, your username, display name, files, and messages may be replicated on each participating homeserver.

At your request, we will delete our copy of your data. We will likewise forward your request for deletion to federated homeservers. However, please be advised that these homeservers are beyond our control. We cannot guarantee that they will delete the user’s data.

Federated homeservers may be located anywhere in the world and are subject to local laws and regulations.

Access control settings are shared between homeservers, as are any requests to remove messages or personal data under Article 17 of the GDPR (Right to Erasure / Right to be Forgotten). Federated homeservers and Matrix clients are expected to respect the Matrix protocol and honour these deletion requests. Other federated homeservers are beyond the control of GALACTIKPERSPECTIVE, and it cannot be guaranteed that this data will be processed in accordance with these standards.

Some Matrix rooms may be linked to third-party services. When you connect to a room, your display name, messages, and file transfers may be duplicated on the bridging service.

Please note that, technically, it may not be possible to support the management of your data after it has been copied to a bridging service. As these services are interconnected, they may be located anywhere in the world and are always subject to local laws and regulations.

Access control settings and requests for message removal or personal data removal under Article 17 of the GDPR (Right to Erasure / Right to be Forgotten) shared with bridging services must be honoured to the best of their ability. Please be aware that not all networks or bridges support the technical features required to limit, remove, or erase messages. If this is unacceptable to you, do not use rooms with bridges.

The homeserver provides a range of integrations in the form of Widgets (miniature web applications accessed via the Client) and Bots (automated room participants).

Currently, Widgets and Bots have access to all messages and files present in any room in which you participate.

5. Transfers of Your Data

By using our service, your data may be transferred outside the EU if the entity responsible for the installation authorises it, or to other homeservers and services connected to the federation due to the necessity of providing the service to you. Due to the nature of the service, such transfers will occur regularly, without our control over the safeguards adopted by third parties.

How do we handle passwords? We never store password data in plain text. Instead, they are stored as hashes. Passwords sent to the server are encrypted using SSL.

It is your responsibility to keep your password and other sensitive data confidential. All actions carried out using your credentials will be deemed to have been performed by you, which may result in a series of consequences, including termination of service, as well as civil and criminal penalties.

If you become aware of any unauthorised use of your account or any other breach of security, you must notify GALACTIKPERSPECTIVE immediately by sending an email to security@galactikperspective.pt. Suspicious devices can be removed using the user’s configuration management tools. Users must follow best practices regarding password management (for example, by using a password manager application) and change their password whenever they believe their account has been compromised.

If you forget your password and have registered your email address, you can use the password reset feature.

It is part of our policy not to change any password on your behalf in order to protect your privacy and the integrity of your account.

In both encrypted and unencrypted rooms, users connecting to the homeserver (directly or via federation) will be able to view messages and files according to the access permission settings of the rooms in question. This data is stored in the format in which it was received by our servers and can only be viewed by the GALACTIKPERSPECTIVE team under the conditions described below.

Rooms have different visibility settings determined by the administrators of each room.

The history visibility options are as follows (in increasing order of openness):

joined – users must join the room to see the history, and they will only have access to messages sent after they join.

invited – users can only see messages sent after they have been

invited. No history is visible before that point.

shared – users must join the room to see the history, but they will only have access to it from the moment this visibility setting was defined.

world_readable – everyone can see the room history, even without joining it.

If you share information in a room set to “world_readable”, the information may be available to people outside the Matrix ecosystem and indexed by search engines through projects such as archive.matrix.org. Please ensure you check the settings of each room before participating and avoid sharing personal and/or confidential data in unencrypted rooms as much as possible.

In encrypted rooms, data is stored in our databases; however, the encryption keys are stored by you, solely on your devices. Users may optionally back up an encrypted copy of their keys to assist in the recovery process. This key backup is encrypted by a recovery key to which only the user has access. GALACTIKPERSPECTIVE cannot read the content of your messages in our database. If you lose access to your encryption keys, you will lose access to your messages forever.

We use HTTPS to transfer all data.

GALACTIKPERSPECTIVE is a data processor managing the homeserver. The hosting of most of the service is carried out in Google Cloud data centres. You can find Google Cloud’s privacy notice here: https://cloud.google.com/terms/cloud-privacy-notice

Some services are hosted in Hetzner data centres, which control physical access to their locations. You can find Hetzner’s privacy policy here: https://www.hetzner.com/legal/privacy-policy

We use Cloudflare to mitigate the risk of DDoS attacks. You can find Cloudflare’s privacy policy here: https://www.cloudflare.com/privacypolicy/

Partners for infrastructure management and development: Tetrapi, SA – https://tetrapi.pt/rgpd/

Video-conferencing services (hosted on our own infrastructure): Jitsi – https://jitsi.org/meet-jit-si-privacy/

We use secure private keys (FIDO2 sk-ecdsa-sha2-nistp256) when accessing servers via SSH and protect our passwords locally with a password management tool. We also enforce 2FA to access all services whenever possible.

6. Location Information

We may collect your location data if you choose to use the static or live location sharing features in the MiM application. This includes your longitude, altitude, and latitude data so that we can calculate your exact location.

Location data is kept within the room where it is shared; thus, it will be encrypted in rooms where encryption is active and unencrypted in rooms where encryption is disabled. The first time you use this feature, we suggest exercising the utmost consideration when sharing your personal data within the application.

MiM clients use a third-party service, namely MapTiler, to provide the imagery used to display maps.

7. Purpose and Legal Basis

The collection, processing, use, and disclosure of personal data provided by data subjects are strictly for the purposes set out in this document. GALACTIKPERSPECTIVE undertakes not to transmit, disclose, or make this data available to third parties not specified in this document, unless: it has obtained the explicit consent of the data subject; the transmission is carried out in compliance with a legal obligation; it complies with a court order or any other provision under the Law; or there is a legitimate interest on the part of GALACTIKPERSPECTIVE that is essential for the execution of statutory purposes strictly related to its contractual obligations inherent to its activity.

The processing of personal data constitutes indispensable evidence to formalise a service provision or execute a contract to which the data subject is or will become a party, justified by the nature of the functional relationship. Under no circumstances will the individual rights of the data subject be compromised. If consent is the legal basis for processing, the data subject has the right to withdraw their consent at any time. This right does not compromise the lawfulness of the processing carried out based on the consent previously given, nor the subsequent processing of the same data based on another legal ground.

8. Access to Personal Data

In order to process your requests, respond to your queries, and provide you with various tools, services, and materials through our communication channels, websites, applications, and platforms, we share your personal data with our internal employees whose roles require it, and with duly authorised external specialised service providers who perform functions on behalf of GALACTIKPERSPECTIVE. Access to personal data is exclusively for the purposes they are bound to fulfill. They may not use it for other practices beyond those described in this Privacy Policy and linked to bilateral agreements, in accordance with the General Data Protection Regulation.

In strict compliance with its legal duties, GALACTIKPERSPECTIVE may transfer data at the request of legal authorities within the scope of an investigation or inquiry, or, if justified, to respond to an emergency, detect and protect against fraud, or address any technical or security vulnerabilities.

In all the circumstances mentioned above, your consent for data processing will not be specifically requested, as it is implied by the authorisation previously granted.

In implementing the practices resulting from the Company’s Privacy Policy, authorisation levels for accessing personal data have been assigned to the departments, employees, and collaborators of GALACTIKPERSPECTIVE, referenced under their respective areas of intervention and competence.

9. Personal Data Retention Period

Your personal data will be stored for the period necessary to achieve the purpose for which it was collected and processed. It will be kept permanently in accordance with the provisions of the legal standards in force on the matter:

Within the scope of invoicing, your data will be kept for a period of 10 years due to legal requirements relating to tax authorities; The data stored on physical media is safeguarded through technical and organisational measures necessary for its proper protection; The data stored on computer systems is safeguarded by performing backups, and security measures taken to prevent unauthorised access to data include, notably, the use of firewalls, the installation of antivirus software, and the use of complex passwords. GALACTIKPERSPECTIVE undertakes to store identifiable data collected for specific purposes for the shortest possible time, after which measures will be taken to delete it permanently. To this end, personal data under its custody will be monitored and securely erased or, if justified, anonymised when the legal, institutional, or commercial obligation to retain it ceases.

10. Cookies

GALACTIKPERSPECTIVE uses automatic data collection systems such as cookies. These are small text files containing relevant information that your access device (computer, mobile phone, smartphone, or tablet) loads through the internet browser when a website is visited by the user. They fall into one of the following types:

Necessary – Necessary cookies help make a website usable by enabling basic functions like page navigation and access to secure areas of the website. The website may not function properly without these cookies;

Preferences – Preference cookies allow a website to remember information that changes the way the website behaves or looks, such as your preferred language or the region you are in;

Statistics – Statistic cookies help website owners understand how visitors interact with websites by collecting and reporting information anonymously;

Marketing – Marketing cookies are used to track visitors across websites. The intention is to display ads that are relevant and engaging for the individual user and thereby more valuable for publishers and third-party advertisers.

Only GALACTIKPERSPECTIVE has access to the information collected by cookies in order to optimize its services, websites, platforms, and applications for the user’s needs and preferences, and to ensure that these communication tools are personalized. Accepting our data collection procedures and the use of cookies is necessary to take advantage of the many features and services offered through our websites, including service bookings and product purchases. If you configure your browser to block or delete cookies, we cannot guarantee that you will have access to all the features and services offered through the websites designed for service provision and product sales.

11. Rights of the Personal Data Subject

As the data subject of your personal data, you are guaranteed a set of rights in relation to it and the way it is processed, which can be exercised at any time, namely:

Right to object: The data subject has the right to object, on grounds relating to their particular situation, at any time to the processing of personal data concerning them, including profiling under the General Data Protection Regulation;

Right to information: The data subject has the right to clear, simple, concise, transparent, intelligible, and easily accessible information. Furthermore, it is their prerogative to be informed about how their personal data is used, without prejudice to the clarification of rights legally granted under the Privacy Policy;

Right of access and rectification: The data subject has the right to access their personal data, to rectify any inaccuracies, and/or to complete it if it proves to be incomplete;

Right to data portability: The data subject has the right to receive the personal data concerning them which they have provided, in a structured, commonly used, and machine-readable format, and has the right to transmit those data to another controller, subject to the principles provided by law;

Right to erasure: Without prejudice to legal obligations, the data subject has the right to the erasure of their personal data, provided it is demonstrably requested from the controller. If you wish to erase your personal data, you must inform us, and we will take appropriate measures to respond to your request in accordance with legal requirements. If the personal data in our possession is no longer required for any purpose and we are not legally obliged to retain it, we will make our best efforts to permanently delete, destroy, or anonymise it;

Right to restriction of processing: The data subject has the right to restrict the processing of their personal data, without prejudice to the provisions of applicable legislation;

Right to lodge a complaint with a Supervisory Authority: The data subject has the right to lodge a complaint with any Supervisory Authority regarding the way their personal data is processed;

Right to withdraw consent: If you have given your consent to the use of your personal data, you have the right to withdraw it at any time (the withdrawal of consent does not affect the lawfulness of processing based on consent before its withdrawal). To do so, you must communicate your intention to us via the contacts listed below;

Rights related to automated decision-making: The data subject has the right not to be subject to a decision based solely on automated processing which produces legal effects concerning them or similarly significantly affects them. In particular, they have the right to obtain human intervention, express their point of view, obtain an explanation of the decision, and challenge it if they see fit.

12. Contacts

If you have any questions or concerns about this Privacy Policy regarding the collection and processing of data, you may contact the internal representative, Ricardo Santos, using the following details:

Rua de São Gonçalo, nº113, 9500-110 Ponta Delgada; Tel. +351 296240800; E-mail: rgpd@galactikperspective.pt

GALACTIKPERSPECTIVE will make every effort to respond in a timely manner to queries communicated to them regarding data protection and GALACTIKPERSPECTIVE’s Privacy Policy. Any additional information or advice regarding your rights can be obtained from the supervisory authority, which in Portugal is the National Data Protection Commission (Comissão Nacional de Proteção de Dados – CNPD), whose details are as follows:

Rua de São Bento, n.º 148 – 3.º, 1200-821 Lisboa;

Tel. +351 213928400;

Fax: +351 213976832;

E-mail: geral@cnpd.pt.

13. Privacy Policy Updates

GALACTIKPERSPECTIVE reserves the right to amend and regularly update this Privacy Policy, adopting the applicable procedures to best safeguard the superior interests of those who use our services. Whenever it does so, the update will be published in the news section of the GALACTIKPERSPECTIVE website, while previous versions of the Privacy Policy will naturally be kept on file so they can be consulted.