Privacy Policy

Last updated: 2026-04-20

What we collect

Account data: email address, optional display name, hashed password, subscription tier, created/updated timestamps, last-login timestamp. Usage data: count of replies generated per day (for rate limiting), last active timestamp, feature preferences. Viewer memory: the chat conversation snippets, notes you write about viewers, and AI-generated conversation summaries — stored on our server so the AI can recall them across sessions. Payment data: crypto transaction records, USDT wallet addresses (derived from a master HD wallet) associated with your subscription. Email verification tokens, password reset tokens.

What we do NOT collect

We do not record or store: your camera feed, microphone, screen contents, passwords for third-party platforms (Chaturbate, Stripchat, Fansly), browsing history outside supported platforms, IP addresses beyond basic rate-limit and abuse prevention logs, or any personally identifiable information beyond email. The browser extension reads chat text from the currently-active tab only, on supported platforms only.

How we use what we collect

Your chat snippets are sent to the xAI Grok API to generate reply variants. xAI may process these snippets per their own policies. We do not store chat content longer than necessary for operation, and we do not use it for training models. Viewer memory is stored per-user and never shared across accounts. Payment data is used only for subscription management.

Email communications

We send two types of email to the address on your account:

Account and transactional — email verification, password reset, payment confirmations, subscription expiry notices, and security alerts. These are required to operate your account safely and are sent whenever the corresponding event happens.
Product and service updates — occasional messages in the first few days after you sign up to help you get set up, plus notices when your plan, pricing, or the service itself changes in a way that affects you. Every message in this category carries a one-click unsubscribe link in its footer; unsubscribing takes effect immediately and stops all further messages of this kind.

We do not sell, rent, or share your email address with third parties for their marketing, and we do not place your address into any advertising audience. Our emails are sent from no-reply@galatea.chat via our email provider (see below).

Third parties

xAI (Grok API) — AI model provider. TronGrid (USDT payment verification). Brevo (transactional email delivery). Statbate Premium API (public viewer statistics enrichment — we query public cam-platform data, we do not share your data with them). All third-party requests are made from our server, never directly from the browser extension.

Data retention and deletion

Active-account data (email, subscription state, viewer profiles, conversation snippets, notes) is kept while your account is active. You can delete any individual viewer profile, conversation, or note from your dashboard at any time. Deleting the whole account removes associated personal data within 7 days, with these specific exceptions:

Usage counters (daily request totals for rate limiting) — purged automatically 90 days after the date they record.
Viewer conversation snippets — purged automatically 90 days after they were written, regardless of account status.
Payment records — retained as long as required by tax and accounting law in the applicable jurisdiction (typically 5-7 years). We retain only the minimum required: amount, date, subscription ID, and the crypto transaction reference.
Bounce and abuse signals — the email address of a bounced account is retained as a negative flag so a re-registration from the same address doesn't immediately re-send mail that previously bounced.

Uninstalling the browser extension removes all local extension data (JWT, settings, cached selectors) from your device immediately. For a full records-erasure request (GDPR Right to Erasure / CCPA Right to Delete), email support@galatea.chat; we remove everything not under a retention obligation, confirm in writing, and keep anything that law forces us to keep in the minimum form required.

Cookies and local storage

We use the smallest possible set of cookies:

Session cookies (galatea_jwt, galatea_admin) — HttpOnly, Secure, SameSite=Strict. Required to keep you signed in on the dashboard. Deleted on logout.
Attribution cookie (galatea_attr) — identifies the first campaign source that brought you to the site, so referral credit is assigned correctly. Not shared with any advertising network.
Product analytics — we use PostHog (EU cloud, Frankfurt) to measure aggregate feature usage and detect breakage. Its cookies are set through our server-side proxy at /ingest/*; events are pseudonymized and never sold, shared, or used for cross-site advertising.

The browser extension uses Chrome local storage (not cookies) for your login tokens and settings; nothing is set on third-party cam platforms. No advertising cookies, no fingerprinting, no cross-site tracking.

Legal basis for processing (EEA/UK)

If you are in the European Economic Area, the United Kingdom, or Switzerland, we process your personal data under these GDPR Article 6 bases:

Contract (Art. 6(1)(b)) — account creation, login, subscription billing, AI reply generation, and related operations required to deliver the service you signed up for.
Legitimate interest (Art. 6(1)(f)) — security and abuse prevention (rate limits, failed-login monitoring), product-improvement analytics on aggregate usage, and occasional lifecycle emails. You can object or unsubscribe at any time; where you do, we stop or minimize the corresponding processing.
Legal obligation (Art. 6(1)(c)) — retention of payment records for tax and accounting compliance.

Your GDPR rights — access, rectification, erasure, restriction, portability, objection, and withdrawal of consent where applicable — can be exercised by emailing support@galatea.chat. We respond within 30 days and do not charge for a reasonable request.

California residents (CCPA / CPRA)

If you are a California resident, you have these additional rights:

Right to know — the categories listed under "What we collect" and "What we do NOT collect" above are the complete picture.
Right to delete — from your dashboard, or by emailing support@galatea.chat.
Right to opt-out of sale and sharing — we do not sell or share your personal information for cross-context behavioral advertising. There is nothing for you to opt out of.
Right to correct — email support@galatea.chat with the correction.
Right to non-discrimination — exercising any of these rights does not affect your pricing, tier, or access to features.

We respond to verifiable California rights requests within 45 days.

Security

All traffic to our server is encrypted via HTTPS. Passwords are hashed with bcrypt. JWT tokens are short-lived (1 hour) with refresh tokens (30 days). We use rate limiting and brute-force protection on login endpoints. We do not store credit card details — all card payments (if available) are handled by external payment processors.

Contact

Questions about this policy or your data: @galatea_owner on Telegram or email support@galatea.chat.

Age restriction

Galatea is a text tool for adult performers. You must be 18 years or older to use this service, and you confirm you are of legal age in your jurisdiction.