PRIVACY POLICY
Your privacy at Re:Galia
Who we are
Re:Galia is the official second-hand marketplace for Galia Lahav couture. This Privacy Policy is issued by GALIA LAHAV ONLINE INC, a corporation registered in New York, USA, with its registered office at 155 Wooster Street, New York, NY 10012, United States ("Re:Galia", "we", "us", "our").
For the purposes of the EU General Data Protection Regulation ("GDPR"), the UK Data Protection Act 2018, the California Consumer Privacy Act ("CCPA"), and Israel's Protection of Privacy Law, 5741-1981, Re:Galia is the data controller of personal data processed through regalia.galialahav.com (the "Service") and the related mobile and email touchpoints.
For privacy questions, requests, or complaints, write to customerservice@galialahav.com and a member of our team will respond.
What personal data we collect
We collect personal data in three ways: what you give us directly, what we collect automatically when you use the Service, and what we receive from the third parties listed in section 4.
Information you give us directly
- Account data: email address, password (stored only as a hash we cannot reverse), display name, phone number, avatar image.
- Listing data (sellers): gown measurements, condition notes, photos, asking price, city and country for shipping origin.
- Transaction data: shipping address, billing address, payment card details (handled by Stripe — we never see or store your card number; Stripe returns us a token and the last four digits).
- Communication data: messages you send to other users, messages you send to our support team, the content of any dispute claims you submit.
- Identity verification data: in limited cases, we may ask sellers to verify their identity (for example, for high-value consignments). This is held by a third-party verification provider and deleted from our records after verification.
- Marketing preferences: whether you've agreed to receive promotional email.
Information we collect automatically
- Technical data: IP address, device identifiers, browser type and version, operating system, referring URL, pages viewed, timestamps, crash logs.
- Session cookies: used to keep you logged in and to protect against cross-site request forgery. See our Cookies Policy.
- Rate-limiting data: brief records of authentication attempts and upload counts, keyed by IP address, kept for up to 24 hours to prevent abuse.
Information from third parties
- If you sign in with Google, we receive your name, email address, and profile picture from Google. We do not receive your Google password.
- Our catalogue of original Galia Lahav gowns is synced from the Galia Lahav stockist system — this contains product information only, not personal data.
Legal bases for processing (EEA/UK visitors)
Under the GDPR we process personal data only where we have a lawful basis to do so:
- Performance of a contract — account creation, listing management, processing orders, handling messages between buyers and sellers, running disputes. Without this data we cannot provide the Service.
- Legitimate interests — protecting the Service against fraud and abuse, preventing credential-stuffing attacks via rate limiting, monitoring errors through Sentry to keep the site working, analysing aggregate usage to improve the Service.
- Consent — sending marketing emails, setting analytics or marketing cookies, storing non-essential preferences. You can withdraw consent at any time by updating your cookie settings or email preferences from the dashboard.
- Legal obligation — keeping tax records for completed sales, responding to lawful requests from courts or regulators, complying with anti-money-laundering requirements where applicable.
- Vital interests — in rare cases, to protect someone's life (e.g. a credible threat in a conversation).
Who we share your data with
We share data only with the services listed below, each of which acts as a processor under our instruction. None of these providers use your data for their own purposes beyond running the service we've contracted them for.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase (Supabase Inc.) | Database, authentication, file storage, realtime messaging | All account, listing, order, and message data | EU / US (configurable) |
| Vercel (Vercel Inc.) | Web hosting and content delivery | IP address, request metadata | US (EU edge regions for delivery) |
| Google LLC | OAuth sign-in (only if you choose Google login) | Email, name, profile picture | US |
| Kustomer (Meta Platforms, Inc.) | Customer support conversations and CRM | Name, email, message contents with support | US |
| Amazon Web Services (Amazon.com, Inc.) | Transactional email delivery via AWS Simple Email Service (SES) | Email address, email body | US / EU (regional) |
| Upstash (Upstash, Inc.) | Rate limiting | IP address, timestamps | EU / US |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | IP address, browser data, stack traces, breadcrumbs (scrubbed of PII) | US |
| Stripe (Stripe Payments UK Ltd / Stripe Inc.) | Payment processing for orders | Name, email, billing address, card details (tokenised) | US / EU / UK |
| Cloudflare (Cloudflare, Inc.) | DDoS protection, CDN (via Vercel) | IP address, request metadata | Global edge |
We do not sell personal data to third parties. We do not share personal data with advertisers. If we add any new processor, we will update this list and notify users where legally required.
International data transfers
Some of our processors operate outside the European Economic Area, the United Kingdom, or Israel. Where personal data is transferred to a country that the relevant authority has not recognised as providing adequate protection, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, the UK International Data Transfer Agreement, or the equivalent safeguards under Israeli law. Copies of the relevant SCCs are available on request from customerservice@galialahav.com.
How long we keep your data
| Data category | Retention period |
|---|---|
| Active account data | For as long as your account is open |
| Account data after deletion | 30 days in a soft-deleted state (to allow account recovery), then permanently deleted |
| Listings, after delisting | 90 days (to resolve any disputes), then anonymised |
| Orders and transaction records | 7 years (tax and accounting requirements) |
| Messages | For as long as both participants have the conversation in their dashboard; deleted 90 days after either party closes it |
| Support conversations (Kustomer) | 3 years from closure |
| Server logs and rate-limit records | 30 days |
| Analytics data (aggregated) | 26 months |
| Crash/error logs (Sentry) | 90 days |
| Marketing consents | Until withdrawn, plus 3 years for proof of consent |
When the retention period expires, we either permanently delete the data or anonymise it so it can no longer be linked to you.
Your rights
Depending on where you live, you have some or all of the following rights over your personal data:
- Access — ask for a copy of the personal data we hold about you.
- Rectification — ask us to correct data that's wrong or incomplete.
- Erasure ("right to be forgotten") — ask us to delete your data where we no longer have a lawful basis to keep it.
- Restriction — ask us to stop processing your data in certain situations.
- Portability — get a machine-readable copy of the data you provided to us, to send to another service.
- Objection — object to processing based on legitimate interests, including marketing.
- Withdraw consent — at any time, without affecting the lawfulness of processing before withdrawal.
- Not be subject to automated decision-making — we do not make decisions about you by automated means that have legal or significant effects.
California residents have additional rights under the CCPA, including the right to know what categories of personal information we collect, the right to delete personal information (subject to exceptions), and the right to non-discrimination for exercising any of these rights. We do not sell personal information and have not done so in the past 12 months.
To exercise any of these rights, email customerservice@galialahav.com. We will respond within 30 days (or the timeframe required by your local law, whichever is shorter). We may ask you to verify your identity first.
If you are unhappy with how we handle your request, you can complain to your local data protection authority. In the EU, this is the supervisory authority in your country of residence. In the UK, the Information Commissioner's Office (ico.org.uk). In Israel, the Privacy Protection Authority. In California, the California Attorney General.
How we protect your data
- All traffic is encrypted in transit (TLS 1.2+, HSTS preloaded).
- Data at rest is encrypted by our database and storage providers.
- Passwords are hashed using industry-standard algorithms; we never store them in plaintext.
- Access to production systems is limited to authorised team members, uses multi-factor authentication, and is logged.
- We run security reviews on every release and have third-party-verified security headers (Mozilla Observatory grade A+).
- Uploaded photos have location metadata (EXIF) stripped automatically before storage, so your home address is not published in an image file.
No system can be guaranteed 100% secure. If we ever become aware of a personal data breach that affects you, we will notify you and the relevant authorities within 72 hours of discovery, as required by law.
Children's privacy
Re:Galia is not intended for use by anyone under 18. We do not knowingly collect data from children. If you believe a child has registered, please contact customerservice@galialahav.com and we will delete the account.
Changes to this policy
We may update this policy from time to time. When we do, we will update the "Last updated" date at the top of the page and, for material changes, notify registered users by email at least 14 days before the change takes effect. Continued use of the Service after the change means you accept the updated policy.
A dated archive of previous versions is available on request at customerservice@galialahav.com.
Contact
Privacy questions and requests
customerservice@galialahav.com
155 Wooster Street, New York, NY 10012, United States
Lodge a complaint
You have the right to complain to your local data protection authority at any time. We would appreciate the chance to address your concerns first — please write to us before you escalate.