Privacy Policy and Data Rights Statement

Preamble

This Website is an online environment, operating under the domain names galry.net and galry.art, together with all associated subdomains, interfaces, applications, and services, whether accessed through web browsers, mobile devices, APIs, or any other medium, is owned, created, operated, and administered by Moka (Mueed ul Haq Qazi, also known as Moeed U. Q., Esq.). It is being used by the First Party to the Terms and Conditions under license. We believe that privacy is not merely a legal obligation but a matter of respect for every individual who interacts with this environment.

This statement explains how the said First Party collects, processes, and safeguards your personal data and sets out your rights in a clear, transparent, and principled manner. This approach aligns with global standards, including the EU General Data Protection Regulation (GDPR) and other international privacy laws, ensuring your data is handled lawfully, responsibly, and respectfully.

—

1. Scope and Purpose

• This Privacy Policy applies to all visitors, users, buyers, and licensees who access, interact with, or use services within this online environment. It covers data collected across all associated domains, subdomains, applications, interfaces, and services, whether accessed via web browser, mobile device, API, or any other medium.

1. Definitions

• Capitalised terms used in this policy have the meanings assigned to them in the Terms and Conditions, unless otherwise defined herein.

1. Legal Basis and Compliance

• Your personal data is processed in accordance with applicable law, including the EU General Data Protection Regulation (GDPR), UK GDPR, CCPA, and other relevant regulations. The lawful basis for each category of processing is as follows:
• Contractual necessity: The majority of processing described in this policy is carried out because it is necessary to perform our obligations to you under the Terms and Conditions. This includes account creation and management, order processing, payment handling, delivery and fulfillment, identity verification, licensing administration, KYC and AML screening, and the disbursement of publishing proceeds. This basis applies from the moment you create an account and does not require separate consent.
• Legal compliance: Certain processing is required to fulfill obligations imposed by applicable law or regulatory authorities, including tax reporting, anti-money laundering and sanctions compliance, and responses to lawful requests from courts, regulators, or law enforcement agencies.
• Legitimate interests: Some processing is carried out on the basis of the legitimate interests of the First Party and the Administrator, where those interests are not overridden by your rights and freedoms. This includes fraud detection and prevention, account security monitoring, and the improvement of Website functionality and user experience. See the Legitimate Interests Assessment at the end of this policy.
• Consent: We rely on consent as a lawful basis in two specific and limited circumstances only:
  • Marketing communications: If you choose to subscribe to promotional emails or updates by submitting your email address via the designated subscription form on the Website, we will process your email address for that purpose on the basis of your consent. You may withdraw this consent at any time by clicking the unsubscribe link in any communication or by contacting us at assistance@galry.net. Withdrawal of consent will not affect the lawfulness of any processing carried out before withdrawal.
  • Non-essential cookies and third-party embedded content: We do not load non-essential cookies or third-party embedded content — including YouTube videos and Pinterest iframes — until you have actively accepted the cookie consent banner displayed on the Website. Your acceptance constitutes valid consent for that processing. You may withdraw this consent at any time by clearing your browser cookies and declining consent upon your next visit, or by adjusting your browser settings.
• No other processing described in this policy relies on consent as its lawful basis. Where processing is necessary for contractual, legal compliance, or legitimate interests purposes, it will continue regardless of whether you have subscribed to marketing communications or accepted non-essential cookies.

1. Information We Collect

• We collect personal information necessary to provide services, protect accounts, and comply with legal obligations. This includes:
  • Account data: Name, email address, phone number, billing and shipping details.
  • Transactional data: Payment information (processed by authorized third parties), transaction history, and delivery information.
  • Technical data: IP addresses, device and browser details, cookies, and usage data.
  • Optional submissions: Feedback, inquiries, and communications with the Administrator or the Accounts and Assistance Desks.
• Note: Payment card details are collected and stored only by authorized third-party processors, not by the Administrator or the First Party.

1. Use of Personal Data

• We use your data to:
  • Verify identity and prevent fraud.
  • Process registration, orders, payments, and deliveries.
  • Maintain and secure your account.
  • Provide IP rights clearance, copyright licensing, and related services.
  • Respond to queries, requests, or feedback.
  • Comply with legal obligations and enforce Terms and Conditions.
  • Protect the legitimate interests of the First Party, the Administrator, and users.
  • Personalize communications and improve services.

1. Disclosure of Personal Data

• The Administrator and the First Party prioritize confidentiality. Data is shared only when necessary, under secure and controlled conditions:
  • Courts, tribunals, arbitrators, regulators, law enforcement, insurers, and legal advisers.
  • Logistics partners, customs agents, and delivery providers.
  • Payment processors, card networks, banks, and financial institutions for transactional purposes.
  • Authorized risk assessment and fraud prevention providers.
  • Other recipients with your consent or where legally required.
• The name of a licensee-publisher is disclosed to other users where it appears in connection with a Publishing Activity or a Publication Offer. This disclosure is necessary for the proper operation of the licensing and publishing framework established under the Terms and Conditions — specifically, to identify the Publishing and Accepting parties and to enable users to verify the legitimacy of Publishing Activities and Publication Offers. The lawful basis for this processing is contractual necessity, as the identification of Publishers and Acceptors is an integral and inseparable part of the publishing arrangement to which all licensees are party.

1. Security and Data Protection

• The First Party and the Administrator implement commercially reasonable technical, administrative, and organizational measures to protect personal data. These include:
  • Encrypted storage and transmission using SSL/TLS.
  • Account security via user-generated passwords.
  • Controlled access to personal data by authorized personnel.
• No method of transmission over the internet can be guaranteed perfectly secure; you transmit data at your own risk.

1. Data Retention and International Data Transfers

• We retain personal data only for as long as is necessary to fulfil the purpose for which it was collected, to perform our obligations under the Terms and Conditions, and to comply with applicable legal, regulatory, accounting, and reporting requirements. The following indicative retention periods apply to the main categories of personal data we process:
  • Account data — retained for the duration of your active account, and for a period of three (3) years following account closure or deletion. This period reflects the clawback and recoupment window under the Terms and Conditions and ensures we can respond to any disputes, regulatory enquiries, or legal claims arising after account closure.
  • Transactional data — retained for a period of seven (7) years from the date of the relevant transaction. This period is determined by applicable tax, accounting, and financial reporting obligations in the jurisdictions in which we operate, which typically require financial records to be maintained for this duration.
  • KYC and AML records — retained for a period of five (5) years from the date of verification, or from the date of the last transaction to which the verification relates, whichever is later. This period is determined by anti-money laundering regulations applicable in the relevant jurisdictions.
  • Licensing and publishing records — retained for the duration of the relevant Extended License and for a period of seven (7) years thereafter. This period reflects the potential for disputes, royalty claims, or regulatory enquiries arising from publishing activity.
  • Technical data — including IP addresses, device identifiers, login records, and session data — retained for a period of twelve (12) months from the date of collection, unless retained for longer in connection with a specific security investigation or legal proceeding.
  • Marketing data — email addresses collected via the subscription form are retained for as long as your subscription remains active. Upon unsubscription, your email address will be removed from our marketing list within thirty (30) days.
  • Cookie and analytics data — retained in accordance with the cookie lifespan disclosed in the cookie consent banner. Aggregated or anonymised analytics data from which you cannot be identified may be retained indefinitely.
  • Correspondence and support records — including communications with the Acquisitions Desk, Accounts Desk, and Assistance Desk — retained for a period of three (3) years from the date of the last communication, to enable us to respond to any follow-up enquiries or disputes.
• Where a legal claim, regulatory investigation, or dispute is commenced or reasonably anticipated before the expiry of the applicable retention period, the relevant data will be retained until that matter is fully resolved, after which it will be deleted or anonymised promptly.
• You may request permanent deletion of your account and associated personal data via Account > Security > Delete all personal data. Deletion requests are processed within forty-eight (48) hours of confirmation. Please note that deletion requests cannot override our obligation to retain data where required by law or where retention is necessary to protect our legitimate legal interests in connection with an ongoing or anticipated dispute.
• The Website is hosted on servers located in the United States of America. As a result, personal data collected through the Website is transferred to and stored in the United States as a matter of course. Additionally, personal data may be transferred to other countries outside the European Economic Area (EEA) and the United Kingdom in connection with the third-party services and partners described below. The First Party is committed to ensuring that all such transfers are carried out in accordance with applicable data protection law, including Chapter V of the EU GDPR and the equivalent provisions of UK GDPR.
  • Hosting and infrastructure: Personal data is stored on servers located in the United States. The hosting provider is subject to data processing terms that incorporate Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an appropriate safeguard for the transfer of personal data from the EEA and the UK to the United States.
  • Payment processing: Personal data necessary for payment processing is currently handled by a payment processor located in Pakistan. Pakistan is not currently the subject of an adequacy decision by the European Commission or the UK Information Commissioner’s Office. Transfers to the payment processor are therefore carried out on the basis of Standard Contractual Clauses or other appropriate safeguards as required by applicable law. In the future, payment processing may be transitioned to a US-based processor, in which case this section will be updated accordingly. Users will be notified of any material change to payment processing arrangements in accordance with Section 12 of this policy.
  • Logistics and fulfillment partners: To fulfill physical orders, personal data including name, shipping address, and order details may be transferred to logistics and fulfillment partners located in various jurisdictions, including but not limited to North America, Europe, and Asia. Each logistics partner is selected in part on the basis of their ability to handle personal data in accordance with applicable data protection law. Where a partner is located outside the EEA or UK and no adequacy decision applies, transfers are carried out on the basis of Standard Contractual Clauses or equivalent safeguards. A current list of logistics partners and the applicable transfer mechanisms is available on request by contacting assistance@galry.net.
  • Analytics: The Website intends to implement Google Analytics, a web analytics service provided by Google LLC, which is located in the United States. Google Analytics processes technical and usage data including IP addresses, device identifiers, and browsing behaviour for the purpose of generating aggregated reports on Website performance and user interaction. Google LLC participates in the EU-US Data Privacy Framework, which has been recognised by the European Commission as providing an adequate level of protection for personal data transferred from the EEA to participating organisations in the United States. For UK transfers, Google LLC relies on Standard Contractual Clauses. IP anonymisation will be enabled to minimise the personal data transmitted to Google. For further information on how Google processes data, please refer to Google’s privacy policy at policies.google.com/privacy. This section will be updated when Google Analytics is activated on the Website.
  • General safeguard: Where no adequacy decision exists in respect of a recipient country, and where Standard Contractual Clauses are used as the transfer mechanism, the First Party has carried out or will carry out a transfer impact assessment to ensure that the level of protection afforded to personal data in the recipient country is not materially lower than that guaranteed within the EEA and the UK. Copies of applicable Standard Contractual Clauses are available on request by contacting assistance@galry.net.

1. Your Rights

• Depending on your jurisdiction, you may have rights in respect of your personal data under applicable law. The following rights are recognised and respected by the First Party regardless of where you are located, to the extent they are available to you under the laws of your jurisdiction:
  • Access: You have the right to request a copy of the personal data we hold about you and to be informed of how it is being processed.
  • Correction: You have the right to request that inaccurate or incomplete personal data be corrected or completed without undue delay.
  • Deletion: You have the right to request the deletion of your personal data where it is no longer necessary for the purposes for which it was collected, where you have withdrawn consent and no other lawful basis applies, or where applicable law otherwise requires deletion. This right is subject to our legal obligations to retain certain data as described in Section 8.
  • Restriction: You have the right to request that we restrict the processing of your personal data in certain circumstances — for example, where you contest the accuracy of the data or where you have objected to processing pending verification of our legitimate grounds.
  • Objection: You have the right to object to processing carried out on the basis of legitimate interests. We will cease such processing unless we can demonstrate compelling legitimate grounds that override your interests, rights, and freedoms, or where processing is necessary for the establishment, exercise, or defence of legal claims.
  • Portability: Where processing is carried out by automated means on the basis of your consent or contractual necessity, you have the right to receive your personal data in a structured, commonly used, and machine-readable format, and to transmit it to another controller where technically feasible.
  • Withdrawal of consent: Where processing is based on your consent, you have the right to withdraw that consent at any time without affecting the lawfulness of processing carried out before withdrawal.
  • Non-discrimination: Where applicable law provides this right — including under the California Consumer Privacy Act (CCPA) — you have the right not to be discriminated against for exercising any of your privacy rights.
  • Opt-out of sale or sharing: We do not sell or share your personal data for commercial purposes. If this practice ever changes, you will be notified and given the opportunity to opt out in accordance with applicable law, including the CCPA.
• The following additional notes apply:
  • EEA and UK users have the rights described above under the EU GDPR and UK GDPR respectively, which are substantively identical in their current form.
  • California residents have the rights described above under the CCPA, including the right to know, the right to delete, the right to correct, and the right to opt out of the sale or sharing of personal data.
  • Users in other jurisdictions — including but not limited to Brazil (LGPD), Canada (PIPEDA), Australia (Privacy Act), and other jurisdictions with applicable privacy legislation — are entitled to exercise equivalent rights available to them under their local law. The First Party will respond to all such requests in good faith and in accordance with applicable requirements.
• To exercise any of the rights described in this section, please contact us at assistance@galry.net. We will respond to all requests within thirty (30) days of receipt. Where a request is complex or numerous, this period may be extended by a further two (2) months, in which case we will notify you of the extension and the reasons for it within the initial thirty-day period.
• Where you believe your data protection rights have been violated, you have the right to lodge a complaint with the supervisory authority in your jurisdiction. EEA users may contact their national data protection authority. UK users may contact the Information Commissioner’s Office (ICO) at ico.org.uk. Users in other jurisdictions may contact their equivalent national authority.

1. Automated Decision-Making

• The Website does not employ fully automated decision-making or profiling that produces legal or similarly significant effects. All processes are supervised and subject to human oversight.

1. Cookies and Tracking

• We use essential cookies for account functionality, analytics, and performance improvements. You may manage or disable cookies via your browser settings. Third-party services may also set cookies; their use is subject to their own policies.

1. Changes to this Privacy Policy

• Updates will be communicated via email and/or public announcements on the Website. Continuing use of the Website after such updates constitutes consent to the revised policy. If you do not agree, you may withdraw your consent or cease using the Website.

Legitimate Interests Assessment

This assessment is maintained in accordance with Article 6(1)(f) of the EU General Data Protection Regulation (GDPR) and equivalent provisions under UK GDPR. It documents the basis on which the First Party and the Administrator rely on legitimate interests as a lawful basis for certain processing activities.

• Activity 1: Fraud Detection and Prevention

• • • Interest being pursued: The First Party and the Administrator have a legitimate interest in detecting and preventing fraudulent activity on the Website, including unauthorised account access, payment fraud, identity misrepresentation, and abuse of the licensing and publishing framework.
    • Necessity of processing: This processing is necessary to protect the integrity of the Website, the financial interests of the First Party, the Administrator, and other users, and to comply with applicable financial crime prevention obligations. It cannot be achieved by less intrusive means without materially undermining its effectiveness.
    • Balancing exercise: Users have a reasonable expectation that a platform handling financial transactions and publishing rights will monitor for fraud and abuse. This processing does not involve sensitive personal data beyond what is already collected for contractual purposes. The impact on users who are not engaged in fraudulent activity is minimal. The interests of the First Party and the Administrator in maintaining a secure and trustworthy environment are not overridden by the privacy interests of users in this context.
    • Conclusion: Legitimate interests prevail. Processing is proportionate and necessary.

• Activity 2: Account Security Monitoring

• • • Interest being pursued: The First Party and the Administrator have a legitimate interest in monitoring account activity to detect unauthorised access, suspicious login patterns, and potential security breaches, in order to protect users’ accounts and the integrity of the Website.
    • Necessity of processing: Security monitoring requires the processing of technical data including IP addresses, device identifiers, login timestamps, and session data. This processing cannot be replaced by less intrusive means without leaving accounts and user data materially less secure.
    • Balancing exercise: Users have a direct and reasonable expectation that their accounts will be protected against unauthorised access. This processing is carried out for the benefit of users as much as for the First Party and the Administrator. The data processed is technical in nature and is not used for any purpose beyond security. The privacy impact on users is low relative to the security benefit provided.
    • Conclusion: Legitimate interests prevail. Processing is proportionate and necessary.

• Activity 3: Improvement of Website Functionality and User Experience

• • Interest being pursued: The First Party and the Administrator have a legitimate interest in understanding how users interact with the Website in order to identify technical issues, improve navigation and usability, and ensure the Website functions effectively across devices and browsers.
  • Necessity of processing: This processing involves the collection and analysis of aggregated or pseudonymised usage data, including page visits, interaction patterns, error logs, and performance metrics. It cannot reasonably be carried out without some processing of technical user data.
  • Balancing exercise: Users benefit directly from improvements to Website functionality and performance. The data processed for this purpose is technical and aggregated where possible, and is not used to build individual profiles or make decisions about users. Users retain the right to object to this processing at any time. The privacy impact is low and the benefit to the overall user experience is meaningful.
  • Conclusion: Legitimate interests prevail. Processing is proportionate and necessary.

General Safeguards Applicable to All Three Activities

• The following safeguards apply across all legitimate interests processing:
  • Data is retained only for as long as necessary for the relevant purpose.
  • Access is restricted to authorised personnel only.
  • Data is not shared with third parties except as described in Section 6 of this policy.
  • Users retain the right to object to legitimate interests processing at any time by contacting assistance@galry.net, and the First Party will cease that processing unless compelling legitimate grounds exist that override the user’s interests, rights, and freedoms.
  • This assessment will be reviewed and updated whenever a new legitimate interests processing activity is introduced or existing activities materially change.

Data Controller Identity and Contact Information

• The data controller responsible for your personal data in connection with this Website is:
  • Moka (Mueed ul Haq Qazi, also known as Moeed U. Q., Esq.)
  • Office address: 19 Ayub Lawyers Plaza, District Bar Compound, Abbottabad, Khyber Pakhtunkhwa, Pakistan.
  • Email: assistance@galry.net
• For questions, requests, complaints, or the exercise of any data rights described in this policy, please contact the data controller at the above address or email.
• All formal legal correspondence must be directed to the postal address above.