Platform Privacy Policy

GAIA Global AS

In this Privacy Policy (“Policy”), references to “We”, “Us” or “Our” mean GAIA Global AS, whose registered address is Slettebakksveien 38, Bergen, Norway. This Privacy Policy shall govern Our use of any Personal Information collected by Us concerning your use of GAIA (“Platform”). The use of information collected through the Platform shall be limited to the purposes under this Policy. GAIA Global AS understands that your privacy is important to you and that you care about how your personal and non-personal information is used and shared online. We respect and value the privacy of everyone who visits Our Site and will only collect and use information in ways that are useful to you and in a manner consistent with your rights and obligations under the law. Please read this Privacy Policy carefully and ensure that you understand it. If you have any questions regarding the Privacy Policy, the practices of the Platform or your dealings with the Platform, you may contact us at info@gaia.global.

GAIA may act as:

  • Data Processor, when processing Personal Information on behalf of Our customers (the Data Controllers) through the Platform, and

  • Data Controller, with respect to Personal Information We collect directly for Our own business operations (e.g., website usage, billing, account management, direct communications, and compliance purposes).

GAIA is never the “owner” of Personal Information and never asserts ownership rights over Customer Data.

If you have questions about this Policy or Your Data Protection Agreement (“DPA”), please contact: info@gaia.global.

1. Introduction

1.1. This Policy applies to Our processing of your Personal Information when you access or use the Platform, as well as when We process customer data on behalf of Our clients.

1.2. This Policy applies to visitors, customers, end-users, representatives, and other individuals interacting with the Platform.

1.3. This Policy applies exclusively to the GAIA website and Platform and does not extend to external websites or services linked from Our Site.

1.4. GAIA is not responsible for how external websites collect, store, or process your data. You should review their privacy policies before submitting information.

2. Definition and Interpretation

“Account”: means an account required to access and/or use certain areas and features of Our Site;

“Controller” and “Processor”: Defined under GDPR Articles 4(7) and 4(8).
GAIA may act as either Controller or Processor depending on the processing activity.

“Cookie” / “Local Storage Technologies”: means a small text file placed on your computer or device by Our Site when you visit certain parts of Our Site and/or when you use certain features of Our Site. Details of the Cookies used by Our Site are set out in section 12, below;

“Platform”: The GAIA PRM web application.

“Personal Information” / “Personal Data”: means any information relating to an identified or identifiable natural person;

“Processing”: means any operation or set of operations which is performed on Personal Information or sets of Personal Information, whether by automated means, such as collection, recording, structuring, storage, organization, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Services”: Services provided by GAIA through the Platform.

“Subprocessors”: Third-party service providers engaged by GAIA to process Personal Information on Our behalf.

“We/Us/Our”: means GAIA Global AS, whose registered address is Slettebakksveien 28, Bergen, Norway.

3. Personal Identification Information We Collect

3.1. GAIA collects Personal Information that users voluntarily submit when interacting with the website, creating accounts, subscribing to communications, or using the Platform.

This may include:

  • Name

  • Email address

  • Telephone number

  • Profile and login information

  • Company information

  • Billing details (where applicable)

3.2. GAIA acts as Controller only for Personal Information that We collect for Our own business purposes.

4. Non-personal Identification Information We Collect

4.1. When customers upload, input, or integrate Personal Information into the Platform (e.g., partner data, contact lists, workflow-related information), the customer is the Data Controller, and GAIA acts solely as a Data Processor.

4.2. GAIA processes such Customer Data strictly according to the DPA and the customer’s documented instructions.

4.3. GAIA never determines the purposes or means of processing Customer Data.

5. Non-Personal Identification Information

5.1. GAIA may collect certain device and technical metadata, such as browser information, operating system, device identifiers, and network information.

5.2. Such information does not identify the user directly and is used to maintain and improve the Platform.

6. Purposes and Legal Bases for Processing

GAIA processes Personal Information for the following purposes and under the following legal bases:

As Controller (GDPR):

  • Performance of a Contract: Account creation, billing, support, and delivery of the Platform.

  • Legitimate Interests: Platform analytics, fraud prevention, service improvement, and security monitoring.

  • Consent: When required for marketing communications or non-essential cookies.

When applicable under the LGPD:

  • GAIA relies on the LGPD bases of execution of contract, legitimate interest, and consent, depending on the processing activity.

As Processor:

Processing is governed by the DPA and performed only under the Controller’s instructions, per GDPR Art. 28.

7. How GAIA Uses Personal Information

GAIA may use Personal Information to:

  • Respond to communications

  • Provide and maintain the Platform

  • Customize user experience

  • Improve product design and performance

  • Conduct internal analytics

  • Contact users for updates or marketing (only with proper consent or lawful basis)

GAIA does not sell Personal Information.

8. Data Retention Period

8.1. GAIA retains Personal Information only for as long as necessary for the purposes described in this Policy, including compliance, dispute resolution, fraud prevention, and contractual obligations.

8.2. Customer Data processed as Processor is retained in accordance with the contractual terms and the Controller’s instructions.

8.3. Upon termination, Customer Data is deleted or returned as required under the DPA.

9. Data Security

9.1. GAIA implements appropriate technical and organizational measures (TOMs), including encryption, access controls, authentication mechanisms, and secure deployment practices.

9.2. No internet-based system is completely secure, and users should take reasonable precautions when transmitting data.

9.3. Your Personal Information is extremely important to us. We use appropriate technical and organizational measures to protect the Personal Information that We collect and Process. The measures We use are designed to provide a level of security appropriate to the risk of Processing your Personal Information. If you have questions about the security of your Personal Information, please contact Us immediately as described in this Policy.

9.4. Notwithstanding the security measures that We take, it is important to remember that the transmission of data via the Internet may not be completely secure and that you are advised to take suitable precautions when transmitting data to Us via the Internet.

10. Disclosure of Information

10.1. Subprocessors (Processors engaged by GAIA)

GAIA may share Personal Information with third-party service providers essential for operating the Platform (e.g., hosting, authentication, analytics).

A current list of Subprocessors is maintained publicly or made available upon request.

10.2. Intra-group transfers

Where applicable, GAIA may share data with affiliated entities.

10.3. Legal Obligations

GAIA may disclose Personal Information to comply with lawful requests from courts or regulatory authorities.

10.4. Business Transactions

If GAIA undergoes a merger or acquisition, Personal Information may be transferred as part of that transaction.

11. Children’s Privacy

GAIA does not knowingly collect Personal Information from children under 16.

12. International Transfers

12.1. Personal Information may be stored or processed outside the EEA. GAIA ensures adequate safeguards using:

  • Standard Contractual Clauses (SCCs)

  • Adequacy decisions

  • Additional contractual and security safeguards

12.2. When applicable, LGPD cross-border transfer rules are also observed.

13. Cookies and Local Storage Technologies

The Platform uses Cookies, LocalStorage, IndexedDB, and other similar technologies to:

  • Maintain user sessions

  • Enable authentication

  • Support essential platform functionality

  • Improve performance

Non-essential cookies (if any) will be subject to user consent mechanisms compliant with GDPR and ePrivacy Directive.

14. Clause – Confidentiality (Adapted Version for Terms of Service)

“Confidential Information” shall mean any and all information, data, documents, or materials disclosed by one Party (“Disclosing Party”) to the other Party (“Receiving Party”) in the context of the performance of these Terms of Service, whether disclosed in written, verbal, electronic form or by any other means.

For the purposes of these Terms, the following shall be deemed Confidential Information, without limitation:

a) commercial, strategic, or operational information, including but not limited to: price tables, profit margins, targets, commercial policies, sales strategies, performance reports, negotiation conditions, and contractual instruments;

b) data related to clients, potential clients, suppliers, or commercial partners, such as lists, contacts, purchase history, contracted volumes, or commercial preferences;

c) financial information, internal data, market planning, and internal policies;

d) technical knowledge (know-how), methodologies, processes, training materials, marketing materials, trade secrets, and any internal documents made available during the term of these Terms;

e) any other information that, by its nature or the circumstances of its disclosure, should reasonably be treated as confidential.

Receiving Party’s Obligations

The Receiving Party agrees to:

  1. maintain the strictest confidentiality regarding all Confidential Information it accesses;

  2. not disclose, reveal, transfer, or make such information available to third parties, except with the prior and express authorization of the Disclosing Party;

  3. not use the Confidential Information for any purpose other than the performance of these Terms;

  4. apply the same degree of care used to protect its own confidential information, never less than a reasonable standard of care;

  5. restrict access to the Confidential Information solely to its employees, agents, representatives, or subcontractors who need such information to fulfill these Terms, ensuring that such persons are bound by confidentiality obligations equivalent to those herein.

Exceptions

Information shall not be deemed Confidential Information if it:

a) is in the public domain at the time of disclosure or becomes public without breach of these Terms;
b) is already lawfully in the possession of the Receiving Party, as evidenced by documentation;
c) is lawfully obtained from a third party not bound by a duty of confidentiality;
d) is required to be disclosed pursuant to law, regulation, or court order, limited to what is strictly necessary, provided that the Receiving Party gives prior notice to the Disclosing Party, when possible, so that protective measures may be sought;
e) consists of training materials or documents that cease to be confidential by express decision of the Disclosing Party.

Return, Destruction, and Archiving

Upon termination or expiration of these Terms, the Receiving Party shall, immediately or upon request of the Disclosing Party:

a) return all documents, media, files, materials, or copies containing Confidential Information; or
b) securely destroy all Confidential Information and provide written confirmation of such destruction to the Disclosing Party.

Notwithstanding the foregoing, the Disclosing Party authorizes the Receiving Party to retain archived copies of Confidential Information solely for the purpose of complying with legal, tax, regulatory, or auditing obligations, or for the protection of rights arising from these Terms. Such archived information shall remain protected under this clause and may not be used for any other purpose.

Term of the Confidentiality Obligation

The obligations set forth in this clause shall remain in effect throughout the entire term of these Terms and for 3 to 5 years after their termination or expiration, regardless of the reason.

15. Links to External Sites

External links are governed by their own privacy policies. GAIA is not responsible for third-party data practices.

16. Changes to This Policy

GAIA may update this Policy from time to time.

Material changes will be communicated directly to users, rather than requiring users to check this page.

The version history will be maintained at the end of the document.

17. Contact Information

For privacy-related inquiries, or to exercise GDPR/LGPD rights, contact:

 info@gaia.global