Privacy Policy
Effective date: March 25, 2026
1. Overview
Gallantic Inc. ("we," "us," "our") operates the Citadel platform, a suite of business
productivity applications. This privacy policy explains what personal information we
collect through the Citadel platform, how we use it, and what rights you have regarding
your data.
This policy applies to all Citadel applications:
- Citadel Auth — centralized identity provider (SSO, passkeys, TOTP two-factor authentication)
- Citadel Support — ticketing and helpdesk
- Citadel Time — time tracking and timesheets
- Citadel Contracts — contract and proposal management
- Citadel Invoice — invoicing and payments
- Citadel Engage — managed services engagement
- Citadel Events — event management and registrations
When we say "the platform" or "our services" in this policy, we mean all of the above
applications collectively.
2. Information We Collect
Account Information
When you create an account, we collect your name, email address, and organization
membership. If you set a password, we store it as a one-way cryptographic hash —
we never store passwords in plaintext and cannot retrieve your original password.
Authentication Data
To keep your account secure, we process and store session tokens, TOTP (time-based
one-time password) secrets if you enable two-factor authentication, passkey/WebAuthn
credentials if you register a passkey, login timestamps, and the IP address used at
login.
Application-Specific Data
Each Citadel application collects data relevant to its function:
- Citadel Support — support tickets, comments, attachments, SLA records, customer contact information
- Citadel Time — time entries, timesheets, projects, leave requests, approval records
- Citadel Contracts — contracts, proposals, document versions, clause libraries, approval workflows, signatures
- Citadel Invoice — invoices, quotes, credit notes, payment records, client and product information
- Citadel Engage — engagement records, assessments, KPIs, questionnaire responses, service-level data
- Citadel Events — events, sessions, registrations, attendee information, invitations
Technical and Log Data
We automatically collect technical information when you use the platform, including
your IP address, browser user agent, and request timestamps. We maintain audit logs
that record significant actions (such as logins, permission changes, and data
modifications) for security and compliance purposes.
Payment Data
Citadel Invoice integrates with Stripe for payment processing. We do not collect, store,
or have access to your full credit card number or bank account details. Stripe handles
all card data directly. We store only transaction references (such as Stripe payment
IDs and invoice status) needed to reconcile payments within the platform.
3. Cookies and Similar Technologies
We use only essential cookies that are strictly necessary for the
platform to function. We do not use any analytics, tracking, advertising, or
third-party cookies.
The cookies we use are:
- Session cookies — these keep you logged in while you use the platform. They are encrypted and expire when your session ends.
- CSRF protection tokens — these prevent cross-site request forgery attacks on form submissions.
- OAuth/OIDC state cookies — temporary, encrypted cookies used during the single sign-on login flow. They expire automatically within 5 to 10 minutes.
Because we use only cookies that are strictly necessary for the service to operate,
no cookie consent banner is required under the GDPR or ePrivacy Directive.
4. How We Use Your Information
We use your information to:
- Provide, operate, and maintain the platform and its features
- Authenticate your identity and manage your sessions
- Respond to your requests, comments, and support inquiries
- Send transactional notifications (such as password resets, approval requests, and event reminders)
- Detect, prevent, and address security incidents and fraud
- Comply with legal obligations
We want to be clear about what we do not do with your information:
- We do not sell, rent, or trade your personal information to anyone.
- We do not send marketing communications unless you have explicitly opted in.
- We do not build advertising profiles or engage in automated profiling or scoring of individuals.
5. Single Sign-On
Citadel Auth serves as the centralized identity provider for all Citadel applications.
When you log into any Citadel app through single sign-on, Citadel Auth shares your
identity information — specifically your email address, name, and organization
membership — with that application.
Only the minimum data necessary for authentication and authorization is shared. Each
application stores its own session independently. You can review which applications
you have accessed through your Citadel Auth account settings.
6. Data Sharing and Third Parties
We do not sell your data. We share personal information only in the following limited
circumstances:
- Email delivery — we use SMTP email providers to send transactional notifications (such as password resets and approval alerts). These providers process your email address and message content solely to deliver messages on our behalf.
- Payment processing — Citadel Invoice uses Stripe to process payments. When you make a payment, Stripe receives the information necessary to complete the transaction. Stripe's use of your data is governed by Stripe's privacy policy.
- Webhooks — organization administrators may configure webhook integrations that send event data (such as ticket updates or invoice status changes) to external URLs. Webhook destinations are chosen and controlled by the organization administrator, not by Gallantic.
- Legal requirements — we may disclose information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that disclosure is necessary to protect our rights, your safety, or the safety of others.
7. Data Retention
- Sessions — expire after a configurable period (default: 7 days of inactivity). Expired sessions are automatically deleted.
- Audit logs — retained for compliance and security investigation purposes in accordance with applicable regulations.
- Account data — retained for as long as your account is active and you maintain a relationship with us or your organization.
- Deleted accounts — when you or your organization administrator deletes an account, we remove your personal data in accordance with your right to erasure. Some data may be retained in anonymized form or where required by law.
8. Data Security
We take the security of your data seriously and implement multiple layers of protection:
- Password hashing — all passwords are hashed using Argon2id, a modern algorithm designed to resist brute-force and hardware-accelerated attacks.
- Encryption at rest — sensitive data (such as TOTP secrets and API keys) is encrypted using AES-256-GCM.
- Encryption in transit — all connections to the platform are secured with TLS.
- WebAuthn and passkeys — we support passwordless authentication through FIDO2-compliant passkeys for phishing-resistant login.
- Two-factor authentication — TOTP-based two-factor authentication is available for all accounts and can be enforced by organization administrators.
- Rate limiting and account lockout — we limit login attempts and temporarily lock accounts after repeated failures to prevent credential-stuffing attacks.
- CSRF protection — all form submissions are protected against cross-site request forgery.
No system is perfectly secure. While we implement reasonable and industry-standard
safeguards, we cannot guarantee absolute security. If you become aware of a security
vulnerability, please contact us at privacy@gallantic.com.
9. Your Rights
Depending on where you are located, you may have the following rights regarding your
personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — request that we correct inaccurate or incomplete information.
- Deletion — request that we delete your account and associated personal data.
- Data portability — request an export of your data in a structured, commonly used format.
- Withdraw consent — where processing is based on consent, you may withdraw it at any time.
- Object to processing — object to certain types of data processing where we rely on legitimate interests.
These rights are recognized under:
- PIPEDA (Personal Information Protection and Electronic Documents Act) — Canada
- GDPR (General Data Protection Regulation) — European Union
- CCPA (California Consumer Privacy Act) — California, United States
For California residents: we do not sell personal information as defined
by the CCPA. We do not use or disclose sensitive personal information for purposes
beyond what is necessary to provide the service.
To exercise any of these rights, contact us at privacy@gallantic.com. We will respond
within 30 days (or sooner where required by law).
10. International Data
Our servers are located in Canada. Canadian privacy law (PIPEDA) has been recognized
by the European Commission as providing an adequate level of data protection.
If we transfer personal data outside of Canada, we ensure appropriate safeguards are
in place, such as contractual commitments that meet applicable data protection
standards.
11. Children
The Citadel platform is designed for business use and is not directed at children under
the age of 16. We do not knowingly collect personal information from children. If you
believe a child has provided us with personal information, please contact us at
privacy@gallantic.com and we will promptly delete it.
12. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our
practices, technology, or legal requirements. When we make changes, we will revise
the "Effective date" at the top of this page. We encourage you to review this policy
periodically.
13. Contact
If you have questions about this privacy policy or wish to exercise your privacy
rights, please contact us: