This document outlines Galooli's official procedure for processing client-initiated data deletion requests. It supports our commitment to data privacy, security, and regulatory compliance, as an ISO 27001-certified and GDPR-compliant organization. The procedure ensures that all requests are handled lawfully and transparently, defines the data types involved, specifies approval requirements, and details the irreversible nature of data deletion across all Galooli platforms and services. This policy applies to all private client data managed by Galooli’s systems and serves as a guide for both internal teams and client representatives.

1 Commitment to Data Privacy and Security
2 Purpose and Scope
3 Requesting Data Deletion
4 Financial and Business-Critical Personal Data
5 Deletion Process and Irreversibility
6 Documentation and Audit Trail
7 Contact
8 Appendix A – Client Data Deletion Request Form
- 8.1 Exclusion of Financial and Legal Data
- 8.2 Confirmation and Authorization

Commitment to Data Privacy and Security

As an ISO 27001-certified and GDPR-compliant company, Galooli treats data privacy and information security with the utmost seriousness. Acting as a data processor on behalf of its clients, Galooli ensures that all personal and business-related data is handled lawfully, fairly, and transparently.

Galooli employs robust security controls, including encryption, identity-based access restrictions, and regular internal and external audits, aligned with ISO 27001 and industry best practices. For further information, please refer to the Privacy, Security, Backup, and Recovery documentation.

Galooli’s Privacy Policy and Data Processing Addendum provide further details on our data protection framework and the types of information we process.

Purpose and Scope

This document defines the procedure by which Galooli processes client-initiated requests for data deletion.

Galooli distinguishes between two categories of data:

Data Type	Description

Data Type	Description
Customer Data	Operational and business data provided or collected during service usage
Personal Data	Any information relating to an identified or identifiable natural person

This document applies to all private data handled by Galooli on behalf of its clients across all its SaaS platforms and cloud-based infrastructure.

Requesting Data Deletion

Upon filing a termination request clients may also request deletion of Personal Data associated with their organization (see Appendix below). Requests must:

Be submitted in writing through the assigned Account Executive
Be jointly approved by two senior client representatives, including one Regional Manager or equivalent
Be digitally signed using a legally recognized e-signature platform
Include confirmation of understanding and acceptance of the implications outlined in Section 5 below.

Galooli’s Accounts team will validate and confirm all deletion parameters with the client. For high-volume or sensitive deletions, a pre-execution review may be conducted with Galooli’s Account Teams and/or Legal Counsel.

Financial and Business-Critical Personal Data

Personal data required for invoicing, payment processing, tax compliance, legal obligations, or essential client communications (e.g., billing contact details, contract history, correspondence) is excluded from the default deletion policy.

This data is retained to comply with legal, regulatory, and contractual obligations and will not be deleted unless both Galooli and the client provide explicit written consent, regardless of the data’s age.

Deletion Process and Irreversibility

5.1 Once approved and confirmed:

All deletions are permanent and irreversible. Deleted data cannot be recovered under any
circumstances and will not be accessible through any platform, including though not limited to
Galooli’s web application, mobile app, or any associated service interface.
Data will be permanently deleted from:
- Galooli’s hosted cloud infrastructure, regardless of location or service provider
- Any local or archived backups, whether physical or virtual
- All internal systems, integrations, and authorized third-party services

5.2 Deleted data will no longer be available for:

Dashboard access or export
Historical reports or analytics
Any Galooli product and/or service, including internal reuse

5.3 Prior to execution, Galooli will inform the authorized individuals who submitted the deletion request of the planned deletion date.

5.4 A three (3) business day cooling-off period will follow this notification. During this period:

The client has the right to submit a written request to Galooli to cancel the deletion request
The cancellation request will only be considered valid if Galooli confirms receipt and grants explicit written approval. Any cancellation request that is not explicitly approved in writing by Galooli will be considered invalid and non-binding
The cooling-off period will last up to three business days from the date of notification and will not exceed 72 hours in total.

Galooli will not execute the deletion until the cooling-off period has concluded.

5.5 Galooli will provide the client with a formal deletion confirmation within one week of the data deletion, verifying that the request has been fully executed.

5.6 Clients acknowledge and waive any future claims related to deleted data, which is permanently
inaccessible. Galooli shall not be held liable for any consequence arising from such deletion.

Documentation and Audit Trail

Galooli documents data deletion requests for traceability and internal audit purposes. Records include:
• Client request details and submission date
• Approved scope and specifications
• Execution method and final deletion date
• Names and roles of responsible personnel

These audit records are retained for compliance purposes only and do not retain any of the
deleted personal data.

This documentation supports Galooli’s internal controls and compliance with ISO 27001 and GDPR.

Contact

For all matters related to data deletion or retention, clients may contact their Galooli Account Executive or reach out to:

Accounts@galooli.com

Appendix A – Client Data Deletion Request Form

To be submitted to your Galooli Account Executive

________________________________________________________________________________________________________
Client Organization Name:

________________________________________________________________________________________________________
Date of Request:

________________________________________________________________________________________________________
Contact Person(s):

________________________________________________________________________________________________________

Email: ____________________________ Phone: ___________________________

Requested Deletion Scope:

________________________________________________________________________________________________________
Data Types for Deletion:

________________________________________________________________________________________________________
Date Range for Deletion:
From: _______________ To: _______________
________________________________________________________________________________________________________

Exclusion of Financial and Legal Data

☐ I acknowledge that personal data related to financial transactions, payments, invoicing, and
essential contractual communications is excluded from deletion unless expressly requested and
approved in writing by Galooli.

________________________________________________________________________________________________________

Confirmation and Authorization

☐ This request is jointly submitted by two authorized representatives of the client organization,
including one Regional Manager or equivalent.
☐ This form has been digitally signed using a recognized e-signature platform
☐ I understand that the request is subject to internal validation, and approval by a senior Galooli
representative. It may also involve additional review for high-sensitivity data
☐ I confirm that I understand and accept the following:
• The deletion process is permanent and irreversible
• Deleted data will not be available in any form (including backups, dashboards, or exports)
• Galooli shall not be held liable for any claims related to access, usage, or recovery of the deleted data

________________________________________________________________________________________________________
Authorized Signatory 1 – Regional Manager
Full Name: ____________________________
Title: ________________________________
Signature (Digital): ____________________
Date: ________________________________
Authorized Signatory 2
Full Name: ____________________________
Title: ________________________________
Signature (Digital): ____________________
Date: _______________________________

Version	Date	Comment
Current Version (v. 1)	Jun 11, 2025 11:06	arkadi kaplon

Galooli Data Deletion Procedure (Per Client Request)