This Privacy Policy describes how Galveri™, operated by American Directional Driller, Inc. ("Company," "we," "us," or "our"), collects, uses, and protects information when you use galveri.ai and all associated subdomains and services (collectively, the "Service"). By accessing or using the Service, you agree to the practices described in this Policy.
Privacy architecture is foundational to the platform's value — not an afterthought. The core design principle: credential records are permanent; GPS location data is ephemeral. These are different things and are handled differently.
We do not sell your personal data. We do not use your data for advertising. We do not share your credential data with any party other than those you have explicitly granted access to.
We collect mobile phone numbers solely to deliver one-time SMS verification codes (passcodes) for account authentication. Users provide their phone number and explicitly consent by checking a required checkbox: "I agree to receive SMS verification codes at my registered phone number for account authentication." The complete opt-in flow, rendered consent UI, and all message samples are publicly viewable at galveri.ai/sms-opt-in.
Phone numbers are used only for OTP delivery. No marketing or promotional messages are ever sent via SMS. Message and data rates may apply. Message frequency: one message per login or verification event. Reply STOP to opt out. Reply HELP for assistance.
We do not share, sell, or disclose mobile phone numbers or SMS opt-in consent data with any third parties or affiliates for marketing or promotional purposes under any circumstances.
Reply STOP to any SMS message to stop receiving them. You may also remove your phone number from your account at any time via the dashboard. Opting out disables SMS-based login; email-based authentication remains available.
Reply HELP to any SMS message, or contact help@galveri.ai. Carriers are not liable for delayed or undelivered messages.
For Holders: email address (required), name (required for credential verification), phone number (optional). For Organizations: organization name, administrator name, email address, billing contact, and organization identifier.
Professional certifications, training completions, licenses, and qualification records — including credential type, issuing organization, issue date, expiration date, verification tier, and privacy state — that you add or that an Issuing Organization adds on your behalf.
Credential verification events (who queried your record, when, and the result), zone compliance events (entry and exit from credential-gated zones), session data (login timestamps and IP address, not retained beyond the session), and your disclosure history (a complete log of every grant you have made and every access event under those grants).
Location data is ephemeral and consent-gated. The Service may request GPS location during an active work engagement — while you are within a credentialed zone or during an active load haul — but only with your explicit per-engagement consent. Location data is not retained after the engagement ends. We do not track your location outside of active work engagements. See Section 5 for the full location data architecture.
Payment processing is handled by Stripe, Inc. We do not store credit card numbers or bank account details. Stripe's privacy policy governs payment data handling.
Every credential in your portfolio has an independently controlled privacy state that only you can change:
Privacy state changes take effect immediately. No employer or organization can change your privacy state.
An employer or site operator you have granted access to can see: credentials they issued to you, compliance events on their own assets, your binary compliance status on their site, and attributes you explicitly unfrosed for them. No employer can see credentials issued by a different organization, compliance events at other sites, your full portfolio without your disclosure, or job-search access grants you have made to prospective employers. The latter restriction is enforced at the database query level — not contractually.
Location data is collected only during an active engagement window — while on-site at a credentialed facility or actively hauling a load — and only after you explicitly consent at the start of that engagement. Location sharing stops when the engagement ends.
Engagement boundary timestamps (check-in and check-out times) are retained as part of the compliance event record. Real-time GPS coordinates are not written to permanent storage; they are used only for live compliance evaluation during the engagement window.
In Zone 0 / high-hazard environments where continuous location monitoring is a safety requirement (man-down detection, confined space occupancy), a site operator may configure location monitoring as a condition of zone entry. You must provide explicit consent. Zone-level compliance data is retained as a safety record; second-by-second GPS tracks are not.
Because real-time GPS data is not retained, there is typically no location data to delete following an engagement. If you believe location data was retained in error, submit a withdrawal request from your Person Portal at mi.galveri.ai/withdraw.
When you grant an organization access to your credential data, that organization can query your record within the scope and duration you defined. Your Person Portal shows a complete log of every access event.
We use service providers for transactional email, SMS delivery, and payment processing. They receive only the minimum data necessary and are contractually prohibited from using your data for any other purpose.
We may disclose data when required by valid legal process (court order, subpoena, regulatory demand). We will notify affected users when legally permitted to do so before complying.
Where regulatory observer access is enabled for a site, regulators may access site-level aggregate compliance scores. We do not provide individual holder identity or credential content to regulatory observers without legal process.
Mobile phone numbers and SMS opt-in consent data are never shared with third parties or affiliates for marketing or promotional purposes under any circumstances.
The Service uses cookies solely for authentication session management and user preference storage. We do not use third-party tracking cookies, advertising cookies, or cross-site tracking technologies. The cookies we set:
galveri_session — Authenticated organization session. Expires 24 hours.galveri_holder — Authenticated Holder session. Expires 24 hours.galveri_site_theme — UI theme preference. Expires 1 year.galveri_cookie_consent — Records your consent banner choice. Expires 1 year.Declining non-essential cookies does not affect Service functionality — authentication session cookies are essential and are set regardless of consent choice.
Depending on your jurisdiction, you may have the right to access, correct, delete, or export your personal data; restrict or object to certain processing; and withdraw consent. To exercise these rights:
We respond to verifiable requests within 30 days. We will not discriminate against you for exercising your privacy rights.
We implement industry-standard security measures including encrypted data transmission (TLS), cryptographically signed authentication tokens, bot protection on all subdomains, and access controls limiting data access to authorized parties. No security measure is perfect, and we cannot guarantee absolute security. In the event of force-majeure circumstances beyond our reasonable control — including natural disasters, infrastructure or third-party service failures, pandemics, war, or governmental action — Service availability may be temporarily affected; our commitments to data protection under this Policy remain in effect during such periods. To report a security vulnerability responsibly, contact security@galveri.ai before public disclosure.
The Service is not directed at persons under 18. We do not knowingly collect personal data from minors. If we learn we have collected data from a person under 18, we will delete it promptly.
We may update this Privacy Policy as the Service evolves. Material changes will be communicated by email to registered users at least 14 days before taking effect. Continued use of the Service constitutes acceptance of the updated Policy.
For privacy requests, data deletion, or security disclosures:
American Directional Driller, Inc.
Privacy & legal: legal@galveri.ai
Security disclosures: security@galveri.ai
Web: galveri.ai · Livonia, Michigan, USA