Privacy Policy

The controller of personal data processed through skyfirstlabs.com is Special Option LDA (trading as Sky First Labs), a private limited company registered in Portugal under tax identification number 518824985, with registered office at Estrada Nacional 4, Quinta Fernão Pote, caixa 3, 7350-422 Elvas, Portalegre, Portugal.

For any privacy matter, write to info@skyfirstlabs.com. We have not appointed a Data Protection Officer because the company does not meet the criteria of Article 37 GDPR.

This policy explains how we collect, use, share, and protect personal data when you visit our website, fill in our contact form, request a 5-day audit, or otherwise interact with us through the site.

It does not cover personal data processed inside customer deployments of the Sky platform — that processing is governed by the Data Processing Agreement (DPA) signed with each customer.

We do not collect special categories of data (Article 9 GDPR), and we do not run profiling or automated decision-making with legal effect on visitors.

We use a small number of cookies and similar storage. Strictly necessary storage is used to remember your cookie choice. Analytics cookies (Google Analytics 4, Vercel Analytics) are loaded only after you accept them.

Full details, retention periods, and how to withdraw consent are in our Cookie Policy.

We share personal data only with processors strictly necessary to run the site and our outbound process, under contracts that include Standard Contractual Clauses (SCCs) where applicable:

• Vercel Inc. (USA) — hosting, edge delivery, product analytics.
• Google Ireland Ltd / Google LLC — Google Analytics 4 with IP anonymisation.
• Resend, Inc. (USA) — transactional email delivery for contact form replies.
• HubSpot, Inc. (USA / EU) — CRM for lead and account management.
• Instantly.ai — outbound email delivery for B2B prospecting.
• Calendly LLC (USA) — meeting scheduling. When you book a discovery call, Calendly receives your name, email address, time-zone, and any answers you give to booking questions.

We never sell personal data, and we do not share it for advertising purposes.

Some of the processors above are established outside the European Economic Area, principally in the United States. Where personal data is transferred, we rely on the EU–U.S. Data Privacy Framework where the recipient is certified, and otherwise on the European Commission's Standard Contractual Clauses (Decision 2021/914) plus additional safeguards as appropriate.

A copy of the safeguards in place can be requested at info@skyfirstlabs.com.

• Contact form submissions: up to 24 months after the last meaningful interaction, then deleted or archived under contract retention rules if a customer relationship was formed.
• B2B prospecting records: up to 24 months after the last contact attempt, or immediately on opt-out.
• Analytics: 14 months in Google Analytics, the shortest retention GA4 allows.
• Server logs: up to 30 days unless required for incident investigation.

Under Articles 15 to 22 GDPR you have the right to access, rectification, erasure, restriction, portability, and to object to processing based on legitimate interest. Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of processing already carried out.

To exercise any of these rights, write to info@skyfirstlabs.com. We respond within one month, which may be extended by two further months for complex requests.

You also have the right to lodge a complaint with the Portuguese supervisory authority, Comissão Nacional de Proteção de Dados (CNPD), or with the supervisory authority of your habitual residence.

Data is stored on infrastructure protected by encryption in transit (TLS 1.2+) and at rest. Access to personal data within Sky First Labs is limited to staff with a need to know and is logged. We carry out regular reviews of vendors and access controls.

We will notify the supervisory authority and, where required, affected individuals of personal data breaches in accordance with Articles 33 and 34 GDPR.

The site is intended for business users. We do not knowingly collect personal data from children under 16. If you believe a child has provided personal data, contact us and we will delete it.

We update this policy when our processing changes or when the law requires it. Material changes are announced on this page with a new "last updated" date. Continued use of the site after a change means you have read the updated policy.