Privacy Policy

1. Introduction

Skydda Inc. ("Skydda," "we," "us," or "our") provides cybersecurity and automation tools designed to help organizations protect their digital environments. We understand that you care about your personal privacy, and we take that seriously.

This Privacy Policy describes Skydda's policies and practices regarding the collection and use of your personal data, and sets forth your privacy rights. We recognize that information privacy is an ongoing responsibility and we will update this Privacy Policy from time to time as we undertake new personal data practices or adopt new privacy policies. The most current version will always be posted at skydda.ai/privacy.

Data Controller vs. Processor

Skydda acts as the data controller for personal data of website visitors, business contacts, and job candidates. When we process data on behalf of our customers through the Skydda platform (the "Platform"), we act as a data processor. Processing of customer data is governed by the applicable customer agreement and/or Data Processing Addendum, not this Privacy Policy.

2. Privacy Contact

Skydda is headquartered in the United States. If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Privacy Officer:

3. What Data We Collect

We collect both personal data (information that identifies you) and non-personal data (information that does not identify you on its own). This generally includes:

We do not knowingly collect sensitive personal data such as government identification numbers, health data, precise geolocation, racial or ethnic origin, religious beliefs, or financial account information. If you believe we have inadvertently collected sensitive data, please contact us at [email protected] so we can delete it.

4. How We Collect Data

We collect information in the following ways:

• Data you provide directly: When you request information about our products, sign up for newsletters, download resources, register for an account, or communicate with us via email, phone, or other channels.
• Automatic collection: We automatically gather certain device and usage data when you visit our site through cookies, log files, and similar technologies.
• Third-party sources: We may receive additional information about you from third-party platforms (e.g., LinkedIn) or business intelligence and data enrichment providers. Where we receive data from third-party sources, we rely on the third party's confirmation that the data was collected in accordance with applicable law.

5. How We Use Your Information

We use personal data only where we have a lawful basis. Depending on how you interact with Skydda, we may use your data to:

• Provide and operate our services: communicate about your requests, deliver demo accounts, manage customer relationships, and provide technical support
• Improve our website and services: analyze usage and performance data to understand how visitors use our website, improve user experience, and develop new features
• Send marketing and promotional materials: with your consent, send newsletters or information about new features or events. You can withdraw consent or opt out at any time
• Comply with legal obligations: fulfill contracts, respond to lawful requests, enforce our rights, and protect users
• Detect and prevent fraud: identify and prevent fraudulent or illegal activity, investigate violations, and enforce our policies

We do not sell your personal information. We may share information only in the limited circumstances described in Section 9.

6. Cookies & Tracking Technologies

Cookies are small text files placed on your device when you visit a website. They help the site remember your preferences and improve functionality. Our website uses both first-party cookies (set by Skydda) and third-party cookies (set by analytics providers) for the following purposes:

• Strictly Necessary Cookies: Essential for the operation of the website and platform, including authentication and security. These cannot be disabled.
• Functionality Cookies: Allow us to remember your preferences (e.g., language, region) and provide enhanced features.
• Analytics & Performance Cookies: Help us understand how visitors interact with our website. We may use third-party analytics tools such as Google Analytics.
• Advertising Cookies: Used to deliver relevant advertisements and measure the effectiveness of our marketing campaigns.

Before placing non-essential cookies, we ask for your consent via a cookie consent banner. You can adjust cookie settings in your browser at any time. We honor Global Privacy Control (GPC) signals — where a valid GPC signal is detected, we treat it as a request to opt out of the sale or sharing of personal information and will disable analytics and advertising cookies accordingly. Disabling certain cookies may affect the functionality of our services.

7. Use of the Skydda Platform

When customers use the Platform, we may collect and process additional categories of data to deliver services. Processing of customer data through the Platform is governed by the applicable Customer Agreement and/or Data Processing Addendum. This section provides a general overview:

• Security Telemetry & Log Data: Metadata, configurations, security events, alerts, and log records ingested or analyzed through the Platform on behalf of customers.
• Cloud Environment Configuration: Metadata about cloud infrastructure settings, access permissions, and resource configurations. We collect configuration metadata — not the underlying data stored in your cloud environment.
• User & Access Metadata: User roles, access permissions, associated email addresses, and account configurations needed to deliver security analysis.
• Integration Credentials: API tokens and OAuth credentials required to connect the Platform with third-party tools. These are stored encrypted at rest using AES-256.

Customer data processed through the Platform is used solely to deliver services to the applicable customer. We do not use customer data for marketing, advertising, or any purpose unrelated to service delivery without explicit authorization.

8. Use of Artificial Intelligence

Skydda uses artificial intelligence and automation technologies to enhance our services, including threat detection, workflow automation, alert triage, and generation of actionable security insights. Our approach to AI and data:

• No Training on Customer Data: We do not use customer data to train general-purpose AI or machine learning models. Customer data is processed solely to deliver services to the applicable customer.
• Third-Party AI Providers: Where we use third-party AI providers, we maintain strict contractual safeguards including data isolation and prohibitions on using customer data for model training.
• Data Isolation: AI processing for each customer is segregated using unique tenant identifiers and access controls. One customer's data is never used to generate insights for another customer.
• Human Oversight: AI-generated outputs are designed to augment human analysts. Customers retain full control over how AI-assisted recommendations are actioned.

9. When & How We Share Information

We do not sell personal data to third parties. We may share personal data only in the following limited circumstances:

• Service providers and business partners: companies that help us operate our website and deliver services (e.g., hosting providers, CRM platforms, email service providers). These providers process personal data only under our instructions and are required to implement appropriate safeguards.
• Legal and compliance purposes: when required by law, regulation, or legal process, or when disclosure is necessary to protect our rights, your safety, or the safety of others.
• Business transfers: if Skydda undergoes a merger, acquisition, or sale of assets, user data may be transferred to the acquiring entity. Any new owner will use the data only for the purposes described in this policy.
• With your consent: in any other circumstance where you have provided explicit authorization.

In limited circumstances we may disclose aggregated, anonymized, or de-identified information that cannot reasonably be used to identify you to our partners for analytics or benchmarking purposes.

10. International Transfers

Skydda is headquartered in the United States. If you are located outside of the United States, please be aware that information you provide to us will be transferred to and processed in the United States, which may have data protection laws that differ from those in your jurisdiction.

Where we transfer personal data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States, we implement appropriate safeguards including:

• Standard Contractual Clauses (SCCs) approved by the European Commission and/or the UK International Data Transfer Addendum
• Data processing agreements with vendors and sub-processors that include equivalent contractual protections
• Technical measures including encryption of data in transit (TLS 1.2/1.3) and at rest (AES-256), role-based access controls, and continuous security monitoring

For more information about our international transfer practices or to request a copy of relevant Standard Contractual Clauses, please contact us at [email protected].

11. Data Security

Skydda implements technical and organizational measures designed to protect personal data from unauthorized access, loss, misuse, or alteration. Our security measures include:

• Encryption of data in transit (TLS 1.2/1.3) and at rest (AES-256)
• Role-based access controls and the principle of least privilege
• Multi-factor authentication for internal systems and customer accounts
• Regular vulnerability scanning and third-party penetration testing
• Employee security awareness training
• Incident response procedures and continuous security monitoring

No method of transmission over the internet or electronic storage is 100% secure. While we work hard to protect your data, we cannot guarantee absolute security. In the event of a security incident involving your personal data, we will notify affected individuals and relevant authorities as required by applicable law.

12. Data Retention

We retain personal data only as long as necessary to fulfill the purposes described in this policy and to comply with legal, tax, or regulatory obligations. Our retention schedule is as follows:

• Customer Data: For the duration of the customer relationship and 90 days post-termination, unless otherwise specified in the Customer Agreement.
• Service & Support Data: Three (3) years after last interaction.
• Prospect & Marketing Data: Three (3) years after last contact or until opt-out is requested.
• Job Applicant Data: Two (2) years after the conclusion of the recruitment process, except where longer retention is required by law.

All personal data that Skydda controls may be deleted upon verified request from data subjects, subject to legal retention obligations and legitimate business needs (e.g., financial recordkeeping, litigation holds).

13. Your Privacy Rights

Depending on your location and applicable data protection laws, you may have the following rights:

• Right to Be Informed: You have the right to know what data we collect and why.
• Right of Access: Request copies of the personal data we hold about you.
• Right to Rectification: Request that we correct inaccurate or incomplete data.
• Right to Erasure: Request that we delete your personal data, subject to legal exceptions.
• Right to Restrict Processing: Ask us to limit how we process your data.
• Right to Data Portability: Request a copy of your data in a portable, machine-readable format.
• Right to Object: Object to our use of your data, including for marketing communications.
• Automated Decision-Making: Object to decisions made solely based on automated processing, where applicable.

To exercise any of these rights, please contact us at [email protected]. We may need to verify your identity before processing your request and will respond within 30 days of a verified request. We may not always be able to comply fully if legal obligations require otherwise.

14. California Privacy Rights (CCPA/CPRA)

If you are a California resident, the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides you with additional rights:

• Right to Know: Request information about the categories and specific pieces of personal information we have collected, the sources, the business purposes, and the categories of third parties with whom we share it.
• Right to Delete: Request deletion of your personal information, subject to legal exceptions.
• Right to Correct: Request correction of inaccurate personal information.
• Right to Opt-Out of Sale or Sharing: We do not sell your personal information and do not share it for cross-context behavioral advertising purposes.
• Right to Non-Discrimination: We will not discriminate against you for exercising your privacy rights.

To submit a request under the CCPA, please contact us at [email protected]. We will verify your identity before processing your request and will respond within 45 days, which may be extended by an additional 45 days where reasonably necessary.

15. Job Applicant Data

Where you apply for a position at Skydda, we will collect and process personal data you provide in your application, including your name, contact details, employment history, educational background, references, and any other information included in your CV or resume. We may also collect information from recruitment platforms (e.g., LinkedIn) or referees, where applicable.

Applicant data for unsuccessful candidates is retained for two (2) years after the conclusion of the recruitment process, unless you request earlier deletion. Data for successful candidates becomes part of employment records and is governed by our employee data retention policies. Job applicants have the same data subject rights described in Section 13.

16. Children's Data

Our website and services are intended for business professionals and are not directed at children under the age of 16. We do not knowingly collect personal data from children. If we learn that we have collected personal data from a child below the applicable age threshold, we will take steps to promptly delete that information. If you are a parent or guardian and believe your child has provided us with personal data, please contact us at [email protected].

17. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, or legal requirements. We will post the updated policy on our website with a new effective date. For material changes, we will notify registered users via email. We encourage you to review this page periodically to stay informed about our data practices.

18. Contact Us

If you have questions, concerns, complaints, or would like to exercise your privacy rights, please contact us: