Privacy Policy

1. Introduction

Skyfall Labs (“Skyfall,” “we,” “us,” or “our”) is a global software development and business-process-automation (“BPA”) company serving clients in the United States, Europe, the Middle East, Asia-Pacific, and the Americas. We design, build, customize, integrate, and maintain SaaS products, custom enterprise software, CRM/ERP customizations (including, but not limited to, Zoho One, Zoho CRM, Zoho Creator, Zoho Books, Salesforce, HubSpot, Microsoft Dynamics), AI-enabled automations, and integrations with third-party platforms such as Google Workspace, Google Cloud Platform, and Google APIs.

This Privacy Policy (the “Policy”) describes how Skyfall Labs collects, uses, discloses, retains, transfers, and otherwise processes Personal Data when:

• you visit our website at skyfallhq.net or any subdomain we control (the “Site”);
• you submit a contact, demo, or service-inquiry form, or otherwise correspond with us;
• you engage Skyfall Labs to deliver professional services (custom software, CRM customization, BPA, AI integration, support, or managed services);
• you use a SaaS application or product operated by Skyfall Labs (each, a “Skyfall Product”);
• you interact with content, marketing campaigns, or events run by Skyfall Labs.

This Policy applies globally. It is intended to comply with applicable data-protection and consumer-privacy laws, including: the California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA/CPRA”); the Virginia Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); the Connecticut Data Privacy Act (“CTDPA”); the Utah Consumer Privacy Act (“UCPA”); the Texas Data Privacy and Security Act (“TDPSA”); the Oregon Consumer Privacy Act (“OCPA”); the Montana Consumer Data Privacy Act (“MCDPA”); the Delaware Personal Data Privacy Act (“DPDPA”); the Iowa Consumer Data Protection Act; the Tennessee Information Protection Act (“TIPA”); the U.S. Health Insurance Portability and Accountability Act (“HIPAA”) where Business Associate Agreements apply; the U.S. Gramm-Leach-Bliley Act (“GLBA”) where applicable; the Children’s Online Privacy Protection Act (“COPPA”); the CAN-SPAM Act and the Telephone Consumer Protection Act (“TCPA”); the EU General Data Protection Regulation (“GDPR”); the UK GDPR and UK Data Protection Act 2018; the Swiss Federal Act on Data Protection (“FADP”); the Brazilian Lei Geral de Proteção de Dados (“LGPD”); the Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and Quebec’s Law 25; Australia’s Privacy Act 1988 and the Australian Privacy Principles (“APPs”); Singapore’s Personal Data Protection Act (“PDPA”); India’s Digital Personal Data Protection Act, 2023 (“DPDP Act”); South Africa’s Protection of Personal Information Act (“POPIA”); and other privacy laws of jurisdictions in which our clients and users reside.

2. Data Controller & Contact

For data we collect directly (e.g., through the Site, marketing channels, sales conversations, and contractual relationships with our direct clients), Skyfall Labs is the “controller” under GDPR/UK GDPR and the “business” or “controller” (as applicable) under U.S. state privacy laws.

• Legal entity: Skyfall Labs.
• Operational / correspondence address: 4th Floor, Tower, Civic Center, 81, Gulberg Greens Executive Block, Islamabad.
• Privacy contact / Data Protection Officer (DPO): info@skyfallhq.net (subject line: “Privacy Request”).
• EU/UK representative: Where required under Article 27 GDPR or Article 27 UK GDPR, we will appoint and publish a designated representative on request.
• U.S. consumer-rights contact: use the email above with the subject “U.S. Privacy Rights Request” — see Section 17.2.

3. Categories of Personal Data We Collect

We collect Personal Data in the categories described below. “Personal Data” means any information relating to an identified or identifiable natural person, and includes “Personal Information” as defined under CCPA/CPRA.

3.1 Information You Provide Directly

• Identity data: first name, last name, job title, company name, country.
• Contact data: business email address, phone number, billing and postal address, preferred messaging handle (e.g., WhatsApp).
• Inquiry data: the contents of demo requests, contact-form submissions, RFPs, scope documents, and email correspondence with our team.
• Account & engagement data: credentials you create for a Skyfall Product, contract details, Statements of Work (“SOWs”), purchase orders, and invoicing details.
• Payment data: bank-account references, wire details, or payment-card last four digits and expiry, processed via PCI-DSS-compliant third-party processors. We do not store full card numbers on our infrastructure.
• Recruitment data (if applicable): CVs, work history, references, and right-to-work documentation submitted to careers@skyfallhq.net.

3.2 Information We Collect Automatically

• Device & technical data: IP address (which may be truncated/pseudonymized), browser type and version, operating system, screen resolution, language preference, time-zone setting.
• Usage data: referring URL, pages visited, time on page, click events, scroll depth, errors, and performance metrics.
• Cookies and similar technologies: first- and third-party cookies, local storage, session storage, pixels, and SDKs (see Section 7 below).

3.3 Information We Receive From Third Parties

• Business contact data from professional networks (e.g., LinkedIn) when you connect with our sales team.
• Analytics, attribution, and advertising data from advertising and analytics partners (subject to your consent where required).
• Information from referral partners and resellers who introduce you to our services.
• Publicly available information (e.g., company registries) used for due diligence and onboarding.

3.4 Client Data and End-User Data Processed on Behalf of Clients

When delivering professional services or operating a Skyfall Product configured for a client, we may process data that the client (or the client’s end users) uploads, transmits, or generates within the system (“Client Data”). Client Data may include names, contact details, customer records, lead pipelines, financial records, support tickets, documents stored in Zoho WorkDrive or Google Drive, calendar entries, email content (where the client has authorized us to access mailboxes), CRM records, and similar operational data.

We process Client Data strictly as a processor / service provider on the documented instructions of the client (the controller). The client is responsible for the lawful basis on which it has collected such data and for providing privacy notices to its own end users. The terms of our processing are governed by the SOW and, where applicable, a separate DPA.

3.5 Sensitive / Special-Category Data

We do not seek, and we discourage clients from sending us, special-category data (health, biometric, genetic, racial or ethnic origin, political opinions, religious beliefs, trade-union membership, sex life or sexual orientation) or government identifiers (national ID, passport, social-security numbers) unless strictly required for the engagement and covered by a written agreement that addresses the heightened protections required by Article 9 GDPR and equivalent laws.

4. Sources of Personal Data

We collect Personal Data from the following sources:

• directly from you when you fill out a form, email us, sign a contract, or use a Skyfall Product;
• automatically through your browser, device, and our analytics tools when you visit the Site or use a product;
• from your employer or organization when they engage us on your behalf;
• from third-party platforms you authorize us to access (e.g., when you connect your Google or Zoho account to a Skyfall integration);
• from publicly available sources, business directories, and professional networking sites;
• from sub-processors, partners, and resellers acting on our or your behalf.

5. Purposes of Processing

We process Personal Data for the following purposes:

• To respond to inquiries and provide quotes: when you submit a contact, demo, or service-inquiry form via the Site or otherwise.
• To deliver contracted services: performing the SOW, providing custom development, BPA, CRM customization, AI integration, deployment, support, and managed services.
• To operate Skyfall Products: authenticating users, provisioning accounts, providing in-product functionality, sending service notifications.
• To bill and collect payment: generating invoices, processing payments through third-party processors, tax reporting.
• To improve and secure our services: performance monitoring, debugging, abuse detection, fraud prevention, capacity planning, security incident response.
• For marketing and business development: sending non-transactional email about our services (only where lawful, see Section 11), running events, publishing case studies (with consent).
• For internal analytics and reporting: understanding aggregate Site usage, measuring marketing campaigns, internal training.
• For compliance and legal purposes: complying with applicable laws, responding to lawful requests by public authorities, enforcing our terms, defending and exercising legal claims.

6. Legal Bases for Processing (GDPR/UK GDPR)

Where GDPR or UK GDPR applies, we rely on the following legal bases:

You may withdraw consent at any time where processing is based on consent. Withdrawal does not affect the lawfulness of processing carried out before withdrawal.

7. Cookies, Pixels, and Similar Technologies

The Site uses a limited number of cookies and similar technologies. We classify cookies as follows:

• Strictly necessary cookies: required for the Site to function (e.g., load-balancing, security). These do not require consent.
• Functionality cookies: remember preferences such as language or region.
• Analytics / performance cookies: measure traffic and improve the Site (e.g., Google Analytics, Vercel Analytics). Used only where lawful (with consent under the ePrivacy Directive / PECR in the EU/UK).
• Marketing / advertising cookies: show relevant ads on third-party properties (e.g., LinkedIn Insight Tag, Meta Pixel). Used only with your consent.

You can manage cookie preferences through our cookie banner (where displayed), your browser settings (most browsers allow blocking or deleting cookies), and platform-specific opt-out tools such as the Network Advertising Initiative opt-out and the Digital Advertising Alliance opt-out.

Blocking strictly-necessary cookies will impair Site functionality.

8. Disclosure of Personal Data to Third Parties

We do not sell Personal Data, and we do not “share” Personal Data for cross-context behavioral advertising as those terms are defined under CCPA/CPRA. We disclose Personal Data only in the following circumstances:

• Sub-processors and service providers who process data on our behalf under written contracts containing GDPR-compliant data-protection terms (Article 28 GDPR), including: cloud hosting and infrastructure providers (e.g., Amazon Web Services, Microsoft Azure, Google Cloud Platform, Vercel), transactional-email providers (e.g., Resend, SendGrid), customer-relationship and support tools, analytics providers, payment processors, and accounting providers.
• Third-party platforms you authorize us to integrate with (e.g., Google Workspace, Zoho One, Salesforce, HubSpot, OpenAI, Anthropic). Data flows to those platforms occur on your instruction and are subject to those providers’ own privacy notices.
• Professional advisors such as our auditors, lawyers, accountants, and insurers under duties of confidentiality.
• Legal and regulatory authorities where required by law, court order, subpoena, or similar lawful process; or where necessary to protect the rights, property, or safety of Skyfall Labs, our clients, or others.
• Corporate transactions in the event of a merger, acquisition, financing, or sale of all or part of our business — subject to confidentiality obligations and notice where required.

A current list of our material sub-processors is available on written request to info@skyfallhq.net.

9. Google APIs & Limited Use Disclosure

When Skyfall Labs builds or operates software that uses Google APIs (including Google Workspace APIs such as Gmail, Google Drive, Google Calendar, Google Contacts; Google Cloud Platform services; and Google identity / OAuth scopes), our use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

Specifically, with respect to data received from Google APIs:

• we use such data only to provide or improve the user-facing features of the application that are visible and prominent in that application’s user interface;
• we do not transfer such data except as necessary to provide or improve the user-facing features, to comply with applicable law, or as part of a merger, acquisition, or sale of assets with the user’s prior consent;
• we do not use such data to serve advertisements, including retargeting, personalized, or interest-based advertising;
• we do not allow humans to read such data unless we have the user’s affirmative agreement for specific messages, it is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for internal operations where the data has been aggregated and anonymized;
• we request only the minimum OAuth scopes necessary to deliver the requested functionality, and we make those scopes prominently visible to the user during the consent flow;
• OAuth refresh tokens and access tokens are stored encrypted at rest and are accessible only to the components of the application that require them.

If you have authorized a Skyfall application to access your Google account, you may revoke access at any time at myaccount.google.com/permissions.

10. Zoho Services & Zoho-Hosted Customer Environments

A substantial portion of our work involves customization of, and integration with, Zoho services (including Zoho One, Zoho CRM, Zoho Creator, Zoho Books, Zoho Desk, Zoho Analytics, Zoho Catalyst, Zoho Mail, and related APIs). Where Skyfall Labs delivers a Zoho customization, develops a Zoho-extension, or operates a managed Zoho environment on behalf of a client:

• Account ownership: the Zoho tenant (organization) is owned by the client. Skyfall accesses it only under credentials or roles the client provisions and may revoke at any time.
• Data residency: the data residency of records in the client’s Zoho tenant (e.g., US, EU, India, Australia) is determined by the client’s Zoho account configuration, not by Skyfall.
• API usage: our use of Zoho APIs is governed by the Zoho API Terms and the Zoho Trust Center privacy and security commitments published at zoho.com/privacy.html. We do not redistribute client Zoho data to third parties except as instructed by the client or as required by law.
• Marketplace listings: where a Skyfall extension is published on the Zoho Marketplace, it is independently subject to the Zoho Marketplace Developer Agreement and any privacy notice attached to that listing.
• Sub-processing: when we act as a sub-processor to Zoho data flowing through a Skyfall extension or integration, our processing is bounded by the client’s instructions and any applicable Zoho-imposed processing terms.

11. Marketing Communications

We may send marketing emails to business contacts where (i) you have consented, or (ii) you are an existing customer and we are marketing similar services (the “soft opt-in” recognized by ePrivacy / PECR), or (iii) marketing is permitted under applicable law (e.g., business-to-business marketing in many jurisdictions, subject to the controller’s legitimate interest).

We comply with the U.S. CAN-SPAM Act, Canada’s Anti-Spam Legislation (“CASL”), the EU ePrivacy Directive, and equivalent rules. Every marketing message includes a working unsubscribe mechanism. You may opt out at any time by clicking “unsubscribe” in any marketing email, or by emailing info@skyfallhq.net. Unsubscribing from marketing does not affect transactional communications related to an active contract, project, or product subscription.

12. Automated Decision-Making & AI

Skyfall does not make decisions about you that produce legal or similarly significant effects based solely on automated processing. Where we build AI features into a client’s product (including large-language-model integrations such as OpenAI, Anthropic Claude, Google Gemini, or self-hosted models), the design, configuration, and human-oversight model is determined by the client as controller.

When training, fine-tuning, or evaluating AI features:

• we do not use a client’s confidential or personal data to train models for other clients or for our own general-purpose models without explicit written consent;
• where third-party model providers are used, we configure their APIs with the strictest available data-retention and no-training options (for example, requesting zero data retention via the relevant API setting where the provider supports it);
• synthetic, anonymized, or properly de-identified data may be used to evaluate and improve our generic toolchains.

13. International Data Transfers

Skyfall Labs operates globally. Personal Data may be transferred to and stored in countries other than the country where it was collected, including Pakistan, the United States, the European Economic Area, the United Kingdom, India (Zoho), and other jurisdictions where our sub-processors operate.

Where Personal Data is transferred from the EEA, the UK, or Switzerland to a country that is not the subject of a European Commission / UK adequacy decision, we rely on appropriate safeguards under Chapter V GDPR, including (i) the European Commission’s Standard Contractual Clauses (“SCCs”), with the UK Addendum or Swiss addendum where applicable, (ii) supplementary technical and organizational measures (e.g., encryption-in-transit and at-rest, pseudonymization, contractual gag orders on third-party access requests), and (iii) a documented transfer-impact assessment where required.

Copies of the SCCs are available on request. You may also contact us for a list of countries to which a specific category of data is transferred.

14. Data Retention

We retain Personal Data only for as long as necessary for the purposes for which it was collected, including to satisfy legal, accounting, tax, or reporting requirements. The criteria we use to determine retention periods include:

• the nature and sensitivity of the data;
• the purposes for which we process the data and whether we can achieve those purposes by other means;
• the potential risk of harm from unauthorized use or disclosure;
• applicable legal, regulatory, tax, accounting, or reporting requirements (e.g., commercial-records retention typically 5–10 years).

Indicative retention periods (subject to override by contract or law):

15. Information Security

Skyfall Labs maintains a written information-security program that is designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, and access. Controls include:

• Encryption: TLS 1.2+ in transit and AES-256 at rest for data stored in our managed systems.
• Identity & access management: single-sign-on, multi-factor authentication, role-based access, least-privilege provisioning, and regular access reviews.
• Secret management: credentials, API tokens, and OAuth refresh tokens stored in encrypted secret stores (e.g., AWS Secrets Manager, GCP Secret Manager) — never in source control.
• Secure SDLC: peer code review, dependency scanning, static and dynamic application security testing on production code paths.
• Infrastructure security: network segmentation, firewalls, hardened production images, and managed vulnerability patching.
• Personnel security: confidentiality obligations for all staff and contractors, security-awareness training, and immediate de-provisioning on offboarding.
• Backups & resilience: regular encrypted backups, defined recovery-point and recovery-time objectives for in-scope services.
• Incident response: a written incident-response plan with defined roles, escalation paths, and notification timelines.

Despite these safeguards, no system is completely secure. We cannot guarantee absolute security of Personal Data transmitted to or from our services.

16. Data-Breach Notification

In the event of a personal-data breach likely to result in a risk to the rights and freedoms of natural persons, we will notify the relevant supervisory authority without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach, in line with Article 33 GDPR.

Where we act as a processor for a client, we will notify the client without undue delay upon becoming aware of a personal-data breach affecting Client Data, in accordance with Article 33(2) GDPR and the applicable DPA.

17. Your Privacy Rights

Subject to applicable law, you may have some or all of the following rights with respect to your Personal Data. You can exercise any of these rights by emailing info@skyfallhq.netwith the subject line “Privacy Request.” We will respond within the period required by applicable law (typically one month under GDPR/UK GDPR, 45 days under CCPA/CPRA).

17.1 Rights under GDPR / UK GDPR

• Right of access — to obtain confirmation of whether we process your data and to receive a copy.
• Right to rectification — to correct inaccurate or incomplete data.
• Right to erasure (“right to be forgotten”) — subject to legal exceptions such as retention obligations.
• Right to restrict processing in defined circumstances.
• Right to data portability — to receive your data in a structured, commonly used, machine-readable format.
• Right to object — including the absolute right to object to direct marketing.
• Right to withdraw consent at any time where processing is based on consent.
• Right to lodge a complaint with a supervisory authority — see Section 19.

17.2 Rights under U.S. State Privacy Laws

If you are a resident of California, Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, Delaware, Iowa, Tennessee, or another U.S. state with a comprehensive consumer-privacy law, you have (subject to that state’s specific definitions, thresholds, and exceptions) the following rights:

• Right to know / access: confirm whether we process your Personal Information and obtain a copy of the categories and, where applicable, specific pieces collected, the sources, the purposes, and the categories of third parties to whom it is disclosed.
• Right to delete Personal Information we have collected from you, subject to statutory exceptions (e.g., to complete a transaction, security, legal obligation).
• Right to correct inaccurate Personal Information.
• Right to data portability — to receive your Personal Information in a portable, machine-readable format.
• Right to opt out of “sale” or “sharing” of Personal Information and of targeted advertising. We do not sell Personal Information for money and we do not share it for cross-context behavioral advertising as those terms are defined under CCPA/CPRA, VCDPA, CPA, CTDPA, TDPSA, OCPA, or similar laws. We honor the Global Privacy Control (GPC) signal as a valid opt-out preference signal.
• Right to opt out of profiling that produces legal or similarly significant effects (where the law provides this right).
• Right to limit use and disclosure of Sensitive Personal Information. We do not use Sensitive Personal Information for purposes that exceed the scope expected by an average consumer.
• Right to non-discrimination / non-retaliation for exercising any privacy right.
• Right to appeal a denial of a request — required under VCDPA, CPA, CTDPA, TDPSA, OCPA, and DPDPA. Appeals may be sent to info@skyfallhq.net with the subject “Privacy Appeal.” We will respond within 60 days and, if denied, identify the state Attorney General to whom you may complain.
• Authorized agents may submit requests on your behalf, subject to verification of authority.

17.3 Rights under Canadian, Brazilian, Australian, and other Global Privacy Laws

Residents of Canada (PIPEDA and Quebec Law 25), Brazil (LGPD), Australia (Privacy Act 1988 / APPs), Singapore (PDPA), India (DPDP Act), Japan (APPI), South Africa (POPIA), and other jurisdictions have analogous rights of access, correction, deletion, objection, withdrawal of consent, data portability (where applicable), and complaint to the competent supervisory authority. To exercise these rights, contact our DPO at the email above. Where local law requires a designated in-country representative or local-language responses, we will accommodate within the response windows required by that law (typically 30–45 days).

17.4 Verification

To protect your data, we will verify your identity before fulfilling a request. We may ask you to confirm information already held about you or to authenticate via the email address on file. Excessive or manifestly unfounded requests may attract a reasonable fee or be refused under applicable law.

18. Children’s Privacy

Our Site and services are directed to businesses and are not intended for children under the age of 16 (or under 13 in the United States as defined by the Children’s Online Privacy Protection Act, “COPPA”). We do not knowingly collect Personal Data from children. If you believe a child has provided Personal Data to us, please contact info@skyfallhq.net and we will delete the data without undue delay.

19. Complaints & Supervisory Authorities

We would prefer the opportunity to address your concerns directly. Please email info@skyfallhq.net in the first instance. You also have the right to lodge a complaint with a supervisory authority:

• California residents — the California Privacy Protection Agency (CPPA) at cppa.ca.gov and the California Attorney General at oag.ca.gov.
• Other U.S. state residents — your state Attorney General (e.g., Virginia AG, Colorado AG, Connecticut AG, Utah Division of Consumer Protection, Texas AG, Oregon AG, Montana AG, Delaware AG, Iowa AG, Tennessee AG).
• EU residents — the data-protection authority of your member state of residence, place of work, or place of alleged infringement (list at edpb.europa.eu).
• UK residents — the Information Commissioner’s Office (ICO) at ico.org.uk.
• Swiss residents — the Federal Data Protection and Information Commissioner (FDPIC).
• Canadian residents — the Office of the Privacy Commissioner of Canada (OPC) at priv.gc.ca; Quebec residents may complain to the Commission d’accès à l’information.
• Brazilian residents — the Autoridade Nacional de Proteção de Dados (ANPD).
• Australian residents — the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
• Singapore residents — the Personal Data Protection Commission (PDPC) at pdpc.gov.sg.
• Indian residents — the Data Protection Board of India (when constituted) under the DPDP Act, 2023.
• South African residents — the Information Regulator at inforegulator.org.za.

20. Third-Party Links

The Site may contain links to third-party websites, applications, or services that we do not operate. We are not responsible for the privacy practices of those third parties. We encourage you to read their privacy notices before submitting Personal Data to them.

21. Changes to This Policy

We may update this Policy from time to time. The “Last Updated” date at the top of this page indicates when the Policy was last revised. Material changes will be notified through a prominent notice on the Site or, where required by law, by email to active contacts. Continued use of the Site or services after an update constitutes acknowledgement of the revised Policy.