Privacy Policy

Skeldy SAS (Skeldy SAS, 12 rue de la Paix, 75002 Paris, France) is the data controller for personal data processed through the Skeldy product. Registered in France, RCS Paris (registration number to be confirmed at incorporation).

For privacy questions, contact [email protected]. For Data Protection Officer enquiries, contact [email protected].

We collect the minimum data necessary to operate Skeldy. Categories include:

• Account data — name, email, role, organisation membership.
• Schedule data — shifts, sections, qualifications, availability, preferences.
• Communications — messages, comments, broadcast translations within the product.
• Billing data — handled by Stripe; we receive non-sensitive metadata only (last four digits of card, country).
• Product analytics — pageviews, clicks, feature usage. Only collected with your explicit consent.
• Technical data — IP address, user agent, request logs (retained 30 days for security).

Each processing activity has a defined purpose and a GDPR Article 6 legal basis:

Provide the service

Performance of the contract (Art. 6(1)(b)). Includes account creation, scheduling, AI-assisted reconfiguration, broadcast translation, and compliance checks.

Billing and tax

Legal obligation (Art. 6(1)(c)) and contract performance.

Security and abuse prevention

Legitimate interest (Art. 6(1)(f)). Includes audit logs, rate limiting, fraud detection.

Product analytics and improvement

Consent (Art. 6(1)(a)). You can withdraw consent at any time via the cookie banner or /cookies.

Customer support

Performance of the contract and legitimate interest.

We host the product on EU infrastructure. Production data resides in eu-central-1 (Frankfurt). Our sub-processors:

• Supabase (database, authentication, storage) — eu-central-1.
• Vercel (web hosting) — EU regions, Vercel Pro EU configuration.
• Resend (transactional email) — EU region.
• Stripe (payments) — EU and US, Standard Contractual Clauses in place.
• Google LLC (Google AI API — LLM inference, text and vision) — global infrastructure; EU data residency not contractually guaranteed. Terms: business.safety.google/sar/
• Sentry (error monitoring) — EU instance.
• PostHog (product analytics, opt-in only) — eu.posthog.com.
• Nango (POS/PMS connectors) — EU region where supported.

Where any transfer outside the EU/EEA is unavoidable, we rely on EU Standard Contractual Clauses (2021/914) and supplementary measures (encryption in transit and at rest, role-based access, audit logging).

⚠ Note: The Google AI API (aistudio.google.com) does not contractually guarantee EU data residency. Data processed by the AI scheduling assistant may be processed on Google's global infrastructure. This differs from our previous Vertex AI europe-west4 arrangement. We are evaluating a return to EU-region AI infrastructure. If this affects your compliance requirements, contact us at [email protected].

• Account data — for the lifetime of your subscription, plus 30 days after termination.
• Schedule data — for the lifetime of your subscription, plus 30 days; you can export anytime via the GDPR export endpoint.
• Audit logs — 13 months (security and dispute resolution).
• Billing records — 10 years (French commercial code requirement).
• Free Compliance Audit photos — encrypted and deleted automatically after 1 hour.
• Product analytics events — 12 months, only when consent is granted.

You have the right to access, rectify, erase, restrict, port, and object to the processing of your personal data, plus the right to withdraw consent at any time without affecting prior lawful processing.

Exercise these rights from your account settings, via our self-service GDPR endpoints (/api/gdpr/export delivers a JSON archive of your data; /api/gdpr/delete schedules deletion subject to legal-retention exceptions), or by writing to [email protected]. We respond within one month, extendable by two further months for complex requests with notice.

You may lodge a complaint with the CNIL (France, www.cnil.fr) or with the supervisory authority of your habitual residence, place of work, or place of the alleged infringement — for example AEPD (Spain), BfDI (Germany), Garante (Italy), or the Information Commissioner's Office (UK).

If your General Manager or Section Manager invites you to Skeldy, we receive your name, email, role, and section assignment from them rather than from you directly (GDPR Art. 14). The legal basis for this collection is the legitimate interest of the organisation in operating its workforce schedule, balanced against your interests via this notice and your rights below. You may object at any time by contacting your General Manager or by writing to us.

Skeldy's AI features (compliance check, schedule reconfiguration, multilingual broadcast, photo OCR for the Free Compliance Audit) propose outcomes; they never automatically apply changes that affect your shifts. A General Manager or Section Manager always reviews and confirms before any schedule is published. You are not subject to a decision based solely on automated processing within the meaning of GDPR Art. 22(1).

If you believe an AI suggestion that was actioned by your manager has unfairly affected you, you have the right to obtain an explanation, contest the decision, and request human re-review. Contact your General Manager first; if unresolved, write to us.

Skeldy is a B2B workforce-management platform and is not directed to children. Where staff under 18 are scheduled (most commonly 16–17-year-olds in apprenticeship), the General Manager is responsible for confirming parental authorisation where required by national law. Skeldy's compliance engine applies country-specific minor restrictions automatically (no late-night shifts, mandatory rest, weekly hours caps). We do not knowingly collect personal data from children under the relevant national age of digital consent without parental authorisation.

Encryption in transit (TLS 1.2+) and at rest (AES-256). Row-level security on every database table. Role-based access aligned with your hierarchy (General Manager, Section Manager, Staff). Audit logs on every privileged action. Annual penetration tests. SOC 2 Type 1 readiness in progress.

Suspected vulnerabilities can be reported confidentially to [email protected].

We notify customers by email at least 14 days before any material change to this policy. The effective date at the top of this page reflects the version currently in force.