Privacy Policy

Last updated: 2026-06-26 · Applies to the Skipaki Pro portal at pro.skipaki.com and the demo at demo.pro.skipaki.com.

Starter content. This page reflects the technical truth of what Skipaki Pro collects, where it lives, and how it's processed. The legal phrasing is under review by counsel before the operator subscription opens.

Roles under GDPR

Skipaki is the controller for operator account data — your business name, contact details, billing, telemetry on how the portal is used.

Skipaki is the processor for your customers' data — names, phones, addresses, orders, invoices that your operators enter into the portal. You are the controller; we process strictly on your instructions and under a Data Processing Agreement (see DPA, coming soon).

What we collect from operators

Account: business name, legal name, VAT number, base city, contact phone and email
Billing: bank IBAN, invoice prefix, default VAT rate, supplier address
Team: invited members' emails and roles
Authentication: email, password hash, session tokens (handled by Supabase)
Usage: timestamps of which pages you visit inside the portal, errors, performance traces

What we process on behalf of operators

Operator's customers: name, phone, email, address, notes, order history
Orders: address (with lat/lng), container size, waste type, dates, prices, payment terms
Invoices: customer name and address frozen at issue time, line items, totals
Audit log: every state change with actor name, action, timestamp (Art. 30 record)

Legal basis (GDPR Art. 6)

Performance of contract — your subscription agreement with Skipaki
Legal obligation — invoice retention under Cyprus tax law
Legitimate interest — service security, fraud prevention, product analytics

Sub-processors

The full, current list with locations and safeguards is at /promo/legal/sub-processors. The main ones: Supabase (EU), Vercel (EU), Google Maps (US, SCCs), OpenAI for AI freeform parsing (US, SCCs + zero-retention), MailerSend (EU).

Cross-border transfers

Operator and customer data primarily lives in Dublin (eu-west-1). Two flows leave the EU under Standard Contractual Clauses:

Google Maps — customer addresses sent to geocode and route. Google operates under SCCs and the EU-US Data Privacy Framework.
OpenAI — freeform job notes sent for parsing into structured fields. Zero-retention enabled at the API layer; OpenAI does not log the prompt/response.

Retention

Operator accounts: while the subscription is active + 90 days
Customer records: while the operator's account exists; soft-deleted records hard-deleted after 90 days
Invoices: 7 years (Cyprus tax law) — personal details may be anonymised after that period on request
Audit log: while the operator's account exists
Authentication sessions: refresh tokens valid 1 year, rotated continuously

Your rights (Art. 15-22)

Access — operators can export their full data set via the export tool at /pro/reports/export (a dedicated DSAR export is on the roadmap)
Rectify — edit any record directly in the portal
Erasure — request account deletion via privacy@skipaki.com
Restrict / object — email us and we'll suspend processing while we review
Portability — JSON/CSV export of operator and customer records on request

We respond within one calendar month.

Security

Row-Level Security on every Postgres table — each operator sees only their own data
HTTPS only, HSTS preload, modern security headers
Auth tokens scoped to *.skipaki.com with same-site lax cookies
Append-only audit log of every state change

Breach notification

If we detect unauthorised access to operator or customer data we notify affected operators within 24 hours and the Cyprus OCDPC within 72 hours per Art. 33.

Complaints

You can complain to the Cyprus Commissioner for Personal Data Protection at dataprotection.gov.cy.

Contact

Privacy questions: privacy@skipaki.com. General support: hello@skipaki.com.