Privacy Policy
Effective Date: October 1, 2024
1. Introduction
Welcome to Skellig Labs. Skellig Labs ("we," "our," "us") is a company registered in Ireland, committed to protecting the privacy and security of the data of our clients ("Client," "you," "your Organization") and their authorized users ("Users").
This Privacy Policy explains how we collect, use, process, and disclose information, including personal data, in conjunction with your access to and use of our AI Document Validation System (the "Service"). Our Service is a Business-to-Business (B2B) platform designed to streamline document validation, initially for the Irish property sector. As we operate from Ireland, we are bound by the General Data Protection Regulation (GDPR), and we act as a "Data Processor" on behalf of our Clients.
This policy should be read in conjunction with our Terms of Service. By using our Service, you agree to the collection and use of information in accordance with this policy.
2. What Data We Collect and Why
We collect information necessary to provide and improve our Service, maintain account security, and fulfill our contractual obligations to our Clients.
2.1. Information You Provide to Us
- Organization Account Information: When a Client organization signs up for our Service, we collect information about the organization, including Organization Name, Business Address, and primary contact information.
- User Account Information: To create and manage User accounts, we collect personal data from Users, including Full Name, Work Email Address, and Job Title.
- Authentication Credentials: We collect User email addresses and hashed passwords for authentication. We never store plaintext passwords. Passwords are salted and securely hashed using a strong, industry-standard password-hashing algorithm (bcrypt, via the bcryptjs library).
- Documents for Processing: The core of our Service involves processing documents you upload (e.g., PDF, DOCX, JPG formats). These documents may contain personal data. We process this data solely on your behalf and according to your instructions to perform the validation service.
- User-Generated Content: We may collect information you voluntarily provide, such as comments or feedback on validation results within the application.
2.2. Information We Automatically Collect
- Document Metadata: We automatically collect metadata associated with uploaded documents, such as the filename, upload timestamp, and the identity of the User who uploaded the file.
- Service Usage Data (Internal): We may collect anonymized, aggregated data about how Users interact with our Service (e.g., features used, clicks). This data is used for internal purposes like service improvement and security monitoring and is not tied to individual user identities.
3. How We Use Your Data
We use the information we collect for the following purposes, based on the legal basis of performing our contract with you and our legitimate interests in operating a secure and efficient service:
- To Provide and Maintain the Service: To create and manage accounts, authenticate Users, process uploaded documents, and display validation results.
- To Manage Our Relationship With You: To communicate with you about your account, including sending essential service notifications, welcome emails, and password reset links. These are transactional emails required for the Service.
- For Security and Compliance: To prevent fraud, secure our platform, and comply with our legal obligations under Irish and EU law. We use server-side input validation (via the zod library) to ensure data integrity.
- For Service Improvement: To understand how our Service is used, to troubleshoot issues, and to develop new features and capabilities.
4. Data Sharing and Sub-processors
We do not sell your personal data. We only share data with a limited number of third-party service providers ("Sub-processors") who are essential for us to provide the Service. We have signed Data Processing Agreements (DPAs) with all Sub-processors to ensure they uphold the same level of data protection and privacy standards that we do.
Our key Sub-processors include:
Core AI Service Provider:
- Purpose: To perform the core document validation.
- Data Shared: The content of the documents you upload is sent via a secure, encrypted (HTTPS) API.
- Safeguards: Our provider is contractually obligated to process the data only to provide the validation result and is prohibited from retaining or using the document data for its own purposes after processing is complete.
Hosting and Database:
- Providers: Vercel (Application Hosting) and MongoDB Atlas (Database Hosting).
- Purpose: To host our application infrastructure and store your data securely.
- Data Location: To comply with GDPR, all Client data is stored and processed within the European Union (MongoDB Atlas region: Frankfurt, eu-central-1).
Transactional Email Provider:
- Provider: Resend.
- Purpose: To send essential, non-marketing emails.
- Data Shared: User email addresses and names.
5. Data Security
We take the security of your data very seriously and implement a range of technical and organizational measures to protect it.
- Encryption in Transit: All data transmitted between your browser, our servers, and our Sub-processors is encrypted using Transport Layer Security (TLS 1.2 or higher).
- Encryption at Rest: All data stored in our database (MongoDB Atlas) is encrypted at rest by default.
- Access Control: We implement strict Role-Based Access Control (RBAC) within our application. Users can only access data and documents associated with their own Organization.
- Secure Development: We manage sensitive credentials such as API keys and database connection strings as secure environment variables and do not commit them to source control. Our data schemas are strictly defined to ensure data consistency and integrity.
6. Data Retention
We retain data only for as long as necessary to fulfill the purposes for which it was collected.
- User and Organization Data: We retain your organization's data, including user profiles and uploaded documents, for as long as your Organization maintains an active subscription to our Service.
- Upon Termination: If a Client's contract is terminated, all associated data (including documents and validation results) will be held for a grace period of thirty (30) days. After this period, the data will be permanently and irrevocably deleted from our systems.
- User Deletion: An Organization's administrator can delete individual User accounts. Upon deletion, the User's personal data is either deleted or anonymized in our systems.
7. Cookies and Tracking Technologies
We use cookies and similar technologies for functional purposes only. We do not use third-party advertising or tracking cookies.
- Authentication Cookie: We use a secure, httpOnly cookie to store a JSON Web Token (JWT) that manages your authenticated session. This is essential for keeping you logged in securely.
- Preference Storage: We may use browser local storage to remember your user interface preferences, such as a "dark" or "light" theme choice. This is not a cookie and is stored only in your browser.
8. Your Data Protection Rights (GDPR)
As our services are governed by Irish and European Union law, all Users benefit from the rights granted under the General Data Protection Regulation (GDPR). Please note that since we are a Data Processor, many of these rights must be exercised by your Organization's administrator, who is the Data Controller.
- The Right to Access: You can access most of your personal data directly through your account dashboard. Your Organization can request a complete export of its data by contacting our support team.
- The Right to Rectification: You can update or correct your personal profile information (e.g., name, job title) in your account settings.
- The Right to Erasure ("Right to be Forgotten"): Your Organization's administrator can delete individual User accounts or specific documents. To request the complete deletion of your Organization's account and all associated data, please contact our support team. This is subject to the retention policy outlined in Section 6.
- The Right to Data Portability: Your Organization has the right to receive its data in a structured, commonly used, and machine-readable format.
- The Right to Lodge a Complaint: You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority is the Irish Data Protection Commission (DPC).
To exercise any of these rights, Users should first contact their Organization's administrator. Administrators may contact us directly at legal@skelliglabs.com to make requests on behalf of their Organization.
9. International Data Transfers
As we expand our services into markets like the United Kingdom and the United States, your data may be processed by sub-processors located outside the European Economic Area (EEA). Where we transfer your data outside the EEA, we will ensure that the transfer is lawful and that your data is protected by appropriate safeguards, such as the European Commission’s Standard Contractual Clauses (SCCs) or an adequacy decision.
10. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. We will notify you of any changes by posting the new Privacy Policy on this page and updating the "Effective Date" at the top. For material changes, we may also notify your Organization's administrator via email.
11. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us at:
Skellig Labs
[Your Company Address, e.g., The Digital Hub, Dublin 8, Ireland]
Email: legal@skelliglabs.com