1. Who we are
TEGRALAB S.R.L., registered in Romania under CUI 52851778, with registered office at B-dul Dacia nr. 133, Sc. D, Sector 2, București, Romania (“TEGRALAB”, “we”, “us”, “our”) operates SkyLog, a business management platform for commercial drone pilots, accessible at skylog.tech (“Service”).
We are the data controller for personal data processed in connection with the Service.
Contact us at: privacy@skylog.tech
2. What data we collect and why
2.1 Account and profile data
When you register and use SkyLog, we collect:
- Identity data: full name, company name
- Contact data: email address, phone number, mailing address
- Professional data: pilot certificate numbers, regulatory framework (e.g. FAA Part 107, EASA A2), drone registration numbers
- Business data: client names and contact details, job records, invoice data, flight log entries, drone inventory
Legal basis: Article 6(1)(b) GDPR — processing is necessary to perform the contract between you and TEGRALAB (your subscription to SkyLog).
2.2 Payment and billing data
We collect billing name, address, and payment method details necessary to process your subscription. Full card numbers are not stored by us — they are handled directly by Stripe, Inc. We store Stripe customer and subscription identifiers.
Legal basis: Article 6(1)(b) GDPR — performance of contract; Article 6(1)(c) GDPR — compliance with our legal obligation to maintain accounting records.
2.3 Payment details you enter on invoices
If you add bank account details, PayPal, Wise, or other payment handles to your SkyLog profile for display on client invoices, we store this data on your behalf as part of the Service. You are responsible for the accuracy of this information. We do not use it for any purpose other than displaying it on your invoices.
Legal basis: Article 6(1)(b) GDPR — performance of contract.
2.4 Technical and usage data
We automatically collect:
- Log data: IP address, browser type, pages visited, timestamps
- Device data: device type, operating system, browser version
- Usage data: features used, actions taken within the Service (e.g. jobs created, invoices sent), error reports
We use Google Analytics to measure aggregate, anonymised usage of the Service so we can understand which features are used and improve performance. IP addresses are anonymised before processing, and we do not pass personal identifiers to Google. Analytics cookies are only set with your consent — see our Cookie Policy.
Legal basis: Article 6(1)(f) GDPR — our legitimate interest in maintaining the security and improving the performance of the Service; Article 6(1)(a) GDPR — your consent, for analytics cookies.
2.5 Communications
If you contact us for support or send feedback, we retain the content of those communications.
Legal basis: Article 6(1)(f) GDPR — our legitimate interest in providing customer support and improving the Service.
2.6 Marketing emails
With your explicit consent, we may send you product updates, feature announcements, and commercial communications. You may withdraw consent at any time using the unsubscribe link in any email or by contacting us.
Legal basis: Article 6(1)(a) GDPR — your consent.
3. How we use your data
We use your personal data to:
- Create and manage your SkyLog account
- Provide and operate the Service, including generating invoices and PDFs on your behalf
- Process subscription payments and issue receipts
- Send transactional emails: credential expiry reminders, invoice delivery, account notifications
- Provide customer support
- Monitor and maintain the security of the Service
- Comply with legal obligations (tax records, accounting)
- Improve and develop new features
We do not sell your personal data to third parties. We do not use your business data (client lists, job records, flight logs) for any purpose other than providing the Service to you.
4. Who we share data with
We share data only with the following categories of recipients:
4.1 Sub-processors
We use the following third-party service providers who process personal data on our behalf under data processing agreements:
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase, Inc. | Database, authentication, file storage | United States | Standard Contractual Clauses |
| Stripe, Inc. | Payment processing | United States | Standard Contractual Clauses |
| Resend, Inc. | Transactional email delivery | United States | Standard Contractual Clauses |
| Mapbox, Inc. | Map display for flight log | United States | Standard Contractual Clauses |
| Google LLC | Analytics (Google Analytics) | United States | Standard Contractual Clauses |
| Vercel, Inc. | Application hosting and infrastructure | United States | Standard Contractual Clauses |
4.2 Legal and regulatory
We may disclose personal data to law enforcement, regulators, or other authorities if required by applicable law, court order, or to protect the rights, property, or safety of TEGRALAB, our users, or others.
4.3 Business transfers
If TEGRALAB is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction. We will notify you before your data is transferred and becomes subject to a different privacy policy.
5. International data transfers
TEGRALAB is established in Romania (EU). Some of our sub-processors are located in the United States. Where we transfer personal data outside the European Economic Area, we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission (Article 46(2)(c) GDPR).
6. Data retention
| Data category | Retention period |
|---|---|
| Account and profile data | For the duration of your account, plus 5 years after closure (accounting obligations) |
| Client, job, and flight log data | Until you delete it, or until your account is closed |
| Invoice records | 10 years from the invoice date (Romanian accounting law — Legea contabilității nr. 82/1991) |
| Payment records | 5 years from the date of transaction |
| Technical logs | 90 days |
| Support communications | 3 years from the date of last communication |
| Marketing consent records | Until consent is withdrawn, plus 1 year thereafter |
When your account is closed, we delete or anonymise personal data within 90 days, except where longer retention is required by law.
7. Your rights under GDPR
As a data subject under GDPR, you have the following rights:
Right of access (Article 15): You may request a copy of the personal data we hold about you.
Right to rectification (Article 16): You may request correction of inaccurate or incomplete data.
Right to erasure (Article 17): You may request deletion of your personal data where we no longer have a lawful basis to hold it. Note that some data may be retained where required by law (e.g. invoice records).
Right to restriction of processing (Article 18): You may request that we limit how we use your data in certain circumstances.
Right to data portability (Article 20): You may request your personal data in a structured, commonly used, machine-readable format. From within SkyLog, you can export your clients, jobs, flight logs, and invoices at any time from the Settings page.
Right to object (Article 21): You may object to processing based on our legitimate interests. Where your objection is valid, we will stop processing for that purpose.
Right to withdraw consent (Article 7(3)): Where processing is based on your consent (e.g. marketing emails), you may withdraw consent at any time without affecting the lawfulness of prior processing.
To exercise any of these rights, contact us at privacy@skylog.tech. We will respond within 30 days. We may request proof of identity before processing your request.
8. Complaints
If you believe we have handled your personal data unlawfully, you have the right to lodge a complaint with the Romanian supervisory authority:
Autoritatea Națională de Supraveghere a Prelucrării Datelor cu Caracter Personal (ANSPDCP)
B-dul G-ral. Gheorghe Magheru nr. 28-30, Sector 1, București, 010336
anspdcp@dataprotection.ro · www.dataprotection.ro
You may also lodge a complaint with the supervisory authority of any EU member state where you habitually reside or work.
9. Security
We implement appropriate technical and organisational measures to protect personal data, including:
- Encryption of data in transit (TLS) and at rest
- Row-level security on all database tables
- Restricted access to production systems
- Sensitive fields (e.g. bank account numbers) are masked in the user interface
- Regular security reviews
No method of transmission or storage is completely secure. In the event of a data breach that poses a risk to your rights and freedoms, we will notify the ANSPDCP within 72 hours and affected users without undue delay, as required by Article 33–34 GDPR.
10. Children
The Service is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a minor has provided personal data to us, contact us and we will delete it promptly.
11. Changes to this policy
We may update this Privacy Policy from time to time. Where changes are material, we will notify you by email or by a prominent notice within the Service at least 14 days before the changes take effect. The current version is always available at skylog.tech/privacy.