Privacy Policy
This Privacy Policy explains what personal data SmartKeep Solutions SRL (registered no. RO43273365, trade reg. J02/1147/2020, based at Arad, Romania — "Skryx", "we") processes, for what purposes, on what legal basis, and what rights you have. It covers skryx.io, the dashboard at app.skryx.io, our API and our plugins (together, the "Service").
Data-protection contact: privacy@skryx.io.
1. Our two roles
Controller. For customer account data (the administrators who sign up and use the dashboard) — name, email, billing details, usage logs — we determine the purposes and means of processing, so we act as a controller.
Processor. For the data you upload and we process on your behalf — your product catalogue and the shopper events from your store — you are the controller and we are the processor. That processing is governed by our Data Processing Agreement (DPA), which forms part of your contract.
2. What data we process
2.1 Account data (Skryx as controller)
- Identity & contact: name, email address, company name, country.
- Authentication: password (stored hashed), session tokens, sign-in logs.
- Billing: plan, invoice history and payment status. Card details never reach us — they are processed directly by Stripe.
- Usage & diagnostics: dashboard actions, IP address, browser type, error and performance logs.
- Communications: your support messages and correspondence with us.
2.2 Data processed on your behalf (Skryx as processor)
- Catalogue: product titles, descriptions, prices, stock, images, categories, brands and SKUs that you sync for indexing.
- Search queries entered by your shoppers.
- Interaction events from shoppers: searches, page/product views, add-to-cart and completed-order events. These carry an anonymous per-session identifier and, transiently, the IP address (for rate-limiting and geographic aggregation). By design we do not request or store shopper names, emails or addresses.
Your catalogue could in theory contain personal data (e.g. an author's name); as the controller, it is your responsibility to establish a lawful basis for uploading it.
3. Purposes & legal bases (GDPR Art. 6)
| Purpose | Legal basis |
|---|---|
| Providing the Service (account, indexing, search, AI, dashboard) | Performance of contract (Art. 6(1)(b)) |
| Billing and tax compliance | Contract + legal obligation (Art. 6(1)(b),(c)) |
| Security, abuse prevention, logging | Legitimate interest (Art. 6(1)(f)) |
| Improving the Service and aggregate analytics | Legitimate interest (Art. 6(1)(f)) |
| Marketing emails | Consent (Art. 6(1)(a)), withdrawable any time |
| Non-essential cookies | Consent — see Cookie Policy |
4. Sub-processors & vendors
We rely on carefully selected vendors, bound by confidentiality and security obligations. The list of sub-processors for data processed on your behalf is maintained in the DPA. Our principal vendors are:
| Vendor | Role | Location |
|---|---|---|
| Stripe | Payment processing | EU / US |
| Google Cloud (GCS) | Encrypted backups | EU |
| Cloudflare | Object storage (R2), CDN, security | Global / EU |
| Anthropic (Claude) | Query understanding (AI) | US |
| Voyage AI | Embeddings for semantic search | US |
| Twilio SendGrid | Transactional email | US |
| Sentry | Error monitoring | US |
Core infrastructure (servers, the search engine) is hosted in the European Union.
5. International transfers
Some vendors are outside the EEA (notably the US). For those transfers we rely on the safeguards provided by the GDPR — principally the European Commission's Standard Contractual Clauses (SCCs) and, where applicable, EU–US Data Privacy Framework certification — together with supplementary technical measures (encryption in transit and at rest).
6. How long we keep data
- Account data: for the duration of the contract and thereafter as required by law (e.g. accounting records under applicable tax law).
- Shopper events: kept for a limited analytics window, then aggregated or deleted.
- Backups: a 7-daily / 4-weekly / 6-monthly encrypted rotation.
- Diagnostic logs: typically under 90 days.
On account closure we delete or anonymise data within a reasonable period, subject to legal retention obligations.
7. Security
We apply appropriate technical and organisational measures: TLS encryption in transit, encryption at rest for backups, role-based access control, isolation on a containerised architecture, monitoring and logging, and hashing of passwords and secret keys. No system is 100% secure, but we follow accepted industry practice.
8. Your rights
Under the GDPR you have the right to access, rectification, erasure, restriction, portability, objection, and withdrawal of consent. You can exercise them from Settings → Privacy (data export and account deletion) or by writing to privacy@skryx.io. We respond within one month. You also have the right to lodge a complaint with a supervisory authority — in Romania, the ANSPDCP.
If you are a shopper of a store that uses Skryx and wish to exercise rights over data we process on that store's behalf, please contact the store (the controller) directly; we will assist the store under the DPA.
9. Children
The Service is aimed at businesses and is not directed at anyone under 18. We do not knowingly collect children's data.
10. Changes
We may update this policy. Material changes will be notified by email or in-dashboard at least 30 days before they take effect. The version and date are shown in the header.
11. Contact
SmartKeep Solutions SRL · Arad, Romania
Privacy / DPO: privacy@skryx.io · General: hello@skryx.io