Skip to main content
grid_view
Skode

GDPR & UK GDPR Data Subject Rights

Last updated: March 15, 2026

This page describes how Skode Technologies ("Skode," "we," "us," or "our") complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation ("UK GDPR") as retained under the Data Protection Act 2018. It outlines the rights available to individuals in the European Union (EU), European Economic Area (EEA), and the United Kingdom (UK). This page supplements our Privacy Policy.

1. Applicability

The GDPR and UK GDPR apply to the processing of personal data of individuals who are in the EU/EEA or the UK, regardless of where the processing takes place. This page applies to you if:

  • You are located in the EU, EEA, or the United Kingdom and use our Services.
  • You are an EU/EEA/UK resident whose data is processed by Skode or by a Skode customer using our platform.
  • Your personal data is transferred to or from the EU/EEA or UK in connection with our Services.

Skode acts as a data controller when processing data of our own users (account holders, website visitors). Skode acts as a data processor when processing data on behalf of our customers (your CRM data, contacts, leads, and communications stored in Skode).

2. Your Rights (Articles 15-22)

Under the GDPR and UK GDPR, you have the following rights regarding your personal data:

2.1 Right of Access (Article 15)

You have the right to obtain confirmation of whether we process your personal data and, if so, to access that data along with information about the purposes of processing, categories of data, recipients, retention periods, and your rights. You may request one copy of your personal data free of charge.

2.2 Right to Rectification (Article 16)

You have the right to request correction of inaccurate personal data without undue delay. You also have the right to have incomplete personal data completed, including by means of providing a supplementary statement.

2.3 Right to Erasure — Right to Be Forgotten (Article 17)

You have the right to request erasure of your personal data without undue delay where:

  • The data is no longer necessary for the purposes for which it was collected.
  • You withdraw consent and there is no other legal basis for processing.
  • You object to processing and there are no overriding legitimate grounds.
  • The data has been unlawfully processed.
  • The data must be erased to comply with a legal obligation.

This right is not absolute. We may retain data where processing is necessary for compliance with a legal obligation, for the establishment, exercise, or defense of legal claims, or for reasons of public interest.

2.4 Right to Restriction of Processing (Article 18)

You have the right to request restriction of processing where you contest the accuracy of the data, where the processing is unlawful but you oppose erasure, where we no longer need the data but you require it for legal claims, or where you have objected to processing pending verification of legitimate grounds.

2.5 Right to Data Portability (Article 20)

You have the right to receive your personal data in a structured, commonly used, and machine-readable format (JSON or CSV), and to transmit that data to another controller without hindrance. This right applies where processing is based on consent or contract performance and is carried out by automated means.

2.6 Right to Object (Article 21)

You have the right to object to processing of your personal data based on legitimate interests (Article 6(1)(f)) or public interest (Article 6(1)(e)), including profiling based on these provisions. We will cease processing unless we demonstrate compelling legitimate grounds that override your interests, rights, and freedoms.

You have an absolute right to object to processing of your personal data for direct marketing purposes, including profiling related to direct marketing. We will cease processing for direct marketing immediately upon receiving your objection.

2.7 Rights Related to Automated Decision-Making (Article 22)

You have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you. This right does not apply where the decision is necessary for a contract, authorized by law, or based on explicit consent.

Skode uses automated processing for lead scoring, deal prediction, and other AI-powered analytics. For more information, see our AI Transparency Policy. Where automated decision-making applies, we provide meaningful information about the logic involved and the significance and envisaged consequences.

3. Right to Lodge a Complaint (Article 77)

You have the right to lodge a complaint with a supervisory authority if you believe that the processing of your personal data infringes the GDPR or UK GDPR. You may lodge a complaint with the supervisory authority in the EU member state where you habitually reside, where you work, or where the alleged infringement took place. UK residents may lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

See our EU and UK Representative page for a list of supervisory authority contact information. We encourage you to contact us first so we can attempt to resolve your concern.

4. Lawful Basis for Processing

We process personal data only where we have a lawful basis under GDPR Article 6. The lawful bases we rely on include:

  • Consent (Article 6(1)(a)): For marketing communications, non-essential cookies, and AI processing where consent is required.
  • Contract Performance (Article 6(1)(b)): For providing the Services you have subscribed to, processing transactions, managing your account, and delivering features.
  • Legal Obligation (Article 6(1)(c)): For retaining billing records as required by tax law, responding to lawful data requests from authorities, and maintaining records required by applicable regulations.
  • Legitimate Interest (Article 6(1)(f)): For improving our Services, preventing fraud, ensuring security, and sending service-related communications. We conduct Legitimate Interests Assessments (LIAs) to balance our interests against your rights.

5. Data We Process

We process the following categories of personal data for EU/EEA and UK individuals:

  • Identity data (name, username, job title).
  • Contact data (email address, phone number, company name, postal address).
  • Technical data (IP address, browser type, device information, cookies).
  • Usage data (features used, pages visited, session duration, interaction patterns).
  • Transaction data (subscription details, payment history, invoices).
  • CRM data (leads, contacts, deals, notes, tasks — as data processor on behalf of customers).
  • Communication data (support inquiries, feedback, chat messages).
  • Audio data (voice input recordings — processed in real-time, not stored after transcription).

6. Retention Periods

We retain personal data only for as long as necessary to fulfill the purposes for which it was collected:

  • Account data: Duration of account plus 30 days after deletion request.
  • CRM data: Duration of subscription, plus 30 days for data export after termination, then permanent deletion within 90 days.
  • Billing records: 7 years as required by tax regulations.
  • Server logs: 90 days.
  • Marketing consent records: Duration of consent plus 5 years.
  • Support communications: 3 years after resolution.
  • Cookie data: As specified in our Cookie Policy.

7. Cross-Border Transfers

Your personal data may be transferred to and processed in countries outside the EU/EEA or the UK. When we transfer personal data internationally, we ensure that appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We use the European Commission-approved SCCs (adopted June 2021) for transfers to countries without an adequacy decision.
  • UK International Data Transfer Agreement (IDTA) and UK Addendum: For transfers of personal data outside the UK, we rely on the UK IDTA or the UK Addendum to the EU SCCs, as approved by the ICO under Section 119A of the Data Protection Act 2018.
  • EU-US Data Privacy Framework (DPF): Where applicable, we rely on the EU-US Data Privacy Framework for transfers to certified US organizations. The UK Extension to the EU-US DPF is used for UK transfers where applicable.
  • Adequacy Decisions: Where the European Commission or UK Government has determined that a country provides an adequate level of data protection, no additional safeguards are required.
  • Supplementary Measures: Where required by our Transfer Impact Assessments (TIAs), we implement supplementary technical and organizational measures (encryption, pseudonymization, access controls) to ensure adequate protection.

8. Sub-Processors

We use third-party sub-processors to assist in providing the Services. A complete list of our sub-processors, including their locations and purposes, is available on our Sub-Processors page. We conduct due diligence on all sub-processors and enter into data processing agreements that require them to protect personal data in accordance with the GDPR.

We will notify customers of any new sub-processors at least 30 days before they begin processing personal data, giving customers the opportunity to object.

9. Data Protection Officer (DPO) Contact

Skode has appointed a Data Protection Officer to oversee GDPR compliance. You may contact our DPO for any questions about data protection or to exercise your rights:

10. EU and UK Representative Contact

As required by GDPR Article 27 and UK GDPR Article 27, Skode has designated representatives in both the EU and UK. For contact details, please visit our EU and UK Representative page.

11. How to Exercise Your Rights

To exercise any of the rights described on this page, you may:

We will respond to your request within 30 days. If we need to extend this period (by up to an additional 60 days for complex requests), we will inform you within the initial 30-day period, along with the reasons for the delay.

12. Children's Data

Our Services are not directed at children under the age of 16 (or the applicable age set by each EU member state, ranging from 13 to 16). We do not knowingly collect personal data from children below this age without verifiable parental consent.

If we become aware that we have collected personal data from a child without proper consent, we will take steps to delete that data promptly. If you believe a child has provided us with personal data, please contact us at privacy@skodeai.com.

13. Contact Information

For any GDPR-related inquiries, please contact: