SkyDesk
Broker CRM

Privacy Policy

BaleAir UG - As of: April 2025

1. Controller

The controller for the processing of personal data in connection with this website and the SkyDesk platform is:

BaleAir UG
Diefenbacherstr. 30
75433 Maulbronn
Germany

Email: john@skydesk.aero

2. General Information

We process personal data in accordance with the General Data Protection Regulation ("GDPR") and applicable German data protection law.

This Privacy Policy explains how we process personal data when you visit our website, register for or use SkyDesk, contact us, receive emails from us, make payments, or connect third-party email accounts to the platform.

SkyDesk is a software platform for brokers in the private aviation sector and is intended for business users only.

3. Categories of Data

Depending on how you interact with us, we may process the following categories of personal data:

  • - account and identification data, such as name, email address, company details, and account identifiers;
  • - authentication data, such as login provider information and OAuth-related account metadata;
  • - contact and communication data, such as email address and message content;
  • - billing and transaction data, such as subscription plan, invoice details, payment status, and transaction-related information;
  • - technical and usage data, such as IP address, browser type, device information, timestamps, log entries, and usage events;
  • - customer-submitted data stored and processed in the SkyDesk platform, including personal data relating to business contacts, requests, passengers, documents, and other customer content;
  • - connected account data, such as email address, provider account identifier, authorization metadata, and tokens required to enable email sending through a connected Google or Microsoft/Outlook account.
4. Purposes and Legal Bases

4.1 Website and Platform Provision

When you access our website or platform, we may process technical data necessary to provide the service securely and reliably, including server requests, IP address, browser/device information, timestamps, and security-related log data. This processing is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.

4.2 Hosting and Infrastructure

SkyDesk is hosted using Firebase / Google infrastructure. Technical and operational data may be processed for hosting, storage, delivery, and related infrastructure services. This processing is based on Art. 6(1)(b) GDPR where necessary for the contracted service, and otherwise on Art. 6(1)(f) GDPR.

4.3 Registration and Login

When you register for or sign in to SkyDesk, we process your login and account data. Authentication is provided via Firebase Authentication using OAuth-based sign-in. This processing is necessary pursuant to Art. 6(1)(b) GDPR.

4.4 Use of the SkyDesk Platform

When you use SkyDesk, we process personal data necessary to provide the platform functions, maintain user accounts, create and manage documents, operate the service, ensure IT security, and improve product performance. This is based on Art. 6(1)(b) and Art. 6(1)(f) GDPR.

4.5 Customer Data Stored in the Platform

Users may store and process personal data in the platform, for example data relating to business contacts, customers, inquiries, passengers, or generated documents. To the extent we process such data on behalf of our customers, we act as a processor pursuant to Art. 28 GDPR. The respective customer remains responsible for the lawful collection and use of that data.

4.6 Payments and Billing

If you purchase paid services, we process billing and payment-related data for subscription management, invoicing, payment handling, fraud prevention, accounting, and legal compliance. This is based on Art. 6(1)(b) and Art. 6(1)(c) GDPR. Payments are processed via Stripe Payments Europe Ltd. We do not store full payment card details ourselves.

4.7 Transactional Emails

We send transactional and service-related emails, such as account notifications, authentication communications, billing emails, and operational notices. Such emails may be sent through Mailgun. This is based on Art. 6(1)(b) and Art. 6(1)(f) GDPR.

4.8 Analytics

We use analytics tools to understand the use, performance, and reach of our website and platform and to improve usability and technical performance. This is based on our legitimate interest pursuant to Art. 6(1)(f) GDPR.

4.9 Contact Requests

When you contact us, we process your contact details and the content of your communication to handle your request. This is based on Art. 6(1)(b) or Art. 6(1)(f) GDPR.

4.10 Connected Google or Microsoft/Outlook Accounts

If you connect your Google or Microsoft/Outlook email account to SkyDesk, we process the data and authorisations necessary to enable the integration solely for the purpose of sending emails and generated documents through your own connected account. SkyDesk does not read your existing emails, does not access your inbox content, does not search your mailbox, and does not import your contacts, except to the extent technically unavoidable for the pure sending function itself.

This processing is based on Art. 6(1)(b) and Art. 6(1)(f) GDPR. Access tokens are stored only for as long as necessary to maintain the integration and are deleted when the integration is removed or the token is revoked. Users can disconnect a connected account at any time through the relevant provider settings or in SkyDesk.

5. Recipients

We may disclose personal data to the following categories of recipients where necessary:

  • - hosting and infrastructure providers, including Google/Firebase;
  • - authentication providers;
  • - payment service providers, including Stripe;
  • - email delivery providers, including Mailgun;
  • - third-party email service providers connected by the user, where the user chooses to send emails through their own Google or Microsoft/Outlook account;
  • - analytics providers;
  • - IT, security, and technical support providers;
  • - professional advisers such as lawyers, accountants, or tax advisers;
  • - courts, supervisory authorities, or other public bodies where legally required.

Where service providers process personal data on our behalf, we conclude data processing agreements where required by law.

6. International Transfers

Some of our service providers may process personal data outside the European Economic Area ("EEA"), in particular in the United States.

Where personal data is transferred to third countries, we ensure that an adequate level of protection is in place as required by law, for example through an adequacy decision, certification under the EU-U.S. Data Privacy Framework, or the use of appropriate safeguards such as the European Commission Standard Contractual Clauses.

7. Storage Periods

We store personal data only for as long as necessary for the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law.

  • - account data is generally stored for as long as the account exists and thereafter for a reasonable period for follow-up issues, security, and legal claims;
  • - billing and invoice-related data is retained for the period required under applicable tax and commercial law;
  • - communication data is retained for as long as necessary to handle the relevant request and for a reasonable follow-up period;
  • - technical logs are retained as long as necessary for security, troubleshooting, and operational purposes;
  • - connected-account integration data and tokens are retained for as long as the integration remains active or until revoked or deleted;
  • - customer data stored in the platform is retained for the duration of the customer relationship and thereafter in accordance with contractual arrangements, legal obligations, and deletion schedules.
8. Obligation to Provide Data

The provision of certain personal data is necessary to enter into and perform a contract with us and to use SkyDesk.

If you do not provide data required for registration, authentication, subscription administration, payment processing, or requested integrations, we may not be able to provide access to the platform or certain functionalities.

9. Your Rights

You have the following rights under the GDPR, subject to the applicable legal requirements:

  • - the right of access pursuant to Art. 15 GDPR;
  • - the right to rectification pursuant to Art. 16 GDPR;
  • - the right to erasure pursuant to Art. 17 GDPR;
  • - the right to restriction of processing pursuant to Art. 18 GDPR;
  • - the right to data portability pursuant to Art. 20 GDPR;
  • - the right to object pursuant to Art. 21 GDPR.

Where processing is based on consent, you also have the right to withdraw your consent at any time with effect for the future.

To exercise your rights, please contact us at: john@skydesk.aero

10. Right to Complain

You have the right to lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work, or place of the alleged infringement.

If BaleAir UG is established in Baden-Württemberg, a relevant supervisory authority is the State Commissioner for Data Protection and Freedom of Information Baden-Württemberg.

11. Changes

We reserve the right to update this Privacy Policy from time to time in order to reflect legal, technical, or business developments. The version published on our website shall apply.

SkyDesk© 2026 SkyDesk. All rights reserved.
PrivacyImprintDPATerms