Privacy Policy

1. Who we are

SkyLog (“SkyLog”, “we”, “us”) is a service operated by Mobileforst. For privacy enquiries, contact contact@skyloglive.com. We act as a data controller for the personal data you provide directly, and as a data processor for any data your dropzone, coach, or team shares with you through the platform.

2. What data we process

We only collect what we need to run SkyLog. By category:

2.1 Account & identity

• Email address, name, and (optionally) profile image and username.
• Authentication identifiers from Firebase Authentication, plus the identity provider you signed in with (Google, Apple, Facebook, or email + password).

2.2 Skydiver profile

• Your home dropzone, country, languages spoken.
• Prior jump count, first jump date, and (optional) body weight used for canopy wing-loading calculations. Body weight is treated as sensitive — never shown on your public profile.
• Licences and instructor ratings, with optional document scans you upload as evidence.

2.3 Jump logs and related data

• Per-jump records: date, dropzone, jump number, discipline, freefall time, notes, visibility setting.
• GPS tracks recorded by your phone, watch, or compatible altimeter (stored as blobs in our cloud storage; only the device that recorded them and you can read them by default).
• Performance and weather metrics for the jump (where you’ve recorded them).
• Coach sign-offs, jump-buddy links, packing and rigging service records you participate in.
• Jump-related costs and standalone spending entries you log.

2.4 Gear and equipment

• Rigs, canopies, AADs, helmets and accessories you register.
• Serial numbers (required for reserve packing records by federation regulations).
• Photos you upload for individual gear items.

2.5 Third-party data you provide

• Emergency contacts — name, phone, email, relation language(s). You’re the one giving us this data about another person; please ensure you have their permission to share it with us. Emergency contact data is never shown on your public profile and is not shared with third parties.

2.6 Dropzone manifest data (SkyView)

If your dropzone uses a manifest provider we integrate with (e.g. SkyView), and you link your SkyLog account to your member record, we receive your member number and (if you’ve completed the verify- link flow) your phone number from the dropzone’s system. This is used to show you live manifest information and notify you when you’re on a load.

2.7 Technical data

• Device push tokens (Firebase Cloud Messaging) so we can send you notifications you’ve opted into.
• App Check signals from Google reCAPTCHA v3 for fraud and abuse prevention. These are processed by Google as part of the App Check service.
• Server logs (timestamps, status codes, anonymised IP) retained for diagnostic and security purposes.
• If you consent to analytics via our cookie banner, Firebase Analytics + Performance Monitoring (anonymous usage metrics and page-load timings). Off by default; revocable at any time via Settings → Privacy & cookies.

3. Why we process it (lawful basis)

• To provide the service you’ve requested (GDPR Art 6(1)(b) — contract): account creation, logbook, gear, coaching, packing, rigging, sign-off workflow, dropzone manifest integration, notifications you’ve opted into.
• To keep the service secure (GDPR Art 6(1)(f) — legitimate interest): Firebase Authentication, App Check (reCAPTCHA v3), rate limiting, fraud detection, the verify-then-admin Data Connect authorisation model.
• To comply with our legal obligations (Art 6(1)(c)): retention of reserve packing records and similar federation-required logs.
• With your consent (Art 6(1)(a)): non-essential cookies, analytics, performance monitoring, marketing communications (none currently).

4. Who we share data with

We use a small set of vetted third-party services to operate SkyLog. They’re listed at /legal/subprocessors with their role and region. We don’t sell your data, and we don’t share it for cross-context behavioural advertising.

Data is shared with other SkyLog users only when you choose to share it — your jump’s visibility setting (PRIVATE, BUDDY, FRIENDS, PUBLIC), a coach you’ve sent a sign-off request to, a buddy you’ve added to a jump, or someone you’ve explicitly granted logbook access to.

5. International data transfers

Our infrastructure runs on Google Cloud Platform in us-central1. If you’re in the EU/EEA, UK, or Switzerland, your data is transferred to and processed in the United States. We rely on Standard Contractual Clauses (the EU Commission’s 2021 SCCs) included in our vendors’ data processing agreements as the transfer mechanism. The full subprocessor list at /legal/subprocessors notes each vendor’s region and the DPA covering them.

6. How long we keep your data

We aim to retain personal data only as long as it’s needed for the purposes set out above. Specifically:

• Account & jump data: kept for the life of your account. If you delete your account, we delete the data per Section 9.
• Reserve packing records and sign-off records: retained for as long as federation regulations require, even after you delete your account where law mandates.
• Read in-app notifications & routine logs: pruned automatically after 90 days.
• Buddy invites & expired session tokens: pruned after their expiry.
• Server diagnostic logs: retained up to 30 days before automatic deletion.

We’re still rolling out automated enforcement for some of the above categories — if you have a specific retention concern, write to contact@skyloglive.com and we’ll handle it manually.

7. Your rights

Under GDPR (and equivalent laws in the UK, Switzerland, California and elsewhere), you have the right to:

• Access a copy of the personal data we hold about you. Use the export tool at /legal/data-export.
• Rectify data that’s inaccurate — most fields are editable directly in the app; for anything that isn’t, email us.
• Erase your data (“right to be forgotten”). See /legal/data-export.
• Restrict or object to processing in specific circumstances.
• Withdraw consent at any time (e.g. analytics) via Settings → Privacy & cookies.
• Receive your data in a portable format — the export from /legal/data-export is machine-readable JSON/CSV.
• Complain to a supervisory authority in your country (for EU users, the relevant Data Protection Authority).

We respond to verifiable requests within 30 days (the GDPR default; can be extended once by 60 days for complex requests, in which case we’ll tell you why).

8. Security

We follow industry-standard practices. All connections are TLS; data is encrypted at rest by Google Cloud; authentication uses short-lived Firebase ID tokens server-side-verified before any database call; and our Data Connect queries enforce row-level ownership at both the GraphQL schema layer and the API layer. For more, see /legal/security.

We’re not currently SOC 2 or ISO 27001 certified — we’ll update this section when we are.

9. Cookies, analytics & tracking

On your first visit you see a cookie consent banner. Strictly necessary cookies (sign-in session, App Check fraud-prevention, theme preference) are required for the service and cannot be disabled. Analytics & performance (Firebase Analytics, Performance Monitoring) is off by defaultand only enabled if you consent. You can change your choice at any time via Settings → Privacy & cookies.

We don’t use marketing cookies or cross-site trackers.

10. Children

SkyLog isn’t designed for children. We don’t knowingly collect data from anyone under 16. If you believe we’ve inadvertently collected data from a child, please contact us and we’ll delete it. Skydiving itself has minimum-age requirements that vary by jurisdiction; we rely on dropzones to enforce those.

11. Changes to this policy

If we materially change how we process your data, we’ll update this page, bump the “Last updated” date, and our in-app cookie banner will re-prompt you to acknowledge the new policy. We’ll never materially reduce your rights without telling you.

12. Contact

Privacy questions: contact@skyloglive.com.

If you don’t get a response within 30 days, or you’re unsatisfied with our response, you can lodge a complaint with your local Data Protection Authority. Find yours via the European Data Protection Board’s directory at edpb.europa.eu.