Privacy Policy

Skode Technologies ("Skode," "we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you visit our website at https://skode.ai, use our CRM platform, Flow messaging platform, or any related services (collectively, the "Services").

By accessing or using our Services, you agree to the terms of this Privacy Policy. If you do not agree, please discontinue use of the Services immediately.

1. Information We Collect

1.1 Information You Provide Directly

Account Information: Name, email address, phone number, company name, job title, and billing information when you register for an account.
CRM Data: Leads, contacts, deals, notes, tasks, invoices, and any other data you enter into the Skode CRM platform.
Communications: Messages you send through our support channels, feedback forms, or live chat.
Payment Information: Credit card numbers, billing addresses, and transaction details processed through our payment provider (Stripe).

1.2 Information Collected Automatically

Usage Data: Pages visited, features used, clicks, session duration, and interaction patterns within our platform.
Device Information: Browser type, operating system, device identifiers, IP address, and screen resolution.
Cookies and Tracking Technologies: We use cookies, web beacons, and similar technologies as described in our Cookie Policy.
Log Data: Server logs including access times, referring URLs, and error logs for debugging and security purposes.

1.3 Information from Third Parties

OAuth Providers: If you sign in via Google or other OAuth providers, we receive your name, email, and profile picture.
Integration Partners: Data synced from third-party services you connect to Skode (e.g., email providers, calendar services).

2. How We Use Your Information

We use the information we collect to:

Provide, maintain, and improve our Services.
Process transactions, send invoices, and manage billing.
Send you service-related communications, updates, and security alerts.
Provide customer support and respond to your inquiries.
Personalize your experience and deliver relevant content and recommendations.
Analyze usage trends and platform performance to improve our products.
Detect, prevent, and address fraud, abuse, and security issues.
Comply with legal obligations and enforce our Terms of Service.
Send marketing communications (only with your consent, and you may opt out at any time).

3. AI and Automated Data Processing

Skode uses artificial intelligence features to enhance your CRM experience, including voice input transcription, lead scoring, deal predictions, and analytical tools. Here is how we handle data in these contexts:

Voice Input: Audio recordings submitted via the voice input feature are transcribed using third-party AI providers (OpenAI Whisper). Audio is processed in real-time and is not stored after transcription is complete.
AI Analysis: Your CRM data may be processed by AI models to generate insights, predictions, and recommendations. This processing occurs within our secure infrastructure.
No Model Training: We do not use your data to train AI models. Your data is used solely to provide you with AI-powered features within the Services.
Third-Party AI Providers: When data is sent to third-party AI providers for processing (e.g., OpenAI for transcription), it is governed by our data processing agreements with those providers, which prohibit them from using your data for training.

AI Connector Data Sharing

When you activate an AI connector (ChatGPT, Claude, or Gemini), selected CRM data is transmitted to the AI provider for processing. Data shared may include: contact names and details, deal values and stages, task descriptions, invoice amounts, e-commerce order data, and Flow message content — limited to modules you explicitly select.

Data NOT shared: passwords, payment card numbers, data from other tenants, internal system logs.

Each AI provider operates under a zero-data-retention API agreement. Your CRM data is not used for model training.

You can enable/disable each connector independently, select which modules are accessible, and request deletion of transmitted data at any time.

4. How We Share Your Information

We do not sell your personal information. No mobile information will be shared with third parties or affiliates for marketing or promotional purposes. All the above categories exclude text messaging originator opt-in data and consent; this information will not be shared with any third parties.

We may share your information with:

Service Providers: Third-party vendors who assist us in operating the Services (hosting, payment processing, email delivery, analytics). See our Sub-Processors page for a complete list.
Legal Requirements: When required by law, regulation, legal process, or governmental request.
Business Transfers: In connection with a merger, acquisition, or sale of all or a portion of our assets.
With Your Consent: When you explicitly authorize us to share your information with a third party.

4A. Platform-Specific Data Disclosures

When you connect third-party platforms to Skode Flow, we access and process data from those platforms as described below. Data from each platform is processed solely to provide the Services you have requested and is subject to our security measures described in Section 8.

4A.1 Meta (Facebook Messenger & Instagram)

When you connect your Facebook Page or Instagram Professional account to Skode Flow, we access the following data through the Meta Platform API:

Page and profile metadata: Page name, profile picture, page category, and business information associated with your Page or Instagram account.
Messaging data: Messages sent and received through Facebook Messenger and Instagram Direct Messages, including text content, attachments, timestamps, and sender/recipient identifiers.
User profile information: Name, profile picture, and locale of users who message your Page (as permitted by Meta).
Engagement data: Comments, reactions, and post interactions on your Page.

Data collected from Meta platforms is encrypted at rest (AES-256) and in transit (TLS 1.2+). Messaging data is retained for the duration of your subscription. We do not sell or share Meta platform data with third parties except as necessary to provide the Services. Our use of Meta platform data complies with the Meta Platform Terms and Developer Policies. You may disconnect your Meta account and request deletion of associated data at any time via Data Deletion.

4A.2 WhatsApp Business

When you connect your WhatsApp Business account to Skode Flow via the WhatsApp Cloud API, we access:

Business profile information: Business name, description, address, email, website, and profile picture.
Message data: Messages sent and received (text, media, documents, location, contacts), delivery/read receipts, and timestamps.
Phone numbers: Customer phone numbers who message or are messaged by your business.
Template data: Message templates you create and their approval status.

WhatsApp messages are encrypted in transit (TLS 1.2+) and at rest (AES-256). We do not access end-to-end encrypted personal WhatsApp messages — only WhatsApp Business API messages. Our use complies with the WhatsApp Business Terms and Commerce Policy. See our WhatsApp Compliance page for additional opt-in and messaging requirements.

4A.3 TikTok

When you connect TikTok for Business to Skode Flow, you authorize Skode via TikTok's OAuth 2.0 flow, which grants limited access to your TikTok Business account without exposing your TikTok password. We may access:

Business account information: Account name, profile data, and business verification status.
Messaging data: Direct messages sent and received via TikTok Business messaging features.
Lead data: Information submitted through TikTok Lead Generation forms, imported into your CRM for sales follow-up and lead management.
Conversion event data: Where TikTok Events API (Conversions API) is enabled, we may share hashed event data (hashed email, hashed phone number, event type, timestamp) with TikTok for ad optimization, measurement, and attribution purposes.

Device Data Collection Tools (DDCTs): Where TikTok Pixel is deployed on your website through Skode, your website uses device data collection tools operated by third parties including TikTok. These tools collect data about user interactions for the purpose of ad measurement, conversion tracking, and audience targeting. Users may opt out of TikTok ad tracking through TikTok's privacy settings or through our Cookie Policy consent controls.

TikTok data is processed in accordance with the TikTok Terms of Service, TikTok for Business Privacy Policy, and the TikTok Business Products (Data) Terms. We do not sell, share, or disclose TikTok data to third parties except as necessary to provide the Services to you or as required by law. TikTok data is not used to create user profiles, audience segments, or lookalike audiences beyond what is authorized by TikTok's Business Products Data Terms. Upon disconnection of TikTok integration or termination of our developer access, TikTok data is deleted from active systems immediately. Backup purge completes within 90 days. TikTok cookies (where TikTok Pixel is deployed) have a maximum duration of 13 months. See our Cookie Policy for details. You may disconnect your TikTok account and request deletion of associated data at any time via Data Deletion.

4A.4 LinkedIn

When you connect LinkedIn to Skode, you authorize access via LinkedIn's OAuth 2.0 flow. We collect LinkedIn data when you first connect your account and periodically refresh profile data to keep your CRM records current. We may access:

Profile data (authenticated members): Name, headline, profile picture, and company information of members who have authenticated with Skode.
Lead Gen Form response data: Information submitted through LinkedIn Lead Gen Forms, stored per-client in your CRM. Lead Gen Form data is not aggregated across unaffiliated LinkedIn advertising accounts.
Page messaging data: LinkedIn Page messages managed through LinkedIn's authorized Page Messaging API. This does not include access to members' private LinkedIn messages.

Data Retention Limits: We comply with LinkedIn's Data Storage Requirements. Profile data for LinkedIn members who have not directly authenticated with Skode is cached for no more than 24 hours and is not permanently stored. LinkedIn member social activity data (likes, comments, shares) is retained for no more than 48 hours. Lead Gen Form response data is stored in your CRM for as long as your account is active or until you request deletion.

Data Use Restrictions: We do not scrape LinkedIn profiles or access data beyond what is authorized through LinkedIn's official APIs. We do not automate LinkedIn messaging, posting, or connection requests. LinkedIn member data obtained through Community Management APIs is displayed within Skode only and cannot be exported or transferred to third-party systems. We use LinkedIn data only for the specific use cases approved in our LinkedIn Developer Platform application. When processing LinkedIn Lead Gen Form submissions, we capture and respect all consent preferences and custom consent texts configured by the advertiser.

Consent and Deletion: When your LinkedIn OAuth Access Token expires, you will be prompted to re-authenticate and re-consent before data collection resumes. You may withdraw your LinkedIn authorization at any time by visiting LinkedIn Settings > Data Privacy > Permitted Services and removing Skode, or by contacting us. Upon request, we will delete all LinkedIn-sourced data within 10 days. We will comply with any data deletion requests from LinkedIn within the timeframes specified in their API Terms and are prepared to certify compliance upon request.

LinkedIn data is processed in accordance with the LinkedIn API Terms of Use and LinkedIn Marketing Developer Terms. LinkedIn may audit our use of their APIs and data at any time. We maintain records and processes to demonstrate compliance with LinkedIn's API Terms of Use. All LinkedIn-sourced data is subject to the same GDPR and privacy rights described in Section 7 of this Privacy Policy.

4A.5 Google (OAuth, Calendar, Email, Gemini)

When you sign in with Google or connect a Google service to Skode, we may access:

OAuth profile: Name, email address, and profile picture.
Calendar data: Calendar events for CRM activity sync (only if you explicitly enable Google Calendar sync).
Email data: Email headers and content for email tracking and logging (only if you explicitly enable Gmail sync).
Gemini / Agentspace connector: If and when a customer connects Skode as a Gemini Extension or Google Agentspace connector, Skode transmits only the CRM records that the signed-in user selects (contacts, deals, tasks, invoices, activities) to the Google model of the user's choice, over TLS, for the sole purpose of generating the user-requested response. No Google user data or Workspace content is stored by Skode beyond the minimum needed to return the response.

Google API Services User Data Policy — Limited Use disclosure. Skode's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, Skode affirms that we:

Use data received from Google APIs only to provide or improve user-facing features that are prominent in the Skode user experience;
Do not transfer data received from Google APIs to third parties except as necessary to provide or improve those features, to comply with applicable law, or as part of a merger, acquisition or sale of assets with notice to users;
Do not use data received from Google APIs for serving advertisements, including retargeting, personalised, or interest-based advertising; and
Do not allow humans to read data received from Google APIs unless we have obtained your affirmative consent to view specific messages, doing so is necessary for security purposes (such as investigating abuse), to comply with applicable law, or for Skode's internal operations, and then only when the data have been aggregated and anonymised.

The same Limited Use restrictions apply to any data Skode receives from Google's Workspace APIs through Gemini, Google Agentspace, or a Workspace Add-on. Sensitive or Restricted scopes, if we ever request them, will be subjected to annual CASA Tier 2 or Tier 3 assessment as required by Google's OAuth verification process.

4A.6 Snapchat (Snap Kit & Marketing API)

When you connect Snapchat to Skode via Snap Kit (Login Kit), you authorize access through Snap's OAuth flow. We may access:

Profile data: Display name, Bitmoji avatar, and external ID for authentication and personalization.
Conversions API (CAPI) data: Where Snap Conversions API is enabled, we share hashed event data (hashed email, hashed phone number, event type, timestamp) with Snapchat for ad optimization, measurement, and attribution. Users may opt out of Snap ad tracking through their Snapchat privacy settings.
Marketing API data: Ad campaign performance data and audience insights for connected Snapchat advertising accounts.

Snap user data may be shared with sub-processors listed in Section 4 solely as necessary to provide the Services. We do not sell, share, or disclose Snap user data to third parties for their marketing purposes. Snap profile data is retained for a maximum of 36 months; accounts inactive for 90 days are automatically disconnected and associated data deleted. User-level Snap ad attribution data is removed after 2 months in compliance with Snap's data retention requirements. Where Snap Pixel is deployed, consent is obtained before Pixel activation in compliance with GDPR and ePrivacy requirements. See our Cookie Policy for Snap Pixel cookie details.

Our use of Snap data complies with the Snap Developer Terms, Snap Business Services Terms, Snap Conversion Terms, and the Snap Privacy Policy (incorporated by reference). US state privacy laws (including CCPA) apply to Snap user data. You may revoke Snap Kit access through Snapchat Settings and request deletion of Snap-sourced data via Data Deletion. Skode will certify deletion of Snap data upon Snap's request.

4A.7 Telegram (Bot API)

When you connect a Telegram Bot to Skode Flow, we access data through the Telegram Bot API when users interact with your connected Telegram bot. We may access:

User identifiers: Telegram user ID, username, first name, last name, and language code of users who message your bot.
Message data: Text content, media files (photos, documents, voice messages), and chat IDs for conversations with your bot.
Interaction metadata: Timestamps, message delivery status, and callback query data.

Telegram data is used for delivering and receiving messages on your behalf, managing conversations, routing messages to the appropriate team member, providing AI-powered response suggestions (real-time processing only), and analytics. Telegram message content may be processed by AI systems (e.g., OpenAI) for real-time features such as suggested replies and conversation summaries. Telegram data is not used for training, fine-tuning, or developing machine learning or AI models. We only store Telegram data necessary for the messaging service functionality (data minimization).

We do not share Telegram user data with third parties without explicit user authorization or as required by law. Telegram data shared with sub-processors (listed in Section 4) is limited to what is necessary to provide the Services. Telegram data is retained for the duration of your subscription. Upon disconnection of the Telegram integration or account termination, Telegram data is deleted from active systems within 30 days. Backup purge completes within 90 days.

Our use of the Telegram Bot API complies with the Telegram Bot Developer Terms of Service and Telegram Privacy Policy. Users may request deletion of Telegram-sourced data by contacting us at privacy@skode.ai. Deletion requests are processed within 30 days. Users can also block the bot at any time through Telegram to immediately stop data collection. In the event of a data breach affecting Telegram data, we will notify affected users in accordance with applicable laws.

5. Cookies and Tracking

We use cookies and similar tracking technologies to enhance your experience. For detailed information about the types of cookies we use, how to manage them, and your choices, please refer to our Cookie Policy.

6. Data Retention

We retain your personal information only for as long as we need it to provide the Services, to comply with our legal obligations, or to resolve disputes. Specifically:

Account Data: Retained for the duration of your account plus 30 days after a deletion request.
CRM Data (leads, contacts, notes, tasks, messages): Retained for the duration of your subscription. Upon termination, data is available for export for 30 days, then permanently deleted within 90 days.
Billing and invoice records: Retained for 7 yearsfrom the end of the relevant financial year, as required by the Indian Income-tax Act, 1961 and the Central Goods and Services Tax Act, 2017 (Section 36, which mandates a 72-month retention of records by every registered person). Equivalent tax-retention obligations in other jurisdictions may extend this period where applicable.
AI Connector audit logs: Successful events are automatically purged after 30 days; failed events are kept longer for investigation.
Lead-assignment logs: Automatically purged after 90 days.
Password-reset tokens: Expire within 30–60 minutes. Workspace-invite tokens: Expire after 7 days. User sessions: Maximum 7-day lifetime.
Server and application logs: Retained for 90 days for security, debugging, and abuse-investigation purposes.
Marketing data (if you opted in): Retained until you unsubscribe or request deletion.

We are actively working to shorten the indefinite retention on CRM records through workspace-level retention controls. If you require a specific retention cap, contact us at privacy@skode.ai.

7. Your Privacy Rights

7.1 Rights Under GDPR (European Economic Area)

If you are located in the EEA, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your personal data ("right to be forgotten").
Restrict processing of your personal data.
Data portability (receive your data in a structured, machine-readable format).
Object to processing based on legitimate interests or direct marketing.
Withdraw consent at any time where processing is based on consent.
Lodge a complaint with your local data protection authority.

7.2 Rights Under CCPA (California)

If you are a California resident, you have the right to:

Know what personal information we collect about you.
Request deletion of your personal information.
Opt out of the sale of your personal information (we do not sell personal information).
Non-discrimination for exercising your privacy rights.

7.3 Rights Under Indian Data Protection Laws

If you are located in India, you have rights under the Digital Personal Data Protection Act, 2023 and the Information Technology Act, 2000. You may contact our Grievance Officer for any concerns.

7.4 Rights Under UK GDPR (United Kingdom)

If you are located in the United Kingdom, you have rights under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, including the right to access, rectify, erase, restrict processing, data portability, and object to processing. You may also lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk. Our EU/UK representative can be contacted via our EU/UK Representative page.

7.5 Rights Under New Zealand Privacy Act 2020

If you are located in New Zealand, you have rights under the Privacy Act 2020, including the right to access your personal information, request correction of inaccurate information, and complain to the Office of the Privacy Commissioner. Under Information Privacy Principles (IPPs) 6 and 7, you may request access to and correction of any personal information we hold about you. We will respond to requests within 20 working days. To make a request, contact us at privacy@skode.ai. You may also lodge a complaint with the Office of the Privacy Commissioner.

7.6 Rights Under UAE Personal Data Protection Law (PDPL)

If you are located in the United Arab Emirates, you have rights under Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data (PDPL) and its Executive Regulations. Your rights include the right to access your personal data, request correction or deletion, restrict or object to processing, request data portability, and withdraw consent. We will process requests within 14 days. Personal data of UAE residents is processed in accordance with the requirements of the UAE Data Office. For requests, contact us at privacy@skode.ai.

8. Data Security

We implement industry-standard security measures to protect your data, including:

Encryption in transit (TLS 1.2 or higher). At rest, customer files and backups are stored on AWS S3 (Mumbai region) with AWS-managed server-side encryption; payment-gateway credentials are Fernet-encrypted inside our database; user passwords are stored as PBKDF2-SHA256 hashes.
Role-based access controls with strict workspace (org_id) isolation and fail-closed query filters. SAML 2.0 and OIDC single sign-on for enterprise customers.
API keys used by the AI Connector are stored as SHA-256 hashes with 90-day automatic expiry and 256-bit generation entropy. Mutual TLS (mTLS) is enforced on the OpenAI Connectors endpoint.
Session cookies are HTTP-only, Secure (in production), and SameSite=Lax with a 7-day maximum lifetime.
Regular, encrypted backups retained per our disaster-recovery plan.
Hosting on AWS Mumbai (ap-south-1), which operates within an AWS SOC 2 Type II-attested environment. Skode Technologies Private Limited does not itself hold a SOC 2 attestation today; SOC 2 readiness is on our security roadmap. Two-factor authentication for user accounts is also on our roadmap but not yet available; we recommend a strong, unique password until it ships.

While we strive to protect your information, no method of transmission over the Internet or electronic storage is 100% secure. We cannot guarantee absolute security.

9. International Data Transfers

Your information may be transferred to and processed in countries other than your own. When we transfer data outside your jurisdiction, we ensure appropriate safeguards are in place:

9.1 EU/EEA Transfers

For transfers of personal data outside the EU/EEA, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission (adopted June 2021), the EU-US Data Privacy Framework where applicable, or adequacy decisions. We conduct Transfer Impact Assessments (TIAs) and implement supplementary technical measures (encryption, pseudonymization) where required.

9.2 UK Transfers

For transfers of personal data outside the United Kingdom, we rely on the UK International Data Transfer Agreement (UK IDTA) issued by the Information Commissioner's Office (ICO), and/or the UK Addendum to the EU Standard Contractual Clauses (the "UK Addendum"), as approved under Section 119A of the Data Protection Act 2018. Where the UK Government has made adequacy regulations recognising a country as providing adequate data protection, no additional safeguards are required for transfers to that country. We assess each transfer to ensure that the laws of the recipient country do not undermine the protections guaranteed by UK GDPR.

10. Children's Privacy

Our Services are not directed to individuals under the age of 16. We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly. If you believe a child has provided us with personal data, please contact us at privacy@skode.ai.

11. Third-Party Links and Services

Our Services may contain links to third-party websites, services, or integrations. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party service you interact with.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on our website and updating the "Last updated" date. For significant changes, we will provide additional notice via email or an in-app notification. Your continued use of the Services after changes become effective constitutes acceptance of the revised policy.

13. Security Vulnerability Reporting

If you discover a security vulnerability in any Skode product or service, we encourage you to report it responsibly. Please email security@skode.ai with a detailed description of the vulnerability, steps to reproduce, and any supporting evidence. We will acknowledge receipt within 2 business days and work to address confirmed vulnerabilities promptly. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.

14. Contact Us

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

Data Controller & Privacy Contact

Data Controller	Skode Technologies Private Limited, a company incorporated under the Companies Act, 2013 (CIN: U62011KL2026PTC102406), with its registered office at Thirumangalath, Chelavur, Kozhikode – 673571, Kerala, India.
Privacy Contact / Grievance Officer	Mr. Hifsul Ali, acting as the Company's nominated Privacy Contact, Grievance Officer under India IT Rules 2021 and DPDPA 2023, and as the Data Protection Officer for the purposes of the UK GDPR / EU GDPR where a DPO appointment is recommended.
Email	privacy@skode.ai · grievance@skode.ai
Postal Address	Mr. Hifsul Ali, Privacy Contact / Grievance Officer, Skode Technologies Private Limited, Thirumangalath, Chelavur, Kozhikode – 673571, Kerala, India

Other Contact Channels

General Privacy Inquiries: privacy@skode.ai
Legal Inquiries: legal@skode.ai
Security Vulnerabilities: security@skode.ai (see also security.txt)
Grievance Officer (India — IT Rules 2021 & DPDPA 2023): View named Officer and details
Data Deletion Requests: Submit a Request
EU / UK Representatives: Skode does not currently have an establishment in the EU or UK and therefore has no Article 27 representative appointed. If you are an EEA or UK resident with a privacy concern, please write to privacy@skode.ai. We will update this section if and when a Representative is appointed.