Privacy Policy

Scope & Roles
Information We Collect
How We Use Information
How We Do NOT Use Information
Tenant Isolation & Cross-Tenant Privacy
Data Storage, Security & Encryption
Sub-Processors
SMS Messaging & Opt-In Data
Electronic Signature Audit Data
Lead Network Data
Cookies & Tracking Technologies
Anti-Scraping & Continuous Monitoring
AI Features & Model Training
Data Retention
Children’s Privacy
International Data Transfers
Your Rights as a Customer Company
Your Rights as an End-User (CCPA / GDPR / State)
Security Incident Notification
Law-Enforcement & Legal Requests
Changes to This Policy
Contact

1. Scope & Roles

This Policy covers personal information processed (a) about our customers — the contracting, restoration, construction, and home-improvement businesses that subscribe to the Service (“Customer Companies”) — and the individuals within those companies who use the Service (“Authorized Users”); and (b) through the Service on behalf of our customers — the homeowners, claimants, suppliers, adjusters, and other natural persons whose information a Customer Company submits or generates inside the Service (“End-Users”).

Our role. For information about Customer Companies and Authorized Users we are a “business”, “controller”, or equivalent under applicable privacy law. For End-User information processed through a Customer Company’s Account we act as a “service provider”, “processor”, or “sub-processor”: we process End-User data only on the Customer Company’s instructions and as needed to deliver the Service.

If you are an End-User and want to exercise rights over your information, please contact the Customer Company that holds your data. We will route requests we receive directly from End-Users to that Customer Company and assist as required by law.

2. Information We Collect

2.1 Information you provide when signing up as a Customer Company

Company legal name, doing-business-as name, principal address, contractor license number, market(s) served.
Authorized representative name, work email, phone, role.
Billing information: cardholder name, last four digits of payment card, expiration, billing address, and a tokenized payment-method identifier returned by Stripe. Skallix never stores full payment-card numbers.
Authentication credentials: hashed password (bcrypt cost 10), two-factor codes, recovery email, SSO identifiers.
Configuration data: team-member list, role assignments, integrations enabled, custom workflows.

2.2 Information your Customer Company processes about End-Users

When you use the Service, Customer Data you submit may include the following categories of End-User personal information. Skallix processes this information solely on your instructions:

Contact identifiers: name, postal address, email, phone, alternate phones.
Property and job data: site / roof / room measurements, photos, inspection notes, claim and policy numbers, insurance carrier and adjuster contact, deductible, scope of loss, building permits.
Financial data: estimate line items, contract value, deposits, invoices, payment status, financing applications submitted to third-party lenders.
Communications: SMS transcripts, call recordings (where enabled), emails sent through the Service, signed contracts, e-signature metadata.
Geolocation: site address, derived geocodes, driving-route data for crew dispatch.
Other content the Customer Company chooses to upload (photos, scanned documents, signed waivers, drone footage, etc.).

2.3 Information collected automatically

Device and browser data: IP address, user-agent string, operating system, device type, screen resolution, language, time zone.
Usage data: pages visited, actions taken, feature use, click-through, query strings, timestamps.
Security telemetry: failed-login attempts, two-factor challenges, geographic anomalies, request-rate fingerprints, API key usage.
Crash and performance logs.

2.4 Information from third-party integrations

From Google Maps Platform and Google Solar API: geocoding, distance calculations, solar irradiance, imagery metadata.
From accounting integrations (QuickBooks Online, Sage): invoice and payment status.
From roof-measurement providers (EagleView, GAF QuickMeasure, SkyMeasure): roof area, pitch, eave/ridge/valley measurements.
From SSO providers (Google, Microsoft): basic profile and email used to authenticate.
From email and calendar providers (Google, Microsoft 365): inbound messages and calendar events when you enable that integration.

3. How We Use Information

We use personal information for the following purposes, each of which is necessary to provide the Service, to perform our contract with you, to comply with law, or to pursue legitimate interests including security, fraud prevention, and improvement of the Service:

To create and maintain Accounts, authenticate Users, and enforce role-based access controls.
To deliver the Service: render Customer Data, route leads, send SMS and email through Sub-Processors, generate documents, calculate estimates, run AI features the Customer Company has enabled.
To bill and collect Fees through our payment processor.
To investigate, detect, prevent, and respond to fraud, abuse, scraping, security incidents, unauthorized access, and breaches of the Terms.
To monitor service performance, debug, and improve reliability.
To send service announcements, billing notices, security alerts, and required legal notices.
To send marketing communications to Authorized Users about Skallix products (you may opt out at any time using the unsubscribe link or by emailing support@skallix.com).
To produce de-identified, aggregated analytics for product and business reporting.
To comply with legal obligations, respond to legal process, enforce the Terms, defend Skallix against claims, and protect the rights, property, and safety of Skallix, our customers, End-Users, and the public.

4. How We Do NOT Use Information

Customer Data is a Customer Company’s most valuable asset. To protect it, Skallix imposes strict limits on how we and our personnel may interact with it. We expressly commit that we will not:

sell or share Customer Data as those terms are defined under the CCPA / CPRA, or trade it for any monetary or other valuable consideration;
use Customer Data for cross-context behavioral advertising or rent it to data brokers;
use one Customer Company’s Customer Data to market to or solicit business from another Customer Company’s End-Users;
compile, license, or publish any list of End-Users, leads, homeowners, contact details, prices, or claim numbers extracted from Customer Data;
train, fine-tune, or evaluate any third-party AI model on Customer Data, except for AI features built into the Service that we expressly describe and that operate inside zero-retention enterprise contracts with our model providers (see Section 13);
access Customer Data in production except for narrowly defined operational purposes — resolving a support ticket the Customer Company has opened, investigating a security or abuse incident, responding to a legal request, performing fraud or carrier-compliance review, or troubleshooting a feature outage — and in every case the access is logged and limited to the minimum necessary scope;
disclose Customer Data to any third party except (a) Sub-Processors strictly to provide the Service, (b) professional advisors under confidentiality, (c) the Customer Company itself, (d) in connection with a corporate transaction subject to confidentiality undertakings, or (e) as required by law.

We do not poach your clients. Skallix is not, and will not be, a general contractor, restoration company, roofing contractor, remodeler, siding installer, solar installer, HVAC, plumbing, electrical, painting, landscaping, concrete, or any other competing service provider in any trade we serve. We do not contact, market to, or solicit business from your End-Users for any contracting, construction, restoration, insurance, or related service. Lead-Network operations are a separate matter (Section 10) governed by the Customer Company that purchased the lead.

5. Tenant Isolation & Cross-Tenant Privacy

Each Customer Company’s Customer Data resides in a logically isolated Tenant. Tenant isolation is enforced at multiple layers: (a) every database query is scoped by company identifier; (b) application-level role-based access controls deny access to any record outside the requesting Tenant; (c) file storage paths are partitioned per Tenant; (d) background jobs carry the originating Tenant identifier; (e) Skallix-operator access is gated behind a separate super-admin role with mandatory two-factor authentication and continuous audit logging; and (f) authentication tokens and sessions cannot be reused across Tenants.

We will never disclose to one Customer Company that another Customer Company exists in the Service, the identity of its End-Users, the leads it has purchased, the prices it charges, or any other data attributable to it. Customer Companies are contractually and technically prevented from accessing each other’s data, and any attempt to do so — including by a former employee — is a material breach of the Terms and may be referred to law enforcement.

6. Data Storage, Security & Encryption

Customer Data is hosted by DigitalOcean in U.S. data centers, encrypted in transit (TLS 1.2+) and at rest (AES-256). File and document storage uses object storage with private-only ACLs and signed-URL access. Passwords are stored as bcrypt hashes (cost 10). Two-factor authentication is available to every Authorized User and is required for super-admin and selected sensitive roles.

Our security program includes role-based access controls, principle-of-least-privilege provisioning, centralized audit logging, secrets management, network segmentation, automated vulnerability scanning, dependency monitoring, regular code review, restricted production-database access, and periodic third-party penetration testing. We maintain disaster-recovery procedures with encrypted off-site backups taken at least daily and tested on a regular cycle.

No method of electronic transmission or storage is 100% secure. While we use industry-recognized safeguards, we cannot guarantee absolute security. You are responsible for maintaining the security of your devices, credentials, two-factor tokens, and recovery email accounts, and for promptly reporting suspected compromise to support@skallix.com.

7. Sub-Processors

We engage the following categories of Sub-Processors to deliver the Service. Each is bound by written agreements requiring confidentiality, security measures no less protective than our own, and processing limited to the purpose for which engaged.

Sub-Processor	Purpose	Location
DigitalOcean	Cloud hosting, compute, object storage, backups	United States
Stripe	Payment processing, subscription billing, payment-method tokenization	United States / global
Twilio	SMS / MMS, voice, 10DLC and Toll-Free Verification registration	United States / global
SendGrid (Twilio), Postmark, Resend	Transactional and notification email	United States
Google LLC	Maps Platform, Solar API, OAuth SSO, Google Calendar sync	United States / global
Microsoft	Microsoft 365 calendar / email integration, Azure AD SSO	United States / global
OpenAI	AI-assisted features (summaries, draft replies, transcription) under zero-retention enterprise terms	United States
Anthropic	AI-assisted features under zero-retention enterprise terms	United States
EagleView / GAF QuickMeasure / SkyMeasure	Roof-measurement reports on demand	United States
QuickBooks Online (Intuit), Sage	Accounting export, invoice sync (only when enabled)	United States / global
Cloudflare	DNS, CDN, WAF, bot & scraper mitigation	Global
Sentry	Error and performance monitoring	United States

We may update this list as we add or replace Sub-Processors. Material additions affecting how Customer Data is processed will be reflected here at least thirty (30) days before they take effect, except in security or carrier-compliance emergencies.

8. SMS Messaging & Opt-In Data

Customer Companies may send SMS messages to their End-Users through our Twilio integration. When an End-User opts in to receive SMS from a Customer Company — by ticking a consent checkbox on a website form, or by becoming a paying customer of that business — we record the phone number, timestamp, IP address, source of the opt-in (e.g. “website_form”), and the exact disclosure language the End-User agreed to. This record is held to satisfy U.S. carrier audit requirements for A2P 10DLC and Toll-Free Verification (TFV).

Skallix does not share phone numbers, SMS opt-in records, or message content with third parties or affiliates for marketing purposes. SMS opt-in data is not transferred to any third party. Opt-in records are visible only to the Customer Company that captured them, plus Skallix platform operators for the limited purpose of supporting carrier audits and resolving abuse reports. End-Users may opt out at any time by replying STOP, STOPALL, UNSUBSCRIBE, CANCEL, END, or QUIT to any message from the originating phone number; opt-outs are honored across every subsequent send. Replying HELP returns assistance.

9. Electronic Signature Audit Data

When a client signs a contract through Skallix CRM, we record the following audit information to comply with the E-SIGN Act, UETA, and to protect both parties in case of a dispute: (a) timestamp of when the signer ticked the consent checkbox; (b) timestamp of when the signature was applied; (c) IP address of the signer’s device; (d) the signer’s user-agent string (browser / OS / device type); (e) the signer’s typed name; (f) a SHA-256 cryptographic hash of the signed PDF, used to detect any tampering. This audit data is visible only to platform super-admins for legal-dispute purposes — it is intentionally hidden from CRM Users (sales, managers, etc.) and from the signer themselves. Audit data is retained for the lifetime of the signed document plus seven (7) years, regardless of Account status, to satisfy the typical statute of limitations on contract disputes.

10. Lead Network Data

Leads delivered through the Skallix Lead Network are sourced from publicly available data and verified homeowner interactions (online forms, partner integrations, inbound consent flows). Each lead is licensed on a limited-distribution basis to a single purchasing contractor. Lead records include the homeowner’s name, contact information, property address, type of project of interest, and source-of-consent metadata required by TCPA. Lead data is never resold to a second buyer for the same campaign, and Skallix does not share lead data with any party other than the purchaser, the relevant Sub-Processors used to deliver it, and (where required) regulators or law enforcement.

11. Cookies & Tracking Technologies

We use only the cookies and similar technologies necessary to operate the Service:

Session cookies — keep you signed in.
Functional cookies — remember preferences such as selected market, table column order, and dismissed banners.
Security cookies — CSRF tokens, anti-bot challenges issued by Cloudflare, and rate-limit fingerprints.

We do not use third-party advertising cookies, cross-site tracking pixels, or session replay on the authenticated Service. On the public marketing pages we use minimal first-party analytics; you may disable non-essential cookies in your browser. Skallix honors Global Privacy Control (GPC) signals where required by law.

12. Anti-Scraping & Continuous Monitoring

Customer Data has substantial commercial value and is the target of scraping, harvesting, and competitor- intelligence attempts. To protect it, Skallix runs continuous, automated monitoring of every request to the Service. We collect and analyze:

IP address, ASN, reverse-DNS, and geolocation of every request, including those made through a Skallix-issued API token.
User-agent strings, TLS fingerprints, JA3/JA4 hashes, and request-header order.
Per-credential request rate, response-size ratio, distinct-record-access patterns, and time-of-day distribution.
Cross-credential and cross-Tenant access patterns indicating credential reuse or unauthorized harvesting.
Webhook delivery, export, and bulk-download events.

When this monitoring detects activity inconsistent with a normal Authorized User — for example, a credential issuing thousands of GETs from a residential proxy network in an unusual timezone, or a single IP cycling through End-User records faster than human navigation could explain — Skallix may, without prior notice and at its sole discretion: throttle the credential, present a challenge-response, block the IP or fingerprint, suspend the Authorized User or the Account, demand forensic preservation, and pursue every remedy available under the Terms § 31 including liquidated damages and injunctive relief.

Cloudflare provides edge-level bot and scraper mitigation, including challenge-response, IP-reputation scoring, and rate limiting. Persistent, sophisticated, or large-scale scraping may be referred to law enforcement under the Computer Fraud and Abuse Act, the California Comprehensive Computer Data Access and Fraud Act, and other applicable statutes.

13. AI Features & Model Training

The Service includes AI-assisted features built on top of large-language-model APIs from OpenAI, Anthropic, and other providers. When you use those features, the prompt and necessary context are transmitted to the relevant provider over TLS. Skallix configures each AI Sub-Processor with zero-retention, no-training contractual terms, meaning the provider does not use Customer Data to train, improve, or evaluate its models, and the provider does not retain prompts or completions beyond the limited duration required to deliver the response.

Skallix itself does not use Customer Data to train any model, including its own. We may use de-identified, aggregated metrics (e.g., feature-adoption counts, latency, error rates, telemetry) to operate and improve the Service.

AI output may be inaccurate. We do not make automated decisions that produce legal or similarly significant effects on End-Users without human review; you are responsible for reviewing AI-generated content before relying on it.

14. Data Retention

Skallix retains personal information for as long as it is necessary to deliver the Service, comply with legal obligations, resolve disputes, prevent fraud and abuse, and enforce agreements. Specific retention windows:

Active Customer Data — for the life of the Account.
Customer Data after Account termination — available for self-service export for thirty (30) days; deleted from production within sixty (60) days; encrypted backup copies purged on normal rotation within one hundred eighty (180) days thereafter.
SMS opt-in records — minimum four (4) years to satisfy carrier audit requirements.
Electronic-signature audit data — lifetime of the document plus seven (7) years, regardless of Account status.
Financial / billing records — minimum seven (7) years for tax and accounting purposes.
Security and abuse logs — minimum eighteen (18) months.
Authentication logs (login, 2FA) — minimum twelve (12) months.
Backups — encrypted; rotated on a documented schedule.

Where legal hold, regulatory inquiry, or pending dispute applies, retention may be extended.

15. Children’s Privacy

The Service is intended for businesses and their employees, not for children. We do not knowingly collect personal information from anyone under the age of sixteen (16). If you believe a child has provided personal information through the Service, contact support@skallix.com and we will delete it.

16. International Data Transfers

Skallix is established in the United States and primarily processes Customer Data in U.S. data centers. If you access the Service from outside the United States, your information will be transferred to and processed in the United States, where data- protection laws may differ from those of your jurisdiction. By using the Service you consent to that transfer. Where required by law (e.g., GDPR), transfers are made under appropriate safeguards, including Standard Contractual Clauses with the applicable Sub-Processor.

17. Your Rights as a Customer Company

As a Customer Company you may, at any time: access, correct, export, or delete the personal information about your company and your Authorized Users in your Account; export Customer Data in CSV / PDF format; deactivate Users; rotate API tokens and passwords; configure two-factor authentication; and contact us to obtain a Data Processing Addendum, sub-processor list, or audit report. Requests should go to support@skallix.com.

18. Your Rights as an End-User (CCPA / GDPR / State)

If you are an End-User (a homeowner or other natural person whose information was submitted to the Service by a Customer Company), the Customer Company is the controller / business of your data. Skallix processes your data only on the Customer Company’s instructions and does not respond directly to deletion, access, correction, or opt-out requests — please contact the Customer Company.

Depending on where you live, you may have the following rights, exercisable through the Customer Company:

California (CCPA / CPRA): right to know, delete, correct, limit use of sensitive personal information, opt out of sale or sharing (Skallix does not sell or share), and non-discrimination. To exercise: contact the Customer Company that holds your data.
Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana: rights of access, correction, deletion, portability, and opt-out as defined under each state’s consumer-privacy statute.
European Economic Area / United Kingdom: rights of access, rectification, erasure, restriction, portability, objection, and lodging a complaint with a supervisory authority, subject to the GDPR / UK GDPR.
Canada (PIPEDA / CASL): rights of access, correction, withdrawal of consent, and complaint to the Office of the Privacy Commissioner.
SMS opt-out: reply STOP / STOPALL / UNSUBSCRIBE / CANCEL / END / QUIT to any message; the Customer Company will not send you another message from that number.

If you submit a privacy request directly to Skallix, we will forward it to the Customer Company we identify as holding your data and assist as required by law. We will not respond on the Customer Company’s behalf for substantive matters.

19. Security Incident Notification

In the event of a confirmed security incident affecting your Customer Data, Skallix will notify the affected Customer Company without undue delay and in any event within seventy-two (72) hours of confirmation, providing the information reasonably available to it at that time and updating as the investigation progresses. The Customer Company is responsible for any onward notification obligations to End-Users or regulators.

20. Law-Enforcement & Legal Requests

Skallix carefully reviews every law-enforcement, government, or third-party legal request and produces information only when legally required to do so. Where lawful, we notify the affected Customer Company before producing data, give them an opportunity to object or quash, and limit production to the narrowest scope required. We do not provide bulk data, build back-doors, or grant standing access. Routine subpoena, civil-discovery, or warrant requests should be addressed to support@skallix.com.

21. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email to the address on file and/or by in-app notification at least thirty (30) days before they take effect. Non-material updates (clarifications, typo fixes, sub-processor additions) take effect on posting. The “Last updated” date at the top reflects the most recent change.

22. Contact

For privacy questions, rights requests, security or incident reports, abuse / scraping reports, and law-enforcement requests under this Policy, please email support@skallix.com or submit a message through our contact form. We will route your message internally to the appropriate team.

Updated May 13th, 2026

Table of contents