Privacy Policy
This Privacy Policy ("Policy") describes how SkyL4rk (Pty) Ltd ("SkyL4rk", "we", "us", or "our") collects, uses, stores, shares, and protects personal information in connection with all services operated under the SkyL4rk umbrella, including but not limited to xCrypt, Verilink, TermsCon, SkyVault, and SkyDome.
This Policy applies to all individuals and entities who interact with our platforms, including merchants, API clients, sub-clients, end users, website visitors, and business contacts.
1. Who We Are
SkyL4rk (Pty) Ltd is a South African technology company registered in the Republic of South Africa, headquartered in Ballito, KwaZulu-Natal. We develop and operate SaaS platforms, API infrastructure, and digital licensing tools for business and consumer markets across South Africa and internationally.
SkyL4rk is a responsible party as defined under the Protection of Personal Information Act 4 of 2013 ("POPIA") and, where applicable, a data controller under the EU General Data Protection Regulation 2016/679 ("GDPR").
Where SkyL4rk processes personal data on behalf of a client merchant (for example, when a merchant uses xCrypt to manage their own downstream customers), SkyL4rk may also act as an operator / data processor. In such cases, our Data Processing Agreement ("DPA") governs that relationship.
2. Information Officer
| Detail | Information |
|---|---|
| Name | Michael Beuster |
| Title | Information Officer |
| Email | legal@xcrypt.co.za |
| Postal Address | SkyL4rk (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa |
| Regulator | Information Regulator (South Africa) — inforegulator.org.za |
3. What Personal Information We Collect
We collect personal information in various categories depending on your relationship with us. We only collect information that is adequate, relevant, and not excessive for the purpose.
3.1 Identity and Contact Information
- First name, last name, and display name
- Email address and phone number
- Physical address, city, province, country, and postal code
- Date of birth (where required for identity verification)
- Identity document type and number (passport, national ID, driver's licence)
- Biometric identifiers (where Verilink identity verification is used — facial scan data, liveness scores, MRZ data)
3.2 Business and Account Information
- Company or trading name
- Business email and registration details
- Assigned merchant UUID, client ID, and API credentials
- Webhook URLs and integration endpoints
- Subscription plan, billing tier, and account status
- Sub-client relationships and downstream registrations
3.3 Financial and Billing Information
- Subscription and billing history
- Invoice records and payment status
- Payment method metadata (we do not store full card numbers — payment processing is handled by PCI-DSS compliant providers)
- Overage usage and billing adjustments
3.4 Technical and Usage Data
- IP addresses (at time of API call, login, or registration)
- Device identifiers and browser/client fingerprints
- API call logs including endpoints accessed, timestamps, and HTTP response codes
- License key generation, activation, validation, and revocation events
- Webhook delivery logs including payloads and responses
- Session tokens and authentication metadata
- Error logs and diagnostic data
3.5 Communications Data
- Emails and messages sent to our support or legal addresses
- Contact form submissions
- Records of consent given and withdrawn
3.6 Data We Do Not Collect
Unless explicitly required by a specific service and disclosed at point of collection, we do not collect: racial or ethnic origin, political opinions, religious beliefs, trade union membership, health information (beyond what Verilink processes for KYC), genetic data, or sexual orientation.
4. How We Collect Personal Information
- Directly from you — registration forms, API onboarding, contact submissions
- Automatically — API calls, log files, authentication events
- From merchants — when a merchant registers you as a sub-client through their integration of our platform
- From third parties — identity verification providers, payment processors, and fraud detection services
5. Purpose and Legal Basis for Processing
| Purpose | Categories of Data Used | Legal Basis (POPIA) | Legal Basis (GDPR) |
|---|---|---|---|
| Account creation and management | Identity, contact, account info | Contractual necessity | Art. 6(1)(b) — Contract |
| Delivering API and licensing services | Account, technical, usage data | Contractual necessity | Art. 6(1)(b) — Contract |
| Identity verification (KYC/AML via Verilink) | Identity, biometric, document data | Legal obligation / consent | Art. 6(1)(c) — Legal obligation |
| Billing and invoice management | Financial, account data | Contractual necessity | Art. 6(1)(b) — Contract |
| Security monitoring and fraud prevention | Technical, usage, IP data | Legitimate interest | Art. 6(1)(f) — Legitimate interests |
| Legal compliance and regulatory reporting | All relevant categories | Legal obligation | Art. 6(1)(c) — Legal obligation |
| Service communications and support | Contact, communications data | Contractual necessity / consent | Art. 6(1)(b) / Art. 6(1)(a) |
| Product improvement and analytics | Aggregated/anonymised usage data | Legitimate interest | Art. 6(1)(f) — Legitimate interests |
6. Cross-Border Transfers of Personal Information
SkyL4rk operates infrastructure across multiple jurisdictions. In the course of delivering our services, your personal information may be transferred to, stored in, or processed in countries outside the Republic of South Africa, including but not limited to:
- United States — cloud infrastructure (Google Cloud Platform), analytics, and email services
- United Kingdom — registered business operations (SkyL4rk UK Ltd) and associated data processing
- European Union — where EU-resident end users interact with merchant platforms built on xCrypt
- Other jurisdictions — where sub-processors or API integrations operate
These transfers are made in compliance with POPIA Section 72, which permits cross-border transfers where:
- The recipient country has comparable data protection laws, or
- The data subject has consented to the transfer, or
- The transfer is necessary for the performance of a contract, or
- Adequate contractual protections are in place (such as Standard Contractual Clauses under GDPR)
Where we transfer data to sub-processors in jurisdictions without equivalent protections, we require those sub-processors to sign data processing agreements that impose obligations equivalent to this Policy and applicable law.
7. Sharing of Personal Information
We do not sell, rent, or trade your personal information. We may share it in the following circumstances:
7.1 Service Providers and Sub-Processors
We engage trusted third parties to assist in delivering our services. These sub-processors are contractually bound to process data only on our instructions and in accordance with applicable data protection law:
| Category | Examples | Purpose |
|---|---|---|
| Cloud Infrastructure | Google Cloud Platform | Hosting, storage, database |
| Payment Processing | PayFast, Stripe | Subscription billing and invoicing |
| Email Delivery | Transactional email provider | System notifications, license delivery |
| Identity Verification | Verilink (SkyL4rk brand) | KYC/AML, biometric verification |
| Domain and DNS | Domain registrar / CDN provider | Platform availability |
7.2 Merchant Clients
Where you are registered as a sub-client through a merchant's integration of xCrypt, that merchant will have access to your account data (name, email, license status, API key) to the extent necessary for them to manage their platform. Merchants are bound by their own DPA with SkyL4rk and are responsible for their own compliance obligations toward their users.
7.3 Legal and Regulatory Disclosure
We may disclose personal information to law enforcement, regulatory authorities, or courts where we are legally required to do so, including under POPIA, FICA, or court order. We will notify you where permitted by law.
7.4 Business Transfers
In the event of a merger, acquisition, or sale of assets, personal information may be transferred as part of that transaction. We will notify affected parties where required.
8. Data Security
We implement technical and organisational measures appropriate to the risk of processing your data, including:
- TLS 1.2+ encryption in transit for all API and web communications
- AES-256 encryption at rest for sensitive data fields
- bcrypt hashing for all stored passwords
- Role-based access control (RBAC) limiting data access to authorised personnel only
- Two-factor authentication (2FA) for administrative accounts
- Daily encrypted database backups with 30-day rolling retention
- Geo-fenced administrative access controls
- Security incident logging and 24-hour investigation protocols
No system is completely secure. If you believe your account has been compromised, contact us immediately at legal@xcrypt.co.za.
9. Data Breach Notification
In the event of a data breach that poses a risk to your rights and freedoms, SkyL4rk will:
- Notify the South African Information Regulator within 72 hours of becoming aware of the breach
- Notify affected data subjects without undue delay where the breach is likely to result in high risk
- Notify merchant clients whose data or sub-clients are affected, within 72 hours
- Maintain an internal breach register regardless of notification obligation
10. Your Rights
Depending on your jurisdiction, you have the following rights regarding your personal information:
| Right | Description | POPIA | GDPR |
|---|---|---|---|
| Access | Request a copy of your personal information | ✓ | ✓ Art. 15 |
| Correction | Request correction of inaccurate data | ✓ | ✓ Art. 16 |
| Deletion / Erasure | Request deletion of your data | ✓ | ✓ Art. 17 |
| Objection | Object to processing based on legitimate interests | ✓ | ✓ Art. 21 |
| Restriction | Request restriction of processing | Limited | ✓ Art. 18 |
| Portability | Receive your data in machine-readable format | Limited | ✓ Art. 20 |
| Withdraw Consent | Withdraw consent at any time (where consent is the basis) | ✓ | ✓ Art. 7(3) |
| Complain | Lodge a complaint with the relevant supervisory authority | ✓ | ✓ Art. 77 |
To exercise any of these rights, submit a written request to legal@xcrypt.co.za. We will respond within 30 days. We may need to verify your identity before processing the request. Certain rights are subject to legal exceptions and retention obligations.
11. Retention of Personal Information
We retain personal information for as long as necessary to fulfil the purposes described in this Policy, and in accordance with our Data Retention Policy. Key periods are summarised below:
- Active account data — for the duration of the relationship plus 5 years post-termination
- License and transaction records — 7 years (financial record-keeping obligations)
- API usage logs — 12 months rolling
- Biometric data (Verilink) — as specified in the Verilink Privacy Notice; generally not retained beyond verification event
- Backup copies — 30 days rolling, encrypted
12. Children's Privacy
Our services are directed at businesses and adult individuals. We do not knowingly collect personal information from persons under the age of 18 without appropriate parental or guardian consent. If we become aware of such collection, we will delete the information promptly.
13. POPIA & GDPR Compliance
SkyL4rk is committed to compliance with the Protection of Personal Information Act 4 of 2013 (POPIA) as the primary applicable legislation for our South African operations, and with the General Data Protection Regulation (GDPR) to the extent that we process personal data of individuals in the European Economic Area or United Kingdom.
Where POPIA and GDPR impose different standards, we apply the higher standard of protection.
14. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, legal requirements, or service offerings. Where changes are material, we will:
- Update the "Last Reviewed" date at the top of this Policy
- Notify active merchants via email at least 14 days before the changes take effect
- Display a notice on the dashboard for logged-in users
Continued use of our services after the effective date of any update constitutes acceptance of the revised Policy.
15. Contact Us
For all privacy-related enquiries, access requests, or complaints:
- Email: legal@xcrypt.co.za
- Information Officer: Michael Beuster
- Postal: SkyL4rk (Pty) Ltd, Ballito, KwaZulu-Natal, South Africa
You also have the right to lodge a complaint with the Information Regulator of South Africa:
Website: inforegulator.org.za
Email: legal@xcrypt.co.za