GDPR & EEA/UK privacy

Last updated: April 5, 2026

1. Controller

For personal data we determine the purposes and means of processing in connection with our website and business development activities, Scaileo acts as the data controller. For personal data we process solely on behalf of a client under instruction (for example when delivering a managed service or platform for the client’s own users), the client is typically the controller and we act as a processor; that relationship is governed by contract and, where required, a data processing agreement (DPA).

2. Scope

This page supplements our general Privacy Policy. It is intended for visitors, prospects, clients, and applicants who are in the EEA, Switzerland, or the UK. Terms such as “personal data,” “processing,” “controller,” and “processor” have the meanings given in the GDPR and UK GDPR.

3. Legal bases

We process personal data only where a valid legal basis applies. Depending on the activity, we may rely on:

• Contract (Art. 6(1)(b)): processing necessary to respond to your request, prepare a proposal, or perform an agreement with you or your organization.
• Legitimate interests (Art. 6(1)(f)): for example securing our Site, improving our services, limited business-to-business outreach that is proportionate, and internal reporting, balanced against your rights.
• Consent (Art. 6(1)(a)): where we ask for consent (such as certain marketing cookies or newsletters), you may withdraw consent at any time without affecting the lawfulness of processing before withdrawal.
• Legal obligation (Art. 6(1)(c)): where we must retain or disclose information to comply with law.

4. Categories of data

We process the categories described in our Privacy Policy, including identity and contact details, professional information, communications content, limited technical data, and recruitment information. We avoid collecting special categories of data unless strictly necessary and lawful (for example diversity monitoring only where permitted and with appropriate safeguards).

5. Recipients and transfers

We use vetted service providers (hosting, communications, productivity, analytics, etc.) who may access personal data as subprocessors. Some providers may be located outside the EEA/UK. Where we transfer personal data to countries not subject to an adequacy decision, we implement appropriate safeguards such as the EU Commission Standard Contractual Clauses and the UK International Data Transfer Addendum or UK IDTA, together with supplementary measures where appropriate.

6. Retention

We retain personal data for as long as necessary for the purposes described in our Privacy Policy and this page, including statutory retention periods for business and tax records, and the duration of the client relationship plus a reasonable post-termination period for dispute resolution.

7. Your rights

Subject to applicable law, you may have the right to:

• Access your personal data and receive a copy.
• Rectify inaccurate or incomplete data.
• Erase data in certain circumstances (“right to be forgotten”).
• Restrict processing in certain circumstances.
• Data portability for data you provided where processing is based on consent or contract and is automated.
• Object to processing based on legitimate interests, including profiling in some cases.
• Withdraw consent where processing is based on consent.
• Lodge a complaint with a supervisory authority in your country of habitual residence, place of work, or place of an alleged infringement.

To exercise these rights, contact us via scaileo.com/contact. We will respond within the timeframes required by law (typically within one month, extendable in complex cases). You may also have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects; we do not use such automated decision-making for Site visitors in a way that falls under that definition without human review and, where required, explicit safeguards.

8. Supervisory authorities

Examples of supervisory authorities include the EEA data protection authorities and, for the UK, the Information Commissioner’s Office (ICO). We encourage you to contact us first so we can address your concern.

9. Automated processing & AI

When we deliver AI-enabled solutions for clients, processing of personal data in those systems is governed by the applicable Engagement Agreement and DPA. We assist clients, where contracted, with obligations such as impact assessment support and technical measures; primary responsibility for lawful basis and transparency to end users typically sits with the client when they are the controller of end-user data.

10. Updates

We may update this page to reflect regulatory guidance or changes in our processing. Please review the “Last updated” date when you visit.

11. Contact

For GDPR-related requests, use scaileo.com/contact. Our Terms and Conditions govern use of the Site and services.