Privacy Policy

How SK102 LLC collects, uses, and protects information from visitors to sk102.co.

Effective: 2026-04-27 · Last updated: 2026-04-27 · Version 1.0

The short version

  • We collect contact info, chat messages, meeting bookings, and basic analytics.
  • We use it to respond to you, run the site, and improve content. We do not sell your data.
  • We retain it on a published schedule (36 months for contacts, 90 days for chat) and delete it automatically afterwards.
  • You have full rights to access, correct, delete, or export your data — see section 09.
  • Use the form in section 10 or email privacy@sk102.co. Security issues: security@sk102.co.

01

Who we are

SK102 LLC is a software development and AI integration consulting firm registered and licensed in Tamuning, Guam, USA. We are the data controller for sk102.co.

This policy covers visitors to sk102.co. When SK102 processes data on behalf of a client (under a Master Services Agreement, Statement of Work, or Data Processing Addendum), that engagement is governed by separate written terms and is not covered by this policy. A standard DPA is available on request.

02

Our privacy principles

We collect only what we need. We use data only for the purposes we tell you about. We keep data accurate. We delete data on a schedule. We protect data in transit and at rest. We hold ourselves accountable to these principles in code, not just in copy — the retention table below is enforced by automated purge jobs.

03

What we collect

What you give us: contact form submissions (name, email, optional organization, message, request type); chat interactions (messages and, if you verify, your email and name); meeting bookings (name, email).

What we collect automatically: IP address, user-agent string, referrer URL, pages viewed, and standard analytics events via Google Analytics 4.

What we do not do: we do not buy enrichment data, scrape LinkedIn, or use third-party data brokers. We do not collect data from third parties about you.

Aggregated and anonymized data (for example, "X% of visitors viewed the Services page") is not personal data and is used freely for product and content decisions.

When you provide an organization name in the contact form, we treat that as business contact information in a B2B context; it is associated with your individual contact record but used only for the purpose of responding to your inquiry.

04

Why we collect it (lawful basis)

Legitimate interest: analytics (understanding which pages help visitors), security logs, basic site operation.

Contract or pre-contractual measures: contact form submissions and meeting bookings — we need this data to respond to your request.

Consent: chat OTP email verification (you opt in by submitting); analytics cookies in EU/UK/EEA jurisdictions where opt-in is required.

Legal obligation: short-term retention of records relevant to tax, audit, or legal hold requirements.

05

How long we keep it

We retain data for the periods listed below. After the retention period, automated purge jobs delete the data on a daily schedule.

Data retention schedule

| Data | Stored in | Retention |
|---|---|---|
| Contact form submissions | SQLite (contacts table) | 36 months |
| Privacy/DSR request records | SQLite (contacts, type=privacy_request) | 3 years |
| Chat session transcripts | SQLite + Redis cache | 90 days |
| Verified email/name (chat) | Chat session record | 90 days |
| OTP codes | Redis | 15 minutes |
| Meeting bookings | Google Calendar + SQLite | 36 months |
| Server / access logs | Standard infra logs | 90 days |
| Google Analytics 4 data | Google's servers | 14 months |
| Slack notifications | Slack workspace | Per Slack policy |

06

Cookies and tracking

We use a small number of cookies. Essential cookies (admin authentication) are used regardless of consent. Analytics cookies (Google Analytics 4) are subject to consent.

We use a geo-aware cookie consent banner: visitors from the EU, UK, or EEA are shown an opt-in banner on first visit, and analytics cookies are not set until consent is given. You can change or withdraw your choice at any time using the "Cookie preferences" link in the site footer. You can also email privacy@sk102.co to request that we exclude your IP from analytics.

You can opt out of Google Analytics across all sites using the official browser add-on at https://tools.google.com/dlpage/gaoptout. We honor Global Privacy Control (GPC) signals as an opt-out request from California residents.

Cookies in use

| Name | Type | Party | Duration | Purpose | Legal basis |
|---|---|---|---|---|---|
| admin_token | Essential | First-party | 24 hours | Admin authentication | Contract / legitimate interest |
| _ga | Analytics | Third-party (Google) | 2 years | Distinguishes unique visitors | Consent (EU/UK), legitimate interest (rest of world) |
| _ga_* | Analytics | Third-party (Google) | 2 years | GA4 session state | Consent (EU/UK), legitimate interest (rest of world) |

07

Subprocessors

We use the following third-party services (subprocessors) to operate this website. We prefer subprocessors with SOC 2 or ISO 27001 attestations where available, and update this list as our stack evolves.

Subprocessors

| Vendor | Purpose | Data shared | Location | Privacy policy |
|---|---|---|---|---|
| Google (Analytics 4) | Website analytics | Page views, events, IP, device info | United States | View |
| Google (Calendar, Meet) | Meeting scheduling and video | Name, email, meeting metadata | United States | View |
| Anthropic | AI chat assistant (Claude) | Chat messages | United States | View |
| Google (Gemini API) | RAG backend — content retrieval and synthesis | Chat queries and public site content | United States | View |
| Google Workspace (Gmail) | Outbound email delivery (OTP, contact notifications, privacy replies) | Recipient address, email contents | United States | View |
| Slack | Internal notifications to SK102 staff | Submission metadata | United States | View |
| Hostinger | VPS hosting for the website and supporting services | IP, request logs, application data at rest | European Union (Lithuania), with global infrastructure | View |

08

International transfers

SK102 is based in Guam, a United States territory. Our hosting infrastructure (Hostinger) is headquartered in the European Union, with global data-center options. Our other subprocessors (Anthropic, Google, Slack) are US-based.

For visitors in the EU, UK, or EEA, transfers of personal data to the United States rely on Standard Contractual Clauses (SCCs) and, where applicable, our subprocessors' adequacy mechanisms — for example, Google's certification under the EU-US Data Privacy Framework, and Anthropic's SCCs.

You may request a copy of the SCCs in place by emailing privacy@sk102.co.

09

Your rights

Universal: you may request access to, correction of, or deletion of your personal data.

GDPR / UK GDPR (Articles 15–22): access, rectification, erasure, restriction of processing, portability, objection. The chatbot generates responses but does not produce legal or similarly significant effects; we do not perform automated decision-making within the meaning of Article 22.

CCPA / CPRA (California): right to know, delete, correct, opt-out of sale or sharing for cross-context behavioral advertising (we do not sell or share for that purpose), and limit use of sensitive personal information. We do not collect sensitive PI as defined under CPRA: SSN, driver's license, financial account, precise geolocation, racial or ethnic origin, religion, union membership, mail or email contents, genetic data, biometrics, health data, sex life or orientation, immigration status, or citizenship status.

California Shine the Light (Civil Code §1798.83): California residents may request a list of personal information shared with third parties for direct marketing. We do not share for direct marketing.

Other US state privacy laws (Virginia, Colorado, Connecticut, Utah, Texas, Nevada, Oregon, Montana, Iowa, Indiana, Tennessee, Delaware, New Hampshire, Minnesota, New Jersey, Maryland, Rhode Island, Kentucky, and others as enacted): residents have rights similar to those above.

Withdrawing consent: where processing is based on consent (chat OTP, analytics cookies in EU/UK), you may withdraw at any time without affecting the lawfulness of prior processing. Withdrawing is as easy as giving consent — clear the cookie, decline the banner, or ask us to stop.

How to exercise: use the privacy request form below or email privacy@sk102.co.

Response time: 30 days from a verified request (45 days for CCPA, with one possible 45-day extension on notice).

Right to lodge a complaint with a supervisory authority: ICO (UK) at https://ico.org.uk/make-a-complaint/, EDPB list of EU supervisory authorities at https://edpb.europa.eu/about-edpb/about-edpb/members_en, California Attorney General at https://oag.ca.gov/privacy/ccpa, and US Federal Trade Commission at https://reportfraud.ftc.gov.

10

Privacy request form

Use the form below to submit any of the requests described above. We will reply to the email you provide to verify your identity before acting on the request.

Or email directly: privacy@sk102.co

11

Children

This site is not intended for and is not directed at anyone under 18 years of age. We do not knowingly collect personal information from minors. If we learn we have, we delete it promptly.

12

Security

Encryption in transit: TLS 1.2 or higher, HSTS-eligible.

Network isolation: internal services (Redis cache, RAG backend) are bound to the host loopback interface and run on a private container network — they are not exposed to the public internet. Host filesystem encryption is applied per the hosting provider's capabilities.

Access control: least-privilege. Admin access is single-user, authenticated with a bcrypt-hashed password and a session token; admin sessions expire after 24 hours.

Logging: admin actions and access to personal data are logged via a structured logger; logs are reviewed periodically. We do not log OTP codes, passwords, or full chat content in audit logs.

Rate limiting: applied to all public endpoints (form submissions, chat, OTP issuance).

Vendor management: we prefer subprocessors with SOC 2 or ISO 27001 attestations where available; the current list is in section 07.

No system is 100% secure. We work to keep this site as secure as we reasonably can, and we follow the breach-notification commitments in section 14 if something goes wrong.

13

Vulnerability disclosure

If you believe you have found a security vulnerability affecting sk102.co, please email security@sk102.co. We acknowledge reports within 72 hours and aim to remediate before public disclosure. Coordinated disclosure is preferred.

Our security contact file is published at https://sk102.co/.well-known/security.txt per RFC 9116.

We do not currently operate a paid bug bounty program. Good-faith research is welcomed and credited (with permission).

14

Security incidents and breach notification

If we become aware of a personal data breach affecting visitor data, we follow this commitment:

We notify the relevant supervisory authority within 72 hours where required (GDPR Article 33).

We notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms (GDPR Article 34) or where required by US state law.

Notifications include: the nature of the breach, categories and approximate number of affected individuals, likely consequences, and the measures taken or proposed.

We maintain an internal incident response runbook covering triage, containment, notification, and post-incident review.

15

AI assistant disclosure

The chat assistant on this site sends your messages to Anthropic's Claude API under Anthropic's terms of service. Per Anthropic's published policy, API inputs and outputs are not used to train Anthropic's models by default.

A separate retrieval-augmented generation (RAG) backend uses Google's Gemini API to summarize relevant content from public sk102.co pages and pass it to the chat assistant. Only your queries and the public site content are sent to Gemini — no internal documents are exposed.

Chat transcripts are retained for 90 days from last activity; after that they are deleted automatically. If you verify your email during a chat (for example, to schedule a meeting), that email is stored on the chat session record and is purged when the session is purged.

The chatbot does not produce legal or similarly significant effects on you. We do not perform automated decision-making within the meaning of GDPR Article 22.

You may decline to use the chatbot at any time without affecting your ability to use the rest of the site.

16

EU representative

SK102 currently relies on the GDPR Article 27(2) exception: processing of EU/EEA data subjects' data via this website is occasional and not large-scale, and does not involve special-category data on a large scale. We review this position annually.

If EU traffic and processing volumes warrant, we will engage a third-party EU representative service and update this section with named contact details.

EU/EEA visitors with concerns may contact privacy@sk102.co directly in the meantime.

17

Third-party sites

This site links to external services (LinkedIn, Google Meet, others). When you follow an external link, you leave sk102.co and become subject to that site's privacy policy. We are not responsible for the content or privacy practices of third-party sites.

18

Changes to this policy

We update this policy from time to time. Material changes will be highlighted at the top of this page with a new effective date. For substantive changes affecting your rights, we will provide at least 30 days' notice in the policy header before the new version takes effect. Continued use of sk102.co after the effective date constitutes acceptance.

Full version history is at the bottom of this page.

19

Contact us

Privacy and data requests: privacy@sk102.co

Vulnerability disclosure: security@sk102.co

General inquiries: info@sk102.co

SK102 LLC, Tamuning, Guam, USA. Mailing address available on written request.

Version history
  • v1.0 — 2026-04-27 — Initial publication.