For the purposes of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, the Data Controller for all personal data processed through this website and associated services is:
Organisation: Skyline Drone Services (trading as Skyline Visuals)
Type: Sole trader
Location: Northamptonshire, United Kingdom
Contact: info@skylinevisual.co.uk
ICO Registration: Pending — registration in progress
This page should be read alongside our Privacy Policy and Terms & Conditions, which together form our full data governance documentation.
Skyline Drone Services processes personal data in accordance with the following legislation and standards:
| Regulation / Standard | Status | Scope |
|---|---|---|
| UK GDPR (retained EU law) | Compliant | All personal data processing activities |
| Data Protection Act 2018 | Compliant | Supplements UK GDPR — national provisions |
| Privacy and Electronic Communications Regulations (PECR) | Compliant | Cookie consent and electronic marketing |
| ICO Registration | Pending | Annual registration as a data controller — in progress |
| Stripe PCI-DSS | Compliant | Payment card data — handled exclusively by Stripe |
| CAA Drone Code & Air Navigation Order | Compliant | Operational data collected during flights (imagery, coordinates) |
The table below is a summary of our data processing activities as required by UK GDPR Article 30 (Records of Processing Activities).
| Activity | Data Categories | Purpose | Lawful Basis |
|---|---|---|---|
| Booking & enquiry management | Name, email, phone, address, service details | Service delivery | Contract |
| Payment processing | Payment method (Stripe only — we hold no card data) | Collecting deposits and balances | Contract |
| Booking confirmation emails | Name, email, booking reference | Transactional communication | Contract |
| Calendar management | Name, date, service type, location postcode | Scheduling and availability | Contract |
| Aerial imagery capture | Property imagery, thermal data, survey data | Service deliverable production | Contract |
| Inspection report generation | Property address, imagery, thermal analysis data | Delivering inspection reports | Contract |
| AI chat widget | User-typed messages (session only) | Customer support via Skyline AI | Consent |
| Website analytics | Anonymised usage data, page views, device type | Improving website performance | Consent |
| Financial record-keeping | Name, address, transaction value, date | HMRC compliance | Legal obligation |
| Post-service follow-up | Name, email, service history | Customer relationship continuity | Legitimate interest |
The following third-party sub-processors handle personal data on our behalf. Each is contractually bound to process data only for the stated purpose and in accordance with applicable data protection law.
| Sub-Processor | Role | Data Transferred | Location | Safeguards |
|---|---|---|---|---|
| Netlify | Website hosting & serverless functions | Server logs, function request data | USA / EU | DPA ↗ |
| Stripe | Payment processing | Payment method — no card data held by us | USA / EU | PCI-DSS / DPA ↗ |
| Google (Calendar API) | Booking availability & scheduling | Name, date, service type, postcode | USA / EU | DPA ↗ |
| Google (Maps API) | Postcode lookup & service area mapping | Postcode / location query | USA / EU | DPA ↗ |
| Google (Analytics GA4) | Website usage analytics (consent only) | Anonymised usage data | USA / EU | DPA ↗ |
| Anthropic (Claude API) | AI chat assistant (consent only) | User chat messages (session only) | USA | Privacy Policy ↗ — not used for training; 30-day max retention |
| Gmail API (Google) | Booking confirmation emails | Name, email, booking reference | USA / EU | DPA ↗ |
Several sub-processors are based in the United States. All transfers are covered by Standard Contractual Clauses (SCCs) or equivalent adequacy mechanisms under UK GDPR. We do not transfer personal data to any country without appropriate safeguards in place.
Personal data is retained only for as long as is necessary for its original purpose or as required by law. The following schedule applies to all data processed by Skyline Drone Services.
| Data Category | Retention Period | Legal Basis | Deletion Method |
|---|---|---|---|
| Payment & transaction records | 7 years from transaction date | Legal obligation (HMRC) | Secure deletion from accounting records |
| Booking records | 6 years from last financial transaction | Legal obligation / legitimate interest | Secure deletion from calendar & booking system |
| Customer names & email addresses | 2 years after last service or contact | Legitimate interest | Deleted on request at any time; auto-deleted at expiry |
| Aerial imagery captured on site | 12 months after delivery to client | Contract / legitimate interest | Securely deleted from storage unless archival is contracted |
| Inspection reports (PDF) | 12 months after delivery | Contract | Deleted from our systems; client retains their copy |
| AI chat messages (our systems) | Session only — not retained | Consent | Not stored; cleared on session end |
| AI chat messages (Anthropic) | Up to 30 days | Consent / Anthropic safety monitoring | Deleted by Anthropic per their data retention policy |
| Website analytics (GA4) | 26 months (Google default) | Consent | Anonymised and aggregated — not linked to individuals |
| Cookie consent records | Until consent is withdrawn or browser storage cleared | PECR compliance | Stored in browser localStorage — cleared by user or on withdrawal |
Customers may request deletion of their personal data at any time by contacting us at info@skylinevisual.co.uk. We will action all valid erasure requests within 30 days. Note that data subject to a legal obligation retention period (e.g. HMRC financial records) cannot be deleted until that period expires.
We implement technical and organisational measures proportionate to the risk presented by our processing activities. As a small sole trader, these measures are practical and targeted.
In the event of a suspected or confirmed personal data breach, we will follow the procedure below in accordance with UK GDPR Article 33 and 34.
| Timeframe | Action |
|---|---|
| Immediately on discovery | Contain the breach — isolate affected systems, revoke compromised credentials, cease affected processing |
| Within 24 hours | Internal assessment — determine what data was affected, how many individuals, likely impact |
| Within 72 hours | Notify the ICO if the breach is likely to result in a risk to individuals' rights and freedoms (once ICO registration is complete) |
| Without undue delay | Notify affected individuals directly if the breach poses a high risk to their rights — by email to the address on record |
| Within 30 days | Document the breach, root cause, actions taken and preventative measures — retained for ICO audit purposes |
If a breach occurs within a sub-processor's infrastructure (e.g. Stripe, Google, Netlify), we will follow their incident notification procedures and relay relevant information to affected customers as quickly as possible. Sub-processors are contractually required to notify us of breaches without undue delay.
Any individual whose personal data we process has the right to request a copy of that data, ask for corrections, or request deletion. We take all such requests seriously and handle them promptly and free of charge.
| Request Type | Response Time |
|---|---|
| Subject Access Request (copy of data) | Within 30 days of receipt |
| Rectification (correction of data) | Within 30 days of receipt |
| Erasure (deletion of data) | Within 30 days — subject to legal retention obligations |
| Data Portability | Within 30 days — provided in a structured, machine-readable format |
| Objection to processing | Acknowledged within 5 working days; resolved within 30 days |
We may ask you to verify your identity before releasing personal data, to protect against unauthorised requests. This is standard practice and not intended to obstruct your rights.
Our cookie consent system is implemented in accordance with the Privacy and Electronic Communications Regulations (PECR) and UK GDPR. Consent is obtained before any non-essential scripts are loaded.
| Category | Services | Consent Model | Storage |
|---|---|---|---|
| Essential | Netlify, Stripe, Google Calendar API | No consent required — necessary for site function | Session / functional |
| Functional | Google Maps API | No consent required — directly enables a requested feature | Session |
| Analytics (GA4) | Google Analytics | Explicit opt-in — not loaded until consent given | localStorage (browser) |
| AI Features | Claude / Anthropic API | Explicit opt-in — not active until consent given | localStorage (browser) |
Consent preferences are stored locally in the user's browser under the key
skyline_cookie_consent_v1
and are not transmitted to our servers. Users may withdraw or change their consent at any time
by clearing their browser's local storage or revisiting the cookie preference panel.
This Data Compliance statement is reviewed whenever there is a material change to our processing activities, a new sub-processor is engaged, or applicable legislation is updated — and at minimum once per calendar year.
The current version was last reviewed in May 2026. Any questions or concerns about this statement should be directed to: