Privacy Policy
Effective date: 3 June 2026
1. Overview and Roles
SkyState is operated by Developer Jones AB. Full company information: Company information.
For account, billing, support, security, product-usage, and service-administration data, Developer Jones AB is the data controller. For state data that a customer stores in SkyState about that customer's own users, visitors, employees, or other individuals, the customer is normally the controller and Developer Jones AB acts as a processor or service provider. In that processor role, we process customer-controlled state data only to provide, secure, support, and maintain the Service, as instructed by the customer through the Service and the Terms of Service. Customers are responsible for their own privacy notices, legal bases, and end-user requests for data they store in SkyState.
For customer-controlled state data, SkyState's processor obligations are set out in the Data Processing Agreement, which forms part of the Terms of Service for business customers acting as controllers.
The sub-processors we engage to process customer-controlled state data are listed on the Sub-processors page.
We do not sell personal data.
2. Data We Collect
Account data. When you register, we collect your email address and, where applicable, your name, profile image, identity-provider identifier, and related profile information provided by your authentication provider.
Authentication and session data. We process login tokens, refresh state, browser/session identifiers, and sign-in flow metadata needed to keep you signed in and protect account access.
Usage and metering data. We collect information about how you use the Service, including API requests, state reads and writes, command invocations, project and environment identifiers, quota counters, session timestamps, user-agent strings, IP addresses, and other client metadata. This data is used for metering, billing, security monitoring, abuse prevention, support, and Service improvement.
State data. We store the key-value state you submit to the Service. State data may include personal data if you or your application put personal data into it. You are responsible for the content of state data, for providing privacy notices and legal bases to your own users where required, and for ensuring that state data complies with applicable law. The Service is not intended for sensitive or regulated personal data, payment-card data, bank-account data, passwords, API secrets, authentication credentials, children's data, or special-category personal data under the GDPR unless SkyState has expressly agreed in writing.
Payment and subscription data. If you subscribe to a paid plan, checkout and payment are processed by Creem as merchant of record. We do not store full card numbers. We retain Creem customer identifiers, subscription identifiers, subscription status, tier, billing-event metadata, and related records needed to provide paid access, handle support, and reconcile billing.
Support and communications data. If you contact us, we process the email address, message content, attachments, and related support metadata you provide.
3. Purposes and Legal Bases
Where the GDPR or similar law applies, we rely on the following legal bases:
| Purpose | Data categories | Legal basis |
|---|---|---|
| Create accounts, authenticate users, provide the console, CLI, SDKs, API, state storage, and support | Account, authentication, usage, state, and support data | Contract necessity |
| Process subscriptions, paid access, invoices, refunds, chargebacks, quota enforcement, and billing support | Account, payment, subscription, usage, and support data | Contract necessity and legitimate interests |
| Send transactional account, billing, security, usage-limit, and service notices | Account, usage, subscription, and support data | Contract necessity and legitimate interests |
| Detect, prevent, and investigate abuse, fraud, security incidents, prohibited use, and platform-risk issues | Account, authentication, usage, state metadata, support, and technical data | Legitimate interests and legal obligation |
| Maintain, debug, improve, and develop the Service | Account, usage, technical, and aggregated or de-identified data | Legitimate interests |
| Comply with legal, tax, accounting, consumer, regulatory, and dispute obligations | Account, payment, subscription, support, and records needed for the obligation | Legal obligation |
If we ask for consent for a specific processing activity, you may withdraw that consent at any time without affecting processing that occurred before withdrawal.
4. Data Sharing
We share data with:
- Infrastructure and authentication providers. Google Cloud Platform and Firebase services used for hosting, storage, databases, authentication, and operations.
- Payment provider and merchant of record. Creem processes checkout, payment, invoicing, tax, refund, chargeback, and customer-portal data under its own terms and privacy policy.
- Email provider. Resend processes email addresses and message content for transactional emails such as usage-limit, account, billing, or security notices.
- Professional and compliance providers. Accountants, legal advisers, auditors, banks, payment providers, and compliance vendors where needed for business, tax, accounting, legal, or regulatory purposes.
- Legal, safety, and rights recipients. Courts, regulators, law enforcement, or other parties where required by law or where necessary to protect the rights, property, safety, security, or integrity of SkyState, our users, Creem, or the public.
Our service providers are required to process personal data under appropriate confidentiality, security, and data-processing terms.
5. International Transfers
Developer Jones AB is based in Sweden. We and our providers may process personal data in the EU/EEA and in other countries where our providers operate. Where personal data is transferred outside the EU/EEA, we use appropriate safeguards such as European Commission standard contractual clauses, adequacy decisions, provider data-processing terms, or other lawful transfer mechanisms.
6. Data Retention
We retain personal data only for as long as needed for the purposes described in this Policy, unless a longer period is required by law.
- Account and ordinary usage data are retained while your account is active and for up to 30 days after account deletion unless a longer retention period is required for billing, fraud prevention, legal, tax, dispute, security, or backup reasons.
- State data is deleted on account deletion or earlier if you delete it through the Service, subject to backup, security, and legal-retention limits.
- Billing, refund, chargeback, tax, and accounting records may be retained for the period required by applicable law and payment-provider requirements.
- Support records are retained as needed to resolve the request, maintain business records, and defend legal claims.
7. Security
We use security measures designed to protect personal data, including TLS for data in transit, encryption at rest, access controls, audit logging, and operational monitoring. No system is completely secure, and we cannot guarantee absolute security.
8. Your Rights
Depending on your jurisdiction, you may have rights to access, correct, delete, port, restrict, or object to processing of your personal data. You may also have the right to withdraw consent where processing is based on consent.
To exercise your rights, contact us at support@skystate.io or through the support channel listed in the console. We may need to verify your identity before completing a request. If your request concerns state data controlled by one of our customers, we may direct you to that customer or assist the customer in responding.
If you are in the EU/EEA, you may lodge a complaint with your local data-protection authority. In Sweden, the supervisory authority is Integritetsskyddsmyndigheten (IMY), https://www.imy.se/.
9. Data Required to Use the Service
Account email, authentication data, and technical usage data are required to create an account and provide the Service. If you do not provide required data, we may be unable to provide some or all features. Payment data is required only for paid plans and is handled by Creem.
10. Automated Decision-Making
SkyState does not use personal data for automated decision-making that produces legal or similarly significant effects. The Service may automatically enforce usage limits, authentication checks, abuse-prevention rules, and billing-state access based on account, usage, and subscription data.
11. Cookies and Tracking
The Service uses browser local and session storage solely to maintain authentication state, login tokens, and the PKCE sign-in flow. It does not set tracking or advertising cookies and does not use third-party analytics. Because this storage is strictly necessary to provide the Service, no consent banner is required.
12. Children's Privacy
SkyState is a tool for businesses and developers and is not intended for, or directed to, anyone under 13. We do not knowingly create accounts for or process personal data of people under 13. If you believe an under-13 account exists, contact us at support@skystate.io and we will remove it.
13. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be communicated by updating the effective date and, where feasible, by in-app notice. Continued use of the Service after changes constitutes acceptance.
14. Contact
For privacy-related questions or requests, contact us at support@skystate.io or via the support channel listed in the console.
See also: Terms of Service · Data Processing Agreement · Sub-processors · Third-Party Notices