GDPR Compliance

1. Our Commitment to GDPR

SkyGate Travel Technology ("SkyGate") is fully committed to compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Although registered in Tbilisi, Georgia, we process personal data of individuals within the European Economic Area (EEA) and therefore adhere to GDPR requirements as both a data controller and data processor.

2. Roles and Responsibilities

SkyGate as Data Controller: When we collect and process data directly from users of our website and platform (e.g., partner registrations, support inquiries).

SkyGate as Data Processor: When we process data on behalf of our white-label partners (travel agencies) who are the data controllers for their end customers. In this capacity, we process data strictly in accordance with our partners' instructions and applicable Data Processing Agreements (DPAs).

3. Data Processing Principles

We adhere to the core GDPR principles:

• Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and transparently.
• Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes only.
• Data Minimization: We collect only the data that is necessary for the stated purposes.
• Accuracy: We take reasonable steps to ensure data is accurate and kept up to date.
• Storage Limitation: Data is retained only as long as necessary for its intended purpose.
• Integrity and Confidentiality: Appropriate security measures protect data against unauthorized access, loss, or damage.
• Accountability: We maintain documentation demonstrating compliance with these principles.

4. Data Subject Rights

Under the GDPR, data subjects have the following rights:

• Right of Access (Art. 15): Obtain confirmation of whether personal data is being processed and access to that data.
• Right to Rectification (Art. 16): Request correction of inaccurate personal data without undue delay.
• Right to Erasure (Art. 17): Request deletion of personal data when it is no longer necessary, consent is withdrawn, or processing is unlawful.
• Right to Restriction (Art. 18): Request limitation of processing in specific circumstances.
• Right to Data Portability (Art. 20): Receive personal data in a structured, commonly used, machine-readable format.
• Right to Object (Art. 21): Object to processing based on legitimate interests or for direct marketing purposes.
• Right Not to Be Subject to Automated Decision-Making (Art. 22): Not be subject to decisions based solely on automated processing that produce legal or significant effects.

Requests can be submitted to sales@skygate.travel. We respond within 30 days, extendable by two months for complex requests.

5. Legal Bases for Processing

• Contract Performance (Art. 6(1)(b)): Processing required to deliver services under our agreements.
• Consent (Art. 6(1)(a)): Where you have given clear consent for specific processing activities (e.g., marketing emails, non-essential cookies).
• Legitimate Interests (Art. 6(1)(f)): Where processing is necessary for our legitimate business interests (e.g., fraud prevention, analytics), balanced against your rights.
• Legal Obligation (Art. 6(1)(c)): Where processing is required by law (e.g., tax records, regulatory reporting).

6. Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with all partners and sub-processors in accordance with GDPR Art. 28. These agreements specify the scope, nature, and purpose of processing, confidentiality obligations, security measures, sub-processing restrictions, and data breach notification procedures.

7. International Data Transfers

When personal data is transferred outside the EEA, we ensure adequate safeguards through: Standard Contractual Clauses (SCCs) as approved by the European Commission; adequacy decisions by the European Commission; or binding corporate rules where applicable. We regularly assess the data protection landscape of recipient countries.

8. Data Breach Response

In the event of a personal data breach, SkyGate will: (1) notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Art. 33; (2) notify affected data subjects without undue delay where the breach is likely to result in a high risk to their rights and freedoms (Art. 34); (3) document the breach, its effects, and remedial actions taken; and (4) notify affected partners in accordance with our Data Processing Agreements.

9. Data Protection Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for processing activities that are likely to result in a high risk to individuals' rights and freedoms, including large-scale processing of travel booking data, automated profiling, and new technology implementations.

10. Security Measures

• 256-bit SSL/TLS encryption for all data in transit.
• AES-256 encryption for data at rest.
• Role-based access controls with principle of least privilege.
• Regular penetration testing and vulnerability assessments.
• Automated intrusion detection and monitoring systems.
• Secure development lifecycle (SDLC) practices.
• Employee training on data protection and security awareness.
• Physical security measures at data center facilities.

11. Sub-Processors

We maintain a list of sub-processors and their processing activities. Partners are notified of any changes to sub-processors and have the right to object. Current sub-processor categories include: cloud hosting providers, payment processors, email delivery services, analytics platforms, and travel supply aggregators.

12. Supervisory Authority

If you believe your data protection rights have been violated, you have the right to lodge a complaint with the relevant supervisory authority in your country of residence. For EEA residents, a list of supervisory authorities is available at edpb.europa.eu.

13. Contact

For GDPR-related inquiries or to exercise your data protection rights:
SkyGate Travel Technology
Email: sales@skygate.travel
Phone: +995 550 002 283