1.Who we are

Controller: SKY Mobility (Malta) Ltd. (“SKY Mobility”, “we”, “our”, “us”)

Registered office: The Brokerage, Triq Santa Marta, Rabat, Ghawdex, VCT 2551, Malta

Company No.: C107863

Website: www.skymobility.aero
Data Protection Officer (DPO): Alexander Esslinger — compliance@skymobility.aero

 

General support: support@skymobility.aero

For the purposes of the EU General Data Protection Regulation (GDPR) and Malta’s Data Protection Act, Chapter 586, SKY Mobility is the data controller of personal data processed via our website and related online services (the “Service”).

 

Our voice is clear, confident, and authentic: Our goal is to explain what we collect, why, and how to use your rights without unnecessary complexity.

 

2.Scope

This Privacy Policy applies to personal data processed when you visit www.skymobility.aero, interact with our forms or communications, or engage us for drone-as-a-service (“UAS”)  operations. It does not cover third-party websites or services we link to.

 

3.Definitions (plain-English)

• Personal data: information that identifies or can identify you or any of your clients (e.g., name, email, IP address).

• Processing: anything done with personal data (e.g., collecting, storing, using, sharing, etc.).).

• Controller/Processor: we decide “why/how” data is processed; vendors acting on our behalf are processors.

 

4.The data we collect

A. You provide directly

• Identifiers and contact details (name, email, phone, company, role).

• Messages and attachments sent to sent to our support or compliance inboxes Preferences (e.g., newsletter opt-ins).

B. Collected automatically

• Usage/technical data: IP address, device/browser type, operating system, pages viewed, referring URLs, timestamps.

• Cookies & similar tech (see Section 10).

C. Operations (UAS) data:

 

Depending on the mission, we may process:

 

• Images, video, audio, location and telemetry captured during drone operations
• Flight path data, GNSS coordinates, geofencing status, payload information, obstacle-avoidance sensors, aircraft health indicators
• UAS footage that may incidentally capture individuals in public spaces, processed under Article 6(1)(f) GDPR for safety and operational compliance

We may share UAS technical data with equipment manufacturers inside or outside the EEA for safety analysis or defect diagnostics. If transfers occur outside the EEA/UK, we use Standard Contractual Clauses and conduct transfer risk assessments.

We implement UAS-specific safeguards including encrypted command-and-control links, secure firmware updates, hardened ground control stations, role-based access control, anti-spoofing measures, and secure deletion of onboard storage.

We do not intentionally collect special category data. If we receive sensitive data that is not required for our services, we delete it as soon as possible.

 

We do not intentionally collect special categories of data via the website (e.g., health, biometric). Please don’t send sensitive data unless we specifically ask for it and provide a secure channel. Should we receive data not needed for the services provided, we will delete this as soon as possible.

 

5.Why we use your data (purposes & legal bases)

We process personal data only where a GDPR legal basis applies:

• Provide and operate the Service (contract / legitimate interests)
  Operating and maintaining the website and online features

• Customer support & communications (contract / legitimate interests / consent)
  Responding to enquiries, troubleshoot, manage your requests; send service notices.

• Marketing with your choice (consent / legitimate interests)
  Newsletters or updates, you can unsubscribe anytime.

• Improve safety, security, and performance (legitimate interests)
  Monitor for abuse, debug issues, enhance features.

• Compliance & enforcement (legal obligations / legitimate interests)
  Meet legal duties, respond to lawful requests, enforce our Terms and defend claims.

 

"Where UAS operations support healthcare or emergency logistics, processing may be necessary for tasks carried out in the public interest (Article 6(1)(e) GDPR), where applicable."

6.Data minimisation & accuracy

We collect only what we need, keep it accurate and up-to-date and delete what we no longer need for stated purposes.

7.Retention

We keep personal data only as long as necessary for the purposes in this policy (or longer if required by law). Typical periods:

• Website contact & correspondence: up to 24 months after the last interaction.

• Support tickets/incident records: up to 36 months where needed for follow-up or legal obligations.

• Analytics/usage data: up to 14 months (or the tool’s nearest setting meeting our needs).

• UAS telemetry & logs: up to 24 months (see Section 8).

• UAS images/video: typically 30–90 days, longer only for incident investigation, safety reporting, insurance, regulatory, or legal claims (then kept just as long as necessary).

 

8.UAS operations (drone services)

In delivering drone-as-a-service operations, we may incidentally capture images, video, audio, location and telemetry in public or client-controlled areas.

• Purposes & legal bases

  1. to provide and evidence our services (contract/legitimate interests),

  2. to ensure safety and compliance with applicable aviation requirements (legal obligations/legitimate interests),

  3. to investigate incidents and defend legal claims (legitimate interests/legal obligations).

• Minimisation & safeguards

We avoid unnecessary capture; restrict live views to authorised personnel only; apply access controls, audit trails, and least-privilege permissions; watermark operational logs where relevant.

• Retention
  See Section 7 (UAS telemetry/logs; images/video).

• Sharing
  We may share relevant UAS data with clients, insurers, regulators, law-enforcement, or legal advisers where necessary or required by law. In addition to this we might share information about trips and performance of drones use to the manufacture in for control and safety purposes.

• We may retain and disclose UAS data required for safety audits, airspace authorisation, incident reports, or operational approvals and process and share flight logs, telemetry and safety data to comply with CAD, Transport Malta, EASA, and EU Regulation 376/2014.

 

9.Sharing your data

We may share personal data with:

• Service providers (processors) for hosting, security, analytics, email delivery, and support—bound by Article 28 GDPR contracts (confidentiality, security, assistance with rights, deletion/return at end of service).

• Professional advisers (legal, compliance, insurance, accounting) under confidentiality.

• SKY Group companies and affiliates. We may share personal data with our parent, subsidiaries, and affiliated companies (collectively, the “SKY Group”) for safety analytics, service performance analysis, research and development, and to improve and tailor our service offering. Our legal basis is legitimate interests in running, securing, and enhancing our services (and your consent where a particular use requires it, e.g., direct marketing by another group entity). Where feasible, we use aggregated or de-identified data; where personal data is needed, we limit access to the minimum necessary, apply role-based controls and audit, and require each group entity to implement appropriate technical and organisational measures.

Depending on the context, a SKY Group entity may act as our processor, joint controller, or independent controller. We put in place appropriate intra-group data sharing agreements (including Article 26/28 GDPR arrangements). If data is shared outside the EEA/UK, we use the safeguards described in Section 11 (International transfers) (e.g., EU Standard Contractual Clauses, adequacy decisions, and supplementary measures). You can object to processing based on legitimate interests at any time (see Section 14/15).

• Authorities or third parties where required by law, to protect rights, safety, and security, or in relation to claims.

 

• Business transfers in case of merger, acquisition, or reorganisation, with appropriate safeguards.

 

We do not sell or part exchange personal data.

 

10.Cookies & similar technologies

We use cookies to operate the site, remember preferences, and understand usage.

• Strictly necessaryessential for site operation.

• Preferences meant toremember previously chosen settings.

• Analytics to help us improve the Service.

Where required, we seek your consent via a cookie banner and honour your choices. You can also manage cookies in your browser. For Google Analytics specifically, you may use:

• Google Ads Settings: https://adssettings.google.com

• GA Opt-out Add-on: https://tools.google.com/dlpage/gaoptout

Disabling certain cookies may affect site functionality.

 

11.International transfers

If personal data is transferred outside the EEA/UK, we use lawful safeguards such as adequacy decisions, EU Standard Contractual Clauses (and UK IDTA/Addendum as needed), along with transfer risk assessments and supplementary measures where appropriate.

 

12.Security

We implement appropriate technical and organisational measures, including encryption in transit (TLS), access controls and least-privilege permissions, segmentation, logging and monitoring, vendor due diligence, and periodic testing of controls. No method of transmission or storage is perfectly secure, but we continuously strengthen our safeguards.

 

13.Children’s privacy

Our Service is not intended for individuals under 18. For information society services, where consent is the legal basis, Malta sets the child’s age of consent at 13. If a child is under 13, consent must be given or authorised by a holder of parental responsibility.

 

If you believe a minor has provided personal data, contact compliance@skymobility.aero and we will take appropriate steps to delete it.

 

14.Your rights (EEA/UK)

Subject to conditions and exceptions in applicable law, you have the right to:

• Access your personal data;

• Rectify inaccurate or incomplete data;

• Erase your data (“right to be forgotten”);

• Restrict processing;

• Object to processing based on legitimate interests and to direct marketing;

• Data portability (for data you provided, processed by automated means, based on consent or contract);

• Withdraw consent at any time (does not affect prior lawful processing).

 

Timelines & verification. We respond within one month of receipt; we may extend by up to two months for complex requests and will notify you. We may request information to verify your identity.

 

Fees. Requests are free of charge. We may charge a reasonable fee or refuse to act only where a request is manifestly unfounded or excessive.

 

15.How to exercise your rights

Email compliance@skymobility.aero with the subject “Privacy Request” and tell us which right(s) you wish to exercise. We’ll guide you through verification and next steps.

You can also unsubscribe from marketing at any time via the link in our emails.

 

16.Supervisory authority

You have the right to lodge a complaint with your local authority in Malta:

 

Office of the Information and Data Protection Commissioner (IDPC)
Floor 2, Airways House, Triq Il-Kbira, Tas-Sliema SLM 1549, Malta
Email: idpc.info@idpc.org.mt
Website: https://idpc.org.mt

 

In any case, We’d appreciate the chance to address your concerns first please contact us at compliance@skymobility.aero.

 

17.Personal data breaches

We will notify the IDPC without undue delay and, where feasible, within 72 hours after becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. Where required, we will also notify affected individuals without undue delay, describing a contact point, likely consequences, and measures taken or proposed.

 

18.Links to other sites

Our site may contain links to third-party sites. Their privacy practices are their own. We encourage you to review their privacy notices. We are not responsible for third-party content or policies.

 

19.Changes to this policy

We may update this policy from time to time. We will post the updated version with a new “Last updated” date. For material changes, we’ll provide a notice we consider appropriate.

 

20.Contact us

• Privacy & DPO: compliance@skymobility.aero

• General support: support@skymobility.aero

• Postal: The Brokerage, Triq Santa Marta, Rabat, Ghawdex, VCT 2551, Malta

• Website: www.skymobility.aero