ONE Identity Services Privacy Policy

1. Data controller

The data controller for personal data processed through the Service is:

Legal entity: Skyfallen Limited (Companies House registration number 13431214), trading as The Skyfallen Company
Registered office: 14/2e Docklands Business Centre, 10-16 Tiller Road
London E14 8PX, United Kingdom
Privacy contact: [email protected]

Where an organisation uses the Service to manage workforce or member accounts, that organisation may also act as an independent controller for certain processing it directs through its tenant configuration, member management, and published applications.

2. Scope

This Privacy Policy applies to personal data processed when you create or use a ONE account, sign in, manage your profile or security settings, administer an organisation tenant, complete verification, connect optional integrations, or interact with identity features made available through subdomains of the Skyfallen ONE application domain.

The Service includes customer identity, workforce identity, organisation administration (IAM), and related sign-in, account, and integration features. Use of the Service is also subject to the ONE Identity Services Terms of Use.

This policy does not govern websites, applications, or services operated by third parties, including Connected Applications accessed through CAS or SAML, except as described in Section 14.

3. Information we collect

The information we collect depends on how you use the Service and the role you hold within an organisation.

3.1 Account and profile information

Name, email address, and optional secondary email addresses
Phone number and phone verification status
Postal address, city, province or state, postcode, and country
Date of birth, used for age verification
Account status, region, and organisation membership details
Custom metadata associated with your account where configured by Skyfallen or your organisation

3.2 Security and authentication information

Hashed passwords and indicators of whether a password has been set
Passkey and WebAuthn credential records, including aliases you assign to credentials
Authentication codes, session identifiers, and sign-in activity
ONE Pass device certificate validation data where ONE Pass is enabled for your account
SMS consent timestamp and the IP address recorded when SMS consent is given

3.3 Organisation and tenant information

Organisation legal name, trading name, registration details, and business contact information
Tenant type, configuration, branding, subdomain, and administrative settings
Member roles, permissions, invitations, and import records
Verification request status and related tenant associations

3.4 Verification documents

Where verification is required, we may collect documents you upload through the verification centre, such as:

Business verification: incorporation documents, proof of address, proof of authority, and signature images
Personal verification: identity document images, proof of address, and signature images

3.5 Google Workspace connection data

If an organisation administrator connects Google Workspace, we may process:

Google administrator identity information obtained through OAuth (OpenID, email, and profile scopes)
Google directory user data where sync or provisioning is enabled, including Google user ID, primary email, aliases, name, suspension status, organisational unit, and related directory fields
OAuth tokens and granted scope records needed to maintain the connection

Google authorisation occurs in IAM during an administrator sign-in flow, not during normal user sign-in.

3.6 Technical and usage information

IP address, browser type, device information, and request metadata
Session data, including session lifetime and last activity
API, webhook, and integration activity where authorised
Skyfallen first-party analytics data described in Section 8

3.7 Information we do not collect for advertising

We do not use the Service to build advertising profiles, sell personal data, or permit third-party advertising trackers on the Service.

4. How we use information

We use personal data to:

create, authenticate, and maintain accounts and organisation tenants
provide sign-in, account recovery, passkeys, profile management, and security features
verify age, identity, and organisation eligibility where required
send transactional communications, including verification codes, security alerts, invitations, and account notices
send SMS messages necessary for phone verification and account security where you have provided consent
administer memberships, roles, permissions, workforce portals, and published applications
operate optional Google Workspace directory sync and provisioning when enabled by an administrator
provide CAS and SAPP identity services to authorised Skyfallen applications
detect, prevent, and investigate fraud, abuse, and security incidents
comply with legal obligations and respond to lawful requests
improve, maintain, and secure the Service using Skyfallen first-party analytics

4.1 Lawful bases

Depending on your location and the processing activity, we rely on one or more of the following lawful bases:

Contract. Processing necessary to provide the Service you request or to take steps at your request before creating an account.
Legitimate interests. Processing necessary for security, fraud prevention, service improvement, and internal administration, balanced against your rights.
Legal obligation. Processing required to comply with applicable law.
Consent. Where required, including SMS verification consent and optional processing for which we request explicit agreement.

We do not send marketing SMS messages through the Service.

5. How we share information

We may share personal data with:

5.1 Service providers

We use trusted providers that process data on our behalf under contractual safeguards, including:

Brevo — transactional email delivery
Twilio — SMS and related messaging for verification and account security
Google — OAuth and Google Workspace Directory API services where an administrator connects Google Workspace
Infrastructure providers — hosting, storage, networking, and operational services in the regions described in Section 6

5.2 Authorised Skyfallen applications

CAS and SAPP interfaces are available only to Skyfallen applications authorised under separate Skyfallen terms. Those applications receive only the identity and tenant data permitted by the integration and your sign-in or consent flow.

5.3 Organisation administrators

If you are a member of an organisation tenant, administrators with appropriate permissions may access certain profile, membership, and security information according to tenant configuration and applicable law.

5.4 Legal and safety disclosures

We may disclose information where required by law, regulation, court order, or competent authority, or where necessary to protect rights, safety, and security.

5.5 Business transfers

If Skyfallen undergoes a reorganisation, merger, acquisition, or sale of assets, personal data may be transferred subject to continued protection consistent with this policy.

We do not sell personal data.

6. Storage locations and international transfers

6.1 Where data is stored

Skyfallen stores and processes Service data in France, Turkey, and the United States. We apply data residency rules based on customer location and service configuration:

European Union and EEA customers. Primary processing and storage for EU customers takes place in the European Union, currently in France.
Other customers. Data may be processed or stored in France, Turkey, or the United States depending on service routing, redundancy, support, and operational requirements.

6.2 International transfers

When personal data is transferred from the United Kingdom, the European Economic Area, or Turkey to a country that has not received an adequacy decision, we implement appropriate safeguards, which may include:

the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU Standard Contractual Clauses, where UK GDPR applies;
the European Commission Standard Contractual Clauses (2021 modules), where EU GDPR applies;
supplementary technical and organisational measures where required by applicable transfer assessments;
mechanisms recognised under KVKK for cross-border transfers where Turkish law applies, including contractual safeguards and, where required, approval or notification to the Turkish Personal Data Protection Authority.

You may request further information about applicable transfer safeguards by contacting [email protected].

6.3 United States state law notice

Where applicable state privacy laws require it, we provide notice that personal data may be transferred to and processed in the United States and other countries. Those transfers are subject to the safeguards described above and our contractual protections with service providers.

7. Cookies and similar technologies

The Service uses cookies and similar technologies that are necessary to operate sign-in, maintain sessions, protect against cross-site request forgery, remember language or flow preferences where applicable, and keep the Service secure.

Examples include:

Session cookies — maintain authenticated sessions across Service subdomains
CSRF tokens — protect form submissions and state-changing requests
Remember-me cookies — where you choose to remain signed in on a trusted device

We do not use third-party advertising cookies on the Service. Because these technologies are necessary for the Service to function, they are used based on our legitimate interests and, where required, your use of the Service.

8. Analytics

Skyfallen uses its own first-party analytics to understand how the Service is used, diagnose errors, measure performance, and improve reliability and security. We do not use third-party advertising analytics platforms such as Google Analytics or social advertising pixels on the Service.

Analytics data may include page views, feature usage, technical events, and coarse usage patterns. It is used internally by Skyfallen and is not sold.

9. Security

We implement administrative, technical, and organisational measures designed to protect personal data, including access controls, encryption in transit, hashed credential storage, permission-based administration, and monitoring for abuse.

No method of transmission or storage is completely secure. If you believe your account or data has been compromised, contact [email protected] promptly.

10. Retention

We retain personal data only for as long as necessary for the purposes described in this policy, unless a longer period is required or permitted by law.

10.1 Active accounts

Account, profile, membership, and tenant information is retained while your account or organisation tenant remains active and as needed to provide the Service.

10.2 Security and session records

Web sessions expire after 120 minutes of inactivity unless renewed by activity.
Account deletion confirmation links expire after 30 minutes.
Tenant invitations expire 96 hours after creation unless accepted or revoked sooner.
Short-lived authentication codes, CAS session records, and ONE Pass validation nonces are retained only until they expire or are used.
Google OAuth access tokens are retained only for as long as needed to maintain an active Google Workspace connection.

10.3 Verification documents

Verification documents are retained while a verification request is active and for a reasonable period thereafter to document verification decisions, handle disputes, and meet legal and compliance obligations. Documents are deleted when no longer required for those purposes.

10.4 Deleted accounts

When eligible self-service deletion is completed, we delete the account and linked direct tenant data from primary production systems. Residual copies may persist for a limited period in encrypted backups, security logs, or other systems required for legal compliance, fraud prevention, or disaster recovery before being overwritten or deleted according to our backup and log retention schedules.

10.5 Legal retention

We may retain certain records longer where necessary to comply with law, establish or defend legal claims, or investigate security incidents.

11. Your privacy rights

Depending on where you live, you may have rights over your personal data. To exercise a right, email [email protected] from the email address associated with your account or provide sufficient information for us to verify your identity.

11.1 Rights under UK GDPR and EU GDPR

Subject to applicable law, you may have the right to:

request access to personal data we hold about you
request correction of inaccurate or incomplete data
request deletion of personal data
request restriction of processing in certain circumstances
object to processing based on legitimate interests
request data portability for information you provided in a structured, commonly used, machine-readable format
withdraw consent where processing is based on consent, without affecting prior lawful processing
lodge a complaint with a supervisory authority

We aim to respond to GDPR requests within 30 days. Where permitted by law, we may extend the response period by up to an additional 30 days for complex requests and will inform you within the initial period if an extension is needed.

11.2 Rights under Turkish KVKK

If you are located in Turkey or otherwise protected by KVKK, you may have rights including access, correction, deletion, objection to automated processing where applicable, and compensation for unlawful processing. We aim to respond to KVKK requests within 30 days, or within the period required by applicable KVKK guidance.

11.3 Rights under United States state privacy laws

Where applicable state privacy laws grant additional rights, such as rights to know, delete, correct, or obtain a copy of personal information, you may submit a request to [email protected].

We aim to respond to verified United States state privacy requests within 45 days. Where permitted by applicable law, we may extend the response period once by an additional 45 days and will notify you of the extension and reason.

We do not sell personal data and do not use it for cross-context behavioural advertising through the Service.

11.4 Verification and refusal

We may need to verify your identity before responding. We may refuse requests that are manifestly unfounded, excessive, or prohibited by law, or where retention is required for legal compliance or security.

12. Account deletion

Where the Service provides self-service account deletion, you may delete your account through the available flow in My ONE or through an authorised CAS session, subject to eligibility rules.

Self-service deletion is available only where your account belongs to exactly one direct tenant. If your account is linked to commercial or enterprise tenants, has multiple memberships, or is otherwise ineligible for self-service deletion, contact [email protected] for assistance.

Deletion requires email-link confirmation. The confirmation link expires after 30 minutes. Deletion may be delayed or limited where we must retain information for security, fraud prevention, legal compliance, dispute resolution, or backup integrity, as described in Section 10.

13. Children

The Service is not directed to individuals under 18 years of age, and we do not knowingly collect personal data from anyone under 18. You must be at least 18 to create or use an account. We may use date of birth to verify eligibility.

If you believe a person under 18 has provided personal data to us, contact [email protected] and we will take appropriate steps to delete the information where required by law.

14. Connected applications and integrations

14.1 SAML and third-party applications

When you access a Connected Application through SAML or another supported integration, that application is operated by its developer or provider. Your use of the Connected Application is governed by that provider’s own terms and privacy policy. Skyfallen shares only the identity information required for the integration and your authorisation flow.

14.2 Skyfallen CAS and SAPP applications

CAS and SAPP are available only to Skyfallen applications authorised under separate Skyfallen terms. Those applications receive identity and tenant data according to the permissions configured for the integration and your sign-in or consent flow.

14.3 Google Workspace

Only enterprise administrators with the connections:google:manage permission can connect Google Workspace. Google directory data is used only to match members, show sync status, and provision or update Google accounts when an administrator enables that option. Google data is used only for the connected organisation and is not used for advertising or sold to third parties.

Google’s own terms and privacy policies apply to your use of Google services.

15. Changes to this policy

We may update this Privacy Policy from time to time. When we make material changes, we will post the updated policy on this page and update the effective date and revision number. Where required by law, we will provide additional notice or request consent.

Your continued use of the Service after the effective date of an updated policy constitutes acknowledgement of the update, except where applicable law requires a different form of acceptance.

16. Contact and complaints

Privacy requests and questions: [email protected]
Security incidents and account compromise: [email protected]
Registered office: Skyfallen Limited trading as The Skyfallen Company
14/2e Docklands Business Centre, 10-16 Tiller Road
London E14 8PX, United Kingdom
CRN 13431214

Supervisory authorities

If you are in the United Kingdom, you may lodge a complaint with the Information Commissioner’s Office. If you are in the European Economic Area, you may contact your local data protection authority. If you are in Turkey, you may lodge a complaint with the Personal Data Protection Authority (KVKK Kurumu).

We encourage you to contact us first at [email protected] so we can try to resolve your concern.