Privacy Policy
Last updated: June 15, 2026
This Privacy Policy explains how Skyelight collects, uses, shares, and protects personal data when you use the Skyelight website, web application, browser extension, and embeddable feedback chip (together, the “Service”). It also describes the rights you have over your personal data, including under the EU General Data Protection Regulation (GDPR) and the UK GDPR.
Skyelight is operated by PLASTR LTD, 3916 Clock Pointe Trail, Suite 103, Stow, OH 44224, United States (“Skyelight”, “we”, “us”, or “our”). For any privacy question or to exercise your rights, contact us at support@skyelight.ai.
1. The roles we play
For the account, identity, and usage data we process to run the Service, Skyelight acts as the data controller.
When you use Skyelight to capture feedback on pages, prototypes, or products that you or your organization control — including text, URLs, page content, and screenshots captured by the browser extension or the embeddable chip — your workspace or organization decides what is collected and why. In that context, your organization is the controller of that content and Skyelight acts as a processor on its behalf. You are responsible for having a lawful basis to capture that content and for informing the people whose data may appear on the pages you annotate. See “Your responsibilities” below.
2. Information we collect
Account and identity data
Authentication and identity are handled by our identity provider, Clerk. When you create an account or sign in, we collect and store your email address, your name and avatar (if provided), an account identifier, and session information. Where you sign in through a third-party provider (for example, a single sign-on option), we receive the basic profile information that provider shares. We never receive or store your password.
Workspace and organization data
We store the workspaces, projects, and surfaces you create, including their names, settings, and your role and membership. When you invite someone to a workspace, we store the invitee’s email address and invitation details so we can deliver the invitation and manage access.
Feedback content (“pins”)
The core of the Service is feedback you create, called pins. For each pin and reply we store: the comment text you write, any @-mentions, emoji reactions, assignment and resolution status, the author’s identity, and timestamps.
Page and element context
To anchor a pin to the exact spot on a page, the browser extension and the chip capture and store technical context about the page and the element you click, including:
- the full page URL at the time of the pin, including any query string and fragment, the page path, and the page title;
- the favicon and hostname of the page;
- a CSS selector, an XPath, and a structural fingerprint of the element you pinned;
- the click coordinates and your browser’s viewport dimensions;
- a short, truncated excerpt of the element’s visible text, and any text you had selected on the page (also truncated).
Because the extension works on any page you can reach in your browser, including internal tools and pages behind a login, this context can include information about the pages you choose to annotate.
Screenshots and images
When you create the first pin on a new page (a new “surface”), the browser extension captures a screenshot of the visible area of that browser tab and stores it so the feedback has visual context. This screenshot may include other content visible on the page at that moment. You can also upload images to a pin. Screenshots and uploaded images are stored as files within our backend (Convex).
Notifications, preferences, and connected accounts
We store your notification preferences and a record of notifications we send. If you connect Slack, we store your Slack identity (Slack user ID, team, display name, email, and avatar) and the references needed to deliver and sync messages. Connecting Slack is optional and off by default.
Billing data
Skyelight is currently provided as a free beta and we do not charge for it. When we introduce paid plans, payments will be handled by our payment processor, Stripe, which will process your billing contact details and subscription information. We do not store full payment card numbers.
Technical and usage data
Our infrastructure providers automatically process technical data needed to operate and secure the Service, such as IP address, device and browser information, and log data. We use cookies and similar technologies as described in “Cookies and local storage”.
3. How we use your information, and our lawful bases
Under the GDPR and UK GDPR we rely on the following legal bases:
- To provide the Service (performance of a contract): creating and managing your account and workspaces, storing and displaying your pins, anchoring feedback to pages, and enabling collaboration.
- To classify and summarize feedback (legitimate interests, or contract): we use AI to tag pins (for example, as a bug, idea, or feedback) and to generate summaries and decision briefs. See “AI processing”.
- To send notifications: in-app and email notifications are part of providing the Service (contract or legitimate interests). Slack notifications are sent only with your consent (you opt in and can disconnect at any time).
- To secure and improve the Service (legitimate interests): preventing abuse, debugging, maintaining reliability, and understanding how the Service is used.
- To communicate with you (legitimate interests or consent): responding to requests and sending important service messages.
- To comply with legal obligations and to establish, exercise, or defend legal claims.
- To process payments (contract and legal obligation): when paid plans are introduced.
Where we rely on legitimate interests, we have balanced those interests against your rights. You can object to this processing as described in “Your rights”.
4. AI processing
Skyelight uses Anthropic’s Claude models to classify pins and to generate summaries and decision briefs. When this happens, we send the relevant text to Anthropic’s API: the feedback content and replies, author display names, page titles and paths, short page-text excerpts associated with the pin, and your project context. We do not send screenshots or uploaded images to the AI provider.
These features support your work and do not make decisions that produce legal or similarly significant effects about you. AI-generated tags are suggestions and can be corrected.
5. Cookies and local storage
We use a small number of strictly necessary cookies and local storage keys to operate the Service:
- Authentication cookies set by our identity provider to keep you signed in to the web app.
- A cross-site overlay cookie (named
__skyelight_overlay, set withSameSite=None) that allows the embeddable chip to authenticate you securely across the different domains where the chip is installed. - Local storage used by the chip and extension to hold a scoped access token and interface preferences (for example, chip position and which pins you have already seen).
We do not use advertising cookies. For more detail, see our Cookie Policy.
6. How we share information
We do not sell your personal data. We share it only as described here.
Service providers (sub-processors)
We use the following providers to operate the Service. Each processes personal data only as needed to provide its service to us:
| Provider | Purpose | Data involved |
|---|---|---|
| Clerk | Authentication and identity | Email, name, avatar, sign-in identifiers, session data |
| Convex | Application database, file storage, and backend | All workspace and account data, including feedback content, screenshots, and uploaded images |
| Vercel | Website and application hosting | Technical request data such as IP address, device/browser data, and logs |
| Anthropic (Claude) | AI classification and summarization | Feedback text, author display names, page-text excerpts, project context (not screenshots or uploaded images) |
| Resend | Transactional email delivery | Recipient email and name, and notification content |
| Slack | Optional notifications and two-way sync | Slack identity, message content, and related identifiers (only if you connect Slack) |
| Stripe | Payment processing (for future paid plans) | Billing contact and subscription details (not used to charge during the beta) |
| Google (favicon service) | Displaying site icons for annotated pages | The hostname of pages you annotate |
Within your workspace
Content you create is visible to other members of your workspace according to their role and permissions.
Legal, safety, and business transfers
We may disclose personal data if required by law or to protect the rights, safety, and security of Skyelight, our users, or the public. If Skyelight is involved in a merger, acquisition, or sale of assets, personal data may be transferred as part of that transaction, subject to this Policy.
7. International data transfers
Several of our providers are based in, or process data in, the United States and other countries outside the European Economic Area and the United Kingdom. Where we transfer personal data internationally, we rely on appropriate safeguards such as the European Commission’s Standard Contractual Clauses (and the UK Addendum) or an adequacy decision. You may contact us for more information about these safeguards.
8. How long we keep your data
We keep personal data for as long as your account and workspace are active and as needed to provide the Service, then for as long as necessary to comply with our legal obligations, resolve disputes, and enforce our agreements. Some content uses a “soft delete” so it can be removed from view and later purged.
Please note that deleting your account removes your profile and membership, but feedback you authored may remain within your workspaces, attributed to you, so that conversations stay intact. If you want that content removed as well, contact us at support@skyelight.ai and we will action your request as described below.
9. How we protect your data
We use reasonable technical and organizational measures designed to protect personal data, including encryption of data in transit, encryption of sensitive secrets at rest, scoped access tokens, and role-based access controls within workspaces. No method of transmission or storage is completely secure, and because the Service is offered as a beta, you should not rely on it for highly sensitive information. We will notify you and any relevant authority of a personal data breach where required by law.
10. Your rights
Depending on where you live, you have rights over your personal data. If you are in the EEA or the UK, these include the rights to:
- access a copy of your personal data;
- correct inaccurate or incomplete data;
- erase your data (the “right to be forgotten”);
- restrict or object to certain processing, including processing based on legitimate interests;
- data portability;
- withdraw consent at any time, where we rely on consent (for example, Slack notifications); and
- lodge a complaint with your local data protection supervisory authority.
You can update your profile and delete your account from your account settings. To exercise any other right, email support@skyelight.ai. We will respond within the time required by law (generally within one month). We will not discriminate against you for exercising your rights.
United States privacy rights
We do not sell or share your personal data for cross-context behavioral advertising. Depending on your state (for example, California), you may have rights to know, access, correct, and delete your personal data and to be free from discrimination for exercising them. You can exercise these rights using the contact details above.
11. Your responsibilities when capturing feedback
When you use the browser extension or the chip to capture feedback on pages, prototypes, or products, you are responsible for:
- having the authority and a lawful basis to capture and store the content you pin, including any screenshots;
- not capturing pages or content you are not permitted to, and avoiding capturing sensitive personal data, credentials, or confidential information you do not have the right to process;
- informing the people who use your sites or products, where required, that feedback (which may include page content) is being collected; and
- where you act as a controller and Skyelight as your processor, ensuring your own privacy notices and lawful bases cover that processing.
12. Children
The Service is not directed to children and is not intended for anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us personal data, contact us and we will delete it.
13. Changes to this Policy
We may update this Policy from time to time. When we make material changes, we will update the “Last updated” date above and, where appropriate, notify you. Your continued use of the Service after an update means you accept the revised Policy.
14. Contact us
For any question about this Policy or your personal data, contact us at support@skyelight.ai. Our postal address is PLASTR LTD, 3916 Clock Pointe Trail, Suite 103, Stow, OH 44224, United States.