This notice explains, in operational terms, what personal data SKY7 Fintech Solutions collects, the UK lawful bases on which we hold it, who else sees it, how long we keep it, and how you exercise your rights. It applies to our website, client engagements and regulator correspondence we run on your behalf.
About this notice
SKY7 is a regulated-services consultancy. We work with founders and operators on fintech, payment, crypto, iGaming and related licensing matters, including market selection, regulatory applications, corporate structuring, compliance and AML implementation, banking and payment-infrastructure introductions, and operational go-live support.
To do that work, we necessarily process personal data — yours, your colleagues’, your ultimate beneficial owners’ and your customers’ where relevant to a regulator’s file.
This document is the single source of truth for how that data is handled on the website and in ordinary client operations. Where a specific engagement letter, data processing addendum or regulator package gives more detail, that written agreement controls; this notice fills the gaps.
Who we are
Controller. SKY7 Fintech Solutions Ltd, company number 15764792, is a UK company with its registered office at 128 City Road, London EC1V 2NX, United Kingdom. We are the controller of personal data collected through this website, our newsletter, our intake forms and client correspondence.
Supervisory authority. Our supervisory authority for UK data protection matters is the UK Information Commissioner’s Office (ICO).
Data Protection Office. Day-to-day privacy enquiries reach the Data Protection Office through sky7.legal. The Data Protection Office reports to the firm’s Managing Partner and is independent of commercial functions.
Data we collect
We try to collect the minimum needed to do the work properly. Practically, that breaks into five buckets:
- Contact data — name, business email, telephone, employer and role. Provided by you when you fill in our intake form, subscribe to the newsletter or contact us directly.
- Engagement data — the brief you send us, target licence categories, transaction-flow descriptions, project documents and any commercial deck.
- Regulatory-file data — identification documents, source-of-funds evidence, ownership charts, criminal-record certificates and references for individuals named in a regulatory application, including directors, MLROs, qualifying shareholders and ultimate beneficial owners.
- Correspondence — emails, meeting notes, regulator letters, internal memos and matter records that name individuals. These are stored in our practice-management systems for the life of the matter.
- Technical data — IP address, user-agent, referrer, pages visited, consent choices and security logs. This is collected automatically through cookies, similar technologies and server logs.
We do not knowingly collect special-category data such as race, religion, biometrics or health data. Where criminal-offence data is required for a regulatory file, we handle it only where necessary and under an appropriate UK lawful basis.
How we use your data
Each category of data is processed for a defined purpose under a specific UK lawful basis. The table below is the operative summary — when a regulator audits how we handle a particular data point, this is what we point them at.
We do not make decisions based solely on automated processing that produce legal or similarly significant effects for you.
| Data | Purpose | UK lawful basis | Retention |
|---|---|---|---|
Contact data | Respond to intake, schedule a scoping call, follow up on a quote and manage basic business communications. | Legitimate interests under UK GDPR Art. 6(1)(f): running a business-to-business advisory practice. | 24 months after last meaningful contact, unless a matter opens. |
Engagement data | Prepare a scoping memo, draft an engagement letter, run conflict checks and plan the work. | Steps before contract under UK GDPR Art. 6(1)(b) and legitimate interests under UK GDPR Art. 6(1)(f). | Life of matter + 7 years. |
Regulatory-file data | Build and manage an application or onboarding package; respond to regulator, bank or provider clarifications. | Contract, legitimate interests and, where applicable, legal obligation under UK GDPR Art. 6(1). | Life of matter + 10 years, unless a shorter written engagement rule applies. |
Criminal-offence data | Support fit-and-proper, background, integrity or regulatory assessment of named individuals. | UK GDPR Art. 10 and Data Protection Act 2018 Schedule 1 condition where applicable, including substantial public interest, legal claims or regulatory requirements. An appropriate policy document is maintained where required. | Life of matter + 10 years, then secure deletion unless retention is legally required. |
Correspondence | Run the engagement, evidence professional duties, supervise quality and defend against claims. | Legitimate interests under UK GDPR Art. 6(1)(f). | Life of matter + 7 years. |
Newsletter and service updates | Send insights updates you requested, relevant business-to-business updates and unsubscribe confirmations. | Consent, or legitimate interests for corporate communications where PECR permits. Suppression records are kept to respect opt-outs. | Until you unsubscribe; suppression record retained as needed to honour the opt-out. |
Technical data and cookies | Make the site work, keep it secure, record consent choices and measure traffic or campaign performance where consent is required. | Strictly necessary processing, consent for non-essential storage/access technologies, and legitimate interests for security logging. | Usually 1–13 months; security logs may be kept longer where needed for an incident or legal claim. |
Sharing & sub-processors
We do not sell personal data and we do not share it for third-party marketing. We share it only where one of the following applies:
- Regulators and public authorities. Files are submitted to the supervisory body, public authority or official register named in your engagement letter or written instructions.
- Banking, payment and infrastructure partners. Where we arrange operating banking, payment-rail or onboarding introductions, we share only the minimum onboarding pack required for that purpose.
- Sub-processors. We use professional technology vendors for email, productivity, practice management, electronic signature, invoicing, hosting, security, analytics and similar operational functions. A current category-level list, with the relevant data processing terms and transfer safeguards, is available on request.
- Professional advisers. Our auditors, external counsel, accountants and other professional advisers may see personal data where needed, subject to confidentiality duties.
- Successors. A buyer, investor or restructuring counterparty may receive limited information in the unlikely event of a corporate transaction, under equivalent protections.
Every sub-processor is bound by a written contract that mirrors the protections in this notice. We review the list when sub-processors change and post or notify material updates where the change materially affects processing.
Restricted transfers outside the UK
Our default position is to process and store personal data in the UK where reasonably practicable. Some processors, professional advisers, regulators, counterparties or service providers may need to receive or access personal data outside the UK.
Where that is a restricted transfer under UK data protection law, SKY7 uses one or more UK-approved safeguards, including adequacy regulations, approved transfer terms or another recognised transfer mechanism. Where a transfer is necessary for a regulatory or contractual file you have instructed us to run, we limit the transfer to what is needed for that file.
Before relying on a safeguard, we take a proportionate risk-based view of the data, recipient, protections and purpose. A summary of the relevant safeguard is available on written request through sky7.legal.
Cookies & analytics
We use cookies and similar technologies to operate the site, protect it and understand how it is used. We keep the stack deliberately lean:
- Strictly necessary — session, CSRF, security, load, cookie-consent state and similar functionality needed to provide the website you requested. These do not require opt-in consent under PECR, but we still explain them.
- Functional — settings or preferences that improve the site experience. These are used only where enabled and lawful.
- Analytics — aggregate site measurement and performance reporting. Non-essential analytics run only with consent unless a UK PECR exemption clearly applies.
- Marketing — campaign measurement or similar technology, if enabled. It is not set unless you consent.
You can withdraw or change consent at any time using the cookie settings link in the footer. The cookie settings panel is the live inventory for cookie name, purpose, expiry and party.
Retention
Default retention periods are set out in the section 04 table. The principle behind them is simple: keep data only as long as the regulator file, the limitation period for claims, AML/KYC obligations, tax/accounting rules or our documented operational need requires — then delete it under a retention schedule.
Where a regulator, law or written engagement term requires us to keep records longer, that requirement overrides the default. Where we can lawfully shorten retention for a specific matter, the shorter period applies.
At the end of the applicable period, electronic records are securely deleted from primary and backup stores within 90 days. Paper records are shredded by a certified contractor.
Your rights
Under UK data protection law, your rights depend on the context and the lawful basis for the processing. We will respond to a valid request within one month. If a request is complex or numerous, we may extend by up to two further months and will tell you why.
We may ask for proof of identity before actioning a rights request. We do not charge a fee unless UK data protection law allows one for a manifestly unfounded or excessive request.
Access
Ask for a copy of the personal data we hold about you, plus the information required by the UK GDPR.
Rectification
Correct inaccurate or incomplete data. We will propagate the correction to any sub-processor that holds the same record where required.
Erasure
Ask us to delete data. This is subject to regulator-mandated retention, legal claims, AML/KYC files and other lawful retention grounds.
Restriction
Ask us to pause processing while a complaint is being resolved, accuracy is being checked or an objection is being assessed.
Portability
Receive relevant data in a machine-readable format and have it transmitted to another controller where the UK GDPR gives that right.
Objection
Object to processing based on legitimate interests. You have an absolute right to object to direct marketing.
Withdraw consent
Where we rely on consent, withdraw it at any time. Past processing remains lawful.
Lodge a complaint
Complain to the UK Information Commissioner’s Office. We would appreciate the chance to address the concern first.
Security & breach
We use the controls a regulator would expect of a firm advising on AML and fit-and-proper matters: encryption in transit and at rest, role-based access, mandatory MFA, hardware-key enforcement for partners, periodic access reviews and ISO 27001-aligned operational controls. Penetration tests are run periodically by an external firm.
If we suffer a personal-data breach that is likely to result in a risk to your rights, we will notify the ICO within 72 hours of becoming aware where required and notify affected individuals without undue delay where required.
Children
SKY7 provides business-to-business services. Our site and services are not directed to children under 18, and we do not knowingly process personal data of children. If you become aware that a child has provided us personal data, contact the Data Protection Office through sky7.legal and we will delete it where required.
Changes to this notice
We update this notice when our processing changes materially — for example, a new sub-processor, new processing purpose, new product, material retention change or material sharing change. The version and effective date at the top of this document always reflect the live version; superseded versions are archived for ten years and available on request.
For material changes that increase what we process or how we share it, we will notify subscribed contacts in advance where reasonably practicable.
Contact & complaints
For any privacy enquiry, rights request or breach notification, please contact the Data Protection Office through sky7.legal. We aim to acknowledge within two working days and substantively respond within one month.
If you are not satisfied with our response, you have the right to lodge a complaint with the UK Information Commissioner’s Office. We would, however, appreciate the chance to address the concern first.
Data Protection Office
For access, rectification, erasure, restriction, portability, objection, consent withdrawal and breach notices.
- Contact route
sky7.legal
- Post · Controller
SKY7 Fintech Solutions Ltd
128 City Road
London EC1V 2NX
United Kingdom- Supervisory authority
UK Information Commissioner’s Office (ICO)
ico.org.uk