Privacy Policy

Last Edited : Jun 02, 2026

How Sakura Sky collects, uses, and protects personal data on www.sakurasky.com — in compliance with GDPR, CCPA, and the Australian Privacy Principles.

Last reviewed: 2 June 2026.

Introduction

Sakura Sky (“we,” “our,” “us”) is committed to protecting your personal data. This Privacy Policy describes how we collect, use, disclose, and protect personal information when you interact with https://www.sakurasky.com (the “Site”) and the services accessible through it.

We aim to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK Data Protection Act 2018 / UK GDPR, the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA), and the Australian Privacy Principles (APP) under the Privacy Act 1988.

1. Who is the controller

Sakura Sky operates through legal entities in the United States and the Netherlands. Both entities act as joint controllers for personal data collected via this Site. The European entity provides our establishment for EU GDPR purposes; the US entity covers CCPA/CPRA and contractual operations in North America.

For all privacy-related contact, including the rights set out in section 6 below:

Email: [email protected]

2. What we collect and why

2.1 Website analytics (no cookies)

We run two privacy-focused, cookieless web analytics tools alongside each other:

Plausible (plausible.io). Aggregate page-view counts, referrers, browser/OS classes, country-level geolocation. No personal data, no cookies. See Plausible’s data policy.
Betterlytics, self-hosted at analytics.sakurasky.dev. Open-source, cookieless analytics built for the same use case as Plausible. We host it on our own infrastructure for resilience and to keep aggregate metrics under our direct control. No cookies, no cross-site tracking, no fingerprinting. See the Betterlytics project for the underlying software.

Neither tool sets cookies. Neither identifies individual visitors. We do not run any third-party advertising, retargeting, or marketing tracking on this Site.

2.2 Contact form

When you submit our contact form, the following data is processed by Formspree (formspree.io) on our behalf and forwarded to a Sakura Sky inbox:

Name
Company
Email address
Anything else you write in the message body

We use this data solely to respond to your inquiry. See Formspree’s privacy policy for their processing details.

2.3 White paper and research downloads

Some of our published research (e.g. the Trustworthy Agentic AI Blueprint, the Autonomous Horizon white paper) is gated behind a short form. When you submit that form we collect:

Name
Work email address
Company

The form is processed by Formspree as in section 2.2. The download itself is served from a separate static asset host (whitepaper.download) that does not require authentication once the form is submitted. We use the data to send you the requested paper, to understand which papers are resonating with which industries, and (with your separate, explicit opt-in only where required) to invite you to related future content. You can opt out of any further contact at any time by replying to any message you receive or by emailing [email protected].

We do not sell, rent, or trade form-collected data with third parties.

2.4 Service delivery (client data, where Sakura Sky is a processor)

When you engage Sakura Sky to deliver cloud, data, security, or AI engineering work, we may process personal data that you (the client) have collected from your own users, customers, or staff. In that scenario:

You are the controller, we are the processor. The lawful basis, the purposes of processing, the retention periods, and the categories of data subjects are defined by you.
We process that data strictly in line with our written agreement with you and your documented instructions.
We sign Data Processing Agreements (DPAs) and, where relevant, Standard Contractual Clauses (SCCs) for international transfers.
We engage sub-processors only with your prior approval, and they are bound by terms no less protective than ours.

This Privacy Policy does not govern that processor relationship — the DPA you sign with us does.

3. Technical and infrastructure data

Independent of the above, the following technical data is observed by infrastructure providers when you load this Site:

Cloudflare (CDN, DDoS protection, DNS): records request metadata (IP address, user agent, timestamp, requested URL) for security, abuse prevention, and CDN operation. Subject to Cloudflare’s privacy policy. Cloudflare also serves the email-obfuscation script (/cdn-cgi/scripts/email-decode.min.js) referenced by our pages.
GitHub (source hosting): the source repository for this Site is hosted on GitHub. GitHub does not see end-user traffic to www.sakurasky.com.

We do not log IP addresses ourselves on the Site. We rely on Cloudflare’s standard operational logging.

4. Cookies

This Site does not set first-party cookies for analytics, marketing, or personalisation. The third-party services we use (Plausible, Betterlytics, Formspree) are configured to operate without cookies. Cloudflare may set a __cf_bm bot-management cookie on rare occasions when our security posture triggers it; this is a strictly necessary cookie used only to distinguish humans from automated traffic and expires within 30 minutes.

If we ever introduce a cookie that requires consent, we will display a consent banner before setting it and update this policy.

5. Legal bases for processing

Under GDPR / UK GDPR we rely on the following bases:

Consent — when you submit the contact form or a white paper download form, providing your details constitutes consent for the purpose stated.
Legitimate interests — for cookieless aggregate analytics, basic infrastructure logs, and to secure the Site against fraud and abuse. We have assessed these against your privacy expectations.
Contractual necessity — when we process data under a client engagement as processor.
Compliance with legal obligations — to meet our own statutory and regulatory duties.

Under CCPA/CPRA we treat all visitors as having opted out of any “sale” or “share” of personal information — because we do not engage in either.

6. Your rights

Subject to the law that applies to you, you have the right to:

Access the personal data we hold about you.
Rectify inaccurate or incomplete data.
Erase your data (“right to be forgotten”) in certain circumstances.
Restrict processing in certain circumstances.
Portability — receive your data in a structured, commonly used, machine-readable format.
Object to processing based on legitimate interests or direct marketing.
Withdraw consent at any time (without affecting prior lawful processing).
Non-discrimination — under CCPA/CPRA, you cannot be discriminated against for exercising these rights.
Anonymity / pseudonymity — under APP, you have the right to interact with us anonymously or under a pseudonym, unless it is impracticable or required by law.
Lodge a complaint with a supervisory authority — in the EU, the Dutch Autoriteit Persoonsgegevens or your local DPA; in the UK, the ICO; in California, the Attorney General or CPPA; in Australia, the OAIC.

To exercise any of these rights, email [email protected]. We will respond within statutory timeframes (one month under GDPR/UK GDPR; 45 days under CCPA, extendable to 90).

7. Data retention

Data	Retention period
Contact form submissions	12 months from the date of the last interaction, then deleted.
White paper download form submissions	24 months from submission; longer if you opt in to ongoing communications.
Cookieless analytics aggregates (Plausible, Betterlytics)	Indefinite at aggregate level (no personal data).
Cloudflare infrastructure logs	Per Cloudflare’s retention.
Client (processor) data	Per the DPA with the client; deleted or returned on contract termination.

We do not sell personal data. We do not share personal data with third parties for their independent marketing or advertising purposes.

We share data only with:

Processors / service providers acting on our written instructions (currently: Formspree, Plausible, the hosting infrastructure for our self-hosted Betterlytics instance, Cloudflare).
Authorities if compelled by valid legal process, court order, or other binding obligation.
Successors in the event of a merger, acquisition, or asset transfer — under continued protection equivalent to this policy.

9. International transfers

Personal data may be transferred from your country to the United States and the Netherlands, and to the locations of our sub-processors (which include the EU, United States, and other jurisdictions where our providers operate).

Where we transfer personal data out of the EEA, UK, or other restricted jurisdictions, we rely on the European Commission’s Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement (IDTA) where applicable, or other lawful mechanisms.

10. Security

We apply technical and organisational measures appropriate to the risk, including encryption in transit (TLS 1.2+ for all Site traffic), least-privilege access controls for our internal systems, and contractual obligations on our processors.

No method of internet transmission or electronic storage is 100% secure. If we become aware of a personal data breach that is likely to result in risk to your rights, we will notify the relevant supervisory authority and (where the risk is high) affected individuals, in line with our statutory obligations.

11. Children

This Site is not directed to children under 16, and we do not knowingly collect personal data from them. If you believe a child has provided us data, contact [email protected] and we will delete it.

12. Changes to this policy

We may update this Privacy Policy from time to time. The “Last reviewed” date at the top reflects the most recent revision. Material changes will be flagged at the top of this page for a reasonable period.

13. Contact

For any privacy question, request, or complaint: