Privacy Notice

Effective: 09 Aug 2025 · Applies to sukaygmbh.ltd (SUKAY GMBH LIMITED) with regional addenda for the EU/EEA (incl. Germany), the UK, the UAE (incl. Dubai/DIFC), and selected other jurisdictions.

1) Who we are

SUKAY GMBH LIMITED (the “Company”, “we”, “us”) operates sukaygmbh.ltd and related pages.
Registered office: 128 City Road, EC1V 2NX, London, United Kingdom.
Company number: 15289541 (Companies House, UK).
Email: info@sukaygmbh.ltd · Tel: +49 155 60101200.

We offer web & media services, business setup & consulting, and travel/visa referrals. Bookings and payments for travel take place directly with third‑party providers (e.g., airlines/OTAs). We also provide trading education (no investment advice).

Controller. For this website and our direct communications, SUKAY GMBH LIMITED is the controller. Third‑party providers you interact with (e.g., airlines/OTAs, scheduling platforms) are independent controllers under their own notices.

2) Scope

This notice covers personal data collected on this site, including contact/scheduling forms, server logs, cookies/consent choices, embedded media, and security tooling. It does not cover third‑party sites we link to (they provide their own notices).

3) What we collect

  • Technical data (server logs, truncated IP, user agent, timestamps, referrer) for security and troubleshooting.
  • Communication data (email, phone, form messages) to respond to enquiries and perform requested services.
  • Referral/click data (time, outbound merchant, non‑identifying referral parameters). Booking/payment data remain with the third‑party provider.
  • Consent signals via our cookie banner (CMP) for cookies/device access and embeds.
  • Scheduling (if used): appointment details you submit via our scheduling provider (EU region) to arrange calls.
  • Embedded media (e.g., YouTube/Vimeo) only after your activation/consent.

4) Purposes & legal bases

We process data to operate the site, ensure IT security, respond to requests, perform contracts, account for referral commissions, and comply with law.

  • Contract / steps at your request (handling enquiries, quotes): GDPR/UK GDPR Art. 6(1)(b).
  • Legitimate interests (security, fraud prevention, basic service analytics without tracking where feasible): Art. 6(1)(f).
  • Consent for non‑essential cookies/device access and third‑party embeds: Art. 6(1)(a) and local device‑access laws (see Section 7).
  • Legal obligations (accounting, defence of claims).

5) Hosting & processors

We host with reputable EU providers and conclude data processing agreements with service vendors. Current core vendors include:

  • Hosting/Infrastructure: EU‑based hosting provider(s) with GDPR DPA.
  • Security & error logging: tools used to protect the site and investigate incidents.
  • Scheduling (EU1): appointment booking provider (loaded on click or embedded only after consent).

We keep this list up to date in our cookie banner/vendor list. Third parties only receive data necessary for their task, under contract.

6) Analytics (privacy‑friendly)

We use privacy‑friendly, local analytics (e.g., WP‑Statistics) in a cookieless configuration with IP anonymisation/hashing. If features that write to your device are enabled in the future, we will obtain consent first.

7) Cookies & device access

We use a consent banner (CMP). Non‑essential cookies or similar technologies are blocked until you opt in. Essential cookies (e.g., load balancing, security) may run regardless but are minimised. You can change choices anytime via the banner.

Embedded media & bot protection. We use a 2‑click solution for media (e.g., YouTube/Vimeo). Security tools (e.g., reCAPTCHA) may process IP and behavioural signals; where they require device access or non‑essential storage, we load them only after consent or provide a functional alternative.

8) International transfers

  • EU→UK: Transfers rely on the European Commission’s UK adequacy decision (currently extended to 27 Dec 2025), subject to review.
  • EU/EEA→US: Where recipients are certified under the EU‑US Data Privacy Framework, we rely on adequacy; otherwise we use Standard Contractual Clauses (SCCs) with supplementary measures.
  • UK→non‑adequate countries: We use the ICO’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, with a transfer risk assessment.
  • UAE/Dubai: For users or operations subject to the UAE PDPL and/or DIFC Data Protection Law, we ensure appropriate contractual safeguards aligned with those regimes.

9) Retention

We keep personal data only as long as needed for the stated purposes and legal retention duties, then delete or anonymise it. Typical log retention: up to 30 days unless needed for incident review. Contract/billing records follow statutory retention periods.

10) Security

We apply TLS encryption and appropriate technical and organisational measures (role‑based access, MFA for admins, backups, least‑privilege, vendor due diligence). No internet transmission is perfectly secure.

11) Your rights

Your rights depend on where you live. Subject to applicable law, you may have the right to access, rectify, erase, restrict, object, port your data, and withdraw consent without affecting earlier lawful processing. You also have the right to complain to a supervisory authority.

12) Children

Our services target adults. We do not knowingly process children’s data. If local law requires parental consent for minors (e.g., EU 13–16; UK 13 for online services), we comply accordingly.

13) Contact

Primary contact: info@sukaygmbh.ltd · +49 155 60101200
Postal: SUKAY GMBH LIMITED, 128 City Road, EC1V 2NX, London, UK.

14) Regional addenda

14.A — EU/EEA (incl. Germany)

  • Legal bases and rights per GDPR. For device access (cookies, SDKs, local storage, fingerprinting), we follow §25 TDDDG: non‑essential access/storage requires prior consent (opt‑in).
  • If we do not maintain an establishment in the EU/EEA for GDPR purposes, we will appoint an EU Representative under Art. 27 GDPR; contact details will appear here. If we do maintain an establishment, a representative is not required.
  • Supervisory authorities: you may contact your local DPA. Example: HBDI (Hesse), Gustav‑Stresemann‑Ring 1, 65189 Wiesbaden, Germany.

14.B — United Kingdom

  • We comply with the UK GDPR and the Privacy and Electronic Communications Regulations (PECR) for cookies/device access (consent except strictly necessary).
  • International transfers outside the UK use the ICO’s IDTA or UK Addendum to EU SCCs, with a transfer risk assessment.
  • Complaint: Information Commissioner’s Office (ICO), Wycliffe House, Water Lane, Wilmslow, Cheshire SK9 5AF, UK.

14.C — United Arab Emirates (incl. Dubai and DIFC)

  • For users in the UAE, we comply with Federal Decree‑Law No. 45 of 2021 (PDPL) where applicable (transparency, lawful bases, breach notification).
  • If processing is subject to the DIFC Data Protection Law No. 5 of 2020 (for activities in the DIFC free zone), we apply the DIFC requirements (lawful bases, notifications/registration where required, and cross‑border transfer rules).

14.D — California

  • We do not “sell” personal information as defined by the CCPA/CPRA, nor do we share it for cross‑context behavioural advertising without offering an opt‑out where required.
  • California residents can exercise access, deletion, correction and opt‑out rights. Use the contact details above; we will verify requests as required by law.

14.E — Brazil

  • We comply with the LGPD (Lei 13.709/2018) where applicable. You may exercise rights to confirm processing, access, correction, anonymisation, portability, deletion, and information on sharing.

14.F — Canada

  • For commercial activities in Canada, we align with PIPEDA’s 10 Fair Information Principles (accountability, purpose, consent, limiting collection/use/retention, accuracy, safeguards, openness, access, challenging compliance).

15) Financial services / trading education

Any trading‑related content we provide is educational only and not investment advice. We do not accept client funds for trading and we are not a broker or investment firm. Links to third‑party trading tools or platforms lead to independent providers with their own privacy terms.

16) Changes

We will update this notice when our services, vendors, or laws change. We will post the new version here and adjust the effective date above.

References (links):

  • EU GDPR (EUR‑Lex): https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng
  • Germany – §25 TDDDG (device access): https://www.gesetze-im-internet.de/ttdsg/__25.html
  • UK ICO – Cookies & PECR: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/cookies-and-similar-technologies/
  • EU‑US Data Privacy Framework Decision (EU) 2023/1795: https://eur-lex.europa.eu/eli/dec_impl/2023/1795/oj/eng
  • UK adequacy decision (2021/1772) — extended to 27 Dec 2025: European Commission/EDPB notices
  • ICO – International Data Transfer Agreement (IDTA) & Addendum: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/
  • UAE PDPL (Federal Decree‑Law 45/2021): https://www.uaelegislation.gov.ae
  • DIFC Data Protection Law No. 5 of 2020: https://www.difc.com/business/laws-and-regulations/legal-database/difc-laws/data-protection-law-difc-law-no-5-2020
  • California CCPA/CPRA: https://oag.ca.gov/privacy/ccpa
  • Brazil LGPD (ANPD): https://www.gov.br/anpd
  • Canada PIPEDA (OPC): https://www.priv.gc.ca/en/

© 2025 SUKAY GMBH LIMITED — sukaygmbh.ltd