Skip to main content

Privacy Policy

Last updated: February 16th, 2026

This Privacy Policy describes how Skylab LLC ("Skylab", "we", "us", or "our") collects, uses, stores, and protects personal data when you access or use EntryRocket (the "Service"), including our website and any related communications.

We believe that users — especially businesses trusting us with sensitive accounting data — deserve a clear and honest explanation of how their data is handled. This policy is therefore intentionally detailed.

1. Who We Are

Company name: Skylab LLC
Registered location: Kikinda, Serbia
Contact email: hi@skylab.rs

Skylab LLC is the legal entity responsible for processing personal data in connection with EntryRocket.

We do not have a formally appointed Data Protection Officer (DPO). All privacy-related requests can be sent to the email address above.

2. Who This Policy Applies To

This Privacy Policy applies to:

  • Visitors to the EntryRocket website
  • Companies and authorized users using the EntryRocket platform
  • Individuals submitting enquiries or consultation requests
  • Customers sending files via email for processing

EntryRocket is a business-to-business (B2B) service primarily used by companies that rely on Xero for accounting.

The Service is not intended for individuals under the age of 18, and we do not knowingly collect personal data from children.

3. Applicable Laws & Jurisdictions

EntryRocket is used globally. Our primary markets include:

  • Australia
  • New Zealand
  • The United Kingdom
  • The European Union
  • The United States
  • Canada
  • South Africa

We are aware of the data protection frameworks in these regions, including:

  • The Australian Privacy Act 1988 (Australian Privacy Principles)
  • The New Zealand Privacy Act 2020
  • The EU General Data Protection Regulation (GDPR)
  • The UK GDPR and Data Protection Act 2018
  • Canada's Personal Information Protection and Electronic Documents Act (PIPEDA)
  • South Africa's Protection of Personal Information Act (POPIA)

We aim to handle personal data in a manner consistent with the data protection expectations of these regions. If you have questions about how your data is handled under a specific framework, please contact us.

4. Personal Data We Collect

4.1 Information You Provide Directly

Depending on how you interact with EntryRocket, you may provide us with:

  • Full name
  • Email address
  • Company name
  • Messages, enquiries, or support requests (including via live chat)
  • Files sent via email for processing (including accounting or financial documents)
  • Information submitted via:
    • Lead forms
    • Free consultation forms

Payment Information

All payments are handled by Paddle, which acts as our Merchant of Record.

  • We do not collect, process, or store payment card details.
  • We may receive limited transactional metadata (e.g. subscription status) from Paddle for account management purposes.

4.2 Information Collected Automatically

When you visit our website or use the Service, certain data may be collected automatically, including:

  • IP address
  • Browser type and version
  • Operating system and device type
  • Approximate geographic location (derived from IP)
  • Pages visited, actions taken, and usage patterns
  • Referring URLs

This data is collected using tools such as:

  • Umami – privacy-focused website analytics (no cookies, no personal data collection)
  • Front – live chat and customer communication (may collect your name, email, and messages)

Additionally, our server logs (managed by Logtail / Better Stack) automatically record technical information about requests, which may include IP addresses and other data. Server logs are automatically purged after 15 days.

5. Files, Email & Xero Integration

File processing and Xero integration are core functions of EntryRocket, and we want to be especially transparent here.

5.1 How Files Arrive

Files are sent to EntryRocket via email. Each customer is assigned a unique email address to which they send documents for processing. When we receive an email, we have access to:

  • The sender's email address
  • Email metadata (subject line, timestamps)
  • File attachments (the documents to be processed)

Incoming emails are received and processed through Postmark, our email delivery provider.

5.2 Nature of Files

Files may include:

  • Accounting exports
  • Invoices
  • Financial records
  • CSV, PDF, or Excel files
  • Other business-related documents

These files may contain personal data, depending on their content.

5.3 How Files Are Processed

  • Files are parsed automatically by our systems and converted into accounting documents (such as invoices, bills, or journal entries).
  • The resulting documents are then automatically created in the customer's connected Xero organization.
  • In very rare cases, files may be manually inspected by authorized personnel solely for debugging or support purposes (e.g. resolving file format issues).
  • Manual inspection is not part of normal operations and is limited to what is strictly necessary.

5.4 Xero Integration

To provide the Service, customers connect their Xero account to EntryRocket via OAuth 2.0 (Xero's standard authorization mechanism). This grants EntryRocket access to:

  • Accounting transactions (invoices, bills, credit notes, etc.)
  • Contacts
  • Account settings (chart of accounts, tax rates, branding themes)
  • File attachments

This access is used solely to create and manage documents on the customer's behalf within their own Xero organization. We do not access other Xero organizations or use this data for any other purpose. Customers can revoke access at any time through their Xero settings.

5.5 Storage & Retention of Files

  • Original files are stored in our database for processing and reference purposes.
  • Files and associated records are automatically deleted after one year.
  • We do not retain files longer than necessary to provide the Service.

5.6 File Sharing

  • We do not share client files with third parties.
  • Parsed data is sent to Xero only, as part of the Service the customer has configured.
  • No files are sold, rented, or used for any other purpose.

6. How We Use Personal Data

We use personal data for the following purposes only:

  • Providing and operating the EntryRocket platform
  • Processing files and creating documents in customers' Xero accounts
  • Managing user accounts and access
  • Communicating service-related information (processing confirmations, error alerts, password resets, and account setup emails)
  • Providing customer support (including via live chat)

We do not send unsolicited marketing emails.

7. Legal Bases for Processing (GDPR)

For users in the European Union and the United Kingdom, where the GDPR and UK GDPR apply, we rely on one or more of the following legal bases:

  • Performance of a contract – to provide the Service you requested
  • Legitimate interests – to operate and secure EntryRocket
  • Consent – where specifically requested (e.g. consultation bookings)

8. Cookies & Tracking Technologies

Essential Cookies

We use only essential cookies required for the website to function:

  • Session cookie – maintains your login session
  • Remember me cookie – keeps you signed in across visits

Analytics

We use Umami, a privacy-focused analytics tool, to understand how visitors use our website. Umami does not use cookies, does not collect personal data, and does not track individual visitors across sessions. All analytics data is aggregated and anonymous.

Our live chat provider (Front) uses your browser's local storage to maintain your conversation state. This is considered functional storage.

You can manage or disable cookies at any time through your browser settings.

9. Third-Party Service Providers

We rely on carefully selected third-party providers to operate the Service:

  • Heroku – application and database hosting (United States)
  • Postmark – incoming and transactional email processing
  • Xero – accounting platform where parsed documents are created in the customer's own organization
  • Paddle – payment processing (Merchant of Record)
  • Rollbar – error monitoring and debugging
  • Logtail / Better Stack – server log management (logs may contain personal data and are purged after 15 days)
  • Front – live chat and customer communication
  • Umami – privacy-focused website analytics (hosted in the EU, no personal data collected)

These providers process personal data only as necessary to perform services on our behalf.

10. International Data Transfers

Our company is based in Serbia, and our application infrastructure is hosted in the United States (via Heroku). Most of our third-party service providers are also US-based companies.

This means that personal data from users in Australia, New Zealand, the European Union, the United Kingdom, Canada, South Africa, and other regions is transferred to and processed in the United States.

Many of our US-based service providers are certified under the EU-U.S. Data Privacy Framework, which provides a legal basis for data transfers from the EU. By using the Service, you acknowledge that your data may be transferred to and processed in the United States.

11. Data Retention

We retain personal data only for as long as necessary:

  • Files and associated records: automatically deleted after one year
  • Server logs: automatically purged after 15 days
  • Account data: retained for as long as your account is active. After cancellation, account data is typically deleted within a few months. You may request immediate deletion at any time by contacting us.

12. Data Security

We take data security seriously and implement appropriate technical and organizational measures, including:

  • All data transmitted between your browser and our servers is encrypted via HTTPS (TLS encryption in transit)
  • Our database is encrypted at rest
  • Access to production systems is restricted to two authorized personnel
  • Administrative access is protected with two-factor authentication
  • Error monitoring and server logging for operational oversight

While no system can guarantee absolute security, we continuously work to reduce risk.

13. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction of inaccurate or incomplete data
  • Request deletion of your personal data
  • Restrict or object to certain processing
  • Request data portability
  • Withdraw consent where processing is based on consent

Requests can be sent to hi@skylab.rs. We will make reasonable efforts to fulfill your request. We may need to verify your identity before doing so.

In some cases, full deletion from all systems (such as server logs) may not be immediately possible, but data in server logs is automatically purged after 15 days.

14. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements.

The most current version will always be available on our website, with the "Last updated" date revised accordingly.

15. Contact Information

For any privacy-related questions or requests, please contact:

Skylab LLC
Kikinda, Serbia
hi@skylab.rs