Privacy Policy
Last updated 2026-05-29 · v1.0
This page explains exactly what data SkillOx collects, why we collect it, where we store it, who else processes it, and what rights you have over it under the GDPR. We do not run analytics, advertising or fingerprinting scripts. Engineering detail mirroring this contract is at /docs/security.
1. Who is responsible for your data
The data controller is ATOMIRA TECHNOLOGIES, S.L. (CIF B27662717), registered office at Calle Lepant 270, 08013 Barcelona, Spain, registered with the Registro Mercantil de Barcelona.
For any privacy question or to exercise your rights under the GDPR, contact privacy@skillox.io. We will respond within one month, extendable by a further two months for complex requests as Article 12(3) permits.
2. What data we collect
We only collect data you actively give us or that arises directly from your use of SkillOx. We do not buy data, we do not enrich it with third-party trackers, and we do not run advertising.
Anonymous scans
- The SKILL.md URL you submitted
- The content of the file we fetched at that URL (public content; we never fetch private repositories)
- Repository metadata returned by the source platform (stars, license, last-commit date, ownership)
- A salted HMAC-SHA-256 hash of your IP address (not the address itself) — used solely for rate-limiting and abuse protection
- The Cloudflare Turnstile challenge result (a pass/fail signal, not your behavioural fingerprint)
Creator accounts
- Your GitHub username, primary email address, display name and avatar URL (transferred from GitHub when you sign in)
- Any creator profile fields you fill in (bio, optional links)
- Listings you have claimed and skills you follow
- Audit-log entries recording moderation-relevant actions you took or that affected you
Billing (Pro tier and above)
- Stripe customer and subscription identifiers
- The last four digits and brand of the payment instrument (returned by Stripe; we never see the full PAN)
- Invoice metadata (subscription tier, amount, status, period)
Email engagement
- Whether you have unsubscribed from optional grade-drop alerts and digests
- For test sends from /admin/emails: the recipient address and a timestamp, written to the audit log
API key usage
- A salted hash of each key (we cannot recover the plaintext)
- The timestamp of the last successful authentication with each key
Server logs
Standard request logs (method, path, status code, duration, salted IP hash, user-agent) are kept for at most 14 days for operational debugging and security forensics.
3. Why we collect each category (lawful bases)
- Anonymous scans: legitimate interest (Art. 6(1)(f)) in providing a security-grading service for the AI-agent ecosystem.
- Creator accounts: contract (Art. 6(1)(b)) to provide the account, claim, follow, and (where applicable) Pro features you signed up for.
- Billing: contract (Art. 6(1)(b)) and legal obligation (Art. 6(1)(c)) for tax and bookkeeping.
- Transactional email: contract (Art. 6(1)(b)) — sign-in confirmations, grade-drop alerts on listings you own or follow, billing confirmations. We do not send marketing email.
- Rate limiting and abuse protection: legitimate interest (Art. 6(1)(f)) in keeping the service available and secure.
- Audit log: legitimate interest (Art. 6(1)(f)) in accountability, and legal obligation where applicable.
4. Where your data is stored
Production data is stored in the European Union. Our application servers and Postgres database run on Hetzner Online GmbH infrastructure in Finland (Helsinki). Encrypted off-site backups are written to Backblaze B2 in the EU region. Transactional email leaves through a Hetzner-hosted SMTP relay.
Local development data lives only on developer machines and is never connected to production.
5. Who else processes your data (subprocessors)
We use a small set of well-known subprocessors. Each has a current Data Processing Agreement with us and processes data only as instructed.
- Hetzner Online GmbH (DE; servers in Finland) — application hosting, Postgres storage, SMTP relay
- Backblaze B2 (EU region) — encrypted off-site backups
- Cloudflare Inc. (US, EU edge) — CDN, DNS, WAF and the Turnstile abuse-protection challenge. Cloudflare is a signatory to EU Standard Contractual Clauses (SCCs).
- Stripe Payments Europe Ltd. (IE) — payment processing for Pro and higher tiers; we never see full card numbers
- GitHub, Inc. (US) — OAuth identity when you sign in. Only the minimum profile data needed to identify your account is transferred to us. GitHub is a signatory to SCCs.
- Resend, Anthropic, Google or other LLM providers — only when the operator has wired a semantic-probe provider via env, and only for the SKILL.md text being scanned in real time. Self-hosted operators can run Ollama locally to keep all probing on-prem; the public hosted instance uses one of the cloud providers.
We will update this list before adding a new subprocessor in any material capacity. The latest version is always at this URL.
6. How long we keep your data
- Anonymous scans: automatically deleted 30 days after the scan completes. The shareable /r/<id> URL stops resolving at that point.
- Creator-claimed scans: kept for as long as the listing is live so the public catalog stays browseable. You can delete a listing you own at any time from the creator dashboard; deletion removes the scan, findings and the public Report Card.
- Account data: kept while the account is open, plus six years for billing-related records as Spanish tax law requires. On account closure we delete what we are not legally required to keep.
- Audit log: 18 months, then aggregated into anonymous statistics.
- Server logs: 14 days.
- Salted IP hashes: 24 hours rolling for rate-limit windows, then expired.
7. Your rights under the GDPR
As a data subject you have the right to:
- Access — request a copy of your personal data we hold;
- Rectification — ask us to correct inaccurate data;
- Erasure — ask us to delete your personal data, subject to records we are legally required to keep;
- Restriction — ask us to limit how we process your data while a request is being resolved;
- Portability — receive your data in a machine-readable format and have us transfer it where technically feasible;
- Objection — object to processing based on our legitimate interest, on grounds relating to your particular situation;
- Withdraw consent — where we relied on consent, you may withdraw it at any time without affecting the lawfulness of past processing;
- Complain to a supervisory authority — in Spain that is the Agencia Española de Protección de Datos (www.aepd.es).
Send all rights requests to privacy@skillox.io. We will respond within one month, extendable by two months for complex requests, as Article 12(3) GDPR permits.
8. International transfers
Our primary infrastructure is in the European Union. Transfers to non-EU subprocessors (Cloudflare, Stripe and GitHub) take place under the European Commission's Standard Contractual Clauses adopted in Decision (EU) 2021/914, supplemented where applicable by additional safeguards in line with EDPB recommendations.
9. How we protect your data
We protect your data with TLS in transit, encrypted backups at rest, scoped database connection pools, short-lived session tokens, HMAC-signed unsubscribe links, salted API-key hashes, rate-limiting on every public endpoint, and a least-privilege admin layer that records every grade/skill change to the audit log. We do not store full payment card numbers or plaintext API keys.
Despite reasonable measures, no system is unbreachable. If a personal-data breach occurs we will notify the AEPD within 72 hours where required by Article 33 GDPR and, where the breach is likely to result in a high risk to your rights, notify you directly.
11. Children
SkillOx is not intended for users under the age of 16. We do not knowingly collect personal data from anyone under 16. If you become aware that a minor has provided personal data to us, contact privacy@skillox.io and we will delete it.
12. Grades are signals, not certifications
We mention it here too because it bears on what you should do with the scan reports we generate: every grade SkillOx publishes is a best-effort security signal, not a certification of safety. You remain responsible for your own review of any skill you install. See the Terms of Service for the full disclaimer and limitation of liability.
13. Changes to this policy
We may update this Privacy Policy. When we make material changes we will update the date and version at the top of this page and notify account holders by email before the change takes effect.
14. Contact
Privacy-related questions and rights requests: privacy@skillox.io. General queries: hello@skillox.io. Postal: ATOMIRA TECHNOLOGIES, S.L., Calle Lepant 270, 08013 Barcelona, Spain.