# Privacy Policy

**Last updated:** 3 April 2026

SkillAgenie ("we", "us", "our") operates the website skillagenie.com and the SkillAgenie platform (together, the "Service"). This Privacy Policy explains how we collect, use, share, and protect your personal data when you use our Service.

We are a data controller under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. If you have questions about this policy, contact us at privacy@skillagenie.com.

## 1. Information we collect

**Account information:** When you create an account, we collect your name, email address, and authentication credentials. If you sign in with Google, we receive your name, email, and profile picture from Google.

**Payment information:** When you subscribe to a paid plan, your payment details are processed by Stripe. We do not store your full card number, CVC, or bank details. We receive and store your Stripe customer ID, subscription status, and billing history.

**Pipeline data:** When you build and run pipelines, we process the objective you describe, the skills you select, any files you upload, and the outputs produced. Uploaded files are stored temporarily for processing and deleted within 30 days of the pipeline run completing.

**Usage data:** We automatically collect information about how you use the Service, including pages visited, features used, pipeline run history, credit consumption, and error logs.

**Device and connection data:** We collect your IP address, browser type, operating system, and referring URL. This is collected through server logs, not tracking cookies.

## 2. How we use your data

We use your personal data for the following purposes and legal bases:

- **Providing the Service** (contractual necessity): processing your pipelines, managing your account, handling billing, and delivering outputs.
- **AI processing** (contractual necessity): sending your pipeline inputs and objectives to third-party AI model providers (such as Anthropic, OpenAI, and Google) to generate outputs. See section 5 for details.
- **Service improvement** (legitimate interest): analysing usage patterns to improve features, fix bugs, and optimise performance. We aggregate and anonymise data where possible.
- **Security** (legitimate interest): detecting and preventing fraud, abuse, and security incidents.
- **Communications** (consent or legitimate interest): sending you service updates, billing notifications, and — only with your consent — product announcements.
- **Legal compliance** (legal obligation): responding to lawful requests from authorities and meeting our regulatory obligations.

## 3. How we share your data

We share personal data only with the following categories of recipients:

- **AI model providers** (Anthropic, OpenAI, Google): Your pipeline inputs are sent to these providers for processing. They act as data processors on our behalf. We have data processing agreements in place. Your data is not used to train their models when accessed via their API. See section 5.
- **Stripe:** Payment processing. Stripe acts as an independent data controller for payment data. See Stripe's privacy policy at stripe.com/privacy.
- **Supabase:** Authentication and database hosting. Supabase acts as a data processor. Data is stored in EU/UK regions.
- **Firecrawl:** Web scraping for search/research pipelines. Only processes URLs and content you request — no personal data is shared unless contained in your pipeline inputs.
- **Resend:** Email delivery for pipelines that include email sending steps. Receives recipient email addresses and email content you provide.

We do not sell your personal data. We do not share your data with advertisers. We do not use your data for profiling or automated decision-making that produces legal effects.

## 4. Data retention

- **Account data:** Retained while your account is active. Deleted within 30 days of account deletion.
- **Pipeline inputs and outputs:** Retained for 30 days after pipeline completion for you to review and download, then automatically deleted.
- **Uploaded files:** Deleted within 30 days of pipeline completion.
- **Billing records:** Retained for 7 years as required by UK tax law.
- **Server logs:** Retained for 90 days, then deleted.
- **Anonymised analytics:** Retained indefinitely (no personal data).

## 5. AI and your data

SkillAgenie uses third-party AI models to execute pipeline steps. When you run a pipeline:

- Your pipeline objective, uploaded files, and intermediate outputs are sent to AI model providers via their APIs.
- **Your data is not used to train AI models.** All API providers we use (Anthropic, OpenAI, Google) confirm that data sent via their APIs is not used for model training.
- AI-generated outputs may contain inaccuracies. You are responsible for reviewing outputs before using them.
- We do not store AI model provider conversations beyond the pipeline run lifecycle (30 days).
- You can request deletion of all pipeline data at any time.

## 6. Cookies and tracking

We use only strictly necessary cookies:

- **Session cookie:** Maintains your login state. Essential for the Service to function. Expires when you close your browser or after 7 days.
- **Supabase auth token:** Stores your authentication session. Essential. Expires after 1 hour (auto-refreshed).

We do **not** use:

- Analytics cookies (no Google Analytics, no Meta Pixel)
- Advertising or tracking cookies
- Third-party cookies for profiling

Because we only use strictly necessary cookies, we do not require a cookie consent banner under the UK Privacy and Electronic Communications Regulations (PECR).

## 7. Your rights

Under the UK GDPR, you have the right to:

- **Access:** Request a copy of the personal data we hold about you.
- **Rectification:** Ask us to correct inaccurate data.
- **Erasure:** Ask us to delete your data (subject to legal retention requirements).
- **Restriction:** Ask us to limit how we process your data.
- **Portability:** Receive your data in a structured, machine-readable format.
- **Object:** Object to processing based on legitimate interests.
- **Withdraw consent:** Where processing is based on consent, withdraw it at any time.

To exercise any of these rights, email privacy@skillagenie.com. We will respond within 30 days.

You also have the right to lodge a complaint with the Information Commissioner's Office (ICO) at ico.org.uk.

**For California residents (CCPA/CPRA):** You have the right to know what personal information we collect, request deletion, and opt out of the sale of personal information. We do not sell personal information. To make a request, email privacy@skillagenie.com.

## 8. International transfers

Your data is primarily processed within the UK and EU. Where data is transferred to AI model providers in the United States, these transfers are protected either by Standard Contractual Clauses (SCCs) approved by the UK Information Commissioner or by the provider's participation in the EU-US Data Privacy Framework.

## 9. Security

We implement appropriate technical and organisational measures to protect your data, including:

- Encryption in transit (TLS 1.2+) and at rest
- Access controls and authentication via Supabase Auth
- Regular security reviews
- Minimal data collection principle
- Automatic deletion schedules

No system is completely secure. If we become aware of a data breach that poses a risk to your rights, we will notify you and the ICO within 72 hours as required by the UK GDPR.

## 10. Children

The Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, contact us and we will delete it.

## 11. Changes to this policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email or by posting a notice on the Service. The "last updated" date at the top indicates when this policy was last revised.

## 12. Contact

SkillAgenie
Email: privacy@skillagenie.com
Website: skillagenie.com

For data protection enquiries, reach our data protection contact at privacy@skillagenie.com.
