Last updated: April 27, 2026

Privacy Policy

SkillVault (“we”, “us”, “our”) operates skillvault.sh. This policy explains what data we collect, why we collect it, and how we protect it. We are committed to your privacy and comply with the EU General Data Protection Regulation (GDPR).

1. Data We Collect

Email address (optional) — collected only when you voluntarily provide it on the skill scan form. Used solely to notify you if the risk level of a scanned skill changes. You may omit it entirely.

Scan results — when you submit a GitHub URL for scanning, we store the URL, scan findings, risk score, and timestamp. This data is used to power the public security report and improve our detection pipeline.

Usage data — standard web server logs (IP address, browser type, pages visited) collected automatically. Retained for 30 days for security and debugging purposes.

We do not collect payment information directly (handled by Stripe), passwords, or any sensitive personal data beyond what is listed above.

2. How We Use Your Data

We use collected data exclusively to:

  • Deliver scan results and security reports
  • Notify you of risk-level changes for skills you scanned (email only, if provided)
  • Maintain and improve the security scanning pipeline
  • Prevent abuse and ensure system integrity

We do not sell, rent, or share your personal data with third parties for marketing or advertising purposes.

3. Data Storage and Security

Data is stored in Supabase (PostgreSQL) hosted in the EU (eu-west-1 / Frankfurt region), supporting GDPR data residency requirements for European users.

All data is encrypted in transit (TLS 1.3) and at rest. Access is restricted to SkillVault services via service-role credentials; no public direct database access is permitted.

Scan results are retained indefinitely as they form the public security record of the registry. Email addresses collected via the scan form are retained until you request deletion.

4. Third-Party Services

SkillVault uses the following third-party services, each with their own privacy policies:

  • Supabase — database and authentication (supabase.com/privacy)
  • Stripe — payment processing (stripe.com/privacy)
  • Vercel — frontend hosting (vercel.com/legal/privacy-policy)
  • Anthropic — LLM-based skill analysis (anthropic.com/privacy)

5. Your Rights (GDPR)

If you are an EU resident, you have the right to:

  • Access — request a copy of the personal data we hold about you
  • Rectification — request correction of inaccurate data
  • Erasure — request deletion of your personal data (“right to be forgotten”)
  • Portability — receive your data in a machine-readable format
  • Objection — object to processing of your data

To exercise any of these rights, email support@skillvault.sh with the subject line “GDPR Request”. We will respond within 30 days.

6. Cookies

SkillVault uses only technically necessary cookies (session management, CSRF protection). We do not use advertising, tracking, or analytics cookies. No cookie consent banner is required for technically necessary cookies under GDPR.

7. Data Deletion Requests

To request deletion of your email address or any other personal data we hold, contact us at support@skillvault.sh. We will process deletion requests within 30 days. Note that anonymised scan results (with no personally identifying information) may be retained as part of the public security record.

8. Changes to This Policy

We may update this policy as our services evolve. Changes will be posted on this page with an updated date. Continued use of SkillVault after changes constitutes acceptance of the updated policy.

9. Contact

For questions about this policy, contact us at support@skillvault.sh. For security-related privacy concerns, contact security@skillvault.sh.