Privacy Policy

skillsvaulthttps://skillsvault.io

Last updated: July 2026

This privacy policy describes how Abdelfettah Latrache & Niklas Goby GbR ("skillsvault", "we", "us", or "our") collects, uses, and shares personal data when you:

  • visit our website at https://skillsvault.io,
  • create an account and use the skillsvault cloud service (registry, policy management, dashboard),
  • install and run the skillsvault CLI or harness plugins (the "gate") on your machines, or
  • contact us or interact with us in any other way.

Questions? Contact us at info@skillsvault.io or by post at the address in Section 13.


1. Who is responsible for data processing?

The data controller for the processing described in this policy is:

Abdelfettah Latrache & Niklas Goby GbR Moosweg 41 79350 Sexau, Germany Email: info@skillsvault.io

Important — controller vs. processor: When your organisation uses skillsvault, the audit records and policy data created within your organisation's workspace (see Section 4) are processed by us on behalf of your organisation. In those cases, your organisation is the data controller and we act as a data processor under a data processing agreement (DPA). Questions about how your employer or organisation uses skillsvault should be directed to them. This policy applies to the processing for which we are the controller: our website, account management, billing, support, and service operations.

2. Our local-first principle

skillsvault is designed so that policy decisions are made locally on your machines. The invocation gate evaluates skills against your organisation's policies on-device. Skill contents, prompts, agent inputs and outputs, and the files your agents work on are not transmitted to us as part of gate decisions, and the gate does not send usage telemetry about your prompts or workloads.

What the service does record is the audit trail your organisation has enabled: metadata about which skill version was invoked, by which actor, on which host, under which policy, and with which verdict (see Section 4.3).

3. Data we collect on the website

3.1 Server log data

When you visit skillsvault.io, our hosting provider automatically records technical information such as IP address, date and time of the request, browser type and version, operating system, and the referring URL. This data is required to deliver the website securely and reliably and is processed on the basis of our legitimate interest (Art. 6(1)(f) GDPR). Log data is deleted or anonymised after 30 days.

We use cookies only where necessary. Essential cookies (e.g. session and security cookies) are always active. If we use optional analytics or marketing cookies, they are loaded only after you consent via the cookie banner (Art. 6(1)(a) GDPR), and you can change or withdraw your choice at any time.

We use Vercel Web Analytics and Vercel Speed Insights, privacy-friendly measurement tools that do not use cookies and do not track visitors across sites; visits are counted via an anonymised hash that cannot be used to identify you (Art. 6(1)(f) GDPR). Where enabled with your consent, we additionally use Google Tag Manager to manage measurement tags.

3.3 Contact

If you contact us by email, we store your message and contact details to handle your enquiry and possible follow-up questions (Art. 6(1)(b) or (f) GDPR).

4. Data we collect when you use the service

4.1 Account data

When you register, we collect your name, email address, and authentication data. If you sign in via a third-party identity provider (e.g. Google, GitHub, or your organisation's SSO/SAML provider), we receive the profile information that provider shares with us — typically your name, email address, and avatar. We use account data to create and manage your account, authenticate you, and communicate with you about the service (Art. 6(1)(b) GDPR).

For Business plans with SSO/SAML and SCIM, your organisation's identity provider controls which user attributes are provisioned to us.

4.2 Registry and policy data

Skills published to your organisation's registry are stored as versioned, content-addressed, and (where enabled) signed bundles, together with metadata such as publisher, timestamp, and checksum. Policies authored by your organisation's admins are stored to enforce them across your machines. Publisher identity (e.g. the email of the user who pushed a skill) is personal data and is processed to provide the service (Art. 6(1)(b) GDPR) — for organisation workspaces, on behalf of your organisation as processor.

4.3 Audit trail

The audit trail records, per skill invocation: timestamp, actor (e.g. user email or service account), host identifier, skill name and version, applied policy, verdict (allow / warn / block), decision latency, and a cryptographic signature. This data is personal data of the users in your organisation. We process it on behalf of your organisation as data processor; your organisation determines retention and access. Retention depends on your plan (e.g. 7 days on Free, 30 days on Team, configurable/unlimited with export on Business). Audit records are append-only and exportable by your organisation.

4.4 Operational and diagnostic data

To operate the cloud service, we process technical logs (API request metadata, error reports, security events) on the basis of our legitimate interest in keeping the service secure and reliable (Art. 6(1)(f) GDPR).

5. Payments

Paid plans are billed through Stripe. Payment data (card details, billing address) is collected and processed directly by Stripe; we do not store full payment card numbers. Stripe is certified to PCI DSS. Legal basis: Art. 6(1)(b) GDPR. See Stripe's privacy policy for details: https://stripe.com/privacy

6. Transactional email

We send transactional emails (e.g. account verification, invoices, security notices, policy alerts) via Resend, with whom we have a data processing agreement. Legal basis: Art. 6(1)(b) and (f) GDPR. We send marketing emails only with your consent, and every such email contains an unsubscribe link.

7. Hosting and sub-processors

The skillsvault website and cloud service are hosted at Vercel; service data (accounts, registry metadata, audit records) is stored with Supabase. Data processing agreements are in place with both providers.

We use a limited number of sub-processors to operate the service (hosting, database, payments, email, error monitoring, support tooling). A current list of sub-processors is available on request at info@skillsvault.io. All sub-processors are bound by contracts that restrict their use of personal data to providing services to us.

8. International data transfers

Where personal data is transferred to countries outside the EU/EEA that do not provide an adequate level of data protection (in particular to sub-processors in the United States), we rely on appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework.

9. How long we keep your data

We keep personal data only as long as needed for the purposes described in this policy, unless a longer retention period is required by law (e.g. tax and commercial record-keeping obligations):

  • Account data: for the lifetime of your account and up to 30 days after deletion.
  • Audit trail data: according to your organisation's plan and configuration (see Section 4.3); as processor, we delete or return this data per your organisation's instructions.
  • Billing records: as required by statutory retention obligations.
  • Server logs: 30 days.

10. How we protect your data

We apply technical and organisational measures appropriate to the risk, including encryption in transit, content-addressed and tamper-evident storage, signed skill bundles, access controls, and append-only audit logging. No transmission or storage system is completely secure, so we cannot guarantee absolute security, but we work continuously to protect your data.

11. Your rights

Under the GDPR (and comparable laws where applicable), you have the right to:

  • access the personal data we hold about you (Art. 15),
  • rectification of inaccurate data (Art. 16),
  • erasure ("right to be forgotten", Art. 17),
  • restriction of processing (Art. 18),
  • data portability (Art. 20),
  • object to processing based on legitimate interests (Art. 21), and
  • withdraw consent at any time with effect for the future (Art. 7(3)).

To exercise these rights, email info@skillsvault.io. If we process your data as a processor on behalf of your organisation, we will refer your request to your organisation or assist them in responding, as required by our DPA.

You also have the right to lodge a complaint with a supervisory authority, in particular in the EU member state of your residence, workplace, or the place of the alleged infringement. The supervisory authority responsible for us is the Landesbeauftragte für den Datenschutz und die Informationsfreiheit Baden-Württemberg.

12. Minors

Our services are directed at businesses and professionals. We do not knowingly collect personal data from children under 16. If you believe a child has provided us with personal data, please contact us so we can delete it.

13. Contact

For any questions about this privacy policy or our data practices:

Abdelfettah Latrache & Niklas Goby GbR Moosweg 41 79350 Sexau, Germany Email: info@skillsvault.io

14. Changes to this policy

We may update this policy from time to time to reflect changes in our services or legal requirements. The current version is always available at https://skillsvault.io/privacy. For material changes, we will notify registered users by email or via an in-product notice.