Privacy Policy
Last updated: 13 April 2026
SkillInvoke ("we", "us", "our") operates the skillinvoke.com website and the SkillInvoke platform, including the CLI tool and API (together, the "Service"). This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and your rights under the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.
1. Data controller
SkillInvoke is the data controller for the personal data processed through the Service. You can reach us at:
- Email: privacy@skillinvoke.com
- Location: United Kingdom
2. What data we collect
2.1 Account data
When you create an account, we collect:
- Full name
- Email address
- Password (stored as a one-way hash — we never store your password in plain text)
2.2 GitHub data
If you sign in with GitHub or connect a GitHub account, we receive:
- Your GitHub username and user ID
- Your GitHub email address (if not already provided)
- An OAuth access token (encrypted at rest) used to access repositories you have explicitly connected
When you install the SkillInvoke GitHub App, we receive the installation ID and the GitHub account name. The App has read-only access to connected repositories and only reads SKILL.md files and pack manifests. We do not store the content of your skill files — your code and skill content remains in GitHub at all times.
2.3 Organisation and team data
If you create or join an organisation, we collect:
- Organisation name
- Billing email address
- Team membership details (role, date joined)
- Invitations sent (recipient email, role, expiry)
2.4 Billing data
Payments are processed by Stripe. We store:
- Your Stripe customer ID
- Subscription status and plan
- Last four digits and expiry date of your payment method (for display purposes)
- Charge and refund records
We do not store full card numbers, CVVs, or bank account details. Stripe handles this data directly under their own privacy policy as an independent data controller.
2.5 Usage and activity data
We collect data about how you use the Service, including:
- Skill configuration changes (timestamps, action type, branch, PR details)
- Skill feedback (sentiment, optional comments)
- API key usage (last used timestamp, scopes)
- Audit logs (who did what, when, within your organisation)
2.6 Device authorisation data
When you authenticate the CLI, we generate temporary device codes and access tokens. Device codes expire after 15 minutes.
2.7 Cookies and session data
We use the following cookies:
- Session cookie — essential for keeping you signed in. Expires when you close your browser or after 30 minutes of inactivity.
- Remember-me cookie — optional, set only if you choose "Remember me" at sign-in. Allows persistent authentication across browser sessions.
- CSRF token — essential for protecting against cross-site request forgery.
We do not use third-party tracking cookies, advertising cookies, or analytics cookies. We do not use any third-party analytics services.
3. How we use your data
We process your personal data for the following purposes:
| Purpose | Legal basis (UK/EU GDPR) |
|---|---|
| Providing and operating the Service | Performance of contract (Art. 6(1)(b)) |
| Sending transactional emails (confirmations, password resets, invitations) | Performance of contract (Art. 6(1)(b)) |
| Processing payments and managing subscriptions | Performance of contract (Art. 6(1)(b)) |
| Maintaining audit logs for your organisation | Legitimate interest (Art. 6(1)(f)) — accountability and security |
| Enforcing rate limits and preventing abuse | Legitimate interest (Art. 6(1)(f)) — security |
| Improving the Service based on aggregated usage patterns | Legitimate interest (Art. 6(1)(f)) — product improvement |
| Complying with legal obligations | Legal obligation (Art. 6(1)(c)) |
4. Third-party data sharing
We share personal data only with the following categories of third parties, and only to the extent necessary:
4.1 Stripe (payment processor)
We share your billing email and payment information with Stripe to process subscriptions and charges. Stripe acts as an independent data controller. See Stripe's privacy policy.
4.2 GitHub
We exchange authentication tokens and repository metadata with GitHub via OAuth and the GitHub App. GitHub acts as an independent data controller. See GitHub's privacy statement.
4.3 Email service provider
We use an SMTP email provider to send transactional emails. This provider processes recipient email addresses and message content on our behalf as a data processor.
4.4 Infrastructure providers
Our servers and databases are hosted by third-party infrastructure providers. These providers process data on our behalf as data processors under appropriate contractual safeguards.
We do not sell, rent, or trade your personal data. We do not share data with advertising networks or data brokers.
5. International data transfers
Our primary infrastructure is based in the United Kingdom. Some third-party processors (including Stripe and GitHub) may process data outside the UK and EEA. Where this occurs, we rely on:
- UK adequacy regulations
- Standard contractual clauses (SCCs) or equivalent safeguards
- The processor's own compliance frameworks (e.g., Stripe and GitHub maintain their own transfer mechanisms)
6. Data retention
| Data type | Retention period |
|---|---|
| Account data | Until you delete your account |
| Organisation data | Until the organisation is deleted by an admin |
| Audit logs | Retained for the lifetime of the organisation for accountability purposes |
| Billing records | 7 years after the last transaction (legal requirement for tax and accounting) |
| Device authorisation codes | 15 minutes (automatically expired) |
| Team invitations | 7 days (automatically expired), then retained until organisation deletion |
| Session cookies | Cleared on sign-out or after 30 minutes of inactivity |
When you delete your account, we remove your personal data from our active systems. Some data may persist in encrypted backups for up to 30 days before being permanently deleted.
7. Data security
We implement appropriate technical and organisational measures to protect your data, including:
- Encryption at rest for OAuth tokens and sensitive credentials
- One-way hashing (bcrypt) for passwords
- SHA-256 hashing for API keys (only a prefix is stored in readable form)
- TLS/SSL encryption for all data in transit
- CSRF protection on all form submissions
- Rate limiting on authentication endpoints and API access
- Account lockout after repeated failed sign-in attempts
- Paranoid mode on authentication (we don't reveal whether an email is registered)
8. Your rights
Under the UK GDPR and EU GDPR, you have the following rights:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your personal data ("right to be forgotten").
- Restriction — ask us to restrict processing of your data in certain circumstances.
- Data portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — where processing is based on consent, withdraw it at any time.
To exercise any of these rights, email privacy@skillinvoke.com. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. In the UK, this is the Information Commissioner's Office (ICO).
9. Data processing agreements
If your organisation requires a Data Processing Agreement (DPA) for compliance purposes, please contact us at privacy@skillinvoke.com. We will provide a DPA that covers our obligations as a data processor when processing personal data on behalf of your organisation.
10. Children's privacy
The Service is not directed at children under 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it.
11. Changes to this policy
We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice on the Service before the changes take effect. Your continued use of the Service after the changes take effect constitutes acceptance of the updated policy.
12. Contact
For privacy-related questions, data requests, or complaints:
- Email: privacy@skillinvoke.com
- General support: support@skillinvoke.com