Privacy
Privacy Policy
How Codenskills handles account, company Workspace, skill-package and service-operation data.
1. Scope and who we are
Effective July 14, 2026. This Privacy Policy applies to the Codenskills website, company Workspace, hosted connector and MCP services, support channels and related services (together, the Service).
The Codenskills entity identified in your Order Form or other agreement is the controller of customer account and commercial data. Codenskills Tech GmbH, Codenskills Tech Ltd, Codenskills Tech Inc. and Codenskills Tech S.L. operate as the Codenskills group and may process data for the Service as applicable. A customer company remains responsible for the skill content and personal data it chooses to place in its Workspace.
2. Information we collect
We collect information you provide, information created through use of the Service, and limited technical information needed to operate and secure it.
- Account and identity data, such as name, work email, authentication provider, profile details and company affiliation.
- Workspace data, including memberships, roles, invitations, groups, access grants, review assignments, approvals and audit events.
- Customer content, including skill packages, SKILL.md files, scripts, references, assets, versions, sources, collections, policy criteria and security-scan results.
- Connection data, including connector authorizations, API-key prefixes and one-way hashes, credential scopes, expiry, last use, client type and install-session metadata. We do not store the plaintext value of a direct access key after it is displayed.
- Commercial and transaction data, such as company, licensed capacity, billing contacts, subscription state and invoice references. Payment-card details are handled by our payment provider rather than stored by Codenskills.
- Support and feedback data, including your message, account, active Workspace and optional bounded technical context such as app path without query parameters, browser, deployment version and error reference.
- Device and operational data, such as IP address, browser or user agent, timestamps, request and security logs, rate-limit events and reliability diagnostics.
3. How we use information
We use information to provide and administer the Service; authenticate users and connected clients; create and enforce Workspace permissions; import, version, scan, review and distribute skill packages; generate signed install sessions; send operational messages; provide support; prevent abuse; investigate incidents; maintain auditability; improve reliability; administer contracts and billing; and comply with legal obligations.
Codenskills does not sell personal information or use private Workspace content for third-party advertising. We do not execute code contained in a skill package as part of package validation or security scanning.
4. Legal bases
Where the GDPR, UK GDPR or similar law applies, we rely on performance of a contract to provide the Service; legitimate interests in operating, securing and improving a business service; consent where the law requires it; and compliance with legal obligations. A customer may separately rely on its own legal bases when it places personal data in a Workspace.
5. How we share information
We share information only as needed to operate the Service, follow customer instructions, complete a transaction, comply with law, protect rights and security, or complete a corporate transaction. Service providers receive only the data needed for their role and act under contractual restrictions.
- Supabase for authentication, database, storage and Edge Function infrastructure.
- Vercel for web hosting, delivery and operational logs.
- Resend for transactional and governance email when enabled.
- Stripe for checkout, subscriptions, invoices, tax and payment operations when billing is enabled.
- DeepSeek for the bounded skill-package security profile submitted to the configured scanning service; package content is treated as untrusted data and is not executed.
- GitHub when a user requests a repository import, provenance check or source synchronization.
- Google or a customer-configured identity provider when a user chooses that authentication method.
- Professional advisers, authorities or transaction counterparties where reasonably necessary and permitted by law.
6. International transfers
Codenskills and its providers may process information in countries other than the country where it was collected. Where required, we use recognized safeguards such as adequacy decisions, standard contractual clauses or equivalent transfer mechanisms.
7. Cookies and similar technologies
The Service uses essential browser storage and cookies for authentication, security, active-Workspace selection and theme preferences. Optional analytics runs only when configured. We do not use the Service for cross-site behavioral advertising, and a browser Do Not Track signal does not change essential Service operation.
8. Retention
We retain personal data for as long as needed to provide the Service, satisfy the customer agreement, preserve security and audit records, resolve disputes and meet legal obligations. Retention can vary by data type and contractual Workspace policy. When data is no longer required, we delete or de-identify it, subject to backups and legal holds.
9. Security
We use access controls, Workspace isolation, database authorization, one-way access-key hashing, short-lived signed downloads, audit records, rate limits and package security gates to protect the Service. No method of storage or transmission is completely secure, so we cannot guarantee absolute security. Please report a suspected security issue to notifications@codenskills.com.
10. Your choices and rights
Depending on your location, you may have rights to access, correct, delete, restrict or object to processing, receive a portable copy, withdraw consent and complain to a supervisory authority. You may also have rights to know the categories and sources of personal information, request deletion or correction, and receive equal service when exercising a right.
For data controlled by your employer or another Codenskills customer, contact that organization first; we assist customers with valid requests. For Codenskills-controlled data, email notifications@codenskills.com. We may need to verify identity and authority before acting.
11. Children
Codenskills is a business service and is not directed to children. We do not knowingly collect personal data from children under 16 through the Service.
12. Changes and contact
We may update this policy as the Service or law changes. We will post the revised version here and change the effective date; material changes may also be communicated through the Service or by email.
Questions, privacy requests and security notices can be sent to notifications@codenskills.com. Please identify the relevant company Workspace and country so we can route the request to the applicable Codenskills entity.