Privacy Policy

Last updated: April 22, 2026

SkillAudit ("we", "our", "us") operates skillaudit.dev. This page explains what data we collect, why, and how you can control it.

1. What we collect

• Email address — when you join the waitlist or sign up, so we can contact you about the product.
• Repository metadata — when you submit a repo for audit: the URL, file tree, manifest files, and source code, processed in an ephemeral sandbox and discarded after the report is generated.
• Audit results — the report card itself, retained on your account so you can view scan history and badges resolve.
• Usage data — pages you visit, scans you run, session duration. Used to improve the product, never sold.
• Device info — browser type, screen size, approximate location (country level) inferred from IP.
• Communications — emails you send us and our replies.

We do not collect: financial information beyond what Stripe needs to bill you, government IDs, health data, precise location, or information from children under 16. We do not retain repository source code after the scan completes — only the report card.

2. Why we collect it

• To run the audit you requested.
• To notify you about product updates and rescans (you can opt out at any time).
• To fix bugs and improve features based on aggregate usage patterns.
• To comply with legal obligations (tax records, anti-fraud, etc.).

3. Who we share with

We share the minimum necessary data with these categories of processors:

• Email delivery — to send waitlist and product emails. No marketing list resale.
• Payment processing (Stripe) — if you upgrade to a paid plan. We never store your card details.
• LLM provider (Anthropic) — for the LLM-assisted prompt-injection probe step of an audit. We send only the parsed prompt surface and tool definitions, never your env vars or credentials. Anthropic's API does not retain inputs for training under our enterprise agreement.
• Analytics — only aggregate, anonymised website traffic.

We do not sell your data. Ever. We do not share it with advertisers.

4. Cookies

We use a minimal set of first-party cookies for session management. No third-party tracking cookies. If you disable cookies, some features (like staying logged in) won't work, but browsing stays functional.

5. Your rights

Under GDPR (if you're in the EU) and similar laws elsewhere, you have the right to:

• Access — request a copy of everything we have on you.
• Correction — ask us to fix incorrect data.
• Deletion — ask us to delete your data ("right to be forgotten"). We'll comply within 30 days unless legally required to retain (e.g. tax records).
• Portability — get your data in a machine-readable format.
• Objection — opt out of any processing based on legitimate interest.

Email privacy@skillaudit.dev to exercise any of these rights.

6. Data retention

We keep your account data while you have an account, plus 90 days after deletion (for backup recovery). Waitlist entries are deleted after 2 years of inactivity. Source code submitted for audit is discarded immediately after the report is generated; only the report card is retained.

7. Security

Data is encrypted in transit (HTTPS) and at rest. Repository sandboxes are isolated per-scan and torn down after each audit. Access is limited to the people who need it to operate the service. We are not perfect; if a breach affects you, we will notify you within 72 hours.

8. International transfers

Our servers are in the EU. If you access the service from outside the EU, your data may be transferred to and processed in the EU — which has strong privacy laws.

9. Changes

We'll update this page if material things change. If we do, we'll notify registered users by email at least 14 days before the change takes effect.

10. Contact

Questions? Email privacy@skillaudit.dev. We reply within 2 business days.