Privacy Policy
How SkillRepo collects, processes, and protects personal data under GDPR.
Privacy Policy
Last updated: 2026-04-27
1. Controller
The controller responsible for data processing under Art. 4(7) GDPR is Matthias Roßbach, Rudi-Dutschke-Straße 23, 10969 Berlin, Germany. See the Imprint for full legal information.
Privacy contact: privacy@skillrepo.app.
2. Scope
This policy covers personal data processed when you visit the public site, authenticate via GitHub OAuth, submit feedback, contact the enterprise address, or interact with any analytics.
3. What we collect and why
| Purpose | Data | Lawful basis | Retention |
|---|---|---|---|
| Service delivery (public browsing) | None beyond what the browser sends for each request (no tracking cookies for anonymous users) | Art. 6(1)(f) legitimate interest | Request lifetime |
| Pseudonymous analytics (PostHog, EU Cloud) | In-memory session data only. No IP address (ip: false), no cookies (persistence: 'memory') | Art. 6(1)(f) legitimate interest | Browser tab lifetime |
| Authenticated analytics | Persistent user id (from GitHub OAuth) linked to anonymous session via alias() on login | Art. 6(1)(b) contract | 24 months or account deletion |
| Session replay | Currently disabled — pending an explicit opt-in consent mechanism (Art. 7) | — | n/a |
| Feedback widget | Free-text feedback, page path, and (if signed in) your authenticated user id. Stored in our EU-based Convex deployment only — not relayed to any third party | Art. 6(1)(f) legitimate interest | 24 months |
| Enterprise contact | Only what you voluntarily send to the contact email; no form submission is stored server-side | Art. 6(1)(f) legitimate interest | Until matter resolved |
| Security rate-limiting | Hashed IP + counters, in-memory | Art. 6(1)(f) legitimate interest | ≤24h |
4. Third parties and hosting regions
- PostHog (EU Cloud, Frankfurt) — first-party proxied via
/ph. No IP collection, no cookies for anonymous users (persistence: 'memory'). Authenticated users get pseudonymous identification linked to their GitHub user id. Session replay is disabled pending an explicit opt-in mechanism. - Convex — managed database. User-generated authenticated data (profile, feedback) is stored in the EU-based Convex deployment. Data is encrypted at rest and in transit. Convex's underlying AWS infrastructure handling and any non-EU backup transfers are covered by the EU Standard Contractual Clauses (2021/914).
- GitHub (OAuth, USA) — authentication provider. Redirects to GitHub; we receive only the minimum scopes (profile id, email). Transfer is covered by GitHub's Standard Contractual Clauses.
- Vercel (EU edge, hosting) — application hosting and edge delivery. No analytics cookies. Logs are anonymised and retained for operational troubleshooting only.
- Google Generative AI (Gemini) — operator-triggered translation of catalogue content (extension descriptions, summaries, rationales) into the supported display locales. Only public catalogue content is sent (no personal data, no user input, no IP, no identifiers); the request is initiated by the operator from the EU pipeline, not by site visitors. Transfer to the US is covered by Standard Contractual Clauses (2021/914) and Google's supplementary safeguards.
No data is transferred to non-EU countries except for GitHub OAuth (US) and operator-triggered Google Generative AI translation calls (US, public catalogue content only), each under Standard Contractual Clauses.
5. Your rights (Art. 15–22 GDPR)
You have the right to:
- access your personal data (Art. 15)
- rectify inaccurate data (Art. 16)
- erasure / "right to be forgotten" (Art. 17)
- restrict processing (Art. 18)
- data portability (Art. 20)
- object to processing based on legitimate interest (Art. 21)
To exercise any of these rights, email the privacy contact above. We respond within one month as required by Art. 12(3) GDPR; complex requests may be extended by up to two further months with notice.
Until a self-service deletion UI is shipped, account deletion is handled manually via the same email address — this is covered in the privacy policy to avoid misleading claims about in-app controls.
You may also lodge a complaint with a supervisory authority. For Germany, the competent authority depends on the controller's seat (e.g. Bayerisches Landesamt für Datenschutzaufsicht for Bavaria, Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit for Hamburg, etc.). The list of German DPAs is maintained by the BfDI at https://www.bfdi.bund.de.
6. Automated decision-making
We use AI to score and rank skills. No automated decision produces legal or similarly significant effects on users (Art. 22 GDPR). Scoring influences ranking in the public catalogue only.
7. Changes to this policy
Material changes are announced on the site and dated above.