
Privacy Policy

How SkillRepo collects, processes, and protects personal data under GDPR.


Last updated: 2026-04-27

1. Controller

The controller responsible for data processing under Art. 4(7) GDPR is Matthias Roßbach, Rudi-Dutschke-Straße 23, 10969 Berlin, Germany. See the Imprint for full legal information.

Privacy contact: privacy@skillrepo.app.

2. Scope

This policy covers personal data processed when you visit the public site, authenticate via GitHub OAuth, submit feedback, contact the enterprise address, or interact with any analytics.

3. What we collect and why

| Purpose | Data | Lawful basis | Retention |
|---|---|---|---|
| Service delivery (public browsing) | None beyond what the browser sends for each request (no tracking cookies for anonymous users) | Art. 6(1)(f) legitimate interest | Request lifetime |
| Pseudonymous analytics (PostHog, EU Cloud) | In-memory session data only. No IP address (ip: false), no cookies (persistence: 'memory') | Art. 6(1)(f) legitimate interest | Browser tab lifetime |
| Authenticated analytics | Persistent user id (from GitHub OAuth) linked to anonymous session via alias() on login | Art. 6(1)(b) contract | 24 months or account deletion |
| Session replay | Currently disabled — pending an explicit opt-in consent mechanism (Art. 7) | | n/a |
| Feedback widget | Free-text feedback, page path, and (if signed in) your authenticated user id. Stored in our EU-based Convex deployment only — not relayed to any third party | Art. 6(1)(f) legitimate interest | 24 months |
| Enterprise contact | Only what you voluntarily send to the contact email; no form submission is stored server-side | Art. 6(1)(f) legitimate interest | Until matter resolved |
| Security rate-limiting | Hashed IP + counters, in-memory | Art. 6(1)(f) legitimate interest | ≤24h |

4. Third parties and hosting regions

  • PostHog (EU Cloud, Frankfurt) — first-party proxied via /ph. No IP collection, no cookies for anonymous users (persistence: 'memory'). Authenticated users get pseudonymous identification linked to their GitHub user id. Session replay is disabled pending an explicit opt-in mechanism.
  • Convex — managed database. User-generated authenticated data (profile, feedback) is stored in the EU-based Convex deployment. Data is encrypted at rest and in transit. Convex's underlying AWS infrastructure handling and any non-EU backup transfers are covered by the EU Standard Contractual Clauses (2021/914).
  • GitHub (OAuth, USA) — authentication provider. Redirects to GitHub; we receive only the minimum scopes (profile id, email). Transfer is covered by GitHub's Standard Contractual Clauses.
  • Vercel (EU edge, hosting) — application hosting and edge delivery. No analytics cookies. Logs are anonymised and retained for operational troubleshooting only.
  • Google Generative AI (Gemini) — operator-triggered translation of catalogue content (extension descriptions, summaries, rationales) into the supported display locales. Only public catalogue content is sent (no personal data, no user input, no IP, no identifiers); the request is initiated by the operator from the EU pipeline, not by site visitors. Transfer to the US is covered by Standard Contractual Clauses (2021/914) and Google's supplementary safeguards.

No data is transferred to non-EU countries except for GitHub OAuth (US) and operator-triggered Google Generative AI translation calls (US, public catalogue content only), each under Standard Contractual Clauses.

5. Your rights (Art. 15–22 GDPR)

You have the right to:

  • access your personal data (Art. 15)
  • rectify inaccurate data (Art. 16)
  • erasure / "right to be forgotten" (Art. 17)
  • restrict processing (Art. 18)
  • data portability (Art. 20)
  • object to processing based on legitimate interest (Art. 21)

To exercise any of these rights, email the privacy contact above. We respond within one month as required by Art. 12(3) GDPR; complex requests may be extended by up to two further months with notice.

Until a self-service deletion UI is shipped, account deletion is handled manually via the same email address. We state this here to avoid misleading claims about in-app controls.

You may also lodge a complaint with a supervisory authority. For Germany, the competent authority depends on the controller's seat (e.g. Bayerisches Landesamt für Datenschutzaufsicht for Bavaria, Der Hamburgische Beauftragte für Datenschutz und Informationsfreiheit for Hamburg, etc.). The list of German DPAs is maintained by the BfDI at https://www.bfdi.bund.de.

6. Automated decision-making

We use AI to score and rank skills. No automated decision produces legal or similarly significant effects on users (Art. 22 GDPR). Scoring influences ranking in the public catalogue only.

7. Changes to this policy

Material changes are announced on the site and dated above.