Privacy Policy
Operator: AtomEons, LLC · Effective: April 29, 2026 · Last updated: April 29, 2026 · DPO contact: legal@skil.ski
AtomEons, LLC ("AtomEons," "we," "us") operates skil.ski ("Platform"). This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use the Platform and its services ("Services"). It applies to all users globally and is designed to meet the requirements of the General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act and California Privacy Rights Act ("CCPA/CPRA"), and the Children's Online Privacy Protection Act ("COPPA").
By using the Services, you agree to the collection and use of information as described in this Privacy Policy. If you do not agree, please discontinue use of the Services.
1. Information We Collect
1.1 Information You Provide
- Authentication data: When you sign in via Google OAuth or GitHub OAuth (processed through Supabase Authentication), we receive your name, email address, profile picture URL, and OAuth provider user ID. We do not receive your OAuth provider password.
- Billing information: When you subscribe or make a purchase, billing data (card number, billing address, VAT ID) is collected and stored by our payment processor, Stripe. We receive confirmation of payment status, billing address, and tax jurisdiction — we do not receive or store raw payment card data.
- Communications: If you contact us at legal@skil.ski or billing@skil.ski, we collect the content of your communications for customer support and compliance purposes.
1.2 Information We Collect Automatically
- Usage logs: We log requests to the Platform including page views, skill catalog interactions, vault dashboard actions, MCP endpoint requests (including which skills were queried), and error events.
- MCP access patterns: We record which Skilskis were accessed, enabled, disabled, or invoked via MCP, and the frequency and timing of such access — to support billing, creator royalty calculation, and security monitoring.
- Device and network data: IP address, browser type and version, operating system, referrer URL, and general geographic location derived from IP.
- Cookies and local storage: We use cookies and browser local storage as described in Section 6 and our Cookie Policy at skil.ski/legal/cookies.
1.3 Information We Do Not Collect
We do not collect, store, or have access to: raw payment card numbers or PAN data; your OAuth provider password; the content of your AI prompts or queries sent to Skilskis (queries are processed in-memory by the MCP server and are not persisted by us by default); biometric data; government ID numbers; or sensitive health information.
2. How We Use Your Information
We use personal information for the following purposes, with the indicated legal basis under GDPR:
| Purpose | GDPR Legal Basis (Art. 6) |
|---|---|
| Creating and managing your account | Art. 6(1)(b) — Contract performance |
| Processing subscriptions and payments | Art. 6(1)(b) — Contract performance |
| Delivering Skilskis via MCP endpoint | Art. 6(1)(b) — Contract performance |
| Computing creator royalties from MCP usage | Art. 6(1)(b) — Contract performance |
| Sending transactional emails (receipts, renewal notices) | Art. 6(1)(b) — Contract performance |
| Security monitoring and fraud prevention | Art. 6(1)(f) — Legitimate interests |
| Platform analytics and performance improvement | Art. 6(1)(f) — Legitimate interests |
| Compliance with legal obligations | Art. 6(1)(c) — Legal obligation |
We do not use your personal information to build advertising profiles, sell targeted advertising, or share data with advertising networks.
3. Sharing of Information
We do not sell your personal information. We do not share personal information with advertising networks or data brokers. We share personal information only in the following circumstances:
3.1 Service Providers (Data Processors)
| Processor | Purpose | Data Shared |
|---|---|---|
| Supabase, Inc. | Authentication, database hosting | Account data, usage data |
| Stripe, Inc. | Payment processing, subscription billing, invoicing, customer portal | Billing name, email, address, payment data, tax ID |
| Vercel, Inc. | Platform hosting, CDN, edge functions | Request logs, IP addresses |
Each processor is bound by a Data Processing Agreement ("DPA") and processes personal information only on our instructions and in accordance with applicable data protection law.
3.2 Legal Disclosure
We may disclose personal information if required to do so by law, regulation, court order, or government request, or if we believe in good faith that disclosure is necessary to protect the rights, property, or safety of AtomEons, our users, or the public.
3.3 Business Transfers
In the event of a merger, acquisition, reorganization, or sale of all or substantially all of AtomEons' assets, personal information may be transferred to the acquiring entity. We will notify you via email or prominent Platform notice if your data becomes subject to a different privacy policy.
3.4 Skill Creators
We share aggregated, anonymized usage statistics (e.g., invocation counts) with Skilski creators to support royalty calculations. We do not share individual user identity with creators.
4. Your Rights
4.1 GDPR Rights (EEA, UK, and Switzerland)
If you are located in the European Economic Area, United Kingdom, or Switzerland, you have the following rights under the GDPR (Regulation (EU) 2016/679) and applicable national implementing legislation:
- Art. 15 — Right of access: Request a copy of your personal data we hold.
- Art. 16 — Right to rectification: Request correction of inaccurate or incomplete data.
- Art. 17 — Right to erasure ("right to be forgotten"): Request deletion of your personal data, subject to legal retention requirements.
- Art. 18 — Right to restriction of processing: Request that we limit processing of your data in certain circumstances.
- Art. 20 — Right to data portability: Receive your personal data in a structured, commonly used, machine-readable format.
- Art. 21 — Right to object: Object to processing based on legitimate interests or for direct marketing.
- Right to withdraw consent: Where processing is based on consent, withdraw it at any time without affecting prior lawful processing.
- Right to lodge a complaint: Lodge a complaint with your local supervisory authority (e.g., the UK ICO, Ireland DPC, or other EU data protection authority).
4.2 CCPA/CPRA Rights (California Residents)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (Cal. Civ. Code § 1798.100 et seq., as amended by Prop. 24/CPRA):
- Right to know: Request disclosure of the categories and specific pieces of personal information we collect, use, disclose, and sell/share.
- Right to delete: Request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to correct: Request correction of inaccurate personal information.
- Right to opt out of sale/sharing: We do not sell or share personal information for cross-context behavioral advertising. If this changes, we will provide an opt-out mechanism.
- Right to limit use of sensitive personal information: We do not use sensitive personal information for purposes beyond those permitted under CPRA § 1798.121.
- Right to non-discrimination: We will not discriminate against you for exercising your CCPA rights.
To exercise your rights, contact us at legal@skil.ski. We will respond within the timeframe required by applicable law (generally 45 days under CCPA, 30 days under GDPR Art. 12(3)). We may need to verify your identity before processing your request.
5. Data Retention
- Account data: Retained while your account is active and for 90 days after account closure or deletion, to allow re-activation and handle disputes. After 90 days, personal data is deleted or anonymized.
- Billing records: Retained for 7 years from the date of the transaction to meet tax, accounting, and legal obligations.
- Usage logs and MCP access logs: Retained for 30 days for security monitoring and debugging, then deleted.
- Legal hold: Data subject to a legal hold, active dispute, or regulatory inquiry may be retained beyond standard retention periods until resolution.
6. Cookies and Tracking
We use cookies and similar technologies as described in our Cookie Policy at skil.ski/legal/cookies. Key cookies include session authentication tokens, the skilski_mode site-mode preference cookie, and optional analytics cookies. We do not use third-party advertising cookies or cross-site tracking.
7. International Data Transfers
AtomEons is based in the United States. If you access the Services from the EEA, UK, or other jurisdictions with data protection laws that may differ from those in the US, your data will be transferred to and processed in the United States and other countries where our service providers operate. For transfers from the EEA or UK, we rely on the European Commission's Standard Contractual Clauses ("SCCs") (Commission Implementing Decision (EU) 2021/914) and, where applicable, the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs, as our lawful transfer mechanisms. Copies of applicable SCCs are available on request at legal@skil.ski.
8. Data Security
We implement technical and organizational security measures to protect personal information against unauthorized access, loss, alteration, or disclosure, including TLS encryption in transit, encrypted storage, access controls, and regular security reviews. However, no method of transmission over the internet or electronic storage is 100% secure, and we cannot guarantee absolute security.
In the event of a personal data breach that is likely to result in a high risk to your rights and freedoms, we will notify you and applicable supervisory authorities as required by GDPR Art. 33–34 and other applicable law.
9. Children's Privacy (COPPA)
The Services are not directed to children under 13 years of age, and we do not knowingly collect personal information from children under 13. If you are under 13, do not use the Services. If we learn that we have collected personal information from a child under 13 without verifiable parental consent, we will take steps to delete that information promptly.
If you are a parent or guardian and believe your child under 13 has used the Services or provided us with personal information, please contact us at legal@skil.ski.
10. Contact and DPO
For privacy questions, rights requests, or complaints, contact:
- Privacy Contact / Data Protection Officer (DPO): legal@skil.ski
- Mailing address: AtomEons, LLC, 1209 Orange Street, Wilmington, DE 19801, United States
- EU Representative: [To be designated by counsel for GDPR Art. 27 compliance if AtomEons' EEA user base exceeds thresholds requiring an EU representative]
We aim to respond to all privacy requests within 30 days. For requests under GDPR Art. 15–20, we will respond within 30 days (with possible extension to 90 days for complex requests with written notice). For CCPA requests, we will respond within 45 days.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice by posting the updated policy at skil.ski/legal/privacy and by emailing the address associated with your account. Your continued use of the Services after the effective date constitutes acceptance of the updated policy.
This Privacy Policy is not legal advice.