Security / Pattern Tracking
Anonymized Pattern Tracking
Operator: AtomEons Systems Laboratory · Published: May 4, 2026 · Privacy contact: privacy@skill.ski
skil.ski collects fully anonymized aggregate execution patterns to improve platform routing, ranking, and skill quality. No user identifier, token, IP address, prompt, or output is collected. The data is legally anonymous under GDPR Recital 26 — not pseudonymous — and no opt-out mechanism is required or offered because there is nothing identifying to withdraw.
What is collected
Each invocation contributes one increment to an aggregate counter row. The row is keyed on the combination of five dimensions:
| Column | Type | Description | Example |
|---|---|---|---|
skill_slug | text | Which skill ran | database-migration-runbook |
sector | text | Skill industry sector from frontmatter | tech-startup |
outcome | text | Structured execution result | success |
latency_bucket | text | Bucketed response-time range | lt500ms |
day | date | Calendar day (not timestamp) | 2026-05-04 |
count | integer | Number of invocations with this combination on this day | 42 |
What is NOT collected
- User ID, account email, or any account identifier
- Bearer token or token hash
- IP address or network information
- Prompt content or structured input JSON
- Skill output or structured output JSON
- Session ID or request ID
- Anthropic-AUP-protected field contents (legal, medical, or financial advice content)
Why this is legally anonymous
GDPR Recital 26 states that data protection law does not apply to information that has been rendered anonymous in such a manner that the data subject is not identifiable. The pattern_tracking table contains no field — individually or in combination — that could identify a natural person. There is no user_id, no token, no IP address, and no timestamp narrower than a calendar day. The combination (slug, sector, outcome, latency bucket, day) identifies a category of execution, not a person.
The legal basis cited in the Privacy Policy for this collection is GDPR Art. 6(1)(f) legitimate interest: platform improvement, self-healing, and quality benchmarking for which there is a genuine business need and no disproportionate impact on data subjects (because no personal data is processed).
How the data is used
- Dynamic skill ranking: High-success, low-latency skills surface higher in catalog search results.
- Self-healing routing: Skills with elevated error or timeout rates are flagged for review before they affect additional subscribers.
- Verified-skill quality benchmark: The Operator-Verified badge process uses aggregate field outcome data as one input to ongoing quality scoring.
- Fill-rate public reporting: Aggregated pattern data is the source for the public /api/registry/fill-rate endpoint, which exposes anonymized catalog-level health metrics.
Access and read access
The pattern_tracking table is protected by Supabase Row-Level Security. Only the platform operator account can read aggregate rows. No subscriber, creator, or third party has read access. The table is append-only for the write path (service role); no individual row can be modified or deleted through the normal invocation path.
Opt-out
No opt-out is offered for active subscribers. Because the data is fully anonymous under GDPR Recital 26, there is no personal data to which Art. 21 (right to object) attaches. Terminating your subscription ends any further pattern contributions.
Contact
Questions about this data model: privacy@skill.ski. Security findings: security@skill.ski.
See also: Privacy Policy §4b · Trust page · Published: May 4, 2026 · AtomEons Systems Laboratory.