SkillKnex policy
Privacy Policy
How SkillKnex collects, uses, shares, and protects your personal data, and the rights you have under UK data protection law.
Version 1.0 · June 20261. Who we are
SkillKnex Ltd ("SkillKnex", "we", "us", "our") is the controller of your personal data. SkillKnex Ltd is being incorporated in England and Wales. Before this policy is published as final, we will add the Companies House number ([Companies House number: to confirm]), registered office ([registered office address: to confirm]), and ICO registration number ([ICO registration number: to confirm]).
We process personal data in line with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable UK data protection law.
- Privacy enquiries and data-rights requests: privacy@skillknex.com
- Data Protection contact / representative: privacy@skillknex.com [DPO or UK representative details: to confirm]
2. The personal data we collect
Account and profile
- Username, email address, and password (stored only as a secure hash: never in plain text)
- Optional: full name, profile photo, short bio, and country
- Settings such as timezone, theme, and notification and analytics preferences
Content you create
Comments, AI prompts, and, if you are a creator, lessons and lesson media.
Action Proofs, including any text, image, or video you submit. Media may show people, places, or other personal information; you control whether an Action Proof is shared publicly, and you should not include other people without their consent.
Activity and learning behaviour
- Lessons watched, liked, saved, and committed to ("I Did This"), prompts used, comments, and shares
- Watch history, streaks, category interests, and follow-up responses ("did you actually do it?")
- Leaderboard and ranking data
Some of these are kept as permanent, append-only records (for example "I Did This" logs and your interaction history). We rely on them for streak integrity, reward and fraud checks, and analytics. After account deletion they are retained only in pseudonymised form (see Section 8).
Social
Accounts you follow and that follow you, and users you block.
Creator and verification data
If you apply to be a creator or for verification, we collect your application details and, for professional ("Tier 2") credentials, the profession, regulator, jurisdiction, and a public credential reference so we can check it against the relevant public register. We do not ask you to upload private identity documents for this.
Rewards and virtual economy
Your SKX and XP balances and an append-only ledger of how they were earned, spent, held, or reversed. SKX and XP have no monetary value (see the Virtual Currency Terms).
Device, technical, and notification data
- Device type, operating system, and app version
- IP address (used transiently for security and rate-limiting) and request identifiers in short-lived logs
- A push notification identifier and delivery logs, when you enable notifications
- Device-integrity signals used to prevent abuse (via Firebase App Check)
Communications and support
Emails we send you (verification, account, and service messages) and any support requests, appeals, or reports you send us.
Analytics (only if you opt in)
If you turn on analytics in Settings, we collect product-usage events to understand and improve the app. Analytics is off by default and you can turn it off again at any time.
3. How we use your data, and our lawful bases
| Purpose | Lawful basis |
|---|---|
| Create your account and provide the Service | Performance of a contract |
| Show your profile, content, and activity to other users as you direct | Performance of a contract |
| Calculate streaks, progress, rewards, and rankings | Performance of a contract |
| Send account and service emails | Performance of a contract |
| Keep the Service safe: moderation, anti-fraud, anti-abuse, security | Legitimate interests; legal obligation |
| Verify creator credentials against public registers | Legitimate interests |
| Improve the app, fix problems, and develop features | Legitimate interests |
| Product analytics | Consent (opt-in) |
| Send push notifications | Consent |
| Comply with legal obligations and respond to lawful requests | Legal obligation |
We do not sell your personal data, and we do not show you advertising based on your data.
4. Sensitive information
We do not intentionally collect special-category data such as health, beliefs, or sexuality. Because Action Proofs can include images, video, and free text, they may inadvertently reveal sensitive information. Please do not share sensitive personal information about yourself or others in content you post. You can keep Action Proofs private, and you can delete your content at any time.
5. Who we share data with
We use carefully selected service providers ("processors") to run SkillKnex. They may only process your data on our instructions under a data processing agreement, and not for their own purposes.
| Provider | What it does | Data it receives | Location |
|---|---|---|---|
| Supabase | Database, authentication, file storage | Account, profile, content, activity, creator data | London, UK (AWS eu-west-2) |
| Railway | API hosting | Request data in transit (no separate store) | US |
| Mux | Video hosting, encoding, captions/transcripts | Lesson and Action Proof videos; auto-generated transcripts | US / global edge |
| Cloudflare | Image storage (R2), website CDN, DNS, security | Avatars, thumbnails, lesson/proof images; IP address for security | Global edge |
| OneSignal | Push notification delivery | A user/device push identifier and notification content | US |
| Resend | Transactional and account email | Email address, name, message content | US / EU |
| Google Firebase (App Check) | App-integrity / anti-abuse checks | Device-attestation tokens and app/device signals | US |
| PostHog | Product analytics (only if you opt in) | Usage events, device/app info, a user identifier | US |
| Expo / EAS | Mobile builds and app updates | App bundle; limited update-check signals | US |
| Anthropic (Claude) | AI features (e.g. understanding search queries) | The text you submit to that feature (e.g. a search query) | US |
We also share data with other users where you choose to make content or your profile public; with authorities, advisers, or others where needed to comply with the law, enforce our terms, or protect people's safety; and with a buyer or successor if our business is reorganised, sold, or transferred. If your data becomes subject to a different privacy policy, we will tell you where required.
6. International data transfers
Your data is primarily stored in the UK through Supabase in London. Some providers above are based in the United States or operate globally. Where we transfer personal data outside the UK, we use appropriate safeguards such as the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, or rely on a UK adequacy decision where one applies.
7. How long we keep your data
| Data | Retention |
|---|---|
| Account and profile | Until you delete your account, then removed or anonymised (see below) |
| Content (comments, prompts, lessons, Action Proofs) | Until you delete it, or it is removed under our policies; then deleted or anonymised |
| Activity, streak, and reward-ledger records | Append-only; retained in pseudonymised form after deletion for fraud prevention, ledger integrity, and audit |
| Push delivery logs | Short-term, for deliverability and troubleshooting |
| Email delivery logs (Resend) | About 30 days |
| API request logs (Railway) | About 7 days |
| Anonymised / aggregated analytics | Indefinitely (no longer identifies you) |
When you delete your account, deletion is scheduled with a 30-day grace period (so you can change your mind). After that, we delete or anonymise your personal data and write a minimal, hashed "tombstone" record so the account cannot be re-created with the same identity and to evidence that erasure was completed. Permanent, append-only records are retained only in pseudonymised form for the purposes above.
8. Your rights
Under UK data protection law you have the right to: be informed; access your data; have inaccurate data corrected; have your data erased; restrict or object to processing; data portability; withdraw consent; and not be subject to decisions based solely on automated processing that have a legal or similarly significant effect (we do not make such decisions).
How to use them in the app
- Access / portability: Settings / Privacy / Download My Data exports your data in a machine-readable format (limited to once every 7 days).
- Rectification: edit your profile in Settings / Edit Profile.
- Erasure: Settings / Account / Delete Account (30-day grace period, then permanent).
- Withdraw consent: turn analytics off in Settings / Privacy, and notifications off in Settings / Notifications or your device settings.
For any other request, contact privacy@skillknex.com. We will respond within one month (we may extend by up to two further months for complex requests, and will tell you if so). Exercising your rights is free unless a request is manifestly unfounded or excessive.
9. How to complain
If you are unhappy with how we have handled your data, please contact us first at privacy@skillknex.com. We will acknowledge your complaint within 30 days, investigate, and tell you the outcome.
You also have the right to complain to the UK Information Commissioner's Office (ICO) at ico.org.uk or on 0303 123 1113. We'd appreciate the chance to resolve things first.
10. Children's privacy
SkillKnex is for users aged 13 and over and is not directed at children under 13. We do not knowingly collect personal data from under-13s; if we learn that we have, we will delete it. If you believe a child under 13 has given us personal data, contact privacy@skillknex.com.
We design with the ICO's Age Appropriate Design Code (Children's Code) in mind and apply extra care to users we know to be under 18. Users aged 13-17 should use SkillKnex with parent or guardian involvement. Before launch, we must confirm the age-capture and age-assurance flow matches this policy.
11. How we protect your data
- Encryption in transit (HTTPS / TLS) for all traffic
- Passwords hashed by our authentication provider; never stored in plain text
- Database access restricted by row-level security policies
- Rate limiting and app-integrity checks to deter abuse
- Session tokens held in device secure storage (iOS Keychain / Android Keystore)
- Regular security reviews and dependency audits
No system is perfectly secure, but we work hard to protect your data and will notify you and the ICO of a personal data breach where the law requires.
12. Cookies and similar technologies
The mobile app does not use cookies. The website uses a small number of essential and (with your consent) analytics technologies. See our Cookie Policy for details.
13. Changes to this policy
We may update this policy from time to time. For significant changes we will give notice (for example in-app) before they take effect. The current version is always available in the app under Settings / Legal and at skillknex.com/privacy.
14. Contact
- Privacy: privacy@skillknex.com
- Support: support@skillknex.com
- Legal: legal@skillknex.com
- Abuse and safety reports: abuse@skillknex.com