
Privacy Policy

Effective Date: March 21, 2026  ·  Last Updated: March 21, 2026

1. Introduction and Identity of the Controller

This Privacy Policy describes how AiSkillsGuard ("we", "us", "our"), operated by Panam Leishangthem, collects, uses, stores, and protects personal data of users ("you", "your") who access or use the security scanning service available at www.aiskillsguard.com (the "Service").

For the purposes of the European Union General Data Protection Regulation 2016/679 ("GDPR"), the UK General Data Protection Regulation ("UK GDPR"), and all other applicable data protection legislation, Panam Leishangthem is the data controller.

Contact for privacy matters: privacy@aiskillsguard.com

2. Scope and Applicability

This Privacy Policy applies to all users of the Service globally, including but not limited to:

  • Users in the European Economic Area (EEA) — covered under GDPR (Regulation (EU) 2016/679)
  • Users in the United Kingdom — covered under UK GDPR and the Data Protection Act 2018
  • Users in California, USA — covered under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  • Users in Canada — covered under the Personal Information Protection and Electronic Documents Act (PIPEDA)
  • Users in Brazil — covered under the Lei Geral de Proteção de Dados (LGPD)
  • Users in India — covered under applicable Indian data protection regulations
  • All other users globally — covered under this policy and applicable local laws

3. Data We Collect

3.1 Data You Provide Directly

  • Email address — when you subscribe to updates, unlock unlimited scans, or contact us
  • Skill or MCP server content — the code, configuration, or URLs you submit for scanning
  • Communications — any messages you send us via email or support channels

3.2 Data Collected Automatically

  • IP address — for rate limiting, abuse prevention, and security purposes
  • Browser type and version — for compatibility and analytics
  • Operating system — for compatibility purposes
  • Referring URL — to understand how users find our Service
  • Pages visited and time spent — via privacy-respecting analytics (Plausible Analytics, which does not use cookies)
  • Scan count — stored locally in your browser via localStorage, not on our servers
  • Approximate geographic location (country/region level only) — derived from IP address

3.3 Data We Do NOT Collect

  • We do not collect or store credit card numbers or payment instrument details directly (these are handled by Stripe's PCI-DSS compliant infrastructure)
  • We do not collect biometric data
  • We do not knowingly collect data from children under the age of 16
  • We do not use advertising cookies or tracking pixels
  • We do not sell your personal data to third parties under any circumstances

4. How We Use Your Data

We process your personal data for the following purposes and legal bases:

  Purpose                                         | Legal Basis (GDPR)
  ------------------------------------------------|-----------------------------------------------
  Providing and operating the scanning Service    | Performance of contract / Legitimate interests
  Sending welcome and feature update emails       | Consent (freely given, withdrawable at any time)
  Rate limiting and abuse prevention              | Legitimate interests
  Improving scan detection quality                | Legitimate interests
  Responding to support enquiries                 | Performance of contract / Legitimate interests
  Complying with legal obligations                | Legal obligation
  Analytics to understand usage patterns          | Legitimate interests (anonymised data only)

5. Skill Content Submitted for Scanning

Critical disclosure: When you paste, upload, or link skill content for scanning, that content is transmitted to Anthropic's Claude API for security analysis. By using the Service, you acknowledge and consent to this transmission.

  • Submitted skill content is processed in real-time by Anthropic's API and is not permanently stored by us after the scan completes
  • Scan results (risk scores, findings) may be temporarily cached for performance purposes and deleted within 24 hours
  • Do NOT submit skill content containing your personal secrets, API keys, passwords, or private credentials — use test or anonymised content only
  • We are not responsible for any sensitive information you choose to include in submitted skill content
  • Anthropic's own privacy policy governs their processing of content sent to their API: anthropic.com/privacy

6. Data Retention

  • Email addresses: retained until you unsubscribe or request deletion, maximum 3 years from last interaction
  • Scan content: not retained after scan completion — processed transiently
  • Scan results: cached maximum 24 hours, then permanently deleted
  • IP address logs: retained maximum 30 days for security purposes, then deleted
  • Analytics data: aggregated and anonymised, retained indefinitely
  • Support communications: retained 2 years from resolution

7. Third-Party Service Providers

We share data with the following carefully selected third-party processors under appropriate data processing agreements:

  • Anthropic, PBC (USA) — AI analysis of submitted skill content. Anthropic maintains SOC 2 Type II compliance. Privacy policy: anthropic.com/privacy
  • Supabase Inc. (USA) — Database storage for email subscribers. Data stored in your selected region. Privacy policy: supabase.com/privacy
  • Resend Inc. (USA) — Transactional email delivery. Privacy policy: resend.com/legal/privacy-policy
  • Vercel Inc. (USA) — Application hosting and deployment. Privacy policy: vercel.com/legal/privacy-policy
  • Plausible Analytics (EU) — Privacy-first analytics. No cookies. No personal data collected. GDPR compliant by design. Privacy policy: plausible.io/privacy
  • GoDaddy (USA) — Domain registration. Privacy policy: godaddy.com/legal/agreements/privacy-policy
  • Stripe Inc. (USA) — Payment processing when applicable. PCI-DSS Level 1 certified. Privacy policy: stripe.com/privacy

All processors are required to process data only on our instructions and in accordance with applicable data protection law. We do not sell personal data to any third party.

8. International Data Transfers

AiSkillsGuard is operated globally and some of our third-party providers are based in the United States. When we transfer personal data from the EEA, UK, or other jurisdictions with data transfer restrictions to the USA or other third countries, we rely on:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The EU-US Data Privacy Framework where applicable
  • UK International Data Transfer Agreements (IDTAs) for UK transfers
  • Adequacy decisions where available

9. Your Rights

Depending on your jurisdiction, you have the following rights regarding your personal data:

9.1 Rights Under GDPR / UK GDPR (EEA and UK Users)

  • Right of access — obtain a copy of personal data we hold about you (Article 15 GDPR)
  • Right to rectification — correct inaccurate personal data (Article 16 GDPR)
  • Right to erasure ('right to be forgotten') — request deletion of your personal data (Article 17 GDPR)
  • Right to restriction of processing — limit how we use your data (Article 18 GDPR)
  • Right to data portability — receive your data in a machine-readable format (Article 20 GDPR)
  • Right to object — object to processing based on legitimate interests (Article 21 GDPR)
  • Right to withdraw consent — withdraw consent at any time without affecting prior lawful processing
  • Right to lodge a complaint with a supervisory authority — in particular the authority in your Member State of residence

9.2 Rights Under CCPA / CPRA (California Users)

  • Right to know — what personal information is collected, used, shared, or sold
  • Right to delete — request deletion of personal information
  • Right to opt-out of sale — we do not sell personal information
  • Right to non-discrimination — we will not discriminate for exercising your rights
  • Right to correct — correct inaccurate personal information
  • Right to limit use of sensitive personal information

9.3 Exercising Your Rights

To exercise any of these rights, contact us at privacy@aiskillsguard.com. We will respond within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

10. Cookies and Local Storage

We use minimal browser storage technologies:

  • localStorage — used exclusively to track scan count and email unlock status on your device. This data never leaves your browser and is not transmitted to our servers.
  • Strictly necessary cookies — session management only, no tracking cookies
  • No advertising cookies, no third-party tracking cookies, no fingerprinting

Our analytics provider (Plausible) does not use cookies and is fully GDPR compliant without requiring a cookie consent banner.

11. Data Security

We implement appropriate technical and organisational measures to protect your personal data against unauthorised access, alteration, disclosure, or destruction:

  • All data transmitted between your browser and our servers is encrypted via TLS 1.2/1.3
  • API keys and secrets are stored as environment variables, never in source code
  • Database access is protected by Row Level Security (RLS) policies
  • No payment card data is stored on our infrastructure — handled entirely by Stripe
  • Access to personal data is restricted to the minimum necessary
  • Regular security reviews of our codebase and dependencies

Despite these measures, no method of transmission over the internet is 100% secure. We cannot guarantee absolute security but commit to promptly notify affected users in the event of a data breach as required by applicable law.

12. Children's Privacy

The Service is not directed to children under the age of 16 (or 13 in jurisdictions where that is the applicable minimum age). We do not knowingly collect personal data from children. If you become aware that a child has provided us with personal data without parental consent, please contact us at privacy@aiskillsguard.com and we will delete such information promptly.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify registered email subscribers and update the effective date at the top of this document. Your continued use of the Service after changes constitutes acceptance of the updated policy. We recommend reviewing this policy periodically.

14. Supervisory Authority

If you are in the EEA and believe we have not handled your data correctly, you have the right to lodge a complaint with your local data protection supervisory authority. A list of EEA supervisory authorities is available at: edpb.europa.eu/about-edpb/board/members_en

UK users may contact the Information Commissioner's Office (ICO): ico.org.uk

15. Contact Us

For any privacy-related questions, requests, or complaints:

  • Email: privacy@aiskillsguard.com
  • Website: www.aiskillsguard.com
  • Operator: Panam Leishangthem
  • Response time: within 30 days of receipt