Yours, not ours.

SkillFlirt is operated by SkillFlirt, Inc., a Delaware corporation based in the United States. We are the data controller for the information described in this policy. Reach our privacy team at privacy@skillflirt.net.

Note: legal entity name is a placeholder pending incorporation — confirm the registered company name before public launch.

EU representative (Art. 27 GDPR): If you reside in the EU/EEA or UK, our representative for data protection inquiries can be reached at [TBD — to be appointed before EU launch].

We collect your account details (email, name), the inputs and outputs from your generations, and basic usage stats. We use them to provide the service, bill you, and prevent abuse. We share with a small set of trusted sub-processors (listed below) — never with advertisers or data brokers.

You can delete your account in Settings → Account → Delete or email privacy@skillflirt.net. We honor deletion within 7 days.

• Account: email, name, profile photo (if you upload one). Your password is hashed and stored by Clerk — we never see it in plain text.
• Generations: every input you submit (chat text, profile details, role-play context) and every output we generate (lines, bios, replies, scorecards), stored in our database so you can revisit them. Chat-screenshot images are processed in-memory at the moment of analysis and not stored server-side.
• Usage: how many generations you’ve used today (for rate limiting), feature breakdown by month (for usage stats inside Settings).
• Payment: handled by Stripe (web) or Apple/Google via RevenueCat (mobile). We receive a customer ID, your plan, and subscription status — we never see card numbers, CVCs, or bank details.
• Tech: standard web logs (IP address, user agent, timestamps) for security, debugging, and abuse prevention.

• Provide the service — auth, generations, history. Lawful basis: contract.
• Transactional email — security, billing, account notifications. Lawful basis: contract.
• Abuse prevention + rate limiting — fraud, spam, scrape protection. Lawful basis: legitimate interest in keeping the service safe and available.
• Optional analytics — only when you opt in via the cookie banner. Lawful basis: consent.
• Marketing email — only if you opt in. Lawful basis: consent. Unsubscribe any time from the email or in Settings.
• Aggregate product improvement — de-identified, aggregated metrics only. Lawful basis: legitimate interest.

• Clerk — authentication. Holds passwords (hashed), session tokens, and sign-in history.
• Vercel — hosting and CDN. Stores request logs.
• Neon — primary Postgres database. Encrypted at rest, hosted in the US.
• Stripe — web subscription payments. PCI-compliant; handles all card data.
• RevenueCat — mobile subscription management on iOS and Android.
• Apple App Store + Google Play — mobile in-app billing for App Store and Play Store purchases.
• OpenRouter + Google Gemini — AI inference. Receive your inputs (text and screenshots) only at the moment of generation. OpenRouter does not retain prompts beyond the request; Gemini handles vision/OCR for chat-screenshot analysis.
• Sentry — crash and error reporting (optional, scrubbed of PII).
• PostHog — product analytics (opt-in only, via the cookie banner).
• Firebase Cloud Messaging — push notification delivery on mobile (optional).

We do not sell your data to advertisers, data brokers, or third-party marketers.

• Account data: kept while your account is active.
• After deletion: erased within 7 days from primary stores; encrypted backups overwrite within 30 days.
• Generation outputs: kept while your account is active. Chat-screenshot images are processed in-memory and not stored server-side.
• Usage logs: 12 months, for fraud and abuse prevention.

• Access: request a copy of your data by emailing privacy@skillflirt.net.
• Deletion: Settings → Account → Delete or email us. We process requests within 7 days.
• Correction: update your profile in Settings, or ask us.
• Portability: we can export your generation history as JSON.
• Object / restrict: you can object to processing based on legitimate interest, or ask us to restrict it.
• Withdraw consent: any consent (analytics, marketing) can be withdrawn at any time without affecting past lawful processing.

EU/UK residents have the right to complain to a supervisory authority. Find yours at edpb.europa.eu/about-edpb/board/members_en. We’d rather you came to us first — but it’s your right either way.

California residents have the right to know, delete, correct, and limit use of sensitive personal information. We do not sell or share personal information for cross-context behavioral advertising. To exercise these rights, email privacy@skillflirt.net.

Notice of Right to Opt-Out.

Your data is processed in the United States. We rely on the EU-US Data Privacy Framework (where available) and Standard Contractual Clauses for transfers from the EU/EEA/UK. We’ve evaluated and rely on the safeguards built into our sub-processors (Clerk, Neon, Vercel, Stripe, RevenueCat) for cross-border transfers.

We send opt-in push notifications about your account activity, daily quota resets, and product updates. Disable them in iOS Settings → Notifications, Android Settings → Apps → SkillFlirt → Notifications, or in Settings → Notifications inside the app.

SkillFlirt is for adults 18+. We do not knowingly collect data from anyone under 18. If you believe a minor created an account, email privacy@skillflirt.net and we’ll delete it.

See the Cookie Policy for the full breakdown of which cookies we set, why, and how to opt out of analytics.

We protect your data with TLS 1.2+ in transit, encryption at rest in Neon Postgres, principle-of-least-privilege access controls, and regular dependency audits. We’ve never had a breach. If we ever do, we’ll notify affected users within 72 hours of confirming it, as required by GDPR.

We may update this Privacy Policy. For material changes, we’ll notify you via email at least 30 days before they take effect. Otherwise, we’ll update the “Last updated” date at the top of this page. Continued use after the effective date means you accept the new policy.

Privacy questions, data access requests, or anything else:
privacy@skillflirt.net
Our Data Protection Officer (DPO) is reachable at the same address.