Privacy Policy

Effective Date: February 20, 2026 · Last Updated: February 20, 2026

This Privacy Policy (“Policy”) describes how localskills.sh (“Company,” “we,” “us,” or “our”) collects, uses, stores, and protects information when you use our website, APIs, command-line interface tool, and related services (collectively, the “Service”). By using the Service, you consent to the practices described in this Policy.

1. Information We Collect

1.1 Account Information. When you sign in via a third-party OAuth provider (currently Google), we receive and store the following:

  • Name
  • Email address
  • Profile image URL
  • OAuth provider account identifiers

You may also provide a username and bio through your profile settings. We do not receive or store your OAuth provider password.

1.2 User-Generated Content. When you publish Skills, rules, or other content, we store that content (including version history) to provide the Service. Skill content is limited to 512 KB per version.

1.3 Download Analytics. When a Skill is downloaded, we collect:

  • A one-way cryptographic hash (HMAC-SHA256) of the requester’s IP address — we never store raw IP addresses
  • User agent string
  • Download source (web, CLI, or API)
  • Timestamp

If you are authenticated at the time of download, your user ID may be associated with the download record for attribution within your Team’s analytics dashboard.

1.4 Team and Organization Data. If you create or join a Team, we store team metadata (name, description, avatar), membership records, role assignments, and invitation records.

1.5 Enterprise Authentication Data. If your organization configures SAML SSO, SCIM provisioning, or OIDC trust policies, we process and store identity provider metadata, SAML assertions (for replay prevention), SCIM provisioning events, external user identifiers, and group membership mappings as necessary to provide these features.

1.6 API Tokens and Device Codes. We store cryptographic hashes (SHA-256) of API tokens and CLI device codes. We do not store plaintext tokens after issuance.

1.7 Audit Logs. For Teams, we log administrative actions (skill publication, membership changes, SSO events, token management) for security and compliance purposes. Audit logs include the action performed, the actor, the affected resource, and a timestamp.

1.8 Automatically Collected Data. Our infrastructure provider (Cloudflare) may automatically collect standard request metadata such as IP addresses, request headers, and access timestamps for security, performance, and abuse prevention purposes. This data is subject to Cloudflare’s Privacy Policy.

2. How We Use Your Information

We use the information we collect to:

  • Provide, operate, and maintain the Service, including authenticating your identity and managing your account;
  • Display your profile information (name, username, avatar) to other users as part of the platform’s social features;
  • Generate aggregate, anonymized download statistics to display Skill popularity;
  • Provide Team administrators with activity analytics and audit trails;
  • Detect, prevent, and respond to security incidents, fraud, abuse, and violations of our Terms of Service;
  • Enforce rate limits and protect platform stability;
  • Comply with applicable legal obligations; and
  • Communicate with you about the Service (e.g., security alerts, material changes to these terms).

3. Cookies and Similar Technologies

We use a minimal set of cookies, all strictly necessary for the operation of the Service:

Cookie                          Purpose                      Duration
__Secure-authjs.session-token   Session authentication       Session
__d1_bookmark                   Database read consistency    Session
sso_verify_token                Temporary SSO verification   Deleted after SSO flow

All cookies are set with the HttpOnly, Secure, and SameSite=Lax attributes. We do not use advertising cookies, tracking pixels, analytics scripts, or any third-party tracking technologies.

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data. We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

4.2 Service Providers. We share information with the following categories of service providers, solely as necessary to operate the Service:

  • Cloudflare — hosting, content delivery, database (D1), object storage (R2), DDoS protection, and rate limiting
  • Google — OAuth authentication

4.3 Enterprise Identity Providers. If your organization uses SAML SSO, SCIM, or OIDC, data is exchanged between the Service and your organization’s configured identity provider as necessary to authenticate users and synchronize provisioning data. This data exchange is initiated and controlled by your organization’s administrator.

4.4 Legal Obligations. We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or abuse; or (d) protect the safety of users or the public.

4.5 Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via the Service or email before your information becomes subject to a different privacy policy.

5. Data Retention

  • Account data is retained for as long as your account is active. Upon account deletion, your personal information is removed, subject to reasonable backup periods and any legal retention obligations.
  • User Content (Skills and versions) is retained until you delete it or your account is terminated.
  • Audit logs are automatically purged ninety (90) days after the date of the logged event.
  • Download analytics are retained indefinitely in anonymized, aggregated form. Individual download records containing hashed IP addresses may be retained for analytics purposes.
  • SAML assertion identifiers are retained until their expiration timestamp for replay prevention, then automatically deleted.
  • Expired API tokens and device codes are periodically purged from the database.

6. Data Security

We implement reasonable technical and organizational measures to protect your information, including:

  • Encryption in transit via HTTPS/TLS for all communications;
  • Cryptographic hashing of API tokens, device codes, and SCIM tokens (SHA-256) — plaintext values are never stored;
  • One-way HMAC-SHA256 hashing of IP addresses for download analytics — raw IP addresses are never stored in our database;
  • HttpOnly, Secure session cookies to prevent cross-site scripting attacks;
  • SAML assertion replay prevention via assertion identifier logging;
  • Rate limiting to prevent brute-force and abuse attacks; and
  • Role-based access control for Team resources.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

  • Access — Request a copy of the personal data we hold about you;
  • Correction — Update or correct inaccurate personal information via your account settings;
  • Deletion — Request deletion of your account and associated personal data;
  • Portability — Request an export of your data in a structured, machine-readable format;
  • Restriction — Request that we restrict the processing of your personal data under certain circumstances; and
  • Objection — Object to the processing of your personal data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us via the information provided in Section 12 below. We will respond to verifiable requests within thirty (30) days or as required by applicable law.

8. International Data Transfers

The Service is operated from and data is stored on Cloudflare’s global network, which includes infrastructure in multiple countries. By using the Service, you acknowledge that your information may be transferred to, stored, and processed in jurisdictions outside your country of residence, including the United States, which may have data protection laws that differ from those in your jurisdiction.

9. CLI Tool Privacy

The localskills CLI tool stores authentication credentials locally on your machine at ~/.config/localskills/config.json. The CLI communicates with our API servers to authenticate, search, and download Skills. We do not collect telemetry, usage analytics, or crash reports from the CLI tool.

10. Children’s Privacy

The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Last Updated” date at the top of this page and, where practicable, by providing notice through the Service. Your continued use of the Service after such changes constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically.

12. Contact

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us via GitHub.