Privacy Policy

This Privacy Policy (“Policy”) describes how EZ Game Host, LLC (“Company,” “we,” “us,” or “our”), the owner and operator of localskills.sh, collects, uses, stores, and protects information when you use our website, APIs, command-line interface tool, and related services (collectively, the “Service”). By using the Service, you consent to the practices described in this Policy.

1. Information We Collect

1.1 Account Information. When you sign in via a third-party OAuth provider (currently Google), we receive and store the following:

• Name
• Email address
• Profile image URL
• OAuth provider account identifiers

You may also provide a username and bio through your profile settings. We do not receive or store your OAuth provider password.

1.2 User-Generated Content. When you publish Skills, rules, or other content, we store that content (including version history) to provide the Service. Skill content is limited to 512 KB per version.

1.3 Download Analytics. When a Skill is downloaded, we collect:

• A one-way cryptographic hash (HMAC-SHA256) of the requester’s IP address — we never store raw IP addresses
• User agent string
• Download source (web, CLI, or API)
• Timestamp

If you are authenticated at the time of download, your user ID may be associated with the download record for attribution within your Team’s analytics dashboard.

1.4 Team and Organization Data. If you create or join a Team, we store team metadata (name, description, avatar), membership records, role assignments, and invitation records.

1.5 Enterprise Authentication Data. If your organization configures SAML SSO, SCIM provisioning, or OIDC trust policies, we process and store identity provider metadata, SAML assertions (for replay prevention), SCIM provisioning events, external user identifiers, and group membership mappings as necessary to provide these features.

1.6 API Tokens and Device Codes. We store cryptographic hashes (SHA-256) of API tokens and CLI device codes. We do not store plaintext tokens after issuance.

1.7 Audit Logs. For Teams, we log administrative actions (skill publication, membership changes, SSO events, token management) for security and compliance purposes. Audit logs include the action performed, the actor, the affected resource, and a timestamp.

1.8 Automatically Collected Data. Our infrastructure provider (Cloudflare) may automatically collect standard request metadata such as IP addresses, request headers, and access timestamps for security, performance, and abuse prevention purposes. This data is subject to Cloudflare’s Privacy Policy.

1.9 Optional Product Analytics and Session Replay. If you accept analytics cookies, we use PostHog to collect product usage events, feature flag evaluations, page navigation, browser and device metadata, account identifiers for signed-in users, and session replay recordings. Session replay is configured to mask or block sensitive surfaces such as tokens, secret fields, SSO/SCIM configuration, audit-log details, and Skill content. PostHog traffic is sent through our first-party ingest proxy at https://f.localskills.sh.

2. How We Use Your Information

We use the information we collect to:

• Provide, operate, and maintain the Service, including authenticating your identity and managing your account;
• Display your profile information (name, username, avatar) to other users as part of the platform’s social features;
• Generate aggregate, anonymized download statistics to display Skill popularity;
• Provide Team administrators with activity analytics and audit trails;
• With your consent, understand product usage, evaluate feature flags, and improve the Service using PostHog analytics and session replay;
• Detect, prevent, and respond to security incidents, fraud, abuse, and violations of our Terms of Service;
• Enforce rate limits and protect platform stability;
• Comply with applicable legal obligations; and
• Communicate with you about the Service (e.g., security alerts, material changes to these terms).

2.1 Automated Decision-Making

We do not engage in automated decision-making that produces legal or similarly significant effects on you, including profiling.

3. Cookies and Similar Technologies

We use strictly necessary cookies for the operation of the Service and optional analytics storage only after you consent:

Authentication cookies are set with HttpOnly, Secure, and SameSite=Lax attributes. Optional analytics uses PostHog only after consent and is sent through https://f.localskills.sh. We do not use advertising cookies or sell personal information.

You can review and update your cookie preferences at any time:

3.5 Notice at Collection (California)

In the past twelve (12) months, we have collected the following categories of personal information, as those categories are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA):

We do not sell or share personal information for cross-context behavioral advertising.

4. Data Sharing and Disclosure

4.1 We Do Not Sell Your Data. We do not sell, rent, or trade your personal information to third parties for marketing or advertising purposes.

4.2 Sub-processors. We use a limited set of sub-processors to operate the Service. The current list, with each sub-processor’s role and links to their data protection terms, is maintained at /legal/sub-processors. We will update that page when sub-processors change and, where commercially reasonable, provide thirty (30) days’ advance notice via the Service before adding a new sub-processor that processes personal data.

4.3 Enterprise Identity Providers. If your organization uses SAML SSO, SCIM, or OIDC, data is exchanged between the Service and your organization’s configured identity provider as necessary to authenticate users and synchronize provisioning data. This data exchange is initiated and controlled by your organization’s administrator.

4.4 Legal Obligations. We may disclose your information if required to do so by law, court order, or governmental regulation, or if we believe in good faith that such disclosure is necessary to: (a) comply with a legal obligation; (b) protect and defend our rights or property; (c) prevent fraud or abuse; or (d) protect the safety of users or the public.

4.5 Business Transfers. In the event of a merger, acquisition, reorganization, bankruptcy, or sale of assets, your information may be transferred as part of that transaction. We will notify you via the Service or email before your information becomes subject to a different privacy policy.

5. Data Retention

• Account data is retained for as long as your account is active. Upon account deletion, your personal information is removed, subject to reasonable backup periods and any legal retention obligations.
• User Content (Skills and versions) is retained until you delete it or your account is terminated.
• Audit logs are automatically purged ninety (90) days after the date of the logged event.
• Download analytics are retained indefinitely in anonymized, aggregated form. Individual download records containing hashed IP addresses may be retained for analytics purposes.
• PostHog analytics are retained according to our PostHog project retention settings and are collected only after analytics consent.
• SAML assertion identifiers are retained until their expiration timestamp for replay prevention, then automatically deleted.
• Expired API tokens and device codes are periodically purged from the database.

6. Data Security

We implement reasonable technical and organizational measures to protect your information, including:

• Encryption in transit via HTTPS/TLS for all communications;
• Cryptographic hashing of API tokens, device codes, and SCIM tokens (SHA-256) — plaintext values are never stored;
• One-way HMAC-SHA256 hashing of IP addresses for download analytics — raw IP addresses are never stored in our database;
• HttpOnly, Secure session cookies to prevent cross-site scripting attacks;
• SAML assertion replay prevention via assertion identifier logging;
• Rate limiting to prevent brute-force and abuse attacks; and
• Role-based access control for Team resources.

No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security.

6.1 Data Breach Notification

In the event of a personal data breach affecting your information, we will notify affected users without undue delay and, where required, within seventy-two (72) hours of becoming aware of the breach, in accordance with applicable law.

7. Your Rights and Choices

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access — Request a copy of the personal data we hold about you;
• Correction — Update or correct inaccurate personal information via your account settings;
• Deletion — Request deletion of your account and associated personal data;
• Portability — Request an export of your data in a structured, machine-readable format;
• Restriction — Request that we restrict the processing of your personal data under certain circumstances; and
• Objection — Object to the processing of your personal data where we rely on legitimate interests as the legal basis.

To exercise any of these rights, please contact us via the information provided in Section 12 below. We will respond to verifiable requests within thirty (30) days or as required by applicable law.

7.1 California Privacy Rights

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), including the right to know, delete, correct, limit the use of sensitive personal information, and not be discriminated against for exercising these rights. To exercise these rights, email support@ezgamehost.com. You may use an authorized agent by providing written authorization signed by you.

Do Not Sell or Share My Personal Information. We do not sell your personal information or share it for cross-context behavioral advertising. To submit a request related to this right, email support@ezgamehost.com with subject “Do Not Sell or Share.”

7.2 European Economic Area, United Kingdom, and Switzerland

EZ Game Host, LLC is the data controller for personal information processed through the Service. Our lawful bases for processing under Article 6 of the GDPR (and equivalent UK/Swiss law) are: (a) performance of a contract (operating your account and the Service); (b) legitimate interests (security, fraud prevention, abuse detection); (c) compliance with legal obligations; and (d) your consent for optional PostHog analytics, feature flags, and session replay.

We do not currently maintain an Article 27 EU/UK representative because we do not target EU/UK markets and do not engage in large-scale processing of personal data of individuals in the EU or UK. We will designate a representative if these circumstances change. Where personal data is transferred outside your jurisdiction, we rely on appropriate safeguards, including Standard Contractual Clauses where applicable.

You have the right to lodge a complaint with your local supervisory authority.

8. International Data Transfers

The Service is operated from and data is stored on Cloudflare’s global network, which includes infrastructure in multiple countries. By using the Service, you acknowledge that your information may be transferred to, stored, and processed in jurisdictions outside your country of residence, including the United States, which may have data protection laws that differ from those in your jurisdiction.

9. CLI Tool Privacy

The localskills CLI tool stores authentication credentials locally on your machine at ~/.config/localskills/config.json. The CLI communicates with our API servers to authenticate, search, and download Skills. We do not collect telemetry, usage analytics, or crash reports directly from the CLI tool. Browser-based CLI authorization pages may send PostHog analytics only after you have accepted analytics consent in that browser, and direct CLI/API requests without that consent signal do not send PostHog telemetry.

10. Children’s Privacy

The Service is not directed at individuals under the age of sixteen (16). We do not knowingly collect personal information from children. If we become aware that a child under 16 has provided us with personal information, we will take steps to delete such information promptly. If you believe we have inadvertently collected information from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the “Last Updated” date at the top of this page and, where practicable, by providing notice through the Service. Your continued use of the Service after such changes constitutes your acceptance of the revised Policy. We encourage you to review this Policy periodically.

12. Contact

For questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact EZ Game Host, LLC at support@ezgamehost.com.

13. Change History

• May 10, 2026 — Added opt-in PostHog product analytics, feature flags, session replay disclosures, and consent preference details.
• April 25, 2026 — Identified EZ Game Host, LLC as operator; added CCPA Notice at Collection, EEA/UK rights section, breach notification, sub-processors page reference.
• February 20, 2026 — Initial publication.