Privacy Policy

Effective date: April 14, 2026 · Last updated: April 17, 2026

This policy explains what data SecureSkill collects, why we collect it, how long we keep it, and what rights you have over it. We've written it to be direct and specific — not to bury important details in legal language.

1. Who we are

SecureSkill is a product operated by CleverMind AI LLC, an Arizona limited liability company, doing business as SecureSkill. References to “SecureSkill,” “we,” “us,” or “our” mean CleverMind AI LLC d/b/a SecureSkill. Our privacy contact is support@secureskill.ai.

2. What we collect and why

2.1 Account data (OAuth authentication)

SecureSkill uses GitHub and Google OAuth for authentication. We do not store passwords. When you sign in, we receive from your OAuth provider:

  • Your email address
  • Your display name and profile picture URL
  • A unique identifier assigned by the OAuth provider

We use this data solely to create and maintain your account and to associate your scans and scan history with your account. We do not use it for advertising or share it with third parties for marketing purposes.

2.2 Submitted content

When you submit a skill for scanning, we receive and process the content you submit — which may include code, scripts, configuration files, package manifests, or URLs. We use submitted content to perform the scan and generate your permanent, shareable scan report accessible via a unique URL.

Do not submit content containing passwords, credentials, private keys, trade secrets, or other sensitive proprietary information. This includes internal organizational workflows, proprietary business logic, or any skill containing information that, if disclosed, would cause competitive or legal harm to your organization. Scan reports are accessible to anyone who has the report link — see Section 3.

We retain submitted content for up to 12 months as described in Section 5.

2.3 Scan results and metadata

We store the results of each scan — including the verdict (SAFE, CAUTION, or BLOCK), findings, scoring data, and the scan report itself — associated with your account. This data is used to provide you with your scan history, generate shareable scan reports, and improve our detection capabilities.

2.4 Usage and analytics data

We use Vercel Analytics to understand how the platform is used. Vercel Analytics is cookieless and does not collect personal identifiers. It collects:

  • Page views and navigation paths
  • Referring URL
  • Device type, operating system, and browser
  • Country-level location (not city or street level)

This data cannot be used to identify you individually. It is used to improve platform performance and user experience.

2.5 Server and API logs

Our infrastructure automatically generates logs containing IP addresses, request timestamps, endpoints accessed, and response codes. These logs are used for security monitoring, rate limiting, debugging, and service reliability. They are not used to build profiles of individual users.

2.6 Cookies and tracking

We use a session cookie solely to maintain your authenticated state after sign-in. We do not use advertising cookies, third-party tracking cookies, or fingerprinting technologies.

3. Scan report visibility

Scan reports are accessible via unique shareable URLs. Anyone who has the link can view the report — there is no additional authentication required to view a report URL. We do not currently maintain a public index or registry of scan reports; reports are only discoverable if the URL is shared.

You should treat any scan report URL as potentially public. Do not share scan report URLs for content you consider confidential.

Enterprise plan subscribers may request private scan reports accessible only to authenticated account members. Contact support@secureskill.ai to enable private reporting.

4. How we use your data

Data | Purpose | Legal basis (GDPR)
Account data (email, name, OAuth ID) | Authentication, account management, service communications | Performance of a contract
Submitted content | Performing scans, generating scan reports | Performance of a contract
Scan results and metadata | Providing scan history, generating reports, improving detection | Performance of a contract / Legitimate interest
Anonymized scan data | Improving detection models and platform capabilities | Legitimate interest
Analytics data (Vercel) | Platform improvement, performance monitoring | Legitimate interest
Server logs | Security monitoring, rate limiting, debugging | Legitimate interest

We do not use your data for advertising. We do not sell, rent, or trade personal data to third parties.

5. Data retention

Data type | Retention period
Account data (email, name, OAuth ID) | Until you delete your account, then 30 days for recovery purposes
Submitted content | Up to 12 months from submission date
Scan results and reports | Up to 12 months from scan date
Server and API logs | 90 days
Vercel Analytics data | Controlled by Vercel per their data retention policy

You may request earlier deletion of your account data and submitted content by contacting support@secureskill.ai. See Section 7 for your full rights. We may retain certain data longer where required by law.

6. Data sharing and third-party services

We do not sell, rent, or trade your personal data. We share data only as follows:

6.1 Infrastructure providers

We use Firebase (Google) for database and authentication infrastructure, and Vercel for application hosting and analytics. These providers process data on our behalf as part of standard service delivery and are bound by their own data processing terms.

6.2 Email communications

We intend to add Klaviyo for email communications such as scan notifications and product updates. We will update this policy before Klaviyo is integrated. We will only send email communications to users who have opted in.

6.3 Threat intelligence feeds

The scanning pipeline queries third-party threat intelligence sources and vulnerability databases. Submitted content metadata such as package names or file hashes may be sent to these services as part of the scanning process. No account data is sent to these services.

6.4 Legal requirements

We may disclose data if required to do so by law, court order, or lawful request from a government authority, or if we believe disclosure is necessary to protect the rights, property, or safety of SecureSkill, our users, or the public.

6.5 Business transfers

If CleverMind AI LLC is involved in a merger, acquisition, or sale of assets, user data may be transferred as part of that transaction. We will notify users via email or a prominent notice on the platform before data becomes subject to a different privacy policy.

6.6 Aggregated, anonymized data

We may publish aggregated, anonymized statistics derived from scan data — for example, in research reports or blog posts — where no individual user or submitted skill can be identified.

7. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access. Request a copy of the personal data we hold about you.
  • Correction. Request correction of inaccurate or incomplete data.
  • Deletion. Request deletion of your account and associated personal data, subject to legal retention obligations.
  • Portability. Request a machine-readable export of your personal data where technically feasible.
  • Opt-out of model training. Request that your anonymized scan data not be used to improve our detection models. Contact support@secureskill.ai.
  • Withdraw consent. Where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.

California residents have additional rights under the CCPA, including the right to know what personal information we have collected and the right to non-discrimination for exercising privacy rights. We do not sell personal information as defined by the CCPA.

To exercise any of these rights, contact support@secureskill.ai. We will respond within 30 days. We may need to verify your identity before fulfilling a request.

8. International data transfers

SecureSkill is operated from the United States. If you access the platform from outside the U.S., your data will be transferred to and processed in the United States. We rely on standard contractual clauses and other lawful transfer mechanisms where required under applicable law, including the GDPR.

9. Security

We implement reasonable technical and organizational measures to protect your data, including encrypted connections (HTTPS/TLS), access controls, secure credential management via OAuth, and Firebase security rules. No method of transmission or storage is completely secure. In the event of a data breach that poses a risk to your rights, we will notify affected users and relevant authorities as required by applicable law.

10. Children's privacy

SecureSkill is not directed at children under 13 and does not knowingly collect personal data from children. If we learn that we have inadvertently collected data from a child under 13, we will delete it promptly. Contact support@secureskill.ai if you believe we have received data from a child.

11. Changes to this policy

We may update this policy from time to time. For material changes, we will update the effective date above and notify registered users via email or a prominent notice on the platform at least 14 days before the changes take effect. Continued use of the platform after the effective date constitutes acceptance of the updated policy.

12. Governing law

This policy is governed by the laws of the State of Arizona, United States. For GDPR-related matters, CleverMind AI LLC acts as the data controller for personal data processed through SecureSkill.

Privacy questions and data rights requests

CleverMind AI LLC, doing business as SecureSkill

Scottsdale, AZ, United States

support@secureskill.ai

We aim to respond to all privacy-related requests within 30 days.