Privacy Policy
Version 1.5 · Effective June 1, 2026
This privacy policy explains how SkillRepo LLC, a Texas limited liability company (“SkillRepo,” “we,” “us,” “our”), collects, uses, stores, and protects your information when you use the SkillRepo platform. We believe in being straightforward about data practices, so we have written this policy in plain language.
1. Information We Collect
Account Information
When you sign up using GitHub or Google OAuth, we receive and store your profile information from those providers. This typically includes your name, email address, and avatar image. We do not receive or store your passwords from these providers.
Content You Publish
SkillRepo is a registry for AI agent skills. When you publish a skill, we store the content you provide, including SKILL.md files, YAML frontmatter metadata, and any supporting files you upload (scripts, reference documents, and static assets). This content is stored so it can be discovered and consumed by other users and AI coding agents.
Usage Data
We collect usage events to help you understand how your skills are being used and to improve the platform. This includes skill activation events, file download events, and API call records, each with associated timestamps.
Product Analytics on Public Pages
We use PostHog to understand how visitors discover and navigate the public, unauthenticated parts of SkillRepo — the home page, pricing, public documentation, the public skills catalog (/skills), and other marketing pages. On those pages we collect:
- Page views and navigation paths between public pages
- Anonymous click, scroll, and form-interaction events captured by PostHog’s autocapture
- Session recordings of mouse movement, scrolling, and DOM interactions. Password fields are always masked; other form-input values entered on public pages are included in the recording
- A randomly-generated anonymous identifier stored in your browser’s localStorage and a PostHog cookie (see Section 6)
- Your IP address, which PostHog uses to derive approximate geographic location (city and country level) and which may be stored alongside the associated events
- Browser type, operating system, device class, and the referring URL
Legal basis and retention. For visitors in the European Economic Area and the United Kingdom, our legal basis for this analytics processing is your consent (see Section 6, where we describe our current approach and the opt-in consent prompt we are working to add). For visitors in other regions, we process this data on the basis of our legitimate interest in understanding and improving the public parts of the service. Analytics data is retained for up to 12 months, and is deleted sooner if you make a verified deletion or opt-out request as described in Sections 5 and 6.
This PostHog collection is scoped to public pages only. PostHog capture and session recording do not run on any /app route, on sign-in or sign-up pages, or on the authenticated dashboard. The PostHog SDK does load globally to keep the anonymous identifier consistent if you cross between public and authenticated pages, which is why the cookie below is set on every visit; capture only occurs on public pages.
Vercel Web Analytics and Speed Insights
Separately from PostHog, we use Vercel’s built-in Web Analytics and Speed Insights, which are provided by our hosting platform. Unlike PostHog, these run on all pages of the site, including authenticated /app pages. They collect:
- Aggregate page-view counts and the routes visited
- Referrer and approximate (country-level) location
- Device type, operating system, and browser
- Performance measurements (Core Web Vitals such as load and interaction timings)
Vercel Web Analytics and Speed Insights do not set cookies, do not record sessions, and are not used to build individual visitor profiles. They are used to understand aggregate traffic and to monitor site performance.
Audit Logs
We maintain audit logs of significant account activity for security purposes. These logs cover events such as sign-in and sign-out activity, account and team settings changes, team membership changes, and skill publishing events.
API Keys
If you create API keys for programmatic access, we store a cryptographic hash of each key along with its associated name, scopes, and creation date. We do not store API keys in plain text after initial generation.
Session Data
We use session tokens to keep you signed in. Session data is tied to your authenticated account and is used solely to maintain your login state.
2. How We Use Your Information
We use the information we collect for the following purposes:
- Providing the service. Your account information lets you sign in. Your published content is stored and served so others can discover and use your skills via the SkillRepo CLI in their IDEs, MCP connections from remote agents, or direct API calls.
- Analytics and insights. First-party usage data lets you see how your skills are being adopted. PostHog data on public pages helps us understand how visitors find SkillRepo, which pages they read, and where they drop off, so we can improve onboarding, documentation, and the public catalog.
- Security and integrity. Audit logs and session data help us protect your account, detect unauthorized access, and investigate potential abuse.
- Communication. We may use your email address to send you important service notifications, such as security alerts or changes to our terms. We do not send marketing emails without your consent.
What We Do Not Do
We want to be explicit about what we do not do with your data:
- We do not sell your data. Your information is never sold to anyone, for any reason.
- We do not use your data for AI model training. The skills and content you publish are not used to train artificial intelligence or machine learning models.
- We do not serve advertising. There are no ads on SkillRepo, and we do not share data with advertising networks.
- We do not share your data with third parties beyond the infrastructure and analytics providers described in Section 4 below.
3. How We Store and Protect Your Information
Your data is stored using industry-standard cloud infrastructure with the following security measures:
- Encryption in transit. All data transmitted between your browser or IDE and our servers is encrypted using TLS.
- Encryption at rest. Database records and stored files are encrypted at rest by our infrastructure providers.
- Hashed credentials. API keys are stored as cryptographic hashes, not in plain text.
- Access controls. Internal access to production systems is restricted and follows the principle of least privilege.
- Serverless architecture. Our deployment model reduces the attack surface compared to traditional server infrastructure.
While we take reasonable measures to protect your data, no system is completely immune to security risks. We encourage you to protect your account by safeguarding your OAuth credentials and API keys.
4. Third-Party Services
We rely on a limited set of infrastructure providers to operate SkillRepo. These providers process your data only as necessary to deliver their services to us:
- Vercel — Application hosting, serverless functions, and file storage. Vercel processes request data and stores uploaded skill files. We also use Vercel Web Analytics and Speed Insights, which collect the aggregate traffic and performance data described in Section 1 across all pages of the site.
- Neon — PostgreSQL database hosting. Neon stores your account records, skill metadata, usage events, and audit logs.
- Upstash — Redis-compatible data store used for rate limiting. Upstash processes request metadata for operational purposes.
- GitHub and Google — OAuth authentication providers. These services process your authentication requests when you sign in. We receive only the profile information described in Section 1.
- PostHog — Product analytics on public pages. PostHog processes the page-view, autocapture, and session-recording events described in Section 1, scoped to unauthenticated marketing and catalog pages, and does not receive data from authenticated /app routes. PostHog processes and stores this data on infrastructure located in the United States.
We do not use advertising platforms or data brokers. Our analytics providers are PostHog and Vercel’s built-in Web Analytics and Speed Insights, both described in Section 1 above.
International Data Transfers
PostHog, our analytics provider, processes and stores data on infrastructure located in the United States. If you access the public parts of SkillRepo from the European Economic Area, the United Kingdom, or another region with cross-border data-transfer restrictions, the analytics data described in Section 1 is transferred to and stored in the United States. Our other infrastructure providers may also process data in the United States.
5. Your Rights
Access and Export
You can access the skills you have published, your account information, and your usage data through the SkillRepo dashboard at any time. We support data export upon request.
Deletion
You may request deletion of your account and associated data by contacting us at the address provided in Section 8. Upon receiving a verified deletion request, we will:
- Delete your account and profile information
- Delete all skills you have published
- Delete your usage data, audit logs, and API keys
- Remove your session data
Deletion requests are processed within 30 days. Some data may be retained in encrypted backups for a limited period as part of our disaster recovery procedures, after which it is permanently purged.
Correction
If any of your account information is inaccurate, you can update it through your OAuth provider (GitHub or Google), and the changes will be reflected in SkillRepo upon your next sign-in.
6. Cookies and Similar Technologies
SkillRepo uses cookies and browser storage for the following purposes:
- Session cookies. A session cookie keeps you signed in after authentication. This cookie contains a session identifier and is not used to track activity across other websites.
- Security cookies. We may use cookies to protect against cross-site request forgery (CSRF) and other security threats.
- Analytics cookies and storage. PostHog sets a cookie (named like ph_<token>_posthog) and writes to your browser’s localStorage to maintain an anonymous identifier across visits. This identifier is used to deduplicate sessions and stitch a single visitor’s page views together on public pages. It is not used for advertising or cross-site tracking.
We do not use advertising cookies and do not participate in cross-site advertising networks.
EU and UK visitors: the analytics cookies described above are not strictly necessary for the service to function, and we acknowledge that GDPR and the ePrivacy Directive require opt-in consent before they are set. We are working to add an opt-in consent prompt for the public pages where analytics runs. Until that prompt is live, if you would like analytics disabled for your visits to SkillRepo, please email the address in Section 8 and we will tie an opt-out to your account.
7. Changes to This Policy
We may update this privacy policy from time to time to reflect changes in our practices or for legal and regulatory reasons. When we make changes, we will update the “Last updated” date at the top of this page.
For significant changes that materially affect your rights or how we use your data, we will make reasonable efforts to notify you in advance, such as through an in-app notification or an email to the address associated with your account.
8. Contact
If you have questions about this privacy policy, want to exercise your data rights, or have concerns about how your information is handled, you can reach us at:
Email: hello@skillrepo.dev
We aim to respond to all privacy-related inquiries within 14 business days.