Skip to main content
skilder

Privacy Policy

Last updated: May 29, 2026

Version: 2.0
Effective date: May 29, 2026
Supersedes: Privacy Policy dated January 2026

1. Who we are and how to reach us

This Privacy Policy is issued by skilder.ai Ltd. (the "skilder platform", "we", "our", "us"), a Swiss limited liability company with its registered office in Buchillon, Canton of Vaud, Switzerland.

For all data-protection matters, including exercising the rights described in Section 10, you may contact us at:

  • Postal address: skilder.ai Ltd., 1164 Buchillon, Switzerland
  • Data-protection contact: contact@skilder.ai

1.1 EU representative

For data subjects in the European Economic Area and the United Kingdom, our representative under Article 27 GDPR and, where applicable, Article 27 UK GDPR is:

  • Email: contact@skilder.ai

If no EU representative is yet appointed when this Policy is published, EU/UK data subjects may instead contact us directly at contact@skilder.ai.

2. Scope of this Policy

This Policy describes how we process personal data when we act as a data controller, that is, when we determine the purposes and means of processing. It applies to:

  • visitors to skilder.ai websites and marketing properties;
  • account holders and authorised users of the skilder platform ("Users");
  • individuals who contact us, attend our events, or take part in pilots, demos, or partnerships.

2.1 When skilder acts as a processor (Customer Personal Data)

When organisations ("Customers") use the skilder platform to design, deploy, govern, or execute Skills, Hats, and related artefacts, those artefacts and their inputs and outputs typically contain personal data of the Customer's own employees, end-users, contractors, or counterparties ("Customer Personal Data"). For Customer Personal Data, the Customer is the controller and skilder acts as the processor on the Customer's documented instructions.

For Customer Personal Data, the relevant rules, including subject matter, duration, nature and purpose of processing, types of personal data, categories of data subjects, our obligations under Art. 28 GDPR / Art. 9 nFADP, our use of sub-processors, audit rights, and our return-or-delete obligations on termination, are set out in the Processing of Customer Personal Data clause of the Terms of Service. This Privacy Policy continues to apply only to the limited categories of data we process about Users in our own right (e.g. account credentials, billing data, audit-log entries identifying who took which administrative action, security telemetry).

End-users reached via Chat SDK or embedded experiences

Where a Customer uses the skilder platform to expose an experience to its own end-users, for example through the skilder Chat SDK or an embedded Hat, those end-users' personal data is Customer Personal Data. skilder processes it only as processor on the Customer's instructions, and the Customer's own privacy notice governs the relationship with those end-users. If you are such an end-user and you do not know who the Customer is, you may contact us at contact@skilder.ai and we will route your request to the Customer or, where applicable, handle it directly.

2.2 Out of scope

This Policy does not apply to:

  • third-party websites, AI models, or services that you connect to skilder (including via BYOK, see Section 6.4);
  • data processed on infrastructure that you host yourself when running the open-source skilder runtime, in respect of processing carried out exclusively on that infrastructure (see Section 6.5);
  • data processed by your own employer or organisation as controller.

3. The personal data we collect

We collect only what we need to operate, secure, and improve the skilder platform.

3.1 Data you provide

CategoryExamples
Identity & contact dataName, business email, employer, role
Account dataLogin credentials (hashed), MFA factors, workspace membership
Commercial dataBilling contact, plan, invoice records
Support dataContent of messages you send us via forms, email, or chat
Programme dataInformation you provide when joining pilots, demos, partner programmes, or events

3.2 Data we collect automatically

CategoryExamples
Device & connection dataIP address, browser type, operating system, language
Usage dataPages visited, features used, timestamps, referrer
Security logsAuthentication events, suspected abuse signals, rate-limit triggers
TelemetryPerformance metrics, error reports
Hat configurations and Hat content The Hats you create, edit, version, or compose, including their schema (system prompts, instructions, tool bindings, attached Skills, configuration parameters) and the content they encapsulate, are stored automatically as you work in the platform and form part of your workspace's persisted state

Cookies and similar technologies used to collect this data are described in Section 12.

To the extent a Hat's schema or content contains personal data of individuals other than the User (for example, contact information embedded in instructions, or end-user data captured through a deployed Hat), that personal data is Customer Personal Data and is processed under §2.1 and the Terms of Service, not as data we collect in our controller role.

3.3 Data we receive from third parties

CategoryExamples
Authentication providers When you sign in with Google, Microsoft, Infomaniak or similar, we receive the identity data those providers share according to the scopes you approve
OAuth-connected tools When you authorise skilder to connect to a third-party tool (e.g. an Infomaniak kDrive), we may receive access tokens and metadata describing what we are authorised to access; see Section 6.4

We do not buy personal data from data brokers.

4. Why we process your data and on what legal basis

PurposeCategories usedLegal basis (GDPR Art. 6)nFADP basis
Provide the skilder platform and respond to your requests Identity, account, support, usage Performance of contract (b); pre-contract steps at your request Contract performance
Bill you and manage commercial relationships Identity, commercial Performance of contract (b); legal obligation (c) for tax/accounting Contract; legal obligation
Secure the platform and prevent abuse Device, security logs, usage Legitimate interests (f) in protecting the platform and Users Overriding legitimate interest
Comply with legal, tax, accounting, and AML obligations Identity, commercial Legal obligation (c) Legal obligation
Improve the platform, aggregated analytics and Trace Data (execution traces, prompt and Output content, error reports, support session content, tool invocation traces) Usage, telemetry, device, support data, and, for non-Enterprise plans unless opted out, or for Enterprise plans where opted in, prompt and Output content Legitimate interests (f), balancing test on file. We do not rely on this basis to train AI models on your content (training requires separate opt-in consent, see Section 5 and §5.3(a) of the Terms). Non-Enterprise plans are processed by default with a right to opt out; Enterprise plans are processed only where the Customer opts in (§5.3(b)–(c) of the Terms) Overriding legitimate interest
Send service communications (security notices, breach notifications, material change notifications) Identity, account Legal obligation (c); legitimate interests (f) Legal obligation
Send marketing communications Identity Consent (a), revocable at any time Consent
Host pilots, demos, partnership programmes Identity, programme Consent (a) or performance of contract (b) Consent or contract

For each processing activity based on legitimate interests, we have carried out a balancing test. You can request a summary by contacting contact@skilder.ai.

4.1 What happens if you do not provide certain data

Where the provision of personal data is necessary to enter into a contract with us (for example, to create an account or to pay for a subscription), failing to provide it means that we cannot perform the relevant function, typically, you will not be able to register, sign in, or be billed correctly. Provision of marketing data is always optional.

4.2 Special categories of personal data

We do not seek to process special categories of personal data (Art. 9 GDPR, health, racial or ethnic origin, religious or philosophical beliefs, biometric or genetic data used to uniquely identify a person, etc.) in our controller role. If you choose to include such data in support communications or pilot programmes, please be aware that this is at your initiative and we will process it strictly as needed to respond to you. Where Customers process special categories through Skills, this is governed by the Terms of Service.

5. AI processing and training

skilder is, by design, an execution pipeline between Customers and external AI models. The way personal data flows through that pipeline matters, so this Section summarises the principles; the operational detail (which providers, with which keys, with which retention) is in Section 6.4.

  • No training on your content without opt-in consent. We do not, and we do not permit our subprocessors to, use your content, Skills, prompts, tool inputs, or AI outputs to train, fine-tune, or evaluate any AI model, except where you have given separate, written, opt-in consent (for example, by joining a named pilot or research programme). This commitment is reflected in §5.3(a) of the Terms of Service and is unconditional.
  • Product-improvement usage and trace data, opt-out. Separately from model training, we process usage and trace data generated by your use of the Services (execution traces, prompt and Output content captured for evaluation and debugging, error reports, support session content, tool invocation traces) to operate, debug, secure, and improve the Services. We rely on legitimate interests (Art. 6(1)(f) GDPR) for this processing and have carried out a balancing test. For non-Enterprise plans this is on by default and you may opt out at any time from workspace settings or by writing to contact@skilder.ai. For Enterprise plans this is off by default unless you opt in. See §5.3(b)–(c) of the Terms for the full mechanics and retention is governed by Section 8 below.
  • Aggregated and anonymised metrics. Independently of the above, we may compute and use aggregated and irreversibly anonymised metrics (counts, latencies, error rates, feature-use statistics) to operate and improve the platform. These do not identify you, your Customer, or the content of your Skills.
  • Customer-selected providers. Where you, your Customer, or a Skill invokes a third-party AI model through skilder, the prompt, context, tool inputs, and model output transit that provider. The provider's own terms and privacy practices apply to that processing. We list the providers we route to in /legal/subprocessors, together with the country of processing and the relevant transfer safeguard.
  • BYOK is different. Where you connect your own API keys to a third-party AI provider ("Bring Your Own Key"), skilder is not in a controller-to-processor relationship with that provider for the resulting inferences, you are. See Section 6.4.3.

6. Sharing and subprocessors

We share personal data only with the categories of recipients listed below.

6.1 Categories of recipients

  • Subprocessors (service providers acting on our behalf): hosting and database infrastructure, AI-model providers (for skilder-managed routing), Customer-authorised OAuth connector providers, product analytics, email delivery, payment processing, and internal issue tracking. The current list, including the legal entity and country of processing, is published and kept up to date at /legal/subprocessors.
  • Authentication and OAuth providers: only as needed to operate the integrations you enable.
  • Professional advisers (lawyers, auditors, accountants) under duties of confidentiality.
  • Acquirers or investors in the context of a corporate transaction, subject to confidentiality obligations.
  • Public authorities, only where required by law and after legal review.

6.2 What we do not do

  • We do not sell personal data.
  • We do not share personal data with third parties for advertising or profiling purposes.
  • We do not allow subprocessors to use your data for their own purposes.

6.3 Subprocessor governance

All subprocessors are bound by written contracts that impose confidentiality, security, and data-protection obligations no less protective than those described here. We carry out due-diligence reviews before onboarding any subprocessor that processes personal data.

6.4 AI providers, OAuth tokens, and BYOK

6.4.1 AI model providers (skilder-managed routing)

When a Skill is executed and routed through a model whose API access is provided by skilder, the following data is sent to the model provider on a per-request basis:

  • the system prompt and conversation context required to fulfil the request;
  • the tool descriptions and the inputs and outputs of any tools invoked;
  • where relevant, attachments uploaded for the request.

For these routings, the relevant model provider acts as our subprocessor. We bind each such provider by written contract to:

  • process the data only on our documented instructions (and ultimately on the Customer's instructions under the Terms of Service);
  • not use the data to train, fine-tune, or evaluate AI models;
  • apply appropriate security and confidentiality measures;
  • support our compliance with applicable data-protection laws, including handling of data-subject requests.

We publish the current list of model-provider subprocessors at /legal/subprocessors. Customers can in their workspace settings restrict which providers are permitted, and can pin routing to a single provider or region (for example, Switzerland-only or EU-only).

We log metadata about each model invocation (which provider, which model, when, by which User, how many tokens, success or failure) for security, audit, and billing purposes.

For non-Enterprise plans, we additionally log prompt and Output content as part of Trace Data (see §5 of this Policy and §5.3(b) of the Terms of Service) by default, for product improvement, debugging, and support. You may opt out at any time. For Enterprise plans, prompt and Output content is not logged for product-improvement purposes unless you opt in. Retention applies as set out in Section 8.

6.4.2 OAuth tokens for third-party tools

When you authorise skilder to connect to a third-party tool (such as Infomaniak kDrive, a Google Workspace document, a Microsoft 365 mailbox, or a similar integration), skilder receives an OAuth access token and, where the provider supports it, a refresh token. These tokens are credentials that allow skilder to act on your behalf within the scopes you approved at the consent screen.

We handle these tokens as follows:

  • Encrypted at rest using authenticated symmetric encryption (AES-256-GCM) with workspace-scoped data-encryption keys wrapped by a key-management-service master key. Encryption keys are not co-located with encrypted token material.
  • Used only to execute the Skills, tools, and integrations you authorise. Tokens are not used for analytics, marketing, or model training.
  • Scope-limited: we request the narrowest scopes needed for the feature you enable, and we display the scopes at the consent screen.
  • Revocable: you can revoke tokens at any time from workspace settings; we will also call the provider's token-revocation endpoint where available. Tokens are revoked automatically when the Skill or integration is removed, when a workspace is closed, or when the underlying account is closed.
  • Retention: tokens are retained for as long as the underlying integration is active, plus 30 days after deactivation, after which they are securely deleted.
  • Logging: we log when tokens are issued, refreshed, and revoked, but we never log token material.

If a provider's token cannot be revoked from skilder for technical reasons, we will tell you how to revoke it directly with the provider.

6.4.3 Bring Your Own Key (BYOK)

You may connect your own API keys for third-party AI models or tools ("BYOK keys"). For BYOK:

  • BYOK keys are credentials and are protected with the same encryption and access controls as OAuth tokens (Section 6.4.2).
  • BYOK keys are used only when a Skill you have authorised invokes the corresponding provider. We do not use BYOK keys for any other purpose, and we never log key material.
  • For inferences carried out using your BYOK key, the third-party provider is your subprocessor, not ours. You are responsible for your contract with that provider, including its data-protection terms, its training-on-content settings, and any associated charges.
  • BYOK keys can be rotated or revoked at any time from workspace settings; revocation takes effect immediately for new requests, and we will discard cached credentials.
  • We retain BYOK keys for as long as the connection is active, plus 30 days after deactivation, after which they are securely deleted.

6.5 Self-hosted skilder runtime (edge execution)

The skilder runtime is distributed as an open-source package (@skilder/runtime on npm). Customers may run it on their own infrastructure to execute Skills locally or within their own network perimeter ("edge execution").

Edge execution does not disconnect the runtime from the skilder cloud. To function, a self-hosted runtime instance continues to communicate with the skilder cloud workspace over the control plane, in particular to:

  • authenticate the runtime instance against your workspace;
  • fetch Hat schemas, Skill definitions, tool bindings, configuration parameters, and any versioned updates;
  • look up entries in the skilder catalogue and registries;
  • report execution status, audit-trail entries, billing usage, and error telemetry back to your workspace (in line with your workspace settings);
  • receive governance updates such as policy changes, revocations, or kill-switch signals.

What changes with edge execution is where the data plane runs: the actual prompts, tool inputs, tool outputs, AI model invocations, and any Customer Content materialised at execution time are processed by the runtime on infrastructure that you operate, and travel from there directly to the model or tool you have configured. They do not transit skilder-operated infrastructure, unless your configuration explicitly routes them to a skilder-managed endpoint (for example, when you choose skilder-managed model routing under §6.4.1).

For data processed exclusively on your self-hosted runtime in the data plane, you remain controller and operator of that infrastructure, and this Privacy Policy does not govern that processing. This Privacy Policy continues to apply to all control-plane interactions described above and to any data that flows back to your skilder cloud workspace.

The open-source runtime is licensed separately under its published licence; nothing in this Policy modifies that licence.

7. International transfers

skilder is headquartered in Switzerland. Personal data is primarily processed in Switzerland and the European Economic Area. Some subprocessors may process personal data outside Switzerland or the EEA.

For each transfer outside Switzerland or the EEA, we rely on one of the following safeguards:

  • an adequacy decision of the Swiss Federal Council (FDPIC) and/or the European Commission, where one exists for the destination country;
  • the European Commission's Standard Contractual Clauses (SCCs, Decision 2021/914) as supplemented by the Swiss Transfer Annex issued by the FDPIC, and where relevant the UK International Data Transfer Addendum;
  • where appropriate, additional technical and organisational measures (encryption in transit and at rest, pseudonymisation, access controls);
  • a transfer impact assessment for transfers to countries whose legal framework is not assessed as adequate (including, for the United States, reliance on participants' EU-US Data Privacy Framework certification where available, in addition to SCCs).

The current list of subprocessors, with their country of processing and the applicable transfer mechanism, is published at /legal/subprocessors.

You can request a copy of the safeguards we use for a specific transfer by contacting contact@skilder.ai.

8. How long we keep personal data

We retain personal data only for as long as needed for the purposes set out in this Policy. Specific retention periods are:

CategoryRetention
Account data (active User) For the duration of the account, plus the periods below after closure
Account data (closed account) 90 days for recovery and dispute handling, then deleted or anonymised
Billing and commercial records 10 years from the end of the calendar year, as required by Swiss CO Art. 958f
Support correspondence3 years from last interaction
Security and authentication logs 12 months, unless a longer period is required to investigate an incident
Audit trail entries on the platform (administrative actions) 24 months by default; longer if required by your subscription plan or by law
Cookies and analytics events As described in our cookie notice (Section 12)
OAuth access and refresh tokens, BYOK keys Active life of the integration + 30 days; securely deleted thereafter
AI model invocation metadata (provider, model, timestamps, token counts) 12 months by default; longer where required for audit or billing
AI prompt / Output content (Trace Data), non-Enterprise plans, unless opted out; Enterprise plans only where opted in 90 days by default, configurable by the Customer within the limits offered by the plan
Marketing consent records Until you withdraw consent, plus 3 years for proof-of-consent purposes

After expiry, data is securely deleted or irreversibly anonymised. Backups follow our standard backup-rotation schedule (currently 35 days) and are then overwritten.

Soft deletion vs. hard deletion. When you or your administrator delete a workspace, account, or artefact in the platform, the item is first marked as deleted and removed from normal views (this is called "soft deletion"). Items in soft-deleted state are retained for 30 days to allow recovery in case of error, after which they are permanently deleted from primary storage and removed from backups according to the rotation schedule above.

9. How we protect personal data

We apply technical and organisational measures appropriate to the risks of our processing, including:

  • encryption of data in transit (TLS 1.2+) and at rest for stored credentials, OAuth tokens, and customer secrets;
  • role-based access controls, mandatory multi-factor authentication for staff with access to production systems, and least-privilege provisioning;
  • segregation of environments (development, staging, production) and segregated tenant data within the platform;
  • continuous monitoring, vulnerability scanning, dependency auditing, and timely patching;
  • documented incident-response procedures including, where required by law, notification of the FDPIC, competent EU/UK supervisory authorities, and affected individuals within statutory deadlines (72 hours for GDPR Art. 33);
  • regular review of subprocessors and access rights;
  • staff training and confidentiality obligations.

A current summary of our technical and organisational measures is available on request.

10. Your rights

Subject to the conditions and exceptions set out in Swiss nFADP, GDPR, and UK GDPR, you have the right to:

  • access the personal data we hold about you;
  • rectify inaccurate or incomplete data;
  • erase ("right to be forgotten") personal data where one of the legal grounds applies;
  • restrict processing in certain circumstances;
  • object to processing based on legitimate interests, including profiling;
  • portability, receive your data in a structured, commonly used, machine-readable format;
  • withdraw consent at any time, without affecting the lawfulness of processing carried out before withdrawal;
  • not be subject to a decision based solely on automated processing (including profiling) that produces legal or similarly significant effects on you (see Section 11).

To exercise any of these rights, contact contact@skilder.ai or use our web form. We will respond within one month of receiving a complete request, extendable by up to two further months for complex requests; we will inform you of any extension within the initial month.

No fee, except for manifestly unfounded or excessive requests, in which case we may charge a reasonable administrative fee or refuse to act, in line with GDPR Art. 12(5).

10.1 Right to lodge a complaint

You have the right to lodge a complaint with a supervisory authority. In particular:

We would, however, appreciate the chance to address your concerns directly before you do so.

11. Automated decision-making

We do not, in the course of our own controller-role processing, take decisions based solely on automated processing, including profiling, that produce legal or similarly significant effects on you within the meaning of GDPR Art. 22.

The skilder platform enables Customers to build and execute Skills that may themselves involve automated processing. Where this is the case, the Customer, as controller, is responsible for assessing whether Art. 22 applies and for providing the safeguards it requires (meaningful information about the logic involved, human intervention, the right to contest the decision). This allocation is reflected in our Terms of Service.

12. Cookies and similar technologies

We use cookies, local-storage entries, and similar technologies to operate our website and the skilder platform, to remember your preferences, and (with your consent) to measure usage. We do not use advertising cookies, cross-site tracking pixels, or fingerprinting techniques.

12.1 Consent

When you visit our website from the EEA, the United Kingdom, or Switzerland, a consent management platform (CMP) is presented on first visit. The CMP allows you to:

  • accept all categories;
  • reject all non-essential categories;
  • choose categories individually;
  • withdraw or change your consent at any time via the "Cookie preferences" link in the website footer.

Non-essential cookies are not set before you give consent. We respect your browser's "Do Not Track" / "Global Privacy Control" signals where they are technically detectable.

12.2 Categories of cookies and similar technologies

CategoryPurposeExamplesDurationConsent
Strictly necessary Authentication, session continuity, CSRF protection, load balancing session, csrf_token, lb_route Session, or up to 24h Not required
Functional Remember preferences (theme, language, last workspace) theme, locale, last_ws Up to 12 months Required where ePrivacy applies
Analytics Measure usage to improve the platform PostHog ph_* cookies and local-storage entries Up to 12 months Opt-in required
Security telemetry Detect abuse, brute force, suspicious patterns Short-lived in-memory tokens, server-side logs Per Section 8 Not required (legitimate interest)

12.3 Analytics provider, PostHog

We use PostHog (operated by PostHog Inc., with data processing on its EU Cloud, located in Frankfurt, Germany) as our analytics subprocessor. With your consent we collect:

  • page views and feature interactions within the skilder website and the authenticated platform;
  • a pseudonymous identifier per browser, and (for authenticated users) a workspace-scoped User identifier;
  • coarse device, browser, and country information derived from the IP address.

We have configured PostHog to:

  • anonymise IP addresses (last octet dropped) before storage;
  • disable session-replay of forms and any sensitive input;
  • scrub input values from autocapture events;
  • respect Do Not Track and Global Privacy Control signals;
  • be hosted exclusively on PostHog's EU Cloud.

You can opt out at any time from the CMP or directly in the "Cookie preferences" link in the footer. Opting out does not affect the lawfulness of any processing carried out before opt-out.

12.4 Where to learn more

A current, machine-readable cookie inventory (names, hosts, durations, purposes) is available on our cookie-preferences page. If you need additional details for a data-protection impact assessment or vendor review, contact contact@skilder.ai.

13. Children

The skilder platform is intended for use by businesses and their professional users. It is not directed at children. We do not knowingly collect personal data from individuals under the age of 18 as account holders or Users in our controller role. If we become aware that we have collected such data contrary to this Policy, we will delete it without undue delay.

For end-users of Customer-built experiences (for example, end-users reached through the Chat SDK or an embedded Hat, see Section 2.1), the Customer is the controller. The Customer is responsible for verifying that any processing of children's data complies with applicable law, including GDPR Art. 8 on conditions for child's consent (the digital-services age of consent varies across EEA member states between 13 and 16) and, for Switzerland, the discernment standard under Swiss law.

14. Changes to this Policy

We may update this Policy from time to time. When we do, we will:

  • update the "Last updated" date at the top of this page;
  • post the revised Policy on our website;
  • where the change is material, notify Users by email or in-product notice at least 30 days before the change takes effect, and where required by law, seek your renewed consent.

You can review prior versions on request.

15. How this Policy interacts with the Terms of Service

This Policy forms part of our Terms of Service. Where you are a Customer or User using the skilder platform under those Terms, the Terms govern your contractual relationship with us; this Policy describes the personal-data aspects of that relationship in our controller role.

For Customer Personal Data processed by skilder as a processor, the controlling document is the "Processing of Customer Personal Data" clause of the Terms of Service, which supplements (and where it conflicts with this Policy in that role, prevails over) this Privacy Policy.

Quick reference

TopicWhere to look
What we collect about Users and visitors (skilder as controller) This Policy
What we do with Customer Personal Data (skilder as processor) Terms of Service, "Processing of Customer Personal Data"
Who our subprocessors are and where they process data /legal/subprocessors
Standalone DPA for processor-role processing (e.g. enterprise procurement) Available on request, see Terms of Service §10.1
AI-training stance and BYOK allocation Section 5 and Section 6.4 of this Policy; §5 of the Terms
Cookies and the consent mechanism Section 12 of this Policy + the in-product Cookie preferences link
How to exercise your rights or lodge a complaint Section 10 of this Policy

By using the skilder website or the skilder platform, you acknowledge that you have read and understood this Privacy Policy.