Privacy Policy
skilledrabbit.ai / Skilled Rabbit Version 1.3 · Effective date: 2026-07-01
1. Who We Are
skilledrabbit.ai Operated by Sjors van de Wiel The Netherlands Email: privacy@skilledrabbit.ai
We are the data controller for personal data processed via the skilledrabbit.ai platform. This policy explains what data we collect, why, how long we retain it, and what rights you have.
2. What Data We Process
2.1 Account Data
When you create an account we collect:
- First name
- Email address
- Password (stored hashed via bcrypt by Supabase — never readable), if you sign up with email + password
- Account creation date
When signing in via Google or Apple we receive from those providers: name, email address, and a unique account identifier. We never receive your password from those providers.
2.2 Training Progress
- Completed weeks, missions, and checkpoints
- XP and rank
- Timestamp of each completed activity
This data is necessary to deliver the training. The platform cannot function without progress tracking.
2.3 Payment Data
Payments are processed by Paddle, which also acts as our Merchant-of-Record (the legal seller of record, responsible for collecting and remitting VAT). We do not store any card data. From Paddle we receive only:
- Payment confirmation (succeeded / failed)
- Which product was purchased
- Transaction timestamp
- Paddle transaction / subscription ID (for support and accounting)
2.4 Communications
- Emails you send us (support, questions)
- Content of emails we send you (confirmations, welcome messages)
2.5 Technical Data
- IP address — used transiently to rate-limit email-link and signup requests. It is stored only briefly in a rate-limiting table and is not linked to your account, not part of your exported data, and not kept as a login history.
- Browser type and version
- Device type (desktop / mobile)
- Session timestamp and duration
We do not collect location data beyond the country derived from your IP address (used for VAT calculation, which Paddle handles as Merchant-of-Record).
3. Why We Process Your Data
| Purpose | Legal basis | Data |
|---|---|---|
| Creating and managing your account | Contract performance | First name, email, password |
| Granting access to purchased content | Contract performance | Email, purchase record |
| Tracking training progress | Contract performance | Progress data |
| Providing AI coaching (Finney) | Contract performance | Prompts + coaching context sent to Anthropic |
| Processing payments | Contract performance | Paddle transaction data (Merchant-of-Record) |
| Sending transactional email | Contract performance | Email, first name |
| Rate-limiting sign-in and email-link requests | Legitimate interest | IP address (transient) |
| VAT calculation | Legal obligation | Country (via IP) |
| Customer support | Legitimate interest | Communication content |
We do not send newsletters or marketing email unless you have explicitly opted in. If you opt in, you may withdraw consent at any time via the link at the bottom of the email or by emailing privacy@skilledrabbit.ai.
4. How Long We Retain Your Data
| Data | Retention |
|---|---|
| Account data | Duration of account + 2 years after deletion |
| Training progress | Duration of account |
| Payment records | 7 years (legal tax retention) |
| Rate-limiting records (IP) | Transient — rate-limiting only, not a login history |
| Support email | 2 years after resolution |
| Marketing consent | Until withdrawn |
After the retention period expires, data is automatically deleted or anonymized.
5. Who We Share Data With
We never sell or rent your data to third parties. We use the following processors, each under a data processing agreement:
| Processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) | supabase.com/privacy |
| Anthropic | AI coaching (Claude API — Finney) | US (SCCs apply) | anthropic.com/legal/privacy |
| Paddle | Payment processing + Merchant-of-Record | Paddle-operated (SCCs apply) | paddle.com/legal/privacy |
| Brevo | Transactional email | EU | brevo.com/legal/privacypolicy |
| PostHog | Product analytics (cookieless) | EU (eu.i.posthog.com) |
posthog.com/privacy |
| Sentry | Error monitoring | EU | sentry.io/privacy |
For transfers to the US, Standard Contractual Clauses (SCCs) apply pursuant to Article 46 GDPR.
6. Analytics
We use PostHog for product analytics, hosted in the EU region (eu.i.posthog.com). We operate PostHog in fully cookieless mode — no cookies or local storage are used for analytics purposes. We do not track individual users through analytics; only pseudonymous, aggregated event data (such as page views and button clicks) is collected to help us improve the platform.
7. Authentication
You can sign in with an email address and password (the password is stored hashed via bcrypt by Supabase — never in readable form), or with Google or Apple single sign-on. When you use Google or Apple, we receive your name, email address, and a unique account identifier from that provider — never your password. Your email address and authentication data are stored securely by Supabase (our authentication provider, hosted in the EU). Some specific flows — such as claiming a quiz result or accepting a cohort invitation — use a one-time email link or a temporary password sent to your email instead.
8. Waitlist
When you join a waitlist for an upcoming training, we collect your email address and optional audience preference. With your explicit consent (checkbox), your email is mirrored to our email service provider (Brevo) so we can send you updates when the training becomes available. You can unsubscribe at any time using the link in any waitlist email. Your consent timestamp is stored alongside your signup.
9. Cookies
We use only functional cookies — cookies strictly necessary for the platform to work:
| Cookie | Purpose | Duration |
|---|---|---|
sb-<project-ref>-auth-token |
Login session (managed by Supabase) | Session / 24 hours |
During checkout, Paddle's payment overlay may set its own strictly functional cookies required to complete the transaction. We do not set tracking, analytics, or advertising cookies. A cookie banner is not required for strictly functional cookies under EU ePrivacy rules.
10. Your Rights
Under the GDPR you have the following rights:
Access — You may request a copy of the personal data we hold about you.
Rectification — You may have inaccurate data corrected. You can change your first name and email address yourself in account settings.
Erasure — You may request deletion of your account and associated data. Payment and invoice records held by Paddle as Merchant-of-Record are retained under legal tax/accounting retention and cannot be deleted on an erasure request. See our Transparency page for details.
Objection — You may object to processing based on legitimate interest (e.g., security logs).
Portability — You may export your personal data (profile, training progress, and saved work) as a machine-readable JSON file.
Withdraw consent — Where processing is based on consent (e.g., marketing email) you may withdraw it at any time.
You can exercise your access, portability, and erasure rights yourself, instantly, at /account/data (sign-in required) — export your data as JSON or delete your account there. For the other rights, or if you need help, send your request to privacy@skilledrabbit.ai; we respond within 30 days and may ask you to verify your identity via the email address on your account.
If you believe we are not processing your data correctly, you may file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via autoriteitpersoonsgegevens.nl.
11. Security
We take the security of your data seriously:
- All connections are encrypted via HTTPS (TLS 1.2+)
- Passwords are stored hashed with bcrypt (never in readable form)
- JWT sessions expire after 24 hours
- Access to the production database is restricted to authorized systems
- Paddle processes all card data — we never see it
In case of a data breach presenting a risk to your rights and freedoms, we will notify you and the Dutch Data Protection Authority as soon as possible, no later than within 72 hours.
12. Minors
The platform is intended for people aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact privacy@skilledrabbit.ai.
13. Changes
We may update this policy. Material changes will be announced by email at least 14 days before they take effect. The current version is always published at skilledrabbit.ai/privacy.
14. Contact
Questions about your privacy or this policy? Email privacy@skilledrabbit.ai.
For general inquiries: hello@skilledrabbit.ai For support: support@skilledrabbit.ai