Skillsail Privacy Policy

Effective Date: 21.05.2025

1. Introduction

We at Skillsail respect your privacy and are committed to protecting your personal data. We adhere to the principles of the EU General Data Protection Regulation (GDPR) in all our data processing activities. This Privacy Policy explains how Skillsail (referred to as "we", "us", or "our") collects, uses, and protects personal data when you use the Skillsail platform (our AI-powered learning management system), our website, and related services. It also describes your rights regarding your personal data under the GDPR and how to exercise them.

By using our services, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with the practices described, please do not use the Skillsail platform.

2. Who We Are and How to Contact Us

Skillsail is the organization responsible for processing your personal data in relation to our services. For the purposes of applicable data protection laws, Skillsail acts as the data controller for the personal data described in this policy (except in cases where we process data on behalf of a customer, as noted below).

Note: If you are using Skillsail as part of an organization's account (for example, your employer or educational institution), that organization may be the data controller for your personal data and we act as a data processor on their behalf. In such cases, that organization's privacy policies may also apply, and we will process your data in accordance with our agreement with them.

Contact Information: If you have any questions or requests regarding your personal data or this Privacy Policy, you can contact us at privacy@skillsail.com.

Data Protection Officer (DPO): We have not appointed a DPO at this time (as we are not currently legally required to do so). We will update this policy if a DPO is appointed in the future. In the meantime, please direct any privacy inquiries to the contact email above.

3. Data We Collect

We collect various types of information, including personal data, when you interact with Skillsail. This includes:

  • Account Information: When you or your organization create an account on Skillsail, we collect information such as your name, email address, organization name, and login credentials. This may also include any profile details you choose to add to your account.
  • Learning Content and User-Generated Data: The platform stores content that you upload or create, such as course materials, assignments, notes, messages, or feedback. If our AI features process or learn from user-provided content, this data remains isolated to your organization's environment and is not shared with other customers.
  • Usage Data: We collect data about how you use the platform, such as the features or pages you interact with, your course progress, time spent on various activities, and other usage metrics. This may include technical information automatically logged by our systems, like your IP address, browser type, device information, and timestamps of your activities.
  • Cookies and Similar Technologies: When you use our platform or website, we use cookies for functional purposes (see Cookies and Tracking below for details). Notably, our public website's analytics do not rely on cookies.
  • Communications: If you contact us (for example, for support or inquiries) or subscribe to our newsletter, we will collect information such as your name, email address, and the content of your messages. We also record your communication preferences (e.g. your consent to receive newsletters).
  • Authentication Data: Authentication to the Skillsail platform is handled via our partner WorkOS. When you log in, WorkOS may collect and store certain authentication information (such as Single Sign-On tokens, data from your organization's Identity Provider, and basic profile details needed for login). This data is used solely to verify your identity and securely log you into Skillsail.

4. How We Use Your Data (Purposes and Legal Bases)

We use personal data for the following purposes, and each use is supported by a legal basis under the GDPR:

  • To Provide Our Services: We process personal data to set up and maintain your account, allow you to access courses and content, track your learning progress, and operate the Skillsail LMS for you and your organization. This processing is necessary to perform our contract with you or your organization (GDPR Art. 6(1)(b)).
  • To Personalize and Improve the Platform: We use data such as your usage patterns and feedback to improve our services, fix issues, and develop new features (for example, optimizing our AI-powered learning tools for your organization). This processing is based on our legitimate interest (GDPR Art. 6(1)(f)) in enhancing our services and providing a high-quality user experience.
  • To Communicate with You: We use your contact information to send you service-related communications. This includes emails for account verification, password resets, important announcements about the platform (e.g. feature updates or security notifications), and responses to support inquiries. These communications are necessary for the provision of our services (legal basis: contract performance under Art. 6(1)(b), or our legitimate interest in maintaining the service under Art. 6(1)(f)). With your consent, we may also send marketing or newsletter emails containing product updates, new features, or event information. You can opt out of these marketing emails at any time. (Legal basis: your consent under Art. 6(1)(a), or where applicable, our legitimate interest under Art. 6(1)(f) GDPR for existing customers, with the option to unsubscribe at any time.)
  • To Ensure Security and Performance: We process certain data (like IP addresses, device information, and log data) to monitor for suspicious or malicious activity, maintain the security and integrity of our platform, and measure and improve performance. For example, we use monitoring tools (such as Datadog and Sentry) to detect outages or bugs. This processing is based on our legitimate interest (GDPR Art. 6(1)(f)) in protecting our service and users, and ensuring the platform runs smoothly and securely.
  • To Analyze Website Usage: For our public website, we use Vercel's built-in analytics to understand page visits and user interactions without using cookies. This helps us gauge interest in our site content and improve the website, based on our legitimate interest in understanding and improving our online presence (GDPR Art. 6(1)(f)).
  • To Comply with Legal Obligations: We may process or retain personal data as required by law or regulations – for example, to keep proper business records, comply with tax requirements, or respond to lawful requests by public authorities. In such cases, the legal basis is compliance with a legal obligation (GDPR Art. 6(1)(c)).

5. Cookies and Tracking

We use cookies and similar technologies in a minimal and purposeful way:

  • Public Website (Skillsail Marketing Site): Our public-facing website uses very limited tracking. We utilize Vercel's analytics features which do not use cookies or persistent identifiers. This means when you visit our marketing site, no analytics cookies are placed on your browser.
  • Logged-In Platform (Application): The Skillsail web application (after you log in) uses cookies primarily for essential functionality:
    • We set a session cookie (and similar technologies) to keep you logged in as you navigate between pages on the platform. This cookie is typically deleted when you log out.
    • We may use a cookie to remember certain preferences or settings (for example, your chosen language or other user interface settings).
    • These cookies are strictly necessary for the proper provision of the service and to improve your user experience. We do not use any cookies for advertising purposes or to track your behavior across other sites.
  • Your Choices: You can configure your web browser to block or delete cookies. However, please note that if you disable or remove essential cookies, some features of Skillsail may not function properly – for instance, you might not be able to stay logged in.
  • Other Tracking: Aside from cookies, our systems may automatically collect some technical information as mentioned in the "Usage Data" section above (such as IP address and device information) for security and performance monitoring. This is done without using third-party tracking cookies.

6. Third-Party Service Providers

To operate the Skillsail platform effectively, we rely on a number of trusted third-party service providers. These providers act as our data processors, processing data on our behalf and under our instructions. They only have access to data necessary for their services and are contractually obligated to protect your information. Our key third-party service providers include:

  • WorkOS (Authentication): We use WorkOS to enable secure single sign-on (SSO) and enterprise authentication options. WorkOS processes certain user credentials and authentication data to verify identities and facilitate login (for example, handling SSO tokens and communicating with your identity provider). This data is used only for authentication and security purposes.
  • Neon (Database Hosting): Our application data is stored in databases hosted by Neon, a cloud database service. Neon hosts these databases in specified regions (by default in Germany, or in the USA/Australia if a customer requests). Neon, as our infrastructure provider, may technically handle stored data but only under our control and instructions; they do not access or use the data for any purpose other than storing and retrieving it as needed for the service.
  • Vercel (Hosting and Analytics): We host our website and web application on Vercel's platform. When you interact with Skillsail, your requests (including IP address and other technical data) pass through Vercel's servers. Vercel also provides us with privacy-friendly analytics — meaning we can see aggregated information about site usage without personal identifiers or cookies. Vercel may incidentally process some data (like IP addresses) to serve our content and provide these analytics, but it does not use your data for its own marketing or share it inappropriately.
  • Datadog (Monitoring): We use Datadog to monitor our servers and application performance. Datadog collects technical data such as server logs, usage metrics, and system health information. This may include IP addresses or user IDs in log entries or metadata. We use this information to detect and troubleshoot performance issues, ensure reliability, and protect against security threats. Datadog acts solely as a processor of this data for us; the data is not used by Datadog for any purpose other than providing us these monitoring tools.
  • Sentry (Error Tracking): Sentry is used to capture and track software errors in our application. If an error occurs while you're using Skillsail, Sentry will record information about the error and the context (for example, which function or module failed, timestamp, and potentially a user identifier or technical details like browser version). This helps our developers diagnose and fix issues quickly. The information sent to Sentry is used only for debugging and improving the stability of the platform, not for user profiling.
  • Loops (Email Marketing): For sending out newsletters or marketing emails (such as product updates or educational content about using Skillsail), we use a service called Loops. If you are on our marketing email list, Loops will process your email address (and name, if provided) to send emails on our behalf. Each such email will include an unsubscribe link that you can click at any time to opt out of future marketing emails. We only send these communications with your consent or if you are an existing customer in accordance with applicable laws.
  • Resend (Transactional Emails): We use Resend to deliver transactional emails that are part of the Skillsail service. These are non-promotional emails you receive as a result of your use of Skillsail – for example, account creation confirmations, password reset emails, notifications about course assignments, or other system alerts. Resend processes recipients' email addresses and the email content strictly to deliver the message and for no other purposes.
  • Other Processors: In addition to the above, we may use other processors for specific needs (for example, a cloud storage provider for backups). Any such processors are vetted for security and privacy and bound by data protection agreements.

We ensure that all third-party providers we work with are bound by strict data protection obligations (through Data Processing Agreements or equivalent contracts). They are not permitted to use your personal data for anything other than delivering the services we have requested. Where these providers are located outside of the European Economic Area, we implement appropriate safeguards (see Data Storage and International Transfers below).

7. Data Storage and International Transfers

We are based in Germany and primarily store data in the European Union, but we can accommodate certain data residency requests. Here's how we handle data storage and transfers:

  • Primary Data Location (EU/Germany): By default, all personal data collected through Skillsail is stored on servers located in Germany. In other words, unless otherwise agreed or requested, your data will remain within Germany (and thus within the EU), benefiting from the robust data protection laws of the EU.
  • Optional Regions (U.S. or Australia): If a customer organization specifically requests that its data be hosted in the United States or in Australia (for example, to meet internal policies or to improve performance for their users in those regions), we have the capability to store data in those jurisdictions. In such cases, the data belonging to that customer will reside in data centers in the requested country.
  • Safeguards for International Data Transfers: Whenever personal data is transferred out of the European Economic Area (EEA), we take steps to ensure it remains protected. Neither the USA nor Australia currently has an "adequacy decision" from the EU, which means they may not provide a data protection level equivalent to EU law. For transfers to these and other countries, we rely on approved safeguards such as the European Commission's Standard Contractual Clauses (SCCs), along with additional technical and organizational measures as necessary. This is to ensure that your data receives an adequate level of protection, essentially equivalent to that guaranteed in the EU.
  • Third-Party Processors Abroad: Many of our third-party service providers mentioned above are headquartered in the United States (WorkOS, Vercel, Datadog, Sentry, Loops, Resend, etc.), and they may process data on servers in the U.S. or other locations. We only work with such providers if they commit to GDPR compliance. When we transfer data to these providers, we do so under the protection of lawful transfer mechanisms (for example, SCCs as mentioned, or participation in frameworks like the EU-U.S. Data Privacy Framework, where applicable). We also assess, where relevant, that these providers implement additional safeguards (encryption, access controls, etc.) to protect data.
  • Data Isolation and Security: Regardless of where data is stored, we apply the same security standards and privacy controls. Our architecture uses data isolation measures (each customer's data is kept in a separate database schema via Neon, as noted) to ensure that data is segregated and accessible only by authorized users of that customer. All data is transmitted securely (using encryption like HTTPS/TLS) and stored in secure environments. We do not share data between customers, and any processing (including AI-related processing) is done within the scope of each customer's own data environment.

If you have questions about our data transfer practices or need more information about international transfer safeguards, feel free to contact us.

8. Data Retention and Deletion

We retain personal data only for as long as necessary to fulfill the purposes outlined in this policy, or as required by applicable law. Retention periods can vary depending on the type of data and purpose of processing:

  • Account Data: For as long as you have an active account on Skillsail, we will keep your personal account information in order to provide you with the service. If you (or your organization) decide to stop using Skillsail, we will deactivate or delete your account upon instruction. Personal data associated with your account will be deleted or anonymized within a reasonable timeframe after account closure. In some cases, we may retain certain information if necessary for legitimate business interests, such as resolving disputes or enforcing agreements, but we will delete it as soon as those purposes are fulfilled.
  • Customer-Offboard Deletion: Our enterprise customers (the companies using Skillsail) have the right to request deletion of all data associated with their account at any time. Upon such a request, or when a contract terminates, we will permanently delete the customer's data from our production systems. Residual copies may remain in encrypted backups for a short period, but those are safeguarded and eventually overwritten or deleted in the normal backup rotation cycle.
  • Communications Data: If you contacted us (e.g., for support) or you subscribed to our newsletters, we may retain correspondence and your contact details as long as needed to address your inquiry or provide the subscribed service. For example, support emails may be kept until your issue is resolved plus a short period for quality assurance. Newsletter subscription data is retained until you unsubscribe or the newsletter program ends.
  • Logs and Analytics: System logs, audit trails, and analytics data are kept for a limited period which is necessary for security monitoring and performance analysis. We routinely purge or anonymize older log data. For instance, logs and monitoring data might be retained for a few weeks or months, unless we need to retain them longer to investigate a security incident or comply with legal requirements.
  • Legal Requirements: In some cases, we may need to retain certain data for a longer period if required by law (for example, financial transaction records for taxation or accounting purposes, or information needed to comply with a government order). Such data will be kept only for the legally mandated duration and then deleted.

When we delete personal data, we take measures to ensure the data is securely and completely removed from our active systems. Please note that complete removal from all systems may not be instantaneous – for example, data might remain temporarily in backups or cached in secure locations. However, such copies will also be deleted or overwritten in due course, and they remain protected and inaccessible in the interim.

9. Your Rights Under GDPR

As an individual whose data we process, you have certain rights under the General Data Protection Regulation. These rights (subject to certain conditions and exceptions under the law) include:

  • Right of Access: You have the right to request confirmation of whether we are processing your personal data, and if so, to access that data. This allows you to receive a copy of the personal data we hold about you and information about how we use it.
  • Right to Rectification: If any personal data we hold about you is inaccurate or incomplete, you have the right to request that we correct or update it without undue delay.
  • Right to Erasure: You have the right to request deletion of your personal data in certain circumstances. For example, if the data is no longer necessary for the purposes it was collected for, or if you have withdrawn your consent and we have no other legal basis to continue processing it, you can request erasure. This is also known as the "right to be forgotten." Please note that this right is not absolute – sometimes we may need to retain certain information if required by law or if we have overriding legitimate grounds (we will inform you if that is the case).
  • Right to Restrict Processing: You have the right to ask us to suspend the processing of your personal data in certain scenarios. For instance, if you contest the accuracy of your data, you can request we restrict processing while we verify the information. Or if you object to processing based on our legitimate interests, you can request restriction while the objection is under review. When processing is restricted, we can still store your data but will not use it further until the restriction is lifted (unless necessary for legal claims or protection of others' rights).
  • Right to Data Portability: For data you have provided to us and which we process by automated means under consent or contract, you have the right to request a copy in a structured, commonly used, machine-readable format (for example, CSV or JSON). You also have the right to request that we transmit this data directly to another controller, where technically feasible. This right facilitates moving your data to other services.
  • Right to Object: You have the right to object to our processing of your personal data when that processing is based on our legitimate interests (Art. 6(1)(f) GDPR), on grounds relating to your particular situation. If you lodge an objection, we will consider it and whether our legitimate grounds for processing outweigh your privacy rights. Importantly, you have an unconditional right to object to the processing of your personal data for direct marketing purposes at any time. If you object to marketing, we will stop using your data for that purpose immediately.
  • Right to Withdraw Consent: Where we rely on your consent to process your personal data (for example, for sending promotional emails), you have the right to withdraw that consent at any time. You can do so by contacting us or using the unsubscribe link in emails. Once you withdraw consent, we will stop the processing that was based on consent. Withdrawal of consent does not affect the lawfulness of processing that occurred before the withdrawal.
  • Right to Lodge a Complaint: If you believe we have violated data protection laws or your privacy rights, you have the right to file a complaint with a supervisory authority. You may contact the data protection authority in the country or region where you live, where you work, or where the alleged infringement occurred. For example, in Germany you could contact the Data Protection Authority of your federal state (Bundesland) or another relevant German supervisory authority. A list of EU data protection authorities and their contact information is available on the European Commission's website.

These rights are subject to certain limitations and conditions under GDPR and other applicable laws. We will respect your rights and will respond to your requests in accordance with legal requirements.

10. Exercising Your Rights

To exercise any of your data protection rights, please contact us at privacy@skillsail.com. In your request, kindly make clear which right you wish to exercise and, if needed, what personal data your request pertains to. For your protection, we may need to verify your identity before acting on the request — for example, we might ask you to provide information to confirm you are the owner of the email account in question or to provide a government-issued ID for verification in sensitive cases. This is to ensure that we do not disclose data to someone who is not entitled to receive it.

We will respond to valid requests as soon as we can, and at the latest within one month as mandated by GDPR. If your request is complex or if you have made a large number of requests, we may inform you that we need more time (up to an additional two months) to respond. If we cannot fulfill your request in whole or in part, we will explain the reasons (for example, if providing certain data would adversely affect the rights and freedoms of others, or if we are legally prevented from deleting certain data).

There is no fee for making a request to exercise your rights. However, if a request is manifestly unfounded or excessive (for example, repetitive), the law allows us to charge a reasonable fee or refuse to act on the request. We will inform you if this situation arises.

11. Security Measures

We take the security of your personal data very seriously. Skillsail implements a range of technical and organizational measures to safeguard the data we hold against loss, misuse, unauthorized access, disclosure, alteration, or destruction. These measures include:

  • Encryption: We use encryption technologies such as HTTPS/TLS to protect data in transit between your device and our servers. Sensitive data may also be encrypted at rest (when stored in databases or backups).
  • Access Control: Access to personal data within Skillsail is limited on a need-to-know basis. Only authorized personnel and service providers who require access to operate or improve the platform are granted access, and even then, subject to confidentiality obligations. Administrative access to systems is protected with strong authentication (e.g., multi-factor authentication) to prevent unauthorized access.
  • Isolation: Our platform architecture provides strong data isolation. Each customer's data is stored in a separate database or schema (via Neon), which prevents one customer from accessing another's data. Similarly, any AI training data or models derived from user content are kept isolated per customer — data from one organization is not used to train or inform the AI for any other organization.
  • Monitoring and Testing: We actively monitor our systems for anomalies and potential vulnerabilities using tools like Datadog (for infrastructure monitoring) and conduct regular testing (including security audits and penetration tests) to identify and address potential security issues. Sentry helps us catch and fix errors that could affect data integrity or security.
  • Physical Security: The data centers where our servers reside (through our hosting providers) employ industry-standard physical security controls, such as access badges, surveillance, and on-site security personnel, to prevent unauthorized physical access.
  • Employee Training: Our team members are trained on data protection and security practices. We maintain internal policies to ensure that personal data is handled and protected properly and we continuously raise awareness about privacy and security.

Despite all our efforts, no system can be guaranteed to be 100% secure. We therefore encourage you to also take precautions when using any online service, including using a strong, unique password for your Skillsail account and keeping your login credentials confidential. If you have any reason to believe that your interaction with us is no longer secure (for example, if you suspect that your account has been compromised), please contact us immediately.

12. Changes to This Privacy Policy

We may update or revise this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or for other reasons. When we make changes, we will update the "last updated" date posted at the top of the policy (or indicate within the policy text) and, if the changes are significant, we will take additional steps to notify you of the updates. This may include posting a notice on our website or platform, or contacting you via email or other means.

We encourage you to review this Privacy Policy periodically to stay informed about how we are protecting your information.

If we make material changes to the way we collect or use personal data, we will obtain any necessary consents or give you the opportunity to opt out, in accordance with applicable law.

13. Contact Information

If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please do not hesitate to contact us:

  • Email: privacy@skillsail.com
  • Postal Mail: Skillsail, Elektrastraße 11, 81925 München, Germany

We will be happy to assist you and address any questions or issues you may have regarding the privacy and security of your personal data.