Privacy Policy
skilledrabbit.ai / Skilled Rabbit
Version 1.2 · Effective date: 2026-04-10
1. Who We Are
skilledrabbit.ai
Operated by Sjors van de Wiel
The Netherlands
Email: privacy@skilledrabbit.ai
We are the data controller for personal data processed via the skilledrabbit.ai platform. This policy explains what data we collect, why, how long we retain it, and what rights you have.
2. What Data We Process
2.1 Account Data
When you create an account we collect:
- First name
- Email address
- Password (stored hashed via bcrypt — never readable)
- Account creation date
- IP address at registration (for fraud prevention)
When signing in via Google or Apple we receive from those providers: name, email address, and a unique account identifier. We never receive your password from those providers.
2.2 Training Progress
- Completed weeks, missions, and checkpoints
- XP and rank
- Timestamp of each completed activity
This data is necessary to deliver the training. The platform cannot function without progress tracking.
2.3 Payment Data
Payments are processed by Stripe. We do not store any card data. From Stripe we receive only:
- Payment confirmation (succeeded / failed)
- Which product was purchased
- Transaction timestamp
- Stripe Payment Intent ID (for support and accounting)
2.4 Communications
- Emails you send us (support, questions)
- Content of emails we send you (confirmations, welcome messages)
2.5 Technical Data
- IP address (at login, for fraud detection and security)
- Browser type and version
- Device type (desktop / mobile)
- Session timestamp and duration
We do not collect location data beyond the country derived from your IP address (used for VAT calculation via Stripe Tax).
3. Why We Process Your Data
| Purpose | Legal basis | Data |
|---|---|---|
| Creating and managing your account | Contract performance | First name, email, password |
| Granting access to purchased content | Contract performance | Email, purchase record |
| Tracking training progress | Contract performance | Progress data |
| Processing payments | Contract performance | Stripe transaction data |
| Sending transactional email | Contract performance | Email, first name |
| Security and fraud prevention | Legitimate interest | IP address, login attempts |
| VAT calculation | Legal obligation | Country (via IP) |
| Customer support | Legitimate interest | Communication content |
We do not send newsletters or marketing email unless you have explicitly opted in. If you opt in, you may withdraw consent at any time via the link at the bottom of the email or by emailing privacy@skilledrabbit.ai.
4. How Long We Retain Your Data
| Data | Retention |
|---|---|
| Account data | Duration of account + 2 years after deletion |
| Training progress | Duration of account |
| Payment records | 7 years (legal tax retention) |
| Login logs (IP, timestamp) | 90 days |
| Support email | 2 years after resolution |
| Marketing consent | Until withdrawn |
After the retention period expires, data is automatically deleted or anonymized.
5. Who We Share Data With
We never sell or rent your data to third parties. We use the following processors, each under a data processing agreement:
| Processor | Purpose | Location | Privacy policy |
|---|---|---|---|
| Supabase | Database and authentication | EU (Frankfurt) | supabase.com/privacy |
| Stripe | Payment processing | US (SCCs apply) | stripe.com/privacy |
| Resend | Transactional email | US (SCCs apply) | resend.com/privacy |
| Sentry | Error monitoring | EU | sentry.io/privacy |
| PostHog | Website analytics (cookieless) | EU (Hetzner, Germany — self-hosted) | posthog.com/privacy |
For transfers to the US, Standard Contractual Clauses (SCCs) apply pursuant to Article 46 GDPR.
6. Analytics
We use PostHog for website analytics. PostHog is self-hosted on our own European servers (Hetzner, Germany). We operate PostHog in fully cookieless mode — no cookies or local storage are used for analytics purposes. We do not track individual users or store personal data through analytics. Only anonymous, aggregated event data (such as page views and button clicks) is collected to help us improve the platform. No data is shared with third parties.
7. Authentication
When you sign up, we use email-only magic-link authentication. We send a one-time login link to your email address — no password is created or stored. Your email address is stored securely by Supabase (our authentication provider, hosted in the EU). If you previously created an account with a password, you can still log in with your email and password.
8. Waitlist
When you join a waitlist for an upcoming training, we collect your email address and optional audience preference. With your explicit consent (checkbox), your email is mirrored to our email service provider (Resend) so we can send you updates when the training becomes available. You can unsubscribe at any time using the link in any waitlist email. Your consent timestamp is stored alongside your signup.
9. Cookies
We use only functional cookies — cookies strictly necessary for the platform to work:
| Cookie | Purpose | Duration |
|---|---|---|
| sb-auth-token | Login session (Supabase) | Session / 24 hours |
| stripe_mid | Fraud prevention (Stripe) | 1 year |
We do not set tracking, analytics, or advertising cookies. A cookie banner is not required for strictly functional cookies under EU ePrivacy rules.
10. Your Rights
Under the GDPR you have the following rights:
Access — You may request a copy of the personal data we hold about you.
Rectification — You may have inaccurate data corrected. You can change your first name and email address yourself in account settings.
Erasure — You may request deletion of your account and associated data. Payment records are retained for 7 years under legal tax retention and cannot be deleted.
Objection — You may object to processing based on legitimate interest (e.g., security logs).
Portability — You may export your training progress in a machine-readable format (JSON or CSV).
Withdraw consent — Where processing is based on consent (e.g., marketing email) you may withdraw it at any time.
Send your request to privacy@skilledrabbit.ai. We respond within 30 days. We may ask you to verify your identity via the email address on your account.
If you believe we are not processing your data correctly, you may file a complaint with the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) via autoriteitpersoonsgegevens.nl.
11. Security
We take the security of your data seriously:
- All connections are encrypted via HTTPS (TLS 1.2+)
- Passwords are stored hashed with bcrypt (never in readable form)
- JWT sessions expire after 24 hours
- Access to the production database is restricted to authorized systems
- Stripe processes all card data — we never see it
In case of a data breach presenting a risk to your rights and freedoms, we will notify you and the Dutch Data Protection Authority as soon as possible, and within 72 hours at the latest.
12. Minors
The platform is intended for people aged 18 and over. We do not knowingly collect data from minors. If you believe a minor has created an account, please contact privacy@skilledrabbit.ai.
13. Changes
We may update this policy. Material changes will be announced by email at least 14 days before they take effect. The current version is always published at skilledrabbit.ai/privacy.
14. Contact
Questions about your privacy or this policy? Email privacy@skilledrabbit.ai.
For general inquiries: hello@skilledrabbit.ai
For support: support@skilledrabbit.ai