Privacy Policy
Last updated: April 22, 2026
1. Overview
This Privacy Policy describes how FindSkills collects, uses, and shares your personal data when you use our website, CLI, MCP server, or API. Please read it together with our Terms of Service.
2. Data Controller
The data controller is Sean, operating as FindSkills.
Contact: sean@findskills.org
3. Data We Collect
| Category | Source | Purpose |
|---|---|---|
| GitHub user ID and login | GitHub OAuth | Authentication, attribution of submissions |
| Public email (if GitHub provides) | GitHub OAuth | Account notices, support replies |
| API key hash | You generate via /developers | Rate limiting, authentication |
| Request metadata | Server logs | Abuse prevention, aggregated statistics |
| IP address + User-Agent | Server logs | Geographic statistics, abuse prevention |
| GA4 cookies (_ga, _ga_*) | Your browser | Aggregate analytics |
| Submissions | /submit page | Directory content, public record |
| Votes | Button clicks | Ranking signals |
4. Legal Bases (GDPR)
- Art 6(1)(b) contract performance — authentication, API service, submission handling.
- Art 6(1)(f) legitimate interest — abuse prevention, security, service reliability.
- Art 6(1)(a) consent — Google Analytics; opt-out link provided below.
5. How We Use Data
- Provide and maintain the Service
- Enforce rate limits and prevent abuse
- Respond to support requests
- Generate aggregate, non-identifying statistics
- Comply with legal obligations and process DMCA notices
6. Sharing and Sub-Processors
- Vercel (US) — hosting and edge network
- Neon (US, AWS us-east-1) — PostgreSQL database
- Upstash (US) — Redis cache and rate limiting
- Google Analytics 4 — aggregate analytics
We do not sell personal data. We do not use advertising trackers beyond GA4.
7. International Transfers
Data is stored and processed in the United States.
- EEA/UK users: transfers rely on Standard Contractual Clauses (SCCs) operated by our sub-processors.
- Mainland China residents: the Service is not offered to you. See Terms § 3. We do not knowingly process personal information of users located in mainland China. If you are a mainland China resident and have used the Service, please email sean@findskills.org to request deletion.
8. Cookies and Similar Technology
| Cookie | Type | Purpose | Retention |
|---|---|---|---|
| Session cookie | Essential (first-party) | Login state | Session |
| _ga, _ga_* | Analytics (Google) | Visitor measurement | Up to 2 years |
No advertising or cross-site tracking cookies are set.
Opt-out: install the Google Analytics Opt-out Browser Add-on, or enable your browser's "Do Not Track" setting (we honor it).
9. Data Retention
- Account data: until you request deletion.
- API usage logs: 180 days.
- Aggregate, non-identifying analytics: indefinite.
- Submissions: retained as part of the public directory even after account deletion.
10. Your Rights
GDPR (EEA/UK)
- Access, rectification, erasure, restriction of processing, portability, objection.
- Right to withdraw consent at any time.
- Right to lodge a complaint with your supervisory authority.
CCPA (California)
- Right to know what personal information we collect and how it is used.
- Right to delete your personal information.
- Right to opt out of the sale of personal information (we do not sell).
- Right to non-discrimination for exercising these rights.
PDPA (Singapore) and PDPO (Hong Kong)
- Right of access and correction via email.
How to exercise: email sean@findskills.org with a subject line identifying your jurisdiction (e.g., "GDPR Request"). We respond within 30 days.
11. Children
The Service is not intended for users under 13 (general) or under 16 (EEA/UK). If we learn we have collected personal data from a child under these ages without verifiable parental consent, we will delete it.
12. Security
- HTTPS on all endpoints.
- API keys stored as hashes; we never log or store them in plain text.
- We do not store passwords (authentication is via GitHub OAuth).
- Breach notification: we notify affected users within 72 hours of confirming a personal data breach, per GDPR Art 33.
13. Automated Decision-Making
We apply automated rate limiting to protect the Service. This is not profiling. We do not make decisions with legal or similarly significant effect about you based solely on automated processing.
14. Changes
Material changes to this Policy will be announced at least 30 days in advance. The "Last updated" date at the top of this page reflects the current effective version.
15. Contact
General privacy inquiries: sean@findskills.org (for data subject requests, prefix the subject line with your jurisdiction).