SKEW

Privacy Policy.

Skew collects the minimum needed to run an account and generate your artifacts. This policy says what we collect, who touches it, how long we keep it, and how you get it back or get it removed.

1. What we collect

We collect three kinds of data:

  • Account data — your email, your display name if you set one, the authentication identifier from the login provider.
  • Generation inputs — every brief you paste, every prompt you submit, and the output the system produces in response. This is the record of your work.
  • Session data — browser fingerprint tokens, IP address, the timestamp of each request, and the routes you visit while signed in. Used for security and to debug bad sessions.

We do not collect anything the service does not need. We do not sell data to third parties. Ever.

2. Why we collect it

  • To run your account — sign you in, enforce plan limits, show you your past generations.
  • To bill you — if you are on a paid tier, we pass a minimal identifier to the payment processor so your plan stays active.
  • To generate your outputs — every brief is sent to our model provider so the output can be produced.
  • To keep the service up — rate limiting, fraud detection, debugging.
  • To reach you — service emails (receipts, account notices, policy changes). Product updates only if you opt in.

3. Vendors we use

Skew runs on infrastructure from a small set of processors. Each sees only the slice of data needed for its role.

  • Clerk — authentication. Sees email and the login identifier. Does not see briefs or outputs.
  • Convex — application data store. Sees account data, briefs, outputs, and generation history. No third party has read access to your outputs through Convex.
  • Anthropic (Claude) — the model provider that generates outputs from your briefs. Sees the brief you submit and the output produced; per Anthropic’s commercial terms, your inputs are not used to train their models.
  • Stripe — payment processing for paid tiers. Sees billing identifier, card data, and subscription state. Does not see briefs or outputs.
  • Vercel — web hosting. Sees request metadata (IP, route, timestamp) for edge delivery and logs.
  • Cloudflare — DNS and edge protection. Sees request metadata at the network layer.

Each of these vendors has its own privacy policy. When you use Skew, you are also subject to theirs for the slice of data they handle.

4. How long we keep it

  • Generations — kept indefinitely unless you delete them or delete your account. You can delete any generation from the library at any time.
  • Account data — kept while your account is active. Deleted within 30 days of account closure, except where retention is required by law (tax records up to 7 years).
  • Session and log data — rotated out after 90 days.
  • Billing records — retained by Stripe and by us for 7 years per US tax law.

5. Cookies

Skew uses a small set of cookies. Details live in the Cookie Policy. In short: session cookies for sign-in and live data, plus optional analytics if we enable them.

6. Your rights

Depending on where you live, you have some or all of the following rights:

  • Access — request a copy of what we hold on you.
  • Correction — fix anything wrong.
  • Deletion — close your account and have us remove your data. You can also delete individual generations from the library.
  • Portability — export your generations in a standard format.
  • Objection / restriction — tell us to stop certain uses.
  • Opt out of sale — we do not sell data, so there is nothing to opt out of, but your right exists.

GDPR (if you are in the EU/UK) and CCPA (if you are in California) give you these rights by statute. To exercise any of them, email privacy@skew.site. We respond within 30 days.

7. Children

Skew is not for children under 13. We do not knowingly collect data from anyone under 13. If you believe a child has created an account, email us and we will delete it.

8. International transfers

Our vendors operate in the United States and the European Union. If you access Skew from another country, your data may be transferred across borders. For EU/UK users, transfers rely on Standard Contractual Clauses or adequacy decisions.

9. Security

Data in transit is encrypted with TLS. Data at rest in Convex is encrypted. Secrets live in a managed vault; no engineer has routine read access to production customer data. We disclose known breaches to affected users within 72 hours of confirmation, per GDPR standard.

10. Changes

We may update this policy. Material changes get a notice by email at least 14 days before they take effect. The “last updated” date at the top reflects the current version.

11. Contact

Privacy questions: privacy@skew.site. For EU/UK users, this is the primary contact; we are not currently required to name a dedicated Data Protection Officer but will do so once our processing scale requires it.