Privacy Policy

Last updated: February 18, 2026

Controller

Kill The Dragon GmbH
Dürergasse 3 / TOP 4 / HOF
1060 Vienna, Austria
Email: privacy@supaskills.ai

Data We Collect

Account Data

Email address: account creation, login, communication (Art. 6(1)(b) GDPR)
Name (optional): personalization (Art. 6(1)(a) GDPR)
Password (hashed): authentication (Art. 6(1)(b) GDPR)

Payment Data

Payment data is processed directly by Stripe, Inc. We do not store credit card numbers. Stripe acts as an independent controller. See: stripe.com/privacy

Usage Data

Skill activations: service delivery, slot management (Art. 6(1)(b) GDPR)
API calls (timestamp, endpoint): rate limiting, abuse prevention (Art. 6(1)(f) GDPR)
IP address (anonymized): security, abuse prevention (Art. 6(1)(f) GDPR)

Sub-Processors

Service	Provider	Purpose	Safeguard	DPA
Hosting	Vercel Inc.	Website hosting	EU-US DPF	DPA
Database & Auth	Supabase Inc.	Data storage, auth	EU-US DPF	DPA
Payments	Stripe Inc.	Subscriptions	EU-US DPF	DPA
Email	Resend Inc.	Notifications	EU-US DPF	DPA
Embeddings	OpenAI Inc.	Search embeddings	EU-US DPF	DPA

International Data Transfers

Some of our sub-processors are located outside the European Economic Area (EEA). We ensure appropriate safeguards for international data transfers through:

EU-US Data Privacy Framework (DPF): All US-based sub-processors are certified under the DPF.
EU Standard Contractual Clauses (SCCs): In place with all sub-processors as additional safeguard.
Data Processing Agreements: Signed with every sub-processor.

Your data is primarily processed in the EU (Supabase EU region, Vercel EU edge).

Cookies

We use strictly necessary cookies only. No tracking, no analytics, no advertising cookies.

sb-access-token: Supabase auth session (session duration)
sb-refresh-token: Supabase auth refresh (7 days)

Your Rights (Art. 15–22 GDPR)

Access (Art. 15): request a copy of your personal data
Rectification (Art. 16): correct inaccurate data
Erasure (Art. 17): request deletion of your data
Restriction (Art. 18): restrict processing
Data Portability (Art. 20): receive data in machine-readable format
Object (Art. 21): object to processing based on legitimate interests
Withdraw Consent: at any time, without affecting prior processing

Requests to: privacy@supaskills.ai. Response within 30 days.

Right to lodge a complaint: Austrian Data Protection Authority (Datenschutzbehörde), Barichgasse 40-42, 1030 Vienna. dsb.gv.at

Data Retention

Account data: until account deletion + 30 days backup
Payment records: 7 years (Austrian Federal Fiscal Code / BAO)
Usage data: 90 days rolling
Server logs: 30 days

Security

Encryption in transit (TLS 1.3)
Encryption at rest (AES-256)
API keys stored as SHA-256 hashes
Row Level Security (RLS) on all database tables

Email Communications

We send the following types of email communications:

Transactional emails: welcome, payment confirmations, payment failures. Always sent as part of service delivery (Art. 6(1)(b) GDPR). Cannot be unsubscribed.
Onboarding emails: getting started tips and nudges. Sent based on legitimate interest (Art. 6(1)(f) GDPR) with easy opt-out. You can unsubscribe via the link in any email or in Dashboard Settings.
Marketing emails: weekly digest, skill updates, PowerPack notifications, product announcements. Require double opt-in (Art. 6(1)(a) GDPR). Only sent after you explicitly confirm your email address. You can unsubscribe at any time.

All non-transactional emails include an unsubscribe link. You can manage all preferences at Dashboard → Settings → Emails, or email privacy@supaskills.ai.

Changes

Material changes will be communicated via email. The current version is always available at this page.