Privacy Policy
Last updated: February 24, 2026
1. Introduction
SKYCOT ("we", "us", or "our") operates the skycot.com website and the SKYCOT application building platform. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service.
2. Information We Collect
We collect information you provide directly to us when you create an account, use our platform, or communicate with us:
- Account information: Name, email address, and authentication credentials when you sign up via email, Google, or GitHub.
- Payment information: Billing details processed securely through Stripe. We do not store your full credit card number on our servers.
- Project data: Application descriptions, configuration choices, and generated code that you create using our platform.
- Usage data: Build history, token consumption, feature usage, and interaction patterns to improve our service.
- Technical data: IP address, browser type, device information, and access logs collected automatically.
3. How We Use Your Information
- Provide, maintain, and improve the SKYCOT platform.
- Process your transactions and manage your subscription.
- Send transactional emails such as build notifications and account updates.
- Monitor usage patterns to detect abuse and ensure platform stability.
- Respond to your support requests and communicate with you about the service.
- Comply with legal obligations and enforce our Terms of Service.
4. Data Sharing & Third Parties
We do not sell your personal information. We share data only with the following categories of service providers who help us operate the platform:
- Supabase: Authentication and database hosting.
- Stripe: Payment processing and subscription management.
- Anthropic: AI model API for code generation (project descriptions are sent to generate your applications).
- Vercel: Application hosting and deployment.
- Sentry: Error monitoring and performance tracking.
- Resend: Transactional email delivery.
5. Data Retention
We retain your account information and project data for as long as your account is active. If you delete your account, we will remove your personal information within 30 days, except where we are required to retain it for legal or compliance purposes. Build logs and anonymised usage data may be retained for analytics.
6. Data Security
We implement industry-standard security measures including encryption in transit (TLS), encrypted database connections, and secure authentication via Supabase. However, no method of transmission over the internet is 100% secure, and we cannot guarantee absolute security.
7. Your Rights
Depending on your location, you may have the right to:
- Access the personal data we hold about you.
- Request correction of inaccurate data.
- Request deletion of your account and associated data.
- Object to or restrict certain processing of your data.
- Export your project data in a portable format.
To exercise any of these rights, contact us at info@skycot.com.
8. Cookies & Analytics
We use essential cookies required for authentication and session management. We do not use third-party advertising or tracking cookies.
Website analytics: We use Plausible Analytics, a privacy-friendly analytics tool. Plausible does not use cookies, does not collect personal data, and does not track users across websites. All data is aggregated and no individual visitor profiles are created. Plausible is hosted in the EU and is fully compliant with GDPR, CCPA, and PECR.
Error monitoring: We use Sentry for application error monitoring and performance tracking to maintain service quality.
9. GDPR & CCPA Compliance
We are committed to complying with applicable data protection regulations, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Lawful Basis for Processing (GDPR)
- Contract performance: Processing necessary to provide the SKYCOT service you subscribed to (account management, builds, deployment).
- Legitimate interest: Improving our platform, detecting abuse, ensuring security, and sending service-related communications.
- Consent: Where required, such as for optional marketing communications (you may withdraw consent at any time).
- Legal obligation: Where we are required to process data for tax, fraud prevention, or regulatory compliance.
Data Subject Rights
Under GDPR and CCPA, you have the right to:
- Access: Request a copy of all personal data we hold about you.
- Rectification: Request correction of inaccurate or incomplete data.
- Erasure: Request deletion of your personal data ("right to be forgotten").
- Restriction: Request we limit processing of your data in certain circumstances.
- Portability: Request your data in a structured, machine-readable format.
- Objection: Object to processing based on legitimate interests.
- Non-discrimination (CCPA): We will not discriminate against you for exercising your privacy rights.
We will respond to all data subject requests within 30 days of receipt, as required by GDPR. If we need additional time (up to 60 further days for complex requests), we will inform you of the extension and the reasons. To submit a request, email privacy@skycot.com.
Data Processing Agreements
We maintain Data Processing Agreements (DPAs) with all sub-processors that handle personal data on our behalf. Enterprise customers may request a copy of our DPA by contacting info@skycot.com.
Subprocessors
| Subprocessor | Purpose | Location | DPA |
|---|---|---|---|
| Supabase | Auth, database, storage | US / EU (configurable) | In place |
| Stripe | Payment processing | US | In place |
| Anthropic | AI code generation | US | In place |
| Vercel | App hosting, deployment | US / Global CDN | In place |
| Trigger.dev | Build orchestration | US | In place |
| Resend | Email delivery | US | In place |
| Sentry | Error monitoring | US | In place |
| Plausible | Analytics | EU | In place |
To request a downloadable DPA, email legal@skycot.com with subject "DPA Request".
10. International Data Transfers
Our primary infrastructure is hosted in the United States through Vercel (application hosting) and Supabase (database and authentication). If you are located outside the United States, please be aware that your data will be transferred to, stored, and processed in the US.
For users in the European Economic Area (EEA), United Kingdom, or Switzerland, we rely on the following safeguards for international data transfers:
- Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into our agreements with sub-processors.
- Sub-processor certifications where available (e.g., SOC 2 Type II compliance from Supabase and Vercel).
- Technical measures including encryption in transit and at rest for all personal data.
11. Children's Privacy
SKYCOT is not intended for use by anyone under the age of 16. We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Your continued use of the service after changes constitutes acceptance of the revised policy.
13. Contact Us
If you have questions about this Privacy Policy or our data practices, contact us at: