Privacy Policy

Last updated: June 5, 2026 · Version 1

1. About this Policy

This Privacy Policy explains what personal data SkipLife (“we”, “the Service”) collects, how we use it, and what rights you have. It applies to anyone who creates an account or uses the Service through the website skiplife.app.

2. Who we are

SkipLife is operated as an independent project. The data controller is reachable at legal@skiplife.app. We process the data described below on our own infrastructure hosted in Germany (Hetzner Online GmbH) and through the third-party providers listed in Section 6.

3. Data we collect

We collect only the minimum data needed to run accounts, payments, and security:

  • Account. Email address and a salted hash of your password. We never store your password in plain text.
  • Login session. The IP address from which you log in, the JWT access and refresh tokens issued to your browser, and basic device user-agent.
  • Payment data. Only what our payment processors (Stripe for fiat, on-chain wallets for crypto via the x402 protocol) need to settle a charge: card last-four digits and brand for Stripe (the full PAN is held by Stripe, never by us); wallet address and tx hash for crypto.
  • Consent stamps. The timestamps at which you accepted the Terms of Service, the Privacy Policy, and the character-fiction acknowledgement; the policy version you saw at each acceptance. This is the legal audit trail of when you agreed to what.
  • Operational logs. Server access logs (timestamp, route, response code, user id), error traces forwarded to Sentry, and aggregated performance metrics. Retained for 30 days.

4. Data we do NOT collect

The Service is designed around the creation of fictional characters. The interview you complete (name, birth year, city, occupation, relationships, key events, emotions, branching point) describes a character that you are authoring — not yourself. Those details are content you produce, not personal information about you.

As a consequence, we explicitly do not collect, process, or associate with your identity:

  • Your real name, birth year, address, profession, or family relations
  • Any biographical detail derived from the character interview
  • Tracking identifiers (no advertising cookies, no analytics fingerprinting)
  • Location beyond the coarse IP-level needed for rate limiting

If you choose to make your character resemble yourself, that is your creative choice; the platform has no way of knowing it does and treats the input as authored content (see Terms of Service, Section 2).

5. How we use data

  • Authenticating you on every request and issuing session tokens
  • Processing payments and reconciling subscription state
  • Sending transactional emails (registration, password reset, billing receipts, account alerts)
  • Detecting and blocking abuse — rate-limiting from a single IP, refusing payment fraud signals from Stripe
  • Diagnosing and fixing software defects via Sentry-aggregated stack traces
  • Generating character content by sending the character dossier you authored to the AI providers listed in Section 6

We do not use your data for advertising, profiling, or for building behavioural models about you.

6. Third-party processors and AI providers

We rely on the following processors. Each is bound by a Data Processing Agreement (DPA) with us, or by their standard contractual terms when a separate DPA is not available:

  • Anthropic, PBC — Claude API for character-creation dialogue, dossier extraction, and narrative generation. Zero Data Retention is enabled where the plan supports it.
  • OpenAI, LLC — GPT models, gpt-image-2 for cover art, Whisper for speech-to-text. Used for character-driven content generation. API inputs are not used for model training under the OpenAI API Terms.
  • xAI Corp. — Grok and Grok-Imagine video, used for video generation.
  • Stripe, Inc. — payment processing for fiat subscriptions. Stripe is PCI-DSS certified and holds full card details on our behalf.
  • Cloudflare, Inc. — R2 object storage for generated images and videos.
  • Hetzner Online GmbH — VPS infrastructure in Falkenstein/Nuremberg, Germany. Servers are within the European Economic Area.
  • Functional Software, Inc. (Sentry) — error monitoring and aggregated stack traces.

7. International data transfers

Our primary infrastructure is hosted in Germany. Several of our AI providers (Anthropic, OpenAI, xAI), Stripe, and Cloudflare are based in the United States. Transfers to those providers rely on the European Commission's Standard Contractual Clauses or on an adequacy decision where one applies.

8. Data retention

  • Account record. Retained until you delete your account. Deletion removes your account record and is irreversible.
  • Generated character content (branches, circles, images, videos). Retained as long as your account is active. You can delete individual branches at any time from the graph view.
  • Payment records. Retained for at least 7 years as required by tax law. Stripe holds the authoritative record; we keep only transaction references.
  • Operational and access logs. Retained for 30 days, then rotated out.
  • Consent timestamps. Retained for the lifetime of the account as legal evidence of agreement.

9. Your rights

You have the right to:

  • Access the personal data we hold about you
  • Receive an export of that data in a machine-readable format
  • Correct inaccurate data (e.g. change your email)
  • Delete your account and have all personal data removed
  • Object to or restrict specific processing
  • Lodge a complaint with a data-protection authority

Email legal@skiplife.app to exercise any of these rights. We respond within 30 days.

10. Cookies and local storage

We do not use tracking cookies, advertising pixels, or third-party analytics. Your browser stores only:

  • Authentication tokens (access + refresh) in localStorage, used to keep you signed in
  • Your language preference (always “en”)

11. Children

The Service is not intended for children under 13. If we learn that an account was registered by someone under 13, we will delete it.

12. Security

All traffic is served over TLS. Passwords are stored as salted bcrypt hashes. Sensitive content fields are encrypted at rest with AES-256. Access to the underlying database is restricted to a single private network and audited.

13. Changes to this Policy

We may update this Policy. Material changes will be announced by email or as an in-app notice. Continued use of the Service after the effective date of an update constitutes acceptance of the updated Policy.

14. Contact

Questions, rights requests, or anything else: legal@skiplife.app.