Privacy Policy

Company: Skippr Ltd. ("Skippr", "we", "us", "our")

Registered office: 99 Milton Keynes Business Centre, Foxhunter Drive, Linford Wood, Milton Keynes, Buckinghamshire MK14 6GD, England

Email: privacy@skippr.ai | DPO: dpo@skippr.ai

This Privacy Policy explains how we collect, use, disclose, and protect personal information when you use:

• Our websites (e.g., skippr.ai, skippr.com) and any page that links to this Policy;
• Our Chrome browser extension and related extensions;
• Our waitlist, community spaces, and support channels; and
• Other services that reference this Policy (together, the "Services").

If you do not agree with this Policy, please do not use the Services.

Quick Summary (At-a-glance)

• Website vs. Extension roles. For the website/app, Skippr is the Controller. For extension analyses you initiate, you (or your organization) are the Controller of the page content you capture; Skippr acts as your Processor (DPA available on request).
• Screenshots/DOM stored for your project. When you run a full analysis, the extension may capture a screenshot and selected DOM fragments. These captures are saved to your project so they can appear in your reports and history. You control whether to share or export them outside your workspace.
• LLM use without direct identifiers. To generate your report, we may use trusted AI processing services (category only). We do not include your account email or similar direct identifiers in those requests.
• Cookies (website only). Non-essential cookies/analytics run only with consent where required.
• No sale; limited sharing. We do not sell personal information. Website advertising tools, if used, may be considered "sharing" in some US states; we provide an opt-out and honor Global Privacy Control (GPC) where required.
• Your rights & deletion. You can request permanent deletion by email; in-product "delete" is archive only.

Table of Contents

1. Information We Collect
2. How We Use Information
3. Legal Bases (EU/UK)
4. When We Share Information
5. Cookies and Similar Technologies (Web)
6. Retention
7. Security
8. International Transfers
9. Children
10. Your Privacy Rights
11. Do-Not-Track & Global Privacy Control
12. California Notice (CPRA/CCPA)
13. Chrome Extension Privacy Disclosures
14. Updates
15. Governing Law
16. Contact
17. Access/Deletion Requests
18. Roles & Your Responsibilities (Controller/Processor)

1) Information We Collect

a) Information you provide

Account details (name, work email, company, hashed password if you create one), workspace/project names, content you upload, support requests, and community contributions. Prompts, comments, and project chats you create to review and improve your application.

b) Information collected automatically (website/app)

Log data (IP address, device/browser info, pages viewed, timestamps) and cookie-based analytics/functional data as described in Section 5.

c) Extension data (user-initiated only)

When—and only when—you run a full analysis of a page, the extension may capture:

• Screenshot of the current tab and selected DOM fragments needed to assess UX/product issues;
• Page URL, title, and technical metadata;
• Your prompts/instructions and project context.

We do not monitor in the background, read other tabs, or collect browsing history.

Live Chat Features (Multimodal): When using our live chat feature with voice enabled, audio input is transmitted in real-time to trusted AI processing services for voice interaction, and screenshots may be captured during the conversation to provide contextual assistance. Both audio and live chat screenshots are processed in real-time and not stored by Skippr after the session ends (unlike Captured Content from full page analyses, which is saved to your project).

Diagnostics/monitoring (extension). We collect limited telemetry (e.g., feature usage events, error rates, performance metrics) to monitor reliability and address bugs. This is not background browsing history.

2) How We Use Information

• Provide and improve the Services. Create and secure accounts, deliver reports, operate projects/collaboration, provide support, and improve features.
• Extension analysis & project memory. Lightweight checks may run locally; advanced analysis occurs on our servers and may use AI processing services (sub-processor category). We store the screenshots and DOM fragments you captured in your project so they appear in reports and history. You decide whether to share or export captures and reports outside your workspace. We also store derived analysis (e.g., issue lists, suggestions).
• Communications. Service and security notices; with your consent where required, product updates and marketing.
• Security and compliance. Detect and prevent fraud/abuse, meet legal obligations, and enforce terms.

3) Legal Bases (EU/UK)

We rely on:

• Contract (to provide core services you request);
• Legitimate interests (e.g., to secure and improve services, and to deliver extension analyses and project history you request as controller);
• Consent (e.g., marketing emails; non-essential website cookies/analytics where required);
• Legal obligations (e.g., tax/accounting, responding to lawful requests).

Where we store captures in your project, our legal basis is performance of a contract and/or our legitimate interests, balanced with your controls and rights.

4) When We Share Information

We do not sell personal information. We share information only with:

• Service providers / sub-processors (categories): cloud hosting, storage/backup, security and monitoring, analytics (web), payment processing, customer support, product/design tooling, and AI processing services (for extension analysis only).
• Corporate events: In M&A/financing scenarios we will continue to protect data as described here.
• Legal: Compliance with law, safety and rights protection; fraud/abuse prevention; responding to lawful requests.
• At your direction: When you integrate or export to services you choose.

If our websites use advertising or remarketing tools, that may be "sharing" for cross-context behavioral advertising in certain US states. You can opt out at any time via our "Do Not Sell or Share My Personal Information" link and via GPC signals where applicable.

We maintain a current list of sub-processor categories and can provide details upon request.

5) Cookies and Similar Technologies (Web)

• Essential cookies operate the site (auth, security, load balancing).
• Non-essential (analytics, A/B testing, advertising) run only with your consent where required.
• You can manage or withdraw consent at any time via "Cookie Settings". If you opt out, you can still use the site but some features may be limited.

(Cookies do not apply to extension storage; extension telemetry is covered in Section 1(c).)

6) Retention

We keep personal information only as long as needed for the purposes described or as required by law.

• Account/workspace data: until you delete your account or we no longer need it to provide the Services.
• Project chats, prompts, derived analyses, and captures (screenshots/DOM): 12 months by default (workspace-configurable) or until we process your permanent deletion request.
• Archive vs. permanent deletion. In-product "Delete" currently archives items (captures/projects) and removes them from normal views; it does not immediately erase underlying data. To request permanent deletion, follow Section 17. Once approved, we erase data from active systems within 30 days, and from encrypted backups on the next scheduled rotation (typically within 35 additional days). Where data was sent to approved processors, we instruct them to delete corresponding copies within 30 days, subject to their technical and legal limits.
• Support tickets: ~3 years after resolution.
• Billing/transaction records: 7 years (legal).
• Website cookies/analytics: per tool settings and your consent choices.

When deletion isn't immediately possible (e.g., backups), we isolate and delete on the next rotation.

7) Security

We use reasonable and appropriate safeguards, including encryption in transit/at rest (where applicable), role-based access controls with MFA for staff, secure development practices, logging/monitoring, vulnerability management, and an incident response process.

8) International Transfers

We operate from the United Kingdom with cloud infrastructure in the EEA and United States. Where required, we use recognized transfer mechanisms (e.g., adequacy decisions, standard contractual clauses with UK addendum, or other appropriate safeguards).

9) Children

The Services are not directed to children under 13 and the extension is intended for professional use. We do not knowingly collect personal information from children. If we learn we have, we will delete it.

10) Your Privacy Rights

Depending on your location, you may have rights to access, correct, delete (including permanent deletion of captures and project artifacts by request), restrict or object, withdraw consent, or data portability. You may also opt out of marketing at any time.

• EU/UK: You may lodge a complaint with your local supervisory authority.
• US states with privacy laws: You may have rights to know, delete, correct, and to opt out of targeted advertising ("sharing"). We honor GPC signals where required.
• Canada: You may access/correct your data and ask about cross-border processing and safeguards.

Contact privacy@skippr.ai to exercise your rights. We verify requests and respond within required timeframes.

11) Do-Not-Track & Global Privacy Control

We currently do not respond to legacy DNT signals (no industry standard). Where required by law, we honor GPC or other recognized universal opt-out signals for "sale"/"sharing" or targeted advertising.

12) California Notice (CPRA/CCPA)

• We do not sell personal information. Where our websites use advertising/remarketing tools, that may be "sharing"; opt out via the "Do Not Sell or Share" link or through GPC signals.
• You have rights to know, delete, correct, and to non-discrimination.
• We do not sell/share minors' personal information (under 16).
• Categories collected depend on your use: Identifiers (e.g., email), Internet/Network Activity (site analytics), Commercial Info (purchases), Inferences (product interest), and User Content you choose to analyze (extension). See Section 6 for retention.

13) Chrome Extension Privacy Disclosures

Requested permissions

activeTab (access only the tab you invoke when you run a full analysis), scripting (inject analysis helpers on demand), storage (save extension preferences locally), identity (workspace sign-in), sidePanel (in-product UI).

In-product capture notice (shown when you proceed)

Operation statement

The extension does not run in the background, read other tabs, or collect browsing history.

If you archive a capture in the product, you may request permanent deletion at any time via privacy@skippr.ai as described in Section 17.

14) Updates

We may update this Policy. The "Effective Date" will change and, for material updates, we will provide reasonable notice.

15) Governing Law

This Policy is governed by the laws of England and Wales, with exclusive jurisdiction of its courts.

16) Contact

Data Protection Officer: dpo@skippr.ai

General privacy inquiries: privacy@skippr.ai

Postal: Skippr Ltd., address above.

17) Access/Deletion Requests

Submit privacy requests by emailing privacy@skippr.ai from the email on your account. Include:

• Request type: access, correction, permanent deletion (erasure), portability, restriction, or objection;
• Scope: account, workspace, project(s), capture ID(s) (if known), relevant dates/URLs;
• Authority: if acting for an organization, your role (e.g., workspace admin) and authorization if required.

Verification

We may verify identity and (for workspace requests) administrative authority.

What we delete

For approved permanent deletion requests, we erase specified captures (screenshots/DOM), derived analyses, project artifacts, and related metadata from active systems and instruct sub-processors to delete corresponding data. We retain data we must keep by law (e.g., billing records, security logs) for the required period only.

Timelines

We respond within legal timeframes (generally 30 days). Erasure from active systems is typically completed within 30 days of approval; backups are overwritten on the next scheduled rotation (typically within 35 additional days).

Limitations

We may decline or limit a request where identity/authority cannot be verified, where it would adversely affect others' rights, or where retention is legally required. If denied, we explain why and how to appeal if applicable.

18) Roles & Your Responsibilities (Controller/Processor)

• Website/app: Skippr is Controller.
• Extension analyses: You (or your organization) act as Controller of the page content you choose to analyze; Skippr acts as Processor on your documented instructions (DPA available on request).