Privacy Policy

This Privacy Policy explains how SkillsRX Ltd ("we," "us," or "our") collects, uses, stores, and protects your personal data when you use the SkillsRX mobile application ("the App") and the website at skillsrx.app ("the Website"), collectively referred to as "the Service."

SkillsRX Ltd is a company registered in England and Wales.

Registered office: [INSERT REGISTERED ADDRESS]

We are the data controller for your personal data. We are committed to protecting your privacy in accordance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

By using the Service, you acknowledge that you have read and understood this Privacy Policy. If you do not agree with our practices, please do not use the Service.

2.1 Information You Provide

• Account information: Email address and password when you create an account
• Profile information: Your chosen display name
• Training data: Skill path selections, assessment responses, session feedback (Too Easy / Just Right / Too Hard), and exercise completion data
• Payment information: Subscription plan selection and payment method (processed by Apple, Google, or Stripe — we do not store your card details directly)
• Communications: Any messages you send to us via support@skillsrx.app

2.2 Information Collected Automatically

• Usage data: App opens, sessions started, sessions completed, features used, skill paths accessed, levels progressed through
• Device information: Device type, operating system version, app version, screen resolution
• Error data: Crash reports and error logs to help us fix bugs and improve stability
• Push notification tokens: If you enable push notifications, we store a device token to deliver notifications

We do not collect location data, contacts, photos, or any data from other apps on your device.

We use your personal data for the following purposes:

• Providing the Service: Delivering adaptive training sessions, tracking your progress, managing your subscription, and personalising your experience based on your feedback and skill level
• Communications: Sending transactional emails (welcome emails, trial reminders, purchase receipts), responding to support requests, and sending the weekly Coach's Corner notification
• Improving the Service: Analysing usage patterns to improve the adaptive algorithm, fix bugs, and develop new features
• Payment processing: Managing subscriptions, processing payments, and handling refunds
• Legal compliance: Complying with applicable laws, regulations, and legal processes

We do not use your data for advertising. We do not sell your data to third parties. We do not build advertising profiles.

Under the UK GDPR, we process your personal data on the following legal bases:

• Performance of a contract: Processing necessary to provide you with the Service you have subscribed to (account management, session delivery, progress tracking, payment processing)
• Legitimate interests: Analytics and error monitoring to improve the Service, provided this does not override your rights and freedoms
• Consent: Push notifications and marketing communications (you can withdraw consent at any time)
• Legal obligation: Where we are required to process data to comply with applicable law

We use the following third-party services to operate the Service. Each processes data on our behalf as a data processor:

5.1 Supabase (Database and Authentication)

• Data processed: Account information, training data, session history, progress records
• Location: Cloud infrastructure (check current hosting region at supabase.com)
• Purpose: Database storage, user authentication, and backend functions
• Privacy policy: supabase.com/privacy

5.2 Stripe (Web Payment Processing)

• Data processed: Email address, subscription plan, payment method details
• Location: United States and EU (with appropriate safeguards)
• Purpose: Processing web subscription payments
• Privacy policy: stripe.com/privacy
• Note: For iOS and Android subscriptions, payments are processed by Apple and Google respectively, under their own privacy policies

5.3 RevenueCat (Subscription Management)

• Data processed: Anonymous app user ID, subscription status, purchase history, platform (iOS/Android)
• Location: United States (with appropriate safeguards)
• Purpose: Managing in-app subscriptions across platforms, syncing entitlement status
• Privacy policy: revenuecat.com/privacy

5.4 Cloudflare Stream (Video Hosting)

• Data processed: IP address, video playback data (which videos viewed, playback duration)
• Location: Global CDN (served from nearest edge location)
• Purpose: Hosting and delivering exercise demonstration videos
• Privacy policy: cloudflare.com/privacypolicy

5.5 PostHog (Analytics)

• Data processed: Anonymous usage events (app opens, sessions started, features used), device type, OS version, app version
• Location: EU (PostHog Cloud EU)
• Purpose: Understanding how the App is used to improve features and fix issues
• Privacy policy: posthog.com/privacy
• Note: We do not use PostHog for advertising or user profiling. Analytics data is used solely to improve the Service.

5.6 Sentry (Error Monitoring)

• Data processed: Error and crash data, device information, OS version, app version, anonymous user identifier
• Location: United States (with appropriate safeguards)
• Purpose: Detecting, diagnosing, and fixing bugs and crashes
• Privacy policy: sentry.io/privacy

5.7 Resend (Transactional Email)

• Data processed: Email address, email content (welcome emails, trial reminders, purchase receipts)
• Location: United States (with appropriate safeguards)
• Purpose: Sending transactional and service-related emails
• Privacy policy: resend.com/legal/privacy-policy

5.8 Expo Push Notifications

• Data processed: Push notification token, notification content
• Location: United States (with appropriate safeguards)
• Purpose: Delivering push notifications to your device
• Privacy policy: expo.dev/privacy

The Website (skillsrx.app) uses only essential cookies required for the website to function (such as session management). We do not use advertising cookies, tracking cookies, or third-party marketing pixels.

The App does not use cookies. Analytics within the App are handled by PostHog as described in Section 5.5.

We retain your personal data for as long as your account is active and for a period of 30 days after account deletion, after which your data is permanently deleted from our systems.

Specific retention periods:

• Account and profile data: Duration of account plus 30 days
• Training and session data: Duration of account plus 30 days
• Payment records: As required by UK tax law (typically 6 years) — held by payment processors (Stripe, Apple, Google)
• Error logs (Sentry): 90 days
• Analytics data (PostHog): Anonymised and retained for up to 12 months
• Email records (Resend): 30 days after account deletion
• Support communications: Duration of account plus 30 days, unless a longer period is required for legal purposes

We implement appropriate technical and organisational measures to protect your personal data, including:

• Encryption of data in transit (TLS/HTTPS)
• Encryption of data at rest (database-level encryption via Supabase)
• Secure password hashing (bcrypt)
• Row-level security policies on all database tables (users can only access their own data)
• Regular security updates and dependency monitoring
• Access controls limiting who can access production data

While we take reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.

Under the UK GDPR, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you
• Right to rectification: Request correction of inaccurate or incomplete data
• Right to erasure: Request deletion of your personal data (subject to legal retention requirements)
• Right to restrict processing: Request that we limit how we use your data
• Right to data portability: Request your data in a structured, commonly used, machine-readable format
• Right to object: Object to processing based on legitimate interests
• Right to withdraw consent: Withdraw consent for push notifications or marketing at any time

To exercise any of these rights, contact us at support@skillsrx.app. We will respond to your request within one month, as required by law. If your request is complex, we may extend this by a further two months, and we will inform you if this is the case.

If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):

• Website: ico.org.uk
• Telephone: 0303 123 1113

Some of our third-party service providers are based outside the United Kingdom (primarily in the United States). Where personal data is transferred outside the UK, we ensure appropriate safeguards are in place, including:

• Standard Contractual Clauses (SCCs) approved by the UK Government
• Adequacy decisions where applicable
• The service provider's participation in recognised data protection frameworks

The Service is intended for users aged 18 and over. We do not knowingly collect personal data from anyone under the age of 18. If we become aware that we have collected data from a person under 18, we will take steps to delete that data promptly and terminate the associated account.

If you believe a child under 18 has provided us with personal data, please contact us at support@skillsrx.app.

We may update this Privacy Policy from time to time. If we make material changes, we will notify you via email or an in-app notice at least 14 days before the changes take effect.

The "Last updated" date at the top of this policy indicates when the most recent changes were made. We encourage you to review this policy periodically.

If you have any questions about this Privacy Policy or how we handle your data, please contact us:

SkillsRX Ltd
Email: support@skillsrx.app
Registered in England and Wales
Registered office: [INSERT REGISTERED ADDRESS]