Privacy Policy

Last updated: March 9, 2026

1. What We Collect

Account data

When you sign in with GitHub, we receive and store your name, email address, and avatar URL from your GitHub profile. We do not access your private repositories or GitHub credentials.

Session data

We store your IP address and user agent string with each session for security purposes. Sessions expire after 7 days.

Published content

Skills you publish (SKILL.md files and associated packages), reviews, and profile information are stored on our servers and displayed publicly on the Platform.

CLI telemetry

The osk CLI collects anonymous usage data including: a hashed machine identifier (not personally identifiable), command names, skill slugs, CLI version, operating system, and CPU architecture. If you are logged in, your user ID may also be included. Telemetry helps us understand usage patterns and improve the tool.

Analytics

We use Vercel Analytics and Vercel Speed Insights to collect anonymous page view and performance data. These services are operated by Vercel Inc. and do not use third-party tracking cookies. See Vercel's privacy policy for details.

2. What We Do Not Collect

  • We do not collect payment information. No payment processing is currently active.
  • We do not use third-party advertising or ad-tracking services.
  • We do not sell or share personal data with third parties for marketing.
  • We do not access your private GitHub repositories.

3. Cookies

We set a single authentication cookie when you sign in. This cookie is HTTP-only, SameSite=Strict, and Secure in production. It is used solely to maintain your session. We do not use tracking or advertising cookies.

4. How We Use Your Data

  • To authenticate you and maintain your session.
  • To display your published skills and reviews on the Platform.
  • To run automated security audits on published skills.
  • To monitor and improve Platform performance and reliability.
  • To enforce our Terms of Service and prevent abuse.

5. Third-Party Services

The Platform relies on the following third-party services that may process your data:

  • GitHub — OAuth authentication and public repository indexing.
  • Vercel — Hosting, analytics, and performance monitoring.
  • S3-compatible storage — Skill package file storage.

6. Data Retention

Account data is retained as long as your account is active. Sessions expire after 7 days. CLI API tokens expire after 90 days. Published content remains available until you delete it or request its removal. Telemetry data is retained in aggregate form.

7. Account Deletion

To request deletion of your account and associated data, contact us via GitHub. Upon account deletion, your sessions, API tokens, and authentication records are automatically removed. Published skills may be retained in anonymized form if they have been installed by other users.

8. Security

We use HTTPS, HTTP-only cookies, rate limiting, and content security policies to protect your data. Authentication tokens are hashed before storage. However, no system is perfectly secure, and we cannot guarantee absolute security.

9. Changes

We may update this Privacy Policy at any time. Material changes will be communicated via the Platform. Continued use after changes constitutes acceptance.

10. Contact

For privacy-related questions or data deletion requests, open an issue at github.com/vudknguyen/openskill.