SkillAuthorRegistry of AI Skills
Article III

Privacy notice

Effective 12 May 2026. We update this page from time to time and note the effective date here.

This notice describes what personal data SkillAuthor collects, why, how long we keep it, and the rights you have under the EU General Data Protection Regulation (Regulation (EU) 2016/679 — GDPR). The data controller for SkillAuthor is Netvista Media S.L..

1. What we collect

  • Name and email you supply at registration. The name is printed on the certificate and is publicly visible on the verification page for the registration; the email is used for the payment receipt, for our own registration-confirmation mail, and for authorship-verification correspondence. Your email is not published.
  • The .mdc file you submit, including its full contents, filename and size. The file is stored permanently and publicly verifiable by registration number or SHA-256 hash.
  • Payment metadata from Stripe: the checkout session ID, the payment intent ID, the Stripe customer ID, the card brand, last 4 digits, and country. We never see or store full card numbers — Stripe handles those under PCI-DSS.
  • Standard web logs (IP address, user agent, timestamps) — retained for 30 days for security, fraud-prevention and incident-response purposes, then deleted.

2. Why we collect it (legal basis)

Performance of the registration contract (Article 6(1)(b) GDPR) for everything required to issue the certificate, ship the email and maintain the public record. Legitimate interest (Article 6(1)(f)) for short-term security logs and abuse prevention. We do not rely on consent for any of the above, and we do not sell, rent, or share personal data for advertising.

3. Retention

Registration records (the file, hash, author name, registration number, payment metadata) are retained indefinitely— that is the entire point of the service. Web logs are deleted after 30 days. Receipts and invoices are retained for the period required by Spanish tax law (typically six years).

4. Your rights

Under GDPR you have the right to access, rectify or erase your personal data, to restrict or object to processing, and to data portability. Erasure of the cryptographic ledger entry would defeat the service's purpose; if you exercise the right to erasure we will replace your author name with “Author withdrawn” while preserving the hash, registration number, and timestamp. The certificate PDF you downloaded remains valid and verifiable offline regardless.

You also have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) or with the supervisory authority in your country of habitual residence.

5. Data processors

  • Stripe Payments Europe Ltd. (Ireland) — payment processing.
  • Hetzner Online GmbH (Germany) — server hosting, EU region.
  • Cloudflare, Inc. — DNS, TLS termination, edge caching and transactional-email delivery for skillauthor.com.

Each processor operates under a data processing agreement compliant with Article 28 GDPR.

6. International transfers

Stripe and Cloudflare may transfer data outside the EEA under Standard Contractual Clauses and additional safeguards. No transfer takes place without an adequate legal basis.

7. Contact

Direct privacy or data-subject requests to [email protected]. We respond within the one-month window required by Article 12(3) GDPR.