Legal

Privacy Policy

Skrybo collects the minimum data needed to run your audits and rank tracking. This Policy explains what that is, how it is protected, and the choices you have.

Last updated: July 2026

1. Overview

This Privacy Policy explains what Skrybo collects, why, how it is protected, and the choices you have. It applies to the hosted Service at skrybo.com and to self-hosted instances running the same software.

For self-hosted deployments, Skrybo the organisation has no access to your data — everything runs on your own infrastructure. The information below describes the hosted Service.

2. Data we collect

Account data. Name, email address, password (scrypt hash only), preferred language, role, and email-verification state. Optional Google OAuth profile if you sign in with Google.

Session data. Session token, IP address, and user agent stored with each session for security and abuse prevention.

Usage data. Per-account monthly counters for tracked keywords, audits, audit pages, backlink rows, AI summaries, and seats. These counters enforce plan limits.

Product data. Domains you add, tracked keywords, rank history, audit reports, backlink rows, competitor sets, and keyword-research results. This is the working data the Service produces for you.

Billing data. Subscription tier, invoices, and credit-ledger entries. Card details are handled by Polar; Skrybo does not store full card numbers.

Vendor credentials. Google Search Console refresh tokens and DataForSEO credentials, when you configure them. These are encrypted at rest with AES-256-GCM under a master key.

Contact-form messages. If you use the contact form, the message content and your email address are delivered to our support inbox via Resend.

3. How we use your data

We use the data above to:

  • Provision and operate your account, sites, and audits.
  • Enforce plan limits and prevent abuse through rate limiting and cross-account isolation.
  • Process payments through Polar and maintain an invoice and credit-ledger history.
  • Send transactional email: verification, password reset, audit completion, rank-drop alerts, and deletion warnings. Marketing email is opt-out and only sent if the corresponding preference is enabled.
  • Generate AI summaries when the feature is enabled. Only the generated rule copy and site domain are sent to the AI model — never raw HTML, vendor payloads, or your personal data.
  • Maintain audit logs for security. Audit logs never record email addresses, request bodies, headers, or sensitive parameters.

4. Cookies and similar technologies

Session cookie. A single httpOnly, SameSite=Lax cookie (better-auth.session_token) keeps you signed in. It is marked Secure in production.

CSRF cookie. A double-submit token (x-csrf-token by default) protects forms. It is SameSite=Strict and Secure in production.

Language cookie. A lang cookie stores your interface-language preference for one year.

Skrybo does not use analytics, advertising, or third-party tracking cookies.

5. Data sharing and sub-processors

Skrybo shares data only with the sub-processors required to run the Service:

  • Polar — payment processing and subscription management. Receives product IDs, customer references, and webhook events. Does not receive your audit or rank data.
  • DataForSEO — keyword, rank, backlink, and competitor signals. Receives the domains and keywords you track.
  • Google APIs (Search Console, PageSpeed Insights, CrUX) — on-page audits and page-speed signals. Receives the public URLs you audit.
  • Anthropic — AI summary generation, when enabled. Receives only generated rule copy and the site domain; never raw HTML, vendor payloads, or personal data.
  • Resend — transactional and notification email delivery.

Each sub-processor is bound by its own data-protection terms. Skrybo does not sell your data.

6. Security safeguards

  • Vendor secrets and refresh tokens are encrypted at rest with AES-256-GCM using a master key.
  • Passwords are hashed with scrypt via Better Auth; plaintext passwords are never stored.
  • Cross-account isolation: every product route verifies ownership and returns 404 (not 403) for foreign resources so existence never leaks.
  • Rate limits on authentication and webhook routes reduce brute-force and volumetric abuse.
  • Two-factor authentication (TOTP + backup codes) is available on all accounts and required for admins.
  • CSRF is enforced via Origin and trusted-origins checks plus the double-submit cookie.

No system is perfectly secure. If you believe you have found a vulnerability, please contact security@skrybo.com before public disclosure.

7. Data retention

Skrybo retains product data (audits, rank history, keyword research) for as long as your account is active. Inactive accounts may have cached vendor data pruned to free space, but your owned data remains until you export or delete it.

Billing records (invoices, credit ledger) are retained for the period required by tax law in the operating jurisdiction.

Audit logs that carry security-relevant metadata are retained on a rolling basis and never contain email addresses or request bodies.

8. Your rights (GDPR and similar)

Depending on your jurisdiction (EU/EEA, UK, California, etc.) you may have the right to:

  • Access a copy of your personal data.
  • Correct inaccurate data.
  • Export your data — every audit report and rank-history dataset is exportable as CSV or JSON at any time.
  • Delete your account. Deletion enters a 30-day grace period during which you can cancel. A final warning email is sent 24 hours before the purge. A legal hold may delay deletion where required by law.
  • Object to or restrict certain processing, and withdraw consent for marketing email at any time via notification preferences.
  • Lodge a complaint with your supervisory authority if you believe processing violates applicable law.

To exercise any of these rights, use the in-app data-rights endpoints (/api/legal/*) or contact privacy@skrybo.com.

9. International data transfers

Your data may be processed by Skrybo and its sub-processors in jurisdictions outside your country of residence. Where the EU/EEA is involved, transfers rely on appropriate safeguards such as Standard Contractual Clauses or another lawful transfer mechanism.

Self-hosted deployments keep all data on your own infrastructure; no transfer to Skrybo occurs.

10. Children’s privacy

The Service is not directed to children under 16. Skrybo does not knowingly collect personal data from children. If you believe a minor has registered, contact privacy@skrybo.com and the account will be removed.

11. Self-hosted deployments

On a self-hosted instance you control the infrastructure, the encryption keys, and the vendor integrations. Skrybo the organisation does not receive data from your instance. You are responsible for compliance with this Policy’s obligations (including data-subject requests) for data you process on your own deployment.

12. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be announced by email (to verified accounts) or in-app at least 30 days before taking effect. The “Last updated” date below reflects the most recent revision.

13. Contact

Questions about this Privacy Policy or a data-subject request? Contact privacy@skrybo.com.