Privacy Policy v1.0 — SkillMap
Effective date: 2026-04-13

1. WHO WE ARE

SkillMap is a personal skill tracking and career development platform. This privacy policy explains how we collect, use, and protect your personal data in compliance with the EU General Data Protection Regulation (GDPR).

1. WHAT DATA WE COLLECT

When you create an account, we collect:

• Account data: first name, last name, middle name (optional), email address, password (hashed with SHA-256 + unique salt — never stored or transmitted in plain text)
• Profile data (optional, editable): display name, location, current role, bio
• Skill data: skill states (learning, self-assessed, tested), tool usage states, test scores and history, sub-skill progress
• Certificate data: uploaded certificate files (PDF/image), extracted course name, provider, issue date, linked skills, verification status
• Activity data: timestamps of skill state changes, test attempts, certificate additions
• Job analysis data: saved "dream job" skill requirements (the job posting text itself is not permanently stored)
• Consent records: timestamp, policy version, hashed IP address (see Section 5)

We do NOT collect: browsing history, device fingerprints, tracking cookies, behavioral analytics, location data, or any data from third-party sources.

1. HOW WE USE YOUR DATA

3.1 Account management
Your email and password are used for registration, authentication, email verification, and password reset. Your email is also used to send transactional emails (verification, password reset, account deletion notices) via Resend.

3.2 Skill tracking
Your skill states, tool states, and test history are stored to display your personal skill map and track your learning progress over time.

3.3 Skill testing
When you take a skill test, your answers and scores are recorded. Test questions are fetched from our question bank API. Your answers are stored to calculate scores and prevent re-use of questions. No answer data is shared with third parties.

3.4 Certificate verification
When you upload a certificate (PDF or image):

• We extract text from the file using OCR (for images) or PDF text extraction
• We parse the certificate to identify: course name, provider, issue date, and the person's name printed on the certificate
• We compare the extracted name with your profile name (first name + last name) to verify that the certificate belongs to you
• This comparison uses normalized text matching (case-insensitive, diacritics-insensitive, name order variants) and fuzzy matching (Levenshtein distance)
• The verification result (verified/unverified/rejected) and confidence score are stored with the certificate metadata
• Your certificate files are stored on our server and accessible only by you
• IMPORTANT: We never send your name, email, or certificate file to any AI service. Only the course name and provider are sent to AI for skill identification.

3.5 Job analysis
When you paste a job posting in the Job Analyzer:

• The job posting text is sent to Mistral AI to extract required skills
• No personal data (name, email, profile) is included in this request
• Extracted skills are matched against our skill tree and displayed on your map
• If you save a "dream job", only the matched skill IDs are stored in your profile
• The analyzed posting may be saved to our postings database with source_type "analyzer" for aggregate skill trend analysis. This contains only: company name, position, location, extracted skills — no personal data.

3.6 AI processing summary
We use AI services (Anthropic Claude, Mistral) exclusively for:

• Certificate skill lookup: receives ONLY course name + provider
• Job posting skill extraction: receives ONLY the job posting text

No personal data is ever sent to AI services. AI providers do not have access to your account, profile, skill data, or certificate files.

1. LEGAL BASIS

We process your data based on GDPR Article 6(1)(a) — your explicit consent, given at registration via two mandatory checkboxes:

1. Agreement to this Privacy Policy
2. Consent to processing personal data for account management and certificate verification

We retain anonymized consent records after account deletion based on GDPR Article 6(1)(c) — legal obligation to demonstrate that valid consent was obtained.

1. DATA STORAGE AND SECURITY

• Server location: Hetzner, Germany (EU jurisdiction)
• Passwords: hashed with SHA-256 + unique random salt per user
• Sessions: JWT tokens (24-hour expiration), refresh tokens (7-day expiration)
• Certificate files: stored server-side, accessible only by the file owner
• Consent records: IP address stored as SHA-256 hash (not raw IP), user ID anonymized after account deletion
• Login protection: account locked for 15 minutes after 5 failed login attempts
• Email tokens: single-use, 24-hour expiration, stored as SHA-256 hash (raw token only in email)
• Rate limiting: maximum 3 verification/reset emails per 12 hours, 30 quiz questions per minute

1. DATA SHARING

We do NOT sell, rent, or share your personal data with any third party.

Services that process data on our behalf:

• Resend (resend.com): transactional email delivery. Receives only your email address and the email content (verification link, password reset link). Resend's privacy policy: https://resend.com/legal/privacy-policy
• Hetzner (hetzner.com): server hosting in Germany. Infrastructure provider — does not have application-level access to your data.
• Mistral AI: receives only job posting text for skill extraction. No personal data.
• Anthropic (Claude): receives only course name + provider for certificate skill lookup. No personal data.

No advertising networks, no analytics services, no tracking pixels, no social media integrations.

1. YOUR RIGHTS UNDER GDPR

You have the following rights, exercisable at any time:

• Right of access (Art. 15): view all your data in your profile page, or export it as JSON
• Right to rectification (Art. 16): edit your display name, location, role, and bio at any time
• Right to erasure (Art. 17): delete your account from the profile page. After a 30-day grace period (during which you can cancel), all personal data is permanently deleted.
• Right to data portability (Art. 20): export your complete profile (skills, certificates, test history) as JSON
• Right to withdraw consent (Art. 7(3)): delete your account at any time, which withdraws all consent
• Right to lodge a complaint: you may file a complaint with your local data protection authority

1. DATA RETENTION

Your data is retained for as long as your account is active.

When you delete your account:
DELETED: name, email, password hash, skill states, tool states, certificates (files + metadata), test history (questions + answers + scores), dream job data, activity log, sessions
RETAINED (anonymized, for legal compliance): consent records with anonymized user ID (SHA-256 hash), consent timestamps, policy versions accepted, hashed IP address. These records contain no personally identifiable information and exist solely to demonstrate that valid consent was obtained, as required by GDPR Article 6(1)(c).
RETAINED (aggregated, anonymous): skill popularity statistics (e.g., "Python was learned by N users"), test difficulty statistics (e.g., "question X has 40% pass rate"). These are aggregate counters with no link to any individual user.

1. COOKIES AND LOCAL STORAGE

We use only essential storage for authentication:

• localStorage: JWT access token, refresh token, user profile cache

We do NOT use: tracking cookies, analytics cookies, third-party cookies, advertising cookies, or any non-essential cookies.

1. CHILDREN

SkillMap is not directed at children under 16. We do not knowingly collect personal data from children under 16. If we become aware that we have collected data from a child under 16, we will delete the account and all associated data promptly.

1. INTERNATIONAL TRANSFERS

All data is processed and stored within the European Union (Germany). We do not transfer personal data outside the EU/EEA. AI API calls to Anthropic and Mistral may be processed on servers outside the EU, but these calls contain no personal data (see Section 3.6).

1. CHANGES TO THIS POLICY

When we update this policy:

• We increment the version number (v1.0 → v1.1 → v2.0)
• We update the effective date
• The full text of every version is stored permanently in our database with a cryptographic hash
• If changes are material, existing users will be asked to review and accept the new version on their next login
• Previous versions remain accessible at /privacy?version=v1.0
• The version and hash that each user consented to is recorded in their consent record

1. CONTACT

For questions about this privacy policy or to exercise your data rights, contact us via the email associated with your SkillMap account.

Privacy Policy v1.0
Effective: 2026-04-13
SkillMap