Privacy Policy
As of: June 2026
Convenience translation. In case of discrepancies, the German version is legally authoritative.
Last updated: June 2026.
1. Controller
Controller within the meaning of the GDPR: Cornelius Krämer, Kalkstraße 135, 51377 Leverkusen, email: [email protected]. Further details in the Legal Notice.
2. Your rights
You have the right at any time to information (Art. 15 GDPR), rectification (Art. 16), erasure (Art. 17), restriction (Art. 18), data portability (Art. 20) and objection (Art. 21). An email to the address above is sufficient for requests.
Right to complain: You have the right to lodge a complaint with a data protection supervisory authority. The authority responsible for us is the State Commissioner for Data Protection and Freedom of Information of North Rhine-Westphalia (LDI NRW), Kavalleriestraße 2–4, 40213 Düsseldorf, Germany, ldi.nrw.de. You may also contact the supervisory authority of your place of residence.
No automated decision-making: No automated decision-making, including profiling within the meaning of Art. 22 GDPR, takes place.
3. Server log files & hosting
The site is served by Railway (region EU-West) via the Caddy web server; DNS, TLS protection and the CDN run via Cloudflare. For technical reasons, server log files are generated on each request (incl. IP address, browser type/version, operating system, referrer URL, time). The legal basis is our legitimate interest in secure, stable operation and in defending against attacks (Art. 6 (1) (f) GDPR). All data is transmitted exclusively via TLS/HTTPS encryption.
4. Local settings & cart
Theme (light/dark), language choice and the cart are stored exclusively locally in the browser (localStorage/sessionStorage: sfa-theme, sfa-lang, sfa-cart, sfa-last-order) and are not transmitted to us as long as you do not trigger a purchase/unlock. Fonts are served locally — no Google Fonts CDN. Without your consent, no analytics or marketing cookies are set.
5. Account & sign-in
For “My Skills”, purchases and downloads you can create an account. Authentication is handled by Supabase (auth/database/storage; region EU). Sign in either via magic link (passwordless by email) or via OAuth with Google, GitHub or Discord. We process your email address, possibly the provider’s display name/avatar and an internal user ID; multiple sign-in methods with the same email are assigned to the same account. Legal basis: contract/pre-contractual measures (Art. 6 (1) (b) GDPR). Providing this data is voluntary; without an account you can continue to use the freely accessible areas, but not personal features such as “My Skills”, unlocks or downloads. If you sign in via Google, GitHub or Discord, we obtain your display name and avatar from the respective provider as the data source (Art. 14 GDPR).
6. Free of charge
All Skills & Agents are currently provided free of charge. No payment processing takes place; no payment data is collected and no data is transmitted to a payment service provider.
7. Delivery & license key
Free-of-charge unlocked skills are delivered only after sign-in and ownership check — either via an install command (CLI) or via short-lived, signed download links from non-public storage. A personal LICENSE.txt is embedded in the downloaded file as proof of license, containing your license key, your email address, the purchase date and the order reference. Legal basis: contract (Art. 6 (1) (b) GDPR).
8. Statistics
We count only aggregated view and download numbers per skill. No IP addresses, no visitor IDs and no personal data are stored; a cookie banner is not required for this. Legal basis: legitimate interest in simple reach measurement (Art. 6 (1) (f) GDPR).
Web analytics & advertising with Google — only with your consent
If you agree in the cookie banner, we use Google Analytics 4 (reach and usage analysis) and/or Google Ads (ad performance measurement, remarketing). The provider is Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland (parent company: Google LLC, USA). Cookies or similar identifiers are set and usage and device data are processed.
The Google tags are loaded only after your consent — before that, no connection to Google takes place (Google Consent Mode, "basic" variant). The legal basis is your consent (Art. 6 (1) (a) GDPR); the associated data transfer to the USA is based on your explicit consent (Art. 49 (1) (a) GDPR) and the EU-US Data Privacy Framework. You can withdraw or adjust your consent at any time with effect for the future via "Cookie settings" in the footer.
9. Newsletter
If a newsletter is offered and subscribed to by you, we process your email address using the double opt-in procedure on the basis of your consent (Art. 6 (1) (a) GDPR). Consent can be withdrawn at any time with effect for the future. (Currently not active.)
10. Contacting us
When you contact us by form or email, we process your details to handle the request (Art. 6 (1) (b) or (f) GDPR).
11. Recipients & processors
We use carefully selected service providers as processors and, where required, conclude data processing agreements pursuant to Art. 28 GDPR (or rely on their standard data processing clauses) with them:
- Supabase — account/authentication, database, file storage (region EU).
- Railway — application hosting (region EU-West).
- Cloudflare — DNS, CDN, TLS and attack defense (USA/global).
- Strato — domain registration.
12. Transfer to third countries
Some services (especially Cloudflare) may process data in the USA. A transfer takes place only on the basis of appropriate safeguards (EU standard contractual clauses or the EU-US Data Privacy Framework).
13. Storage period
We store account/ownership data for as long as the account exists or as long as this is necessary to provide purchased skills. Server log files are kept only briefly for operational security. Otherwise we delete data as soon as the purpose ceases to apply.