The SkillRoot Privacy Pledge

Five promises. Written in plain English. The same five we'll still be making in ten years.

01

We never sell your data

Not to advertisers. Not to data brokers. Not to political campaigns. Not bundled, anonymized, or 'aggregated.' Selling user data is structurally incompatible with our mission, and our governance structure (see §11.5 of the plan) is being built to make that impossible — even under future ownership.

02

No third-party tracking pixels or session-replay tools

No Facebook Pixel. No Google Analytics. No Hotjar, FullStory, LogRocket, or any other vendor that records what you click, type, or hover. We measure aggregate counts (how many trades happened this week) using our own first-party analytics, and that's it.

03

Precise location is used only for distance math

We store your ZIP code so we can match you with neighbors within your chosen radius. Other users only ever see 'X miles away' — never your ZIP, never your address, never your coordinates. The raw distance computation happens server-side and the result is rounded.

04

One-click export of everything we have on you

From your profile page, you can download a single JSON file containing every record we hold — your profile, skills, matches, messages, reviews, push subscriptions, the lot. No support ticket. No 30-day waiting period. One click.

05

Two-click delete of everything

Click 'Delete account' and confirm once. Within minutes your profile, skills, messages, reviews, and push subscriptions are gone. Aggregate trade counts (with your name removed) remain so we can keep reporting community impact honestly — that's the only thing that survives.

What we collect, and why

Every piece of data we store, in one table. If it's not on this list, we don't have it.

DataWhy we store it
Email + display nameSign-in and so neighbors know who they're trading with.
ZIP code + search radiusMatch you with nearby neighbors. Never shown to other users.
Skills you offer + wantThe whole point of the app.
Messages and connection historySo you can pick up a conversation where you left off.
Reviews you give and receiveTrust signal so good neighbors get more matches.
Push subscription tokensOnly if you opt in. Used to send match notifications.
Aggregate event counts (no PII)Internal weekly review and quarterly /impact report.

How we keep it safe

  • Row-Level Security on every table — your data is invisible to other users at the database level, not just the app layer.
  • All secrets (push keys, service tokens, third-party API keys) live in encrypted secret storage — never in code, never in client bundles.
  • Quarterly automated security linter pass plus a manual RLS audit by a second reviewer.
  • Independent penetration test before any state grant disbursement.
  • Public security.txt and a $50–$500 bug bounty once we cross 5,000 users.

Retention

Messages
18 months, then auto-purged unless you pin them
Push subscriptions
Pruned after 90 days of failed deliveries
Inactive accounts
Warning at 18 months, anonymized at 24 months
Analytics events
Aggregated to daily counters at 90 days; raw rows purged

Compliance

  • • COPPA — under-13 accounts not allowed.
  • • WV consumer data protection — opt-out of sale (we don't sell anyway) and full deletion rights.
  • • WCAG 2.2 AA accessibility — automated checks in CI, manual quarterly audit.
  • • CAN-SPAM — every email has a one-click unsubscribe link.

Questions, concerns, or a security report?

Email privacy@skillroot.app and a real human will reply within two business days.

Last updated April 2026. Material changes will be announced by email and dated here.