/createskills
Sign in

Privacy Policy

Last updated: April 24, 2026

This privacy policy explains how Yong Ventures Pte. Ltd. ("createskills", "we", "us") collects, uses, and protects your information when you use the createskills web app at createskills.io, the createskills Chrome extension, and the createskills iOS app. The same policy applies across all three surfaces; differences in data collection are flagged in the relevant sections below.

Who we are

createskills is a service operated by Yong Ventures Pte. Ltd., a company incorporated in Singapore (UEN 202531715G) with its registered office at 160 Robinson Road #14-04, Singapore Business Federation Center, Singapore 068914. We are the data controller for the personal information described in this policy.

What this policy covers

This policy covers three products that share a single account system:

  • The web app at createskills.io, where you sign in, manage your subscription, and read public pages.
  • The Chrome extension, which captures web pages, YouTube and Instagram content, PDFs, and images, and generates AI "skill" files from them.
  • The iOS app ("createskills: URL to Markdown"), which captures URLs from the iOS share sheet and stores them as readable markdown.

Information we collect

We collect only what is needed to operate the service. Specifically:

Account information (all surfaces)

  • Email address — used to send a one-time sign-in code and to identify your account.
  • Account identifier — a randomly generated user ID assigned by our authentication provider (Supabase) and an associated session token stored on your device to keep you signed in.

Billing information (web only)

  • Your subscription plan, status, period dates, and a counter of skills generated in the current billing period.
  • A Stripe customer identifier and a Stripe subscription identifier so we can match invoices and webhooks to your account.
  • Payment card details are collected and stored by Stripe directly. We never see or store full card numbers.

Content you capture (extension and iOS app)

  • The URL, title, and favicon of any page or video you choose to capture.
  • The extracted markdown of that content, including transcripts for YouTube videos and Instagram Reels when you capture them.
  • Any files (PDFs, images) you attach when generating a skill, and any prompts or instructions you write to transform that content.

Captured content is held locally on your device (in IndexedDB on the extension, in Core Data on iOS) and, if you are signed in, is synced to your cloud feed so it appears across your devices.

Information we do not deliberately collect

We do not run any third-party analytics SDK, advertising SDK, or crash-reporting SDK in the iOS app or extension. We do not request your location, contacts, photos, microphone, or health data. Your IP address and user agent are visible to our infrastructure providers during normal HTTP traffic and are used by them for security and rate limiting; we do not retain them in our own database.

How we use your information

We use the information described above for the following purposes, with the following legal bases under the EU/UK General Data Protection Regulation (GDPR):

  • Account creation, sign-in, feed sync, and AI-powered skill generation — performance of our contract with you (Article 6(1)(b)).
  • Billing, invoicing, and tax record-keeping — compliance with our legal obligations (Article 6(1)(c)).
  • Service security, fraud and abuse prevention, debugging, and operational logs — our legitimate interest in running a safe and reliable service (Article 6(1)(f)).
  • Product update and transactional emails — performance of our contract or, where applicable, your consent. You can opt out of non-essential email at any time.

We do not use your captured content or generated skills to train any AI model, and we do not allow our providers to do so.

Where your data is stored and how long we keep it

  • Email and account metadata — kept while your account is active and deleted within 30 days of an account deletion request, except where we are required by law to retain it.
  • Synced feed items (URL, title, markdown) — kept until you delete them. On account deletion they are removed from our servers within 30 days.
  • On-device caches (IndexedDB on the extension, Core Data on iOS) — kept on your device until you clear the data, sign out, or uninstall the app.
  • Billing records — kept for the period required by Singapore tax and accounting law (typically a minimum of five years).
  • Server and security logs — typically 90 days, longer where needed to investigate a security incident.
  • Anthropic API request payloads — processed under Anthropic's commercial API terms; we do not store these requests in our own systems beyond the time needed to return your skill to you.

International data transfers

We are based in Singapore. The providers listed above process data primarily in the United States and the European Union. When personal data is transferred out of your country we rely on the safeguards each provider offers in its data processing addendum, including the European Commission's Standard Contractual Clauses where applicable, and on contractual commitments comparable to those required by Singapore's Personal Data Protection Act.

Security

All traffic between your device and our services uses TLS encryption. Data stored with Supabase is encrypted at rest, and row-level security policies ensure that you only see your own feed items. Authentication tokens are stored in HttpOnly cookies on the web, in Chrome's local extension storage in the extension, and in the iOS Keychain on iPhone. Payment card data never touches our servers — Stripe handles it directly. No system is ever perfectly secure; we work continuously to improve our practices and will notify you of incidents where the law requires us to.

Your rights

Depending on where you live, you may have the right to:

  • Access the personal data we hold about you and receive a copy.
  • Correct data that is inaccurate or out of date.
  • Delete your account and the data associated with it.
  • Restrict or object to certain processing.
  • Receive a portable copy of your data in a machine-readable format.
  • Withdraw consent where we rely on it.
  • Lodge a complaint with your local data protection regulator.

To exercise any of these rights, email privacy@createskills.io. We respond within one month, in line with the GDPR's timeline. We will not discriminate against you for exercising these rights.

Notice for California residents (CCPA / CPRA)

If you live in California, the categories of personal information we have collected in the past 12 months, as defined by Cal. Civ. Code §1798.140, are:

  • Identifiers — email address, account ID, IP address.
  • Commercial information — subscription plan and billing history.
  • Internet or other electronic network activity — URLs you choose to capture.
  • Other user-provided content — markdown extracted from those URLs and files you upload.

The only Sensitive Personal Information we collect is account login credentials, used solely to authenticate you. We do not infer characteristics about you from this information. We do not sell your personal information and we do not share it for cross-context behavioural advertising. You have the right to know, delete, correct, and opt out, the right to limit the use of your sensitive personal information, the right to non-discrimination, and the right to appeal a denial of a request. Where your browser sends a Global Privacy Control (GPC) signal we treat it as a valid opt-out request. To exercise California rights, or to use an authorised agent, email privacy@createskills.io.

Notice for users in the EEA, UK, and Switzerland (GDPR)

We rely on the legal bases set out under "How we use your information" above. You can exercise the rights listed under "Your rights" by emailing privacy@createskills.io, and you have the right to lodge a complaint with the data protection authority in your country.

Generating markdown or a skill file from content you submit is a content transformation, not an automated decision that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. You can stop using the AI generation feature at any time.

As we are established in Singapore, we are appointing an EU Representative under Article 27 GDPR. Until that appointment is published, please direct EU privacy enquiries to dpo@createskills.io.

Notice for Singapore residents (PDPA)

Our Data Protection Officer is reachable at dpo@createskills.io. You may withdraw your consent to our processing of your personal data at any time by writing to the DPO; withdrawal takes effect on reasonable notice and may end your access to parts of the service that depend on that data. We rely on contractual safeguards comparable to the PDPA's Transfer Limitation Obligation when our providers process your data outside Singapore. In the event of a data breach that is likely to result in significant harm or that affects 500 or more individuals, we will notify the Personal Data Protection Commission and affected individuals as required by law.

Children's privacy

createskills is not directed to children under the age of 13 (or under 16 in the European Economic Area and the United Kingdom), and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please email privacy@createskills.io and we will delete it promptly.

Chrome extension — Limited Use disclosure

The use of information received from Google APIs by the createskills Chrome extension will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. Data collected through the extension is used only for the user-facing features described in this policy and on our store listing. We never sell extension data, never use it for unrelated advertising, and never allow humans to read it except as needed for security, support, or legal compliance, with your explicit consent, or in aggregated and anonymised form. The extension only accesses the content of a tab when you explicitly trigger a capture or conversion action.

Account deletion

You can delete your account and the data associated with it from inside the iOS app under Settings → Delete account, or by emailing privacy@createskills.io. We confirm receipt within a few business days and remove your account, your synced feed items, and your billing record from our active systems within 30 days, except where we are required by law (for example, tax records) to retain a limited copy. Deleting the apps from your device does not by itself delete your server-side data — please use the in-app flow or email us so we can remove it.

Changes to this policy

We may update this policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you in the app or by email before the changes take effect.

Contact

Questions, requests, or concerns? Email privacy@createskills.io, or write to us at Yong Ventures Pte. Ltd., 160 Robinson Road #14-04, Singapore Business Federation Center, Singapore 068914.