Privacy Policy

This privacy policy explains how Yong Ventures Pte. Ltd. ("createskills", "we", "us") collects, uses, and protects your information when you use the createskills web app at createskills.io, the createskills Chrome extension, and the createskills iOS app. The same policy applies across all three surfaces; differences in data collection are flagged in the relevant sections below.

Who we are

createskills is a service operated by Yong Ventures Pte. Ltd., a company incorporated in Singapore (UEN 202531715G) with its registered office at 160 Robinson Road #14-04, Singapore Business Federation Center, Singapore 068914. We are the data controller for the personal information described in this policy.

What this policy covers

This policy covers three products that share a single account system:

• The web app at createskills.io, where you sign in, manage your credits and billing, and read public pages.
• The Chrome extension, which captures web pages, YouTube and Instagram content, PDFs, images, selected text, and saved source context.
• The iOS app ("createskills: URL to Markdown"), which captures URLs from the iOS share sheet and stores them as readable markdown.

Information we collect

We collect only what is needed to operate the service. Specifically:

Account information (all surfaces)

• Email address — used to send a one-time sign-in code and to identify your account.
• Account identifier — a randomly generated user ID assigned by our authentication provider (Supabase) and an associated session token stored on your device to keep you signed in.

Billing information (web only)

• Your credit balance, credit ledger activity, auto-recharge settings, and kit entitlement records.
• Stripe customer, checkout session, and payment identifiers so we can match payments and webhooks to your account.
• Payment card details are collected and stored by Stripe directly. We never see or store full card numbers.

Content you capture (extension and iOS app)

• The URL, title, and favicon of any page or video you choose to capture.
• The extracted markdown of that content, including transcripts for YouTube videos and Instagram Reels when you capture them.
• Any files (PDFs, images) you attach when capturing or transforming source material, and any prompts or instructions you write to transform that content.

Captured content is held locally on your device (in IndexedDB on the extension, in Core Data on iOS) and, if you are signed in, is synced to your cloud feed so it appears across your devices.

Information we do not deliberately collect

We do not run any third-party analytics SDK, advertising SDK, or crash-reporting SDK in the iOS app or extension. We do not request your location, contacts, photos, microphone, or health data. Your IP address and user agent are visible to our infrastructure providers during normal HTTP traffic and are used by them for security and rate limiting; we do not retain them in our own database.

Chrome extension data collection

The Chrome extension has technical permission to access webpages so it can perform its user-facing conversion features. It does not continuously monitor every page you visit. It accesses page content only when you take an action such as converting a page or link, extracting a YouTube transcript, extracting Instagram Reel content, using the element picker, saving selected text, adding an image, or cleaning or transforming markdown.

When you use those features, the extension may collect the URL, page title, favicon, selected text, page content converted to markdown, YouTube transcript text, Instagram Reel description or transcript text, PDF-derived content, images and PDF files you provide, prompts or instructions you write, transformed markdown, source folders, credits and account state, and authentication tokens used to keep you signed in.

Local extension data is stored in IndexedDB. Authentication session data, credit cache data, and sync metadata may be stored in chrome.storage.local. If you are signed in, source captures, folders, and related feed data may also sync to our cloud database so they can appear across your devices.

How we use your information

We use the information described above for the following purposes, with the following legal bases under the EU/UK General Data Protection Regulation (GDPR):

• Account creation, sign-in, feed sync, source capture, and AI-powered cleanup or transformation — performance of our contract with you (Article 6(1)(b)).
• Billing, invoicing, and tax record-keeping — compliance with our legal obligations (Article 6(1)(c)).
• Service security, fraud and abuse prevention, debugging, and operational logs — our legitimate interest in running a safe and reliable service (Article 6(1)(f)).
• Product update and transactional emails — performance of our contract or, where applicable, your consent. You can opt out of non-essential email at any time.

We do not use your captured content or kit entitlements to train any AI model, and we do not allow our providers to do so.

How we handle and share information

We handle your information to provide the features you choose to use: converting selected webpages and media into markdown, syncing your feed across signed-in devices, cleaning or transforming markdown, showing kit entitlement status, enforcing usage limits, managing billing, securing the service, responding to support requests, and maintaining your account.

We share information only with service providers needed to operate those features:

• Supabase provides authentication, account sessions, database storage, and synced feed storage.
• Stripe processes checkout, invoices, and payment-related billing records. We do not receive or store full payment card numbers.
• Vercel provides hosting, application runtime, network delivery, and infrastructure logs.
• AI processing providers process source markdown, uploaded files, and prompts only when you use AI-assisted cleanup or transformation features.
• Content extraction and transcription providers process the URLs or media links you choose to convert when server-side extraction or transcript retrieval is needed.

We do not sell your personal information or extension data. We do not use it for ads, personalized advertising, cross-context behavioral advertising, credit decisions, lending decisions, or resale to data brokers. We do not allow humans to read your captured content except with your explicit consent for support, when necessary for security or abuse investigation, to comply with law, or in aggregated and anonymized form for internal operations.

Where your data is stored and how long we keep it

• Email and account metadata — kept while your account is active and deleted within 30 days of an account deletion request, except where we are required by law to retain it.
• Synced feed items (URL, title, markdown) — kept until you delete them. On account deletion they are removed from our servers within 30 days.
• On-device caches (IndexedDB on the extension, Core Data on iOS) — kept on your device until you clear the data, sign out, or uninstall the app.
• Extension session and sync metadata — stored in chrome.storage.local until you sign out, clear extension data, or uninstall the extension.
• Billing records — kept for the period required by Singapore tax and accounting law (typically a minimum of five years).
• Server and security logs — typically 90 days, longer where needed to investigate a security incident.
• AI and content-processing requests — processed by service providers only for the request you initiate, such as returning converted markdown, cleaned markdown, a transcript, or transformed source output.

International data transfers

We are based in Singapore. The providers listed above may process data in the United States, the European Union, Singapore, or other countries where they operate infrastructure. When personal data is transferred out of your country we rely on the safeguards each provider offers in its data processing addendum, including the European Commission's Standard Contractual Clauses where applicable, and on contractual commitments comparable to those required by Singapore's Personal Data Protection Act.

Security

All traffic between your device and our services uses TLS encryption. Data stored with Supabase is encrypted at rest, and row-level security policies ensure that you only see your own feed items. Authentication tokens are stored in HttpOnly cookies on the web, in Chrome's chrome.storage.local in the extension, and in the iOS Keychain on iPhone. Payment card data never touches our servers — Stripe handles it directly. No system is ever perfectly secure; we work continuously to improve our practices and will notify you of incidents where the law requires us to.

Your rights

Depending on where you live, you may have the right to:

• Access the personal data we hold about you and receive a copy.
• Correct data that is inaccurate or out of date.
• Delete your account and the data associated with it.
• Restrict or object to certain processing.
• Receive a portable copy of your data in a machine-readable format.
• Withdraw consent where we rely on it.
• Lodge a complaint with your local data protection regulator.

To exercise any of these rights, email privacy@createskills.io. We respond within one month, in line with the GDPR's timeline. We will not discriminate against you for exercising these rights.

Notice for California residents (CCPA / CPRA)

If you live in California, the categories of personal information we have collected in the past 12 months, as defined by Cal. Civ. Code §1798.140, are:

• Identifiers — email address, account ID, IP address.
• Commercial information — credit purchases, auto-recharge settings, and billing history.
• Internet or other electronic network activity — URLs you choose to capture.
• Other user-provided content — markdown extracted from those URLs and files you upload.

The only Sensitive Personal Information we collect is account login credentials, used solely to authenticate you. We do not infer characteristics about you from this information. We do not sell your personal information and we do not share it for cross-context behavioural advertising. You have the right to know, delete, correct, and opt out, the right to limit the use of your sensitive personal information, the right to non-discrimination, and the right to appeal a denial of a request. Where your browser sends a Global Privacy Control (GPC) signal we treat it as a valid opt-out request. To exercise California rights, or to use an authorised agent, email privacy@createskills.io.

Notice for users in the EEA, UK, and Switzerland (GDPR)

We rely on the legal bases set out under "How we use your information" above. You can exercise the rights listed under "Your rights" by emailing privacy@createskills.io, and you have the right to lodge a complaint with the data protection authority in your country.

Generating markdown or transformed output from content you submit is a content transformation, not an automated decision that produces legal or similarly significant effects on you within the meaning of Article 22 GDPR. You can stop using the AI-assisted features at any time.

As we are established in Singapore, we are appointing an EU Representative under Article 27 GDPR. Until that appointment is published, please direct EU privacy enquiries to dpo@createskills.io.

Notice for Singapore residents (PDPA)

Our Data Protection Officer is reachable at dpo@createskills.io. You may withdraw your consent to our processing of your personal data at any time by writing to the DPO; withdrawal takes effect on reasonable notice and may end your access to parts of the service that depend on that data. We rely on contractual safeguards comparable to the PDPA's Transfer Limitation Obligation when our providers process your data outside Singapore. In the event of a data breach that is likely to result in significant harm or that affects 500 or more individuals, we will notify the Personal Data Protection Commission and affected individuals as required by law.

Children's privacy

createskills is not directed to children under the age of 13 (or under 16 in the European Economic Area and the United Kingdom), and we do not knowingly collect personal information from children. If you believe a child has provided personal information to us, please email privacy@createskills.io and we will delete it promptly.

Chrome extension — Limited Use disclosure

The use of information received from Google APIs will adhere to the Chrome Web Store User Data Policy, including the Limited Use requirements. Data collected through the extension is used only for the user-facing features described in this policy and on our Chrome Web Store listing. We never sell extension data, never use it for unrelated advertising, and never use or transfer it to determine creditworthiness or for lending purposes. For more information, see the Chrome Web Store User Data Policy.

Account deletion

You can delete your account and the data associated with it from inside the iOS app under Settings → Delete account, or by emailing privacy@createskills.io. We confirm receipt within a few business days and remove your account, your synced feed items, and your billing record from our active systems within 30 days, except where we are required by law (for example, tax records) to retain a limited copy. Deleting the apps from your device does not by itself delete your server-side data — please use the in-app flow or email us so we can remove it.

Changes to this policy

We may update this policy from time to time. When we make material changes we will update the "Last updated" date above and, where appropriate, notify you in the app or by email before the changes take effect.

Contact

Questions, requests, or concerns? Email privacy@createskills.io, or write to us at Yong Ventures Pte. Ltd., 160 Robinson Road #14-04, Singapore Business Federation Center, Singapore 068914.