Privacy Policy

Effective Date: 12th of May, 2026

This policy explains what personal data Skippa collects, why we collect it, how it's used, and what rights you have over it. Skippa is operated by an individual data controller based in Romania. For any privacy questions, reach us at support@skippa.cc.

1. Data we collect

We only collect what's necessary to run the platform:

Account data: Your email address, username, and password. Passwords are stored using industry-standard hashing — we never store them in plain text.
Technical data: IP address history and device information, used to prevent abuse, detect bots, and maintain platform security.
Session data: Authentication tokens used to keep you logged in.
Content and activity: Videos you upload, likes, comments, and other interactions on the platform.
View analytics: General viewing history and approximate country-level location (derived from IP via Cloudflare), used to generate engagement metrics for creators.
Purchase records: PayPal Order ID, transaction status, and timestamps for any purchases made. We do not store or have access to your payment card details — those are handled exclusively by PayPal.

2. How we use your data

Your data is used to: create and maintain your account; deliver content to other users; send transactional emails such as login codes and password resets; process payments; provide creators with video analytics; and detect and prevent fraud and abuse.

We do not sell, rent, or trade your personal data to third parties.

3. Legal basis for processing (EU/EEA)

For users in the European Economic Area, we process personal data under the following legal bases as defined by the GDPR:

Contractual necessity (Art. 6(1)(b)): To provide your account, deliver the platform, and process purchases.
Legitimate interests (Art. 6(1)(f)): To maintain platform security, prevent abuse, and generate anonymised analytics. These interests don't override your fundamental rights.
Legal obligation (Art. 6(1)(c)): Where law requires us to retain or disclose data — including mandatory reporting of CSAM to the relevant authorities.
Consent (Art. 6(1)(a)): Where no other lawful basis applies and consent is required by law.

4. Third-party service providers

We rely on the following trusted third parties to operate Skippa. Each receives only the data needed for their specific function:

Bunny.net — video and image storage and CDN delivery. Privacy policy
Cloudflare — DNS, DDoS protection, and bot mitigation; provides country-level IP data used for view analytics. Privacy policy
Cloudflare Turnstile — bot verification on sign-up, login, and other forms. Privacy policy
Brevo — transactional email delivery for OTP codes and password resets. Privacy policy
PayPal — payment processing. Data submitted during checkout is governed by PayPal's own privacy policy. Privacy policy
Umami Analytics — privacy-preserving traffic analysis with no cookies and no personal identifiers collected. Privacy policy
MongoDB Atlas — database storage for account, content, and activity data. Privacy policy

5. Cookies

We use essential cookies only — specifically, session tokens to keep you logged in. We don't use advertising cookies, behavioural tracking cookies, or any third-party marketing scripts. Umami Analytics operates entirely without cookies. Because we use only strictly necessary cookies, no cookie consent banner is required under the ePrivacy Directive.

6. International data transfers

Some of our service providers may process data outside the EU/EEA — including in the United States. Where this happens, we ensure appropriate transfer safeguards are in place, such as the European Commission's Standard Contractual Clauses (SCCs), in accordance with GDPR Chapter V.

7. Data retention

We keep your data only for as long as it's needed, in line with GDPR Article 5(1)(e):

Account data (email, username, password): retained for as long as your account is active, then deleted within 30 days of account deletion, unless a legal obligation requires longer retention.
Technical logs (IP addresses, device info): retained for up to 12 months for security and abuse prevention purposes.
Purchase records: retained for 5 years from the transaction date, to comply with Romanian and EU financial record-keeping obligations.
Content and activity data (videos, likes, comments): retained while your account is active, and deleted within 30 days of account deletion, except where legal holds apply.
Aggregated/anonymised analytics: kept indefinitely, as they cannot identify you.

If you request account deletion, your identifiable personal data will be removed within the timeframes above, unless retention is required for legal, security, or compliance purposes.

8. Your rights

Depending on where you live, you may have the right to:

Access the personal data we hold about you
Correct inaccurate or incomplete data
Delete your data ("right to be forgotten")
Restrict how we process your data
Export your data in a portable format (data portability)
Object to processing based on legitimate interests

To exercise any of these rights, email support@skippa.cc. We'll respond within the timeframe required by applicable law (generally 30 days for GDPR requests).

If you're in the EU or EEA, you also have the right to lodge a complaint with your local data protection authority. The supervisory authority for Romania is the ANSPDCP. You may alternatively contact the data protection authority in your own country of residence.

If you're a California resident, the CCPA grants you the right to know what personal information is collected about you, to request its deletion, and to opt out of any sale of your data. We do not sell personal information.

9. Data breach notification

In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we'll notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. If the breach is likely to result in a high risk to you personally, we'll also notify you directly without undue delay.

10. Children

Skippa does not knowingly collect personal data from users under 13, or under 16 in EU/EEA jurisdictions where that higher threshold applies. If we become aware that an account belongs to a user below the applicable minimum age, the account and its associated data will be removed promptly.

11. Changes to this policy

This policy may be updated periodically. Any changes will be posted here with a revised effective date. For significant changes, we'll take reasonable steps to notify you in advance.