Last updated: April 27, 2026
Skizze ("we", "us", "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our platform. It is structured to satisfy the transparency obligations of the EU/UK General Data Protection Regulation (GDPR, Articles 13 and 14) and the Brazilian Lei Geral de Proteção de Dados (LGPD, Articles 9 and 18).
By creating an account, you confirm you have read this Policy and our Terms of Service.
We never see or store your full payment card details. Card data, CVV and the full PAN are handled exclusively by Stripe (our PCI DSS Level 1 certified payment processor). Skizze only retains a Stripe customer/account identifier and the high-level transaction record (amount, status, timestamps).
Under GDPR Article 6 and LGPD Article 7, we are required to disclose the legal basis on which we process each category of personal data. Below is our mapping:
| Purpose | Legal basis |
|---|---|
| Operate the Platform: account, profile, listings, chat, orders, payouts | Performance of contract (GDPR 6(1)(b) / LGPD 7-V) |
| Audit log of payments, withdrawals and account-deletion events | Legal obligation (GDPR 6(1)(c) / LGPD 7-II) |
| Stripe Connect KYC for freelancers receiving payouts | Legal obligation (anti-money-laundering) |
| Fraud prevention, abuse detection, off-platform contact filtering | Legitimate interest (GDPR 6(1)(f) / LGPD 7-IX) |
| Transactional email (order updates, payment receipts, security alerts) | Performance of contract |
| Marketing emails, non-essential cookies, optional analytics | Consent (GDPR 6(1)(a) / LGPD 7-I) — opt-in, revocable any time |
We do not sell your personal data. To run the Platform, we share specific data with the following sub-processors. Each is bound by a Data Processing Agreement (DPA) compliant with GDPR Article 28 / LGPD Article 39, and where applicable, by Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to the United States.
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage, real-time messaging | United States (SCCs apply) |
| Stripe | Payment processing, Connect payouts, fraud screening (PCI DSS Level 1) | United States, Ireland (SCCs apply) |
| Resend | Transactional and notification email delivery | United States (SCCs apply) |
| Vercel | Web hosting, edge runtime, content delivery | Global edge — primary region: United States (SCCs apply) |
| Sentry | Error tracking and performance monitoring (operational diagnostics only) | United States (SCCs apply) |
We may also disclose your data when required by law, court order, or governmental authority, or in connection with a merger, acquisition, or sale of assets — in which case we will notify you before your data becomes subject to a different policy.
We rely on a minimal set of cookies. The full inventory and durations are documented in our Cookie Policy. In summary:
We keep personal data only for as long as necessary for the purpose for which it was collected:
Wherever you live, we honor the following rights — even if your jurisdiction does not strictly require us to. EEA/UK residents are protected by GDPR Articles 15-22; Brazilian residents are protected by LGPD Article 18.
To exercise these rights, email our Data Protection Officer at dpo@skizze.io. We respond within 30 days (GDPR) / 15 days (LGPD), or notify you of an extension where the law allows.
Skizze operates globally. Personal data is processed primarily on servers located in the United States (Supabase, Stripe, Resend, Vercel, Sentry). Where data is transferred from the EEA, UK, or Switzerland to the US, we rely on the European Commission's Standard Contractual Clauses (SCCs). Where data is transferred from Brazil, the transfer is grounded on Article 33 of the LGPD using equivalent contractual safeguards. Copies of the relevant SCCs are available on request from our DPO.
We implement industry-standard security measures: encryption in transit (TLS 1.2+), database row-level security policies on every table containing personal data, hashed and salted passwords (Supabase Auth), optional two-factor authentication, server-side rate limits on sensitive endpoints, an immutable audit log of privileged actions, and a regex-based content filter on chat. No method of transmission is 100% secure, but we treat security as a design constraint, not an afterthought.
The Platform is not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe a minor has provided us data, contact us at dpo@skizze.io and we will delete the records promptly.
We may update this Privacy Policy from time to time. Material changes — anything that broadens our processing or introduces new sub-processors — will be announced by email and by an in-Platform notice at least 14 days before they take effect. Non-material changes (typo fixes, clarifications) take effect immediately and are reflected in the "Last updated" date above.
For privacy questions, rights requests, or complaints, you can reach our Data Protection Officer at:
For everything not specifically related to data protection, see our general contact and help pages.