Privacy Policy

Last updated: April 7, 2026

1. Data Controller

The data controller for SkyFeed is:

This Privacy Policy explains how we collect, use, and protect your personal data when you use SkyFeed (skyfeed.app). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and applicable German data protection laws.

2. Key Points

• We do not sell your personal data.
• We do not use advertising, profiling, or behavioral tracking.
• We do not use cookies. Authentication tokens are stored only in your browser's local storage.
• We do not use any third-party analytics tools.
• Your data is primarily stored and processed within the European Union.
• SkyFeed is funded entirely through subscriptions, not data monetization.
• You can exercise your data protection rights at any time (see Your Rights below).

3. Data We Collect

3.1 Account Data

When you sign in to SkyFeed with your Bluesky account, we collect and store:

• Bluesky DID (Decentralized Identifier): Your unique identifier on the AT Protocol network
• Bluesky Handle: Your public username (e.g., user.bsky.social)
• Authentication Tokens: Secure tokens that allow SkyFeed to access Bluesky on your behalf. We do not store your password.

3.2 Feed & Content Data

Your feed definitions (rules, filters, settings) are stored on the AT Protocol network, typically on your Personal Data Server (PDS), not on SkyFeed's infrastructure. SkyFeed reads your feed configurations to execute them but does not independently store copies of your feed definitions.

We may store limited operational data related to your feeds, such as:

• Feed performance metadata: Anonymous aggregate request counts and response times for feeds served through our infrastructure
• Cached feed state: Temporary cached data to improve feed response times, which is regularly refreshed and not permanently retained

3.3 Usage Data

We collect only anonymous, aggregate request counts for feeds hosted by SkyFeed. This data cannot be linked to individual users and is used solely to monitor service health and feed performance.

We do not use any third-party analytics tools. We do not track individual user behavior, build user profiles, or perform behavioral analysis.

3.4 Technical Data

Our servers may automatically collect:

• Truncated IP addresses (last octet removed) for security and rate limiting purposes
• Browser type and version
• Referring pages and access times

We deliberately truncate IP addresses before storage so that full IP addresses are never retained in our logs. This data is kept for a limited period and is used solely for security and operational purposes.

3.5 Payment Data

If you subscribe to SkyFeed Pro, payment is handled by Armitage Labs OÜ ("Creem"), based in Estonia (EU), as our Merchant of Record. Creem collects and processes your payment information (such as credit card details, billing address, and email) directly. We do not receive or store your payment credentials.

We receive from Creem only the information necessary to manage your subscription, such as your subscription status, plan type, and billing period dates. For details on how Creem handles your data, please refer to Creem's Privacy Policy.

4. How We Use Your Data

We use your personal data for the following purposes:

• Providing the service: Authenticating your identity, executing your feed logic, and serving your published feeds to subscribers
• Managing subscriptions: Activating and managing SkyFeed Pro features based on your subscription status
• Improving the service: Monitoring anonymous aggregate metrics to fix bugs, optimize performance, and develop new features
• Security: Protecting against abuse, unauthorized access, and technical issues
• Communication: Responding to your support requests and notifying you of important service changes

We do not use your data for advertising, profiling, or behavioral tracking. We do not sell, rent, or trade your personal data. SkyFeed is funded entirely through subscriptions, and we will never serve ads.

5. Legal Basis for Processing

Under the GDPR, we process your personal data based on the following legal grounds:

• Contract performance (Art. 6(1)(b) GDPR): Processing necessary to provide the SkyFeed service to you, including account authentication, feed storage, and subscription management
• Legitimate interests (Art. 6(1)(f) GDPR): Processing for service security, abuse prevention, usage analytics for service improvement, and server log retention. Our legitimate interest is maintaining a secure, functional, and improving service.
• Legal obligation (Art. 6(1)(c) GDPR): Processing required to comply with applicable laws, such as tax recordkeeping obligations
• Consent (Art. 6(1)(a) GDPR): Where applicable, for optional data processing activities. You may withdraw consent at any time.

6. Cookies, Local Storage & Analytics

SkyFeed does not use cookies. We do not set any first-party or third-party cookies, including tracking, advertising, or analytics cookies.

When you sign in with your ATmosphere account, your authentication tokens and display preferences (such as theme settings) are stored exclusively in your browser's local storage. This data never leaves your device and is not accessible to us or any third party.

We do not use any third-party analytics tools. The only metrics we collect are anonymous, aggregate request counts for feeds hosted by SkyFeed, which cannot be linked to individual users.

7. Data Sharing & Third Parties

We share your personal data only with the following recipients, who process data on our behalf under data processing agreements (DPAs) in compliance with the GDPR.

Important: The AT Protocol is currently a public network. When you publish feeds through SkyFeed, your feed configurations, metadata, and any associated profile information are made publicly available through the AT Protocol network (the ATmosphere) and can be accessed by anyone. This is inherent to the decentralized protocol and not something SkyFeed controls.

We do not sell, rent, or trade your personal data. We will only disclose personal data to authorities when we are legally compelled to do so by a valid legal order. We will resist requests that we consider overbroad, vague, or otherwise improper. Where legally permitted, we will notify you before disclosing your data in response to a legal request, so you have the opportunity to challenge it.

8. Data Retention

• Account data: Retained as long as your account is active. If you delete your account or request data deletion, we will remove your data from our systems within 30 days, except where retention is required by law. Your feed definitions on the AT Protocol network are controlled by your PDS and are not affected by account deletion on our side.
• Server logs (truncated IP addresses): Retained for up to 90 days for security and operational purposes. Full IP addresses are never stored.
• Anonymous feed metrics: Aggregate request counts are retained as long as needed for service monitoring. This data is anonymous and cannot be linked to individual users.
• Payment records: Retained as required by German tax and commercial law (typically up to 10 years for accounting records).

9. Your Rights

Under the GDPR, you have the following rights regarding your personal data:

• Right of access (Art. 15): You can request a copy of the personal data we hold about you
• Right to rectification (Art. 16): You can request correction of inaccurate data
• Right to erasure (Art. 17): You can request deletion of your personal data, subject to legal retention obligations
• Right to restriction (Art. 18): You can request restriction of processing in certain circumstances
• Right to data portability (Art. 20): You can request your data in a structured, machine-readable format
• Right to object (Art. 21): You can object to processing based on legitimate interests
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, please contact us at privacy@skyfeed.dev. We will respond to your request within 30 days.

10. International Data Transfers

Our core infrastructure providers (Hetzner, Avoro/dataforest, BunnyCDN) and our payment processor (Creem) are based in the European Union, and your data is primarily stored and processed within the EU.

Fly.io, currently used as a temporary feed caching proxy, is based in the United States. We are actively working to migrate this component to EU-based infrastructure. Where personal data is transferred outside the European Economic Area (EEA) via Fly.io, appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission and Fly.io's participation in the EU-U.S. Data Privacy Framework.

11. Children's Privacy

SkyFeed is not intended for users under 18 years of age. We do not knowingly collect personal data from children under 18. If you believe we have collected data from a child under 18, please contact us and we will promptly delete the information.

12. Security

We implement appropriate technical and organizational measures to protect your personal data, including encrypted connections (HTTPS), secure authentication token handling, and access controls. However, no method of electronic transmission or storage is 100% secure, and we cannot guarantee absolute security.

13. Changes to This Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you at least 30 days before the updated policy takes effect, through the service or by other reasonable means. The "Last updated" date at the top of this policy indicates when it was last revised.

14. Contact

For privacy-related questions or to exercise your data subject rights: