Legal
Privacy Policy
Effective from: 1 May 2026
Application: Skildo (the customer-facing mobile application, the “App”) Data Controller: Invicta Solutions, s.r.o. Pod Jiráskovou čtvrtí 752/14, 147 00 Praha 4 – Braník, Czech Republic Company ID (IČO): 21341303 VAT ID (DIČ): CZ21341303 Registered in the Commercial Register maintained by the Municipal Court in Prague. Contact e-mail: info@skildo.cz
Effective date: 1 May 2026 Version: 1.0
This Privacy Policy (“Policy”) explains how Invicta Solutions, s.r.o. (“we”, “us”, “our”, the “Controller”) processes your personal data when you use the Skildo mobile application. Read it together with our Terms of Service and Child Safety Standards.
1. Scope and applicability
- This Policy applies to every natural person who installs, registers in, or otherwise uses the App (“you” or “user”).
- The separate Skildo Partner platform used by tradespeople is governed by a separate Skildo Partner Privacy Policy.
- This Policy does not govern third-party services (e.g. your mobile carrier or app store).
2. Regulatory framework
We process personal data in accordance with:
- Regulation (EU) 2016/679 (“GDPR”);
- Act No. 110/2019 Coll., on Personal Data Processing;
- Act No. 480/2004 Coll., on Certain Information Society Services;
- Regulation (EU) 2022/2065 (Digital Services Act), where applicable.
3. Data Protection Officer
Given the nature and scale of processing, we are not legally required to designate a DPO under Article 37 GDPR at this time. Direct any privacy enquiries to info@skildo.cz.
4. Categories of personal data we process
| # | Category | Data elements | Source | Mandatory / Optional |
|---|---|---|---|---|
| 1 | Account & authentication | Email, internal user ID (UUID), session metadata, sign-in timestamps, OAuth provider identifier | You / Supabase Auth / Google / Apple / Facebook | Mandatory |
| 2 | Profile | First name, last name, phone number, profile photo (optional), preferred language | You | Mandatory (phone optional until first contact) |
| 3 | Job requests | Title, description, photos, category, budget, deadline, location (street, city, GPS) | You | Generated by your action |
| 4 | AI-generated description | Suggestion text generated from your photo and prompt (processed by a third-party AI provider) | System / OpenAI or comparable provider | Optional |
| 5 | Location | GPS coordinates (PostGIS), or manually entered address | Your device (with permission) / you | Optional (requires OS permission) |
| 6 | Communication with a tradesperson | Your contact details (phone, email) revealed only after the job is mutually confirmed | You | Mandatory once a job is confirmed |
| 7 | Reviews and ratings | Stars, review text, completed-job reference | You | Optional |
| 8 | Push tokens & notifications | Expo Push token, platform (iOS / Android), notification preferences | Device / Expo SDK | Optional (requires OS permission) |
| 9 | Technical & diagnostic data | IP address, device type, OS version, app version, build ID, crash reports, error logs | Automatic (Sentry, device) | Automatic |
| 10 | Product analytics | Pseudonymised events (onboarding steps, taps), session ID | Automatic (PostHog, production only) | Automatic |
| 11 | Marketing & advertising data | Cookies and identifiers for Google Ads (AW-17279763951), Meta Pixel, Google Analytics 4 — only on the skildo.cz website, not in the App | Web / browser | Consent (cookie banner) |
Special categories. We do not intend to process special categories of personal data within the meaning of Article 9 GDPR (health, biometrics, sex life, religion, political opinions, ethnic origin). Do not include such information in job descriptions, photos, or reviews.
5. Purposes and legal bases
| # | Purpose | Legal basis (GDPR Art. 6(1)) |
|---|---|---|
| 1 | Operating the App, account, authentication, job posting, matching with tradespeople | (b) Contract |
| 2 | Disclosing your contact details to a tradesperson after job confirmation | (b) Contract |
| 3 | AI-generated description suggestion | (b) Contract + (a) Consent (optional feature) |
| 4 | Determining your location | (a) Consent (OS permission) + (b) Contract |
| 5 | Push notifications about offers and messages | (a) Consent + (b) Contract |
| 6 | Reviews and ratings (public part of profile) | (b) Contract + (f) Legitimate interest (platform trust) |
| 7 | Sentry — error monitoring and stability | (f) Legitimate interest |
| 8 | PostHog — product analytics (production only) | (f) Legitimate interest |
| 9 | Marketing cookies on the website (Google Ads, Meta Pixel, GA4) | (a) Consent |
| 10 | Compliance with legal obligations | (c) Legal obligation |
| 11 | Establishment, exercise or defence of legal claims | (f) Legitimate interest |
6. Recipients and processors
| Recipient | Role | Data shared | Purpose |
|---|---|---|---|
| Supabase, Inc. (USA) | Processor | Account, profile, job requests, location, ratings, push tokens | Backend, database (PostgreSQL + PostGIS), auth, storage, realtime |
| Google LLC, Apple Inc., Meta Platforms, Inc. | Independent controller | OAuth identifiers when you sign in with Google / Apple / Facebook | Authentication |
| Expo, Inc. (USA) | Processor | Push token, notification payload | Push delivery, OTA updates, build infrastructure |
| Apple, Google | Independent controller | APNS / FCM tokens, notification content | Push delivery to iOS / Android |
| RevenueCat, Inc. (USA) | Processor | Anonymised user identifier, subscription metadata (no card numbers — Apple / Google handle those) | In-app purchases / premium features (if applicable) |
| Sentry (Functional Software, Inc.) (USA) | Processor | Error logs, stack traces, device metadata | Error monitoring |
| PostHog, Inc. (USA) | Processor | Pseudonymised events, session IDs | Product analytics (production only) |
| AI provider (e.g. OpenAI) | Processor | Photo and short prompt you upload when posting a job | Job description suggestion |
| Mapbox, Inc. / Google Maps (USA) | Processor | Coordinates, approximate address | Geocoding and map display |
International transfers. Where personal data is transferred outside the EEA, the transfer is safeguarded by:
- an adequacy decision under Article 45 GDPR (incl. EU–US Data Privacy Framework where applicable);
- Standard Contractual Clauses under Article 46 GDPR;
- derogations under Article 49 GDPR, used only exceptionally.
You can request a copy of the SCCs or a transfer-impact summary at info@skildo.cz.
No sale of data. We do not sell your personal data and we do not share it with third parties for their own marketing.
7. Retention periods
| Category | Rule |
|---|---|
| Account & profile | Lifetime of the account; deleted without undue delay after account deletion |
| Job requests | Lifetime of the account; we anonymise historical transaction records for accounting |
| Location (precise GPS) | Deleted with the job request; system purges inactive jobs after 12 months |
| Reviews and ratings | Public review remains tied to an anonymised identifier even after account deletion |
| Communication with a tradesperson | Lifetime of both accounts; cascade-deleted on deletion |
| Sentry (error logs) | 90 days from ingestion |
| PostHog (analytics) | 12 months from capture, then deleted or fully anonymised |
| Infrastructure logs (Supabase) | Up to 30 days |
| Database backups | Up to 30 days after deletion from the live database |
| Accounting and tax documents (if any arise) | 10 years per Act No. 235/2004 Coll. (VAT) and Act No. 563/1991 Coll. (accounting) |
8. Account deletion
- You can delete your account directly in the App (Settings → Account → Delete account).
- After deletion:
- We delete your profile, photo, and all active job requests;
- Push tokens, notification settings, and communications are cascade-deleted;
- Completed reviews are anonymised (only initials and job type remain);
- Backup copies are overwritten within 30 days (see Section 7).
- If you cannot use the in-app flow, e-mail info@skildo.cz from the address tied to your account; we will act within 30 days.
9. Your rights under the GDPR
| Right | How to exercise |
|---|---|
| Access (Art. 15) | E-mail info@skildo.cz |
| Rectification (Art. 16) | Edit in the App or e-mail us |
| Erasure (Art. 17) | Delete your account in the App or e-mail us |
| Restriction (Art. 18) | E-mail info@skildo.cz |
| Portability (Art. 20) | E-mail info@skildo.cz (we will export JSON) |
| Objection (Art. 21) | E-mail info@skildo.cz |
| Withdrawal of consent (Art. 7(3)) | Revoke OS permissions (location, contacts, notifications) or withdraw cookie consent |
| Complaint to a supervisory authority | ÚOOÚ, Pplk. Sochora 727/27, 170 00 Praha 7, www.uoou.cz |
We respond without undue delay, within one month at the latest.
10. Children
- The App is not directed at users under 18. Skildo is an adult marketplace.
- We do not knowingly collect data from children. If you believe a minor has created an account, e-mail us at info@skildo.cz.
- Our approach to child safety is set out in the Child Safety Standards.
11. Security
We apply technical and organisational measures appropriate to the risk:
- encryption in transit (TLS 1.2+);
- encryption at rest (database, backups);
- Row-Level Security in Supabase;
- OAuth-based authentication with no passwords stored by us;
- API rate limiting;
- principle of least privilege and routine dependency upkeep.
No system is 100% secure. If a personal-data breach poses a risk to your rights, we will notify ÚOOÚ within 72 hours and, where required, you (Articles 33–34 GDPR).
12. Cookies and similar technologies
The App is a native mobile application and does not use browser cookies. The website skildo.cz uses cookies and measurement technologies:
| Technology | Purpose | Consent |
|---|---|---|
| Strictly necessary cookies | Site functionality, language, consent banner | No consent |
| Google Analytics 4 | Traffic measurement | Consent |
Google Ads (AW-17279763951) | Ad campaign measurement | Consent |
| Meta Pixel | Facebook/Instagram campaign measurement | Consent |
| PostHog | Product analytics | Consent |
You manage consent via the cookie banner; you can change or revoke your choice at any time.
The App itself uses local storage only for sessions, push tokens, and an anonymous ID — no advertising trackers.
13. Automated decision-making
We do not use automated decision-making, including profiling, with legal or similarly significant effects on you under Article 22 GDPR. The AI description suggestion is a hint only — you decide the final text.
14. Changes to this Policy
We may update this Policy. Material changes will be notified at least 15 days before the new effective date in the App or by email. The effective date and version above will be updated accordingly.
15. Contact
Invicta Solutions, s.r.o. Pod Jiráskovou čtvrtí 752/14 147 00 Praha 4 – Braník Czech Republic
E-mail: info@skildo.cz
We acknowledge messages within 5 business days and respond on the substance within 30 calendar days.
Last updated: 1 May 2026