Legal
Privacy Policy — Skildo Partner
Effective from: 1 May 2026
Platform: Skildo Partner (web platform for tradespeople and side hustlers, the “Platform”) Data Controller: Invicta Solutions, s.r.o. Pod Jiráskovou čtvrtí 752/14, 147 00 Praha 4 – Braník, Czech Republic Company ID (IČO): 21341303 VAT ID (DIČ): CZ21341303 Registered in the Commercial Register maintained by the Municipal Court in Prague. Contact e-mail: info@skildo.cz
Effective date: 1 May 2026 Version: 1.0
This Privacy Policy (“Policy”) explains how Invicta Solutions, s.r.o. (“we”, “us”, “our”, the “Controller”) processes your personal data when you use the Skildo Partner platform. Read it together with the Terms of Service and Child Safety Standards.
1. Scope and applicability
- This Policy applies to every natural person who registers on the Platform as a tradesperson or side hustler (“you” or “Partner”).
- The customer-facing Skildo mobile app is governed by a separate Privacy Policy.
- This Policy does not govern third-party services (e.g. your mobile carrier or external job boards).
2. Regulatory framework
We process personal data in accordance with:
- Regulation (EU) 2016/679 (“GDPR”);
- Act No. 110/2019 Coll. on Personal Data Processing;
- Act No. 480/2004 Coll. on Certain Information Society Services;
- Act No. 253/2008 Coll. on Anti-Money Laundering (“AML Act”), where applicable to identity verification;
- Regulation (EU) 2022/2065 (Digital Services Act).
3. Data Protection Officer
Given the scale and nature of processing, we are not legally required to designate a DPO under Article 37 GDPR at this time. Direct privacy enquiries to info@skildo.cz.
4. Categories of personal data we process
| # | Category | Data elements | Source | Mandatory / Optional |
|---|---|---|---|---|
| 1 | Account & authentication | Email, internal user ID (UUID), session metadata, sign-in timestamps | You / Supabase Auth | Mandatory |
| 2 | Profile | First name, last name, phone number, profile photo, short bio, work categories, languages | You | Mandatory (photo optional) |
| 3 | Service area | Addresses or coordinates of the area you cover, travel radius | You / Mapbox geocoding | Mandatory |
| 4 | Identity documents (KYC) | Photo of government-issued ID, selfie, date of birth, address, business ID (IČO) for sole proprietors | You | Mandatory for full profile activation |
| 5 | Bank / billing details | Business name, IČO, DIČ, bank account number (when issuing invoices) | You | Optional, mandatory when invoicing |
| 6 | Marketplace activity | Jobs you accept, offers you submit, completions, ratings, disputes | System | Generated by your activity |
| 7 | Communication with customers | In-app chat messages, contact details revealed after mutual job confirmation | You / customer | Generated by interaction |
| 8 | Subscription and payments | Subscription tier (free / 299 CZK monthly / 500 CZK lifetime), purchase date, RevenueCat / app-store identifier; card numbers are processed by Apple / Google / Stripe — we do not store them | You / RevenueCat | Mandatory on a paid plan |
| 9 | Push tokens & notifications | Web push tokens, notification preferences | Browser / you | Optional |
| 10 | Technical & diagnostic data | IP address, device type, browser version, crash reports, error logs | Automatic (Sentry, browser) | Automatic |
| 11 | Product analytics | Pseudonymised events, session ID | Automatic (PostHog, production only) | Automatic |
| 12 | Marketing & advertising data (web) | Cookies for Google Ads, Meta Pixel, Google Analytics 4 — only on skildo.cz and partner.skildo.cz | Web / browser | Consent (cookie banner) |
Special categories. We do not knowingly process special categories under Article 9 GDPR. ID documents may indirectly reveal ethnic origin or health information — we process them strictly for identity verification and to the minimum extent necessary.
5. Purposes and legal bases
| # | Purpose | Legal basis (GDPR Art. 6(1)) |
|---|---|---|
| 1 | Operating the Platform, profile, matching with job requests | (b) Contract |
| 2 | Identity verification (KYC) | (c) Legal obligation + (f) Legitimate interest (platform trust and safety) |
| 3 | Subscriptions and invoicing | (b) Contract + (c) Legal obligation (accounting) |
| 4 | Geocoding the service area (Mapbox) | (b) Contract |
| 5 | Push notifications | (a) Consent + (b) Contract |
| 6 | Reviews and ratings (public part of profile) | (b) Contract + (f) Legitimate interest |
| 7 | Sentry — error monitoring | (f) Legitimate interest |
| 8 | PostHog — product analytics | (f) Legitimate interest |
| 9 | Marketing cookies on the website | (a) Consent |
| 10 | Compliance with legal obligations (AML, taxes, DSA, registry) | (c) Legal obligation |
| 11 | Establishment, exercise or defence of legal claims | (f) Legitimate interest |
6. Recipients and processors
| Recipient | Role | Data shared | Purpose |
|---|---|---|---|
| Supabase, Inc. (USA) | Processor | Account, profile, service area, KYC documents (private bucket), jobs, ratings | Backend, database (PostgreSQL + PostGIS), auth, storage |
| Mapbox, Inc. (USA) | Processor | Addresses, coordinates, travel radius | Geocoding, maps, search |
| RevenueCat, Inc. (USA) | Processor | User identifier, subscription status, app-store metadata | Subscription management |
| Apple, Inc., Google LLC | Independent controller | Payment data (card numbers handled by them, not us) | Payment processing within app store / Play store |
| Sentry (Functional Software, Inc.) (USA) | Processor | Error logs, stack traces, device metadata | Error monitoring |
| PostHog, Inc. (USA) | Processor | Pseudonymised events, session IDs | Product analytics (production only) |
| KYC provider (e.g. Veriff, Onfido or comparable) | Processor | Photo of ID, selfie, verification result | Identity verification |
| Accounting / tax adviser | Processor / independent controller | Invoice data, documents | Accounting |
International transfers. Where personal data is transferred outside the EEA, the transfer is safeguarded by:
- an adequacy decision under Article 45 GDPR (incl. EU–US Data Privacy Framework where applicable);
- Standard Contractual Clauses under Article 46 GDPR;
- derogations under Article 49 GDPR, used only exceptionally.
You can request a copy of the SCCs or a transfer-impact summary at info@skildo.cz.
No sale of data. We do not sell your personal data and we do not share it with third parties for their own marketing.
7. Retention periods
| Category | Rule |
|---|---|
| Account & profile | Lifetime of the account; deleted without undue delay after deletion |
| KYC documents | Lifetime of the account + 5 years thereafter (Act No. 253/2008 Coll. – AML) |
| Service area and work categories | Lifetime of the account |
| Jobs, offers, ratings | Lifetime of the account; statistical records anonymised after deletion |
| Communication with customers | Lifetime of both accounts; cascade-deleted |
| Subscriptions and invoicing | 10 years under Act No. 235/2004 Coll. (VAT) and Act No. 563/1991 Coll. (accounting) |
| Push tokens and notification preferences | Until you log out, revoke permission, or delete the account |
| Sentry (error logs) | 90 days from ingestion |
| PostHog (analytics) | 12 months from capture |
| Infrastructure logs (Supabase) | Up to 30 days |
| Database backups | Up to 30 days after deletion from the live database |
8. Account deletion
- You can request account deletion via the profile menu or by emailing info@skildo.cz.
- After deletion:
- We delete your profile, photo, service area, push tokens, and notification preferences.
- Ratings and records of completed jobs are anonymised — only an initial and the work category remain.
- KYC documents and accounting records must be retained by law (see Section 7) — they are kept in a restricted-access archive.
- We process the request within 30 days.
9. Your rights under the GDPR
| Right | How to exercise |
|---|---|
| Access (Art. 15) | E-mail info@skildo.cz |
| Rectification (Art. 16) | In the Platform or by email |
| Erasure (Art. 17) | Account deletion or email (subject to statutory archival periods — KYC, accounting) |
| Restriction (Art. 18) | E-mail info@skildo.cz |
| Portability (Art. 20) | E-mail info@skildo.cz (we will export JSON) |
| Objection (Art. 21) | E-mail info@skildo.cz |
| Withdrawal of consent (Art. 7(3)) | Change settings on the Platform, or withdraw cookie consent |
| Complaint to a supervisory authority | ÚOOÚ, Pplk. Sochora 727/27, 170 00 Praha 7, www.uoou.cz |
We respond without undue delay, within one month at the latest.
10. Children
- The Platform is not directed at persons under 18. It is a professional platform for adults.
- We do not knowingly collect data from minors.
- If we discover that a Partner provided false information at identity verification and is a minor, we will terminate the account and delete the data (except data we are required by law to retain).
- Our approach to child safety is set out in the Child Safety Standards.
11. Security
We apply technical and organisational measures appropriate to the risk:
- encryption in transit (TLS 1.2+);
- encryption at rest (database, backups);
- KYC documents in a private Supabase Storage bucket with strict Row-Level Security (access only by you and an internal compliance role);
- Row-Level Security in Supabase across all tables;
- OAuth and password-based authentication;
- API rate limiting;
- principle of least privilege and routine dependency upkeep.
No system is 100% secure. If a personal-data breach poses a risk to your rights, we will notify ÚOOÚ within 72 hours and, where required, you (Articles 33–34 GDPR).
12. Cookies and similar technologies
The Platform and websites use cookies and measurement technologies:
| Technology | Purpose | Consent |
|---|---|---|
| Strictly necessary cookies | Site functionality, language, consent banner | No consent |
| Google Analytics 4 | Traffic measurement | Consent |
| Google Ads | Ad campaign measurement | Consent |
| Meta Pixel | Facebook/Instagram campaign measurement | Consent |
| PostHog | Product analytics | Consent |
You manage consent via the cookie banner; you can change or revoke your choice at any time.
13. Automated decision-making
We do not use automated decision-making with legal or similarly significant effects on you under Article 22 GDPR. Any job recommendations based on your profile are hints — all decisions to accept an offer are yours.
14. Changes to this Policy
We may update this Policy. Material changes will be notified at least 15 days before the new effective date in the Platform or by email.
15. Contact
Invicta Solutions, s.r.o. Pod Jiráskovou čtvrtí 752/14 147 00 Praha 4 – Braník Czech Republic
E-mail: info@skildo.cz
We acknowledge messages within 5 business days and respond on the substance within 30 calendar days.
Last updated: 1 May 2026