Privacy Policy
Effective: October 22, 2025
1. Data Controller Details (Skillion Ltd.)
This Privacy Policy relates to the skillion.hu website and the Skillion mobile application (iOS/Android), operated by Skillion Limited Liability Company (hereinafter referred to as the Data Controller or Skillion Ltd.). The Data Controller's details are as follows:
- Name: Skillion Limited Liability Company (Skillion Ltd.)
- Registered Office: 4244 Újfehértó, Kossuth L. u. 69.
- Company Registration Number: 15-09-093995
- Tax Identification Number: 32898987-2-15
- Contact: email: support@skillion.hu, info@skillion.hu (for data processing inquiries).
Data Protection Officer: Skillion Ltd. has not currently appointed a data protection officer, as its activities do not make this mandatory. However, you may contact us regarding data protection issues through the contact details provided above.
2. Scope and Purpose of Data Processing
This privacy notice covers all personal data processing carried out on the skillion.hu website and in the Skillion mobile application (iOS/Android). Skillion is an educational platform with two main components:
- Webshop: An interface for purchasing pre-made study materials, which also provides interactive practice modules for the materials.
- AI Educational Tools: An AI-powered learning platform whose services include, among others: document uploading and processing, quiz generation, flashcard creation, note-taking, modular learning packages (combining quizzes, flashcards, and notes), maintaining a learning log, and an audio/podcast feature.
The primary purpose of data processing is to provide these services to users. In this context, the Data Controller collects and processes personal data for various purposes, such as:
- User account creation and identification: Ensuring registration and login to the platform.
- Processing webshop purchases: Processing orders, managing payments, electronic billing, and providing access to purchased educational materials.
- Providing AI features: Storing and processing content uploaded by the user (e.g., via vectorization), and generating quiz questions, flashcards, and summaries for the user based on these.
- Communication and notifications: Maintaining contact with users for customer service purposes and sending notifications regarding the service (e.g., important changes, technical downtime, account-related information).
- Website operation and security: Technical operation of the website, maintaining login sessions, saving language settings, and preventing misuse (e.g., logging, recording IP addresses for security reasons).
During data processing, we always follow the principles of purpose limitation and data minimization – we only request and process data that is strictly necessary for providing the given service or fulfilling a legal obligation.
3. Scope of processed personal data
The Data Controller processes the following scope of personal data during the use of the website's functions:
- Registration and account data: Username (or first name/last name), email address, password (stored in encrypted form). This data is necessary for account creation, identification, and communication with the user.
- Contact and profile data: Optionally provided additional data, such as full name, billing address (country, zip code, city, street, house number), and possibly a phone number if required for billing or contact purposes.
- Payment data: Data serving the secure execution of payments (e.g., type of bank card, transaction ID, billing data). Important: Bank card data is handled through the system of the payment provider (Polar.sh as Merchant of Record and its partner, Stripe), so the Platform does not directly store the card number, expiration date, or CVV code. The Provider only receives notification of the transaction status and related basic data (e.g., successful or unsuccessful payment, transaction ID). In the case of purchases through a mobile application, the payment is processed by Apple (App Store) or Google (Google Play) with the involvement of RevenueCat.
- Billing data: In the case of purchases, the invoice is issued by the payment provider (Polar.sh as Merchant of Record) through its own system, which issues an electronic document (receipt/invoice) in accordance with local legislation. The data required for this (name, address, email address) is transferred to the payment provider during the payment process.
- Technical data: During the use of the website, some technical information may be automatically recorded, such as the IP address, type of browser and operating system, device data, and the time of the visit. We process this data primarily for IT security purposes (e.g., logging login attempts and major account operations to investigate potential misuse).
- Data collected by cookies: See the Cookies section below for details. We only use cookies to the extent necessary (e.g., session ID, language settings); we do not use marketing or third-party tracking cookies.
- Content uploaded or generated by the user: This includes documents uploaded by the user (e.g., PDF, Word, audio files, etc.), information extracted from these (e.g., vectorized data, text snippets), and content created by the user on the platform, such as notes, quiz questions, flashcards, and learning log entries. This content enters the system based on the user's decision and primarily serves their learning. Regarding any personal data that may be included in these, the user is responsible for ensuring they are entitled to share the given data. (See also the section on disclaimer of liability.)
We do not request or process special categories of personal data (e.g., data concerning health, racial or ethnic origin, political opinions, biometric identifiers, etc.) during registration or use of the service. Users are also advised not to upload such data to the platform. Should such data nevertheless enter the system (e.g., as part of an uploaded document), the Data Controller does not select or use it for any specific purpose, and the user may delete such content at any time.
4. Legal basis for data processing
The legal bases for data processing carried out within skillion.hu, in accordance with Article 6(1) of the European Union's General Data Protection Regulation (GDPR), may be the following:
- Performance of a contract [GDPR Article 6(1)(b)]: Most of our data processing is based on this legal ground. When you register on the platform or subscribe to a service package, a contract is established between us and you (even free registration can be considered a contract for using the service). Processing your personal data (e.g., account creation, login, providing services, processing payments, saving content) is necessary to fulfill this.
- Consent [GDPR Article 6(1)(a)]: We may request your voluntary consent for certain non-mandatory features or marketing-type communication. For example, if we send a newsletter in the future, we will only do so based on your prior consent. Currently, skillion.hu does not conduct explicit marketing-related data processing (we do not send unsolicited promotional materials) and we do not use non-essential cookies, so the role of consent is limited on the platform. If any data processing is nevertheless based on consent, you are entitled to withdraw it at any time; the withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
- Compliance with a legal obligation [GDPR Article 6(1)(c)]: We are required by law to process certain data. An example of this is data retention due to accounting and tax legislation: we must retain issued invoices and the underlying transaction data for 8 years based on the provisions of the Hungarian Accounting Act. We may also process certain data of yours due to a legal obligation when, for example, an official request is received or anti-money laundering laws prescribe certain checks (the latter is typically not relevant to our service, as it is educational rather than financial in nature).
- Legitimate interest of the data controller [GDPR Article 6(1)(f)]: In certain cases, the processing of your data may be justified by our legitimate interest or that of a third party. Such legitimate interest may be, for example, guaranteeing the security of the website (e.g., analyzing log files to detect intrusion attempts), preventing fraud, or improving the quality of the service (e.g., analyzing bug reports). In all such cases, we consider whether our legitimate interest does not disproportionately infringe upon your fundamental rights and freedoms. Based on legitimate interest, we perform analytics on system performance only in an anonymous or aggregated manner that does not affect your personal data. (Currently, Google Analytics or similar external analytical systems are not integrated into the website – should they be introduced in the future, this notice will be updated accordingly.)
Legal basis for special data: As mentioned above, we do not process special categories of data. Thus, we do not define a separate legal basis for such data – if the user nevertheless provides such data (e.g., writes health information in the educational materials), we consider that they did so based on their own decision, and we do not process the data for any specific purpose.
Necessity of data provision: Providing registration and account data (name, email address, password) is necessary for concluding the service contract. Without providing this data, use of the Platform is not possible. Providing payment and billing data is necessary for processing purchases and fulfilling legal obligations. Providing content uploaded by the user is voluntary, but in its absence, AI-based features cannot be used.
5. Data transfer and recipients of data
The Data Controller transfers users' personal data to third parties only to the extent necessary and with the appropriate legal basis. The recipients and data processors who may have access to personal data are listed below:
- Payment provider (web): Web purchases and subscriptions are handled by Polar.sh in the capacity of Merchant of Record (MoR), through Stripe's payment infrastructure. Polar.sh acts as the seller: it handles the payment, issues the invoice/receipt, and manages VAT according to the buyer's country. Upon initiating payment, the necessary data (name, email address, billing address, transaction amount) is transferred to the Polar.sh/Stripe system. Bank card data (card number, CVV code, etc.) is handled exclusively by Stripe with PCI DSS certification; Skillion does not receive or store these. Polar.sh: Polar Software Inc., headquartered in the United States. Stripe: Stripe, Inc., headquartered in the United States. Their privacy policies are available on their respective websites.
- Payment provider (mobile): Purchases through the mobile application are processed by the respective payment systems of Apple (App Store) and Google (Google Play). Subscription management is provided by RevenueCat, Inc. (USA), which synchronizes transaction data (subscription type, status, validity) with the Provider's system.
- AI providers: To provide the Platform's artificial intelligence-based features (quiz generation, flashcards, notes, summaries, podcasts, presentations), we transfer details of the content uploaded and processed by the user to the following AI providers: (a) OpenAI, Inc. (USA) – text and content generation; (b) Google LLC (USA) – text and content generation via the Google Generative AI API; (c) ElevenLabs, Inc. (USA) – speech synthesis (podcast feature). AI providers receive the data solely for the purpose of processing the request and do not use it to train their models. OpenAI may retain data received via the API for up to 30 days for security monitoring purposes, after which it is automatically deleted. For guarantees regarding the transfer, see the "Data transfer to a third country" section below.
- OAuth authentication providers: If the user chooses social login (Google, Microsoft, or Apple account), the selected provider shares the user's name and email address with us during registration/login. Beyond this, the Provider does not gain access to the user's account with the given provider.
- Hosting and infrastructure provider: The Platform's servers operate in a data center located within the European Union. The hosting provider may only access the data within the framework of technical access (maintenance, troubleshooting), subject to confidentiality and data security obligations.
- Other data processors: The Provider reserves the right to involve additional data processors (e.g., email delivery, analytics). In such cases, this notice will be updated.
The payment provider (Polar.sh) acts as an independent data controller in the capacity of Merchant of Record regarding web transactions. We have data processing agreements in accordance with Article 28 of the GDPR with our other data processing partners.
Data transfer to a third country (outside the EU/EEA): Several of the providers listed above are businesses headquartered in the United States. The following guarantees apply to the transfer of personal data outside the EU:
- EU-US Data Privacy Framework (DPF): Google LLC, Stripe, Inc., and ElevenLabs, Inc. are certified participants in the EU-US Data Privacy Framework based on the European Commission's adequacy decision 2023/1795. This ensures an adequate level of data protection based on the adequacy decision under Article 45 of the GDPR.
- Standard Contractual Clauses (SCCs): Regarding OpenAI, Inc. and RevenueCat, Inc., data transfer takes place based on standard contractual clauses approved by the European Commission, in accordance with Article 46(2)(c) of the GDPR.
- Polar Software Inc. uses Stripe, Inc.'s payment infrastructure, which is covered by Stripe's DPF certification.
- Apple Inc. is a participant in the EU-US DPF, while Microsoft Corporation is also DPF-certified; data exchange with them (OAuth login) takes place within this framework.
Authorities, law enforcement: Based on statutory authorization, we may be obliged in certain cases to hand over personal data to authorities (e.g., in the case of a court order, police request, or data protection authority investigation). Such data transfer takes place only upon a lawful request, to the extent necessary, and – if permitted by law – we also notify the data subject.
6. Data retention period
The Data Controller stores personal data only for as long as necessary and securely deletes it upon expiry of the period or cessation of the purpose. When determining data retention periods, we also take into account the relevant legal regulations. The retention periods for the main data groups are summarized below:
- User account data: We retain data for active user accounts as long as you remain a registered user of the platform. If you request the deletion of your account or terminate your subscription and indicate that you no longer wish to use the service, your account will be deleted. Following deletion, your personal data will be anonymized or permanently deleted by our system within a reasonable timeframe (typically within one month of receiving the request, or up to three months in complex cases). Please note that data may temporarily remain in backups after deletion, but these are also periodically overwritten or deleted. If any legal dispute or suspicion of misuse arises regarding your account, we may retain the necessary data until the dispute is resolved.
- Payment and billing data: Under applicable law, we are required to retain issued invoices and related transaction data for 8 years. This means that the name, address, and billing information associated with purchases, as well as the date and amount of the transaction, will be stored until the end of the 8th year following the year the invoice was issued. After this period, the data will be deleted or anonymized, unless an official proceeding, audit, etc., has been initiated in the meantime, necessitating further retention.
- User-uploaded content (documents, notes, etc.): We generally store this data until you remove it or as long as your account is active. You can delete your uploaded documents, flashcards, and notes within your user account at any time. If you delete these, the system will permanently delete the associated files and the vectorized data derived from them within a reasonable timeframe. However, we reserve the right to delete stored content for inactive users—if an account has not been logged into for a long period (e.g., 1-2 years) and the subscription has expired—in order to free up storage space, following notification. Where possible, we will notify the affected user in advance.
- Technical and log data: Web server log files (e.g., visit logs, error reports) are generally stored for a shorter period, typically 180 days. Security logs (e.g., login logs) are kept longer if necessary, for a maximum of 2 years. This data is automatically deleted upon expiration of the retention period or anonymized (so it can no longer be linked to an individual).
- Communication (customer service correspondence): If you communicate with us via email or other means, such messages and any personal data contained therein will be retained until the matter is considered closed, and for a maximum of 5 years thereafter for reference, evidentiary purposes, and the handling of potential legal claims. If a legal claim arises, the relevant communication data may be retained until the statute of limitations for the legal claim expires (which is generally 5 years for civil law claims).
Upon expiration of the data retention periods, we regularly review the stored data and ensure its secure deletion or anonymization. If you request the deletion of any data earlier (and there is no legal basis for us to retain it further), we will act in accordance with your request.
7. Rights of Data Subjects and Remedies
As a data subject, you are entitled to the following rights regarding the processing of your personal data under the GDPR:
- Right of access: You have the right to receive feedback from us as to whether your personal data is being processed, and if so, you are entitled to receive information regarding, among other things, the categories of data processed, the purposes of the processing, its source, the duration of the processing, and the recipients of any data transfers. Upon request, we will also provide a copy of the personal data we store (the first copy is free of charge).
- Right to rectification: You have the right to request that we correct or supplement inaccurate or incomplete personal data. We make every effort to ensure that the data we process is accurate and up-to-date, but we also rely on you to notify us of any changes.
- Right to erasure: You may request the deletion of your personal data in the following cases: if the data is no longer necessary for the purposes for which it was collected; if you withdraw your consent and we have no other legal basis; if you object to processing based on legitimate interest and we have no overriding legitimate grounds; if we have processed the data unlawfully; or if deletion is required by law. This is also known as the 'right to be forgotten.' Please note that we may not be able to delete certain data immediately due to legal obligations (e.g., billing data cannot be deleted before the 8-year retention period).
- Right to restriction of processing: You may request that we temporarily restrict processing if you contest the accuracy of the data (for the period it takes us to verify accuracy); if the processing is unlawful but you request restriction instead of deletion; if we no longer need the data but you require it for the establishment or defense of legal claims; or if you have objected to the processing and the verification of whether our legitimate grounds override yours is pending.
- Right to data portability: If the processing is based on your consent or a contract and is carried out by automated means, you have the right to receive the personal data you provided to us in a structured, commonly used, machine-readable format, and you may also have the right to transmit this data to another provider. At your request—if technically feasible—we will transmit the data directly to another data controller designated by you.
- Right to object: You have the right to object to the processing of your personal data if the legal basis for the processing is our legitimate interest. In the event of such an objection, we will examine whether we have compelling legitimate grounds for processing that override your rights. If not, we will delete the data at your request. For example, if we were to contact you for marketing purposes (which would require consent, but we also respect the right to object), you can indicate at any time that you do not wish to receive such communications, and in that case, we will remove you from the list.
- Right to withdraw consent: If any data processing is based on your consent, you have the right to withdraw your consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. (Since we currently have very little processing based on consent—except perhaps regarding cookies, if any—this right will mainly be relevant in practice for newsletters or marketing in the future.)
How to exercise your rights: To exercise your rights, you may contact us at any time using the contact details provided in Section 1 (primarily in writing, via email). We will examine and respond to your request without undue delay, but no later than within 1 month. If necessary—taking into account the complexity of the request and the number of requests—this deadline may be extended by a further 2 months, but we will notify you of this within the first month. Fulfilling requests is generally free of charge; we may only charge an administrative fee if the request is clearly unfounded or—especially due to its repetitive nature—excessive, and even then, only within the framework of the GDPR.
If you are not satisfied with our response, or if you feel that your rights have been violated in connection with the processing of your personal data:
- You may lodge a complaint with the supervisory authority: You have the right to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH). NAIH contact details: Address: 1055 Budapest, Falk Miksa u. 9-11. Mailing address: 1363 Budapest, Pf. 9. Phone: +36 (1) 391-1400. Email: ugyfelszolgalat@naih.hu. Website: naih.hu. You may file a report with the Authority if you believe a violation has occurred during data processing. The NAIH will investigate the complaint and take action if necessary. (You can also find a form for submitting a complaint on the NAIH website.)
- Judicial enforcement: You are entitled to go to court and initiate civil litigation against Skillion Kft. if you believe we have processed your personal data unlawfully or violated your rights under the GDPR. You may also initiate the lawsuit—at your choice—before the Tribunal competent for your place of residence or stay in Hungary. The court handles data protection lawsuits as a priority matter. If the court rules in your favor, it may award you damages or restitution for non-material injury.
Naturally, we trust that such measures will not be necessary and that any potential problems or complaints can be resolved directly with us. Please always contact us first at the contact details above; we strive to respond satisfactorily to every inquiry.
8. Use of Cookies
The skillion.hu website uses cookies to function. A cookie is a small text file stored in the browser that contains certain information. Regarding the use of cookies, European and national legislation (GDPR, as well as the Electronic Communications Act and related regulations) require that users be informed and, for certain cookies, that consent be obtained.
What cookies do we use on the website?
skillion.hu uses only strictly necessary cookies, without which the website would not be able to function properly. The legal basis for these cookies is the interest in providing the service (GDPR Article 6(1)(b), performance of a contract, and according to electronic communications rules, no separate consent is required). We do not currently use marketing or performance/analytical cookies. The main types of cookies we use are:
- Session cookies: These are temporary cookies that ensure the logged-in state is maintained and that site functions work correctly during the visit. For example, when you log in, the system can recognize you on individual subpages using a session ID cookie. These cookies are automatically deleted when the browser is closed.
- Functional cookies: These are cookies that remember certain settings or choices you make on the site. This could be, for example, a cookie that stores the language you selected for the interface so you don't have to set it again next time. These cookies typically remain in the browser for a longer period (e.g., a few days or weeks) to improve the user experience.
- Security cookies: Occasionally, we use cookies or similar technology to help identify and prevent malicious activities (for example, detecting too frequent login attempts). Their purpose is to protect the system, and they do not collect marketing information about the user.
Third-party cookies: In its current form, skillion.hu does not use cookies placed by third parties. (For example, there are no Google Analytics, Facebook pixel, or similar integrations that would place cookies.) Should such a change occur in the future, we will obtain your prior consent for the use of such cookies and update this notice.
How can you manage cookie settings?
Since we only use necessary cookies, no separate cookie banner or selection panel appears when visiting the website—as consent is not required for these. Naturally, you can also delete or block cookies in your browser settings. Please note that if cookies are disabled, certain functions of the website will not work properly (for example, you will not be able to log in, or your language settings will not be saved).
Generally, you can manage cookies in the Privacy or Data Protection section of your browser's Settings menu: there you can delete all cookies or even set the browser to refuse cookies. You can find more information about this in your browser's help section.
9. Data Security Measures
The Data Controller pays special attention to the security of personal data. We have implemented appropriate technical and organizational measures to ensure that the data we process is protected against unauthorized access, modification, disclosure, deletion, or destruction. Within this framework, we use, among other things:
- Access management: Personal data can only be accessed by authorized persons to the extent necessary for the performance of their duties. The persons involved are subject to confidentiality obligations.
- Encryption: Data traffic between the website and the server is encrypted via HTTPS protocol (SSL/TLS). Sensitive data (e.g., passwords) is stored in an irreversible hash format.
- Infrastructure security: We apply regular security updates to the servers and create backups of the data. Backups are stored separately and in a protected manner.
- Continuous development: We regularly review and develop our data security measures in accordance with the current state of technology.
It is important to know that while we take all reasonable measures, 100% security unfortunately cannot be guaranteed. However, we strive to continuously maintain and develop protection corresponding to the current technological level. In the event of a data breach, we will notify the supervisory authority without undue delay and no later than 72 hours in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights of data subjects. If the breach is likely to result in a high risk to the rights and freedoms of data subjects, we will also notify the data subjects in accordance with Article 34.
10. Scope and Amendment of the Statement
This privacy statement enters into force on October 22, 2025, and is valid until withdrawn. We reserve the right to modify or update the content of the statement from time to time. This may occur, for example, due to changes in legislation, the introduction of new services, changes in our data processing practices, or recommendations from the NAIH.
If we modify the notice in the future, we will publish the updated version on the website and adjust the effective date accordingly. In the case of significant changes, we will notify users in a reasonable manner (e.g., via a notice on the website). The currently effective version of the statement is always available from the website footer.
Please review the statement from time to time to stay up to date on how we handle your personal data. We always indicate the date of the last update at the top of the statement. Continued use of our services after a modification constitutes acceptance of the amended terms (to the extent applicable based on the nature of the change – for purely privacy notices, this is primarily for informational purposes).
11. Disclaimer and Terms of Service Use
Detailed terms regarding the use of the service, subscriptions, payment methods, limitation of liability, and the quality of AI-generated content are contained in the General Terms and Conditions (GTC), which is available on our website at the /aszf page.
Contact
Email: support@skillion.hu
Email: info@skillion.hu