Privacy Policy
Effective: October 22, 2025.
1. Data Controller Details (Skillion Kft.)
This Privacy Policy relates to the skillion.hu website and the Skillion mobile application (iOS/Android), operated by Skillion Limited Liability Company (hereinafter: Data Controller or Skillion Kft.). The Data Controller's details are as follows:
- Name: Skillion Limited Liability Company (Skillion Kft.)
- Registered Office: 4244 Újfehértó, Kossuth L. u. 69.
- Company Registration Number: 15-09-093995
- Tax Number: 32898987-2-15
- Contact: email: support@skillion.hu, info@skillion.hu (for inquiries related to data processing).
Data Protection Officer: Skillion Kft. has not currently appointed a data protection officer, as its activities do not make this mandatory. However, you may contact us regarding data protection questions through the contact details provided above.
2. Scope and Purpose of Data Processing
This privacy policy covers all personal data processing carried out on the skillion.hu website and in the Skillion mobile application (iOS/Android). Skillion is an AI-powered educational platform:
- AI Educational Tools: An artificial intelligence-supported learning interface whose services include, among others: document upload and processing, quiz generation, flashcard creation, note-taking, learning plan packages (combining quizzes, flashcards, and notes), visualization, presentation, mind maps, and audio/podcast functions.
The primary purpose of data processing is to provide these services to users. Within this framework, the Data Controller collects and processes personal data for various purposes, such as:
- User account creation and identification: Ensuring registration and login to the platform.
- Subscription management: Processing subscription contracts, managing payments, and electronic billing.
- Providing AI features: Storing and processing content uploaded by the user (e.g., via vectorization), and generating quiz questions, flashcards, and summaries for the user based on these.
- Communication and notifications: Contacting users for customer service purposes and sending notifications regarding the service (e.g., important changes, technical downtime, account-related information).
- Website operation and security: Technical operation of the website, maintaining login sessions, saving language settings, and preventing abuse (e.g., logging, recording IP addresses for security reasons).
During data processing, we always follow the principles of purpose limitation and data minimization – we only request and process data that is strictly necessary for providing the given service or fulfilling a legal obligation.
3. Scope of Processed Personal Data
The Data Controller processes the following categories of personal data during the use of the website's functions:
- Registration and account data: Username (or first name/last name), email address, password (stored in encrypted form). This data is necessary for account creation, identification, and contacting the user.
- Contact and profile data: Optional additional data such as full name, billing address (country, zip code, city, street, house number), and possibly a phone number if required for billing or contact purposes.
- Payment data: Data used for the secure processing of payments (e.g., credit card type, transaction ID, billing data). Important: Credit card data is handled through the system of the payment provider (Polar.sh as Merchant of Record and its partner, Stripe), so the Platform does not directly store the card number, expiration date, or CVV code. The Provider only receives notification of the transaction status and related basic data (e.g., successful or failed payment, transaction ID). For purchases through the mobile application, payments are processed by Apple (App Store) or Google (Google Play) with the involvement of RevenueCat.
- Billing data: For purchases, the invoice is issued by the payment provider (Polar.sh as Merchant of Record) through its own system, which issues an electronic receipt/invoice in compliance with local laws. The data required for this (name, address, email address) is transferred to the payment provider during the payment process.
- Technical data: During the use of the website, certain technical information may be automatically recorded, such as IP address, browser and operating system type, device data, and the time of the visit. This data is primarily processed for IT security purposes (e.g., logging login attempts and significant account actions to investigate potential abuse).
- Data collected by cookies: See the Cookies section below for details. We only use cookies to the extent necessary (e.g., session ID, language settings); we do not use marketing or third-party tracking cookies.
- User-uploaded or generated content: This includes documents uploaded by the user (e.g., PDF, Word, audio files, etc.), information extracted from these (e.g., vectorized data, text snippets), and content created by the user on the platform, such as notes, quiz questions, and flashcards. This content enters the system based on the user's decision and primarily serves their learning. Regarding any personal data that may be included in these, the user is responsible for ensuring they are entitled to share that data. (See also the section on disclaimer of liability.)
We do not request or process special categories of personal data (e.g., data concerning health, racial or ethnic origin, political opinions, biometric identifiers, etc.) during registration or use of the service. Users are also advised not to upload such data to the platform. If such data should nevertheless enter the system (e.g., as part of an uploaded document), the Data Controller does not select or use it for any specific purpose, and the user may delete such content at any time.
4. Legal Basis of Data Processing
The legal bases for data processing carried out within the framework of skillion.hu, in accordance with Article 6(1) of the General Data Protection Regulation (GDPR) of the European Union, may be the following:
- Performance of a contract [GDPR Article 6(1)(b)]: Most of our data processing is based on this legal ground. When you register on the platform or subscribe to a service package, a contract is formed between us and you (even free registration can be considered a contract for using the service). Processing your personal data is necessary to fulfill this (e.g., account creation, login, providing services, processing payments, saving content).
- Consent [GDPR Article 6(1)(a)]: We may request your voluntary consent for certain non-mandatory features or marketing communications. For example, if we send a newsletter in the future, we will only do so based on your prior consent. Currently, skillion.hu does not engage in explicit marketing-related data processing (we do not send unsolicited promotional materials) and we do not use non-essential cookies, so the role of consent is limited on the platform. If any data processing is nevertheless based on consent, you are entitled to withdraw it at any time; withdrawal does not affect the lawfulness of processing based on consent before its withdrawal.
- Compliance with a legal obligation [GDPR Article 6(1)(c)]: Processing certain data is required by law. An example is data retention due to accounting and tax laws: we must retain issued invoices and the underlying transaction data for 8 years based on the provisions of the Hungarian Accounting Act. We may also process certain data of yours due to a legal obligation when, for example, an official request is received or anti-money laundering laws require certain checks (the latter is typically not relevant to our service, as it is educational rather than financial).
- Legitimate interest of the data controller [GDPR Article 6(1)(f)]: In certain cases, the processing of your data may be justified by our legitimate interest or that of a third party. Such legitimate interest may be, for example, ensuring the security of the website (e.g., analyzing log files to detect intrusion attempts), preventing fraud, or improving the quality of the service (e.g., analyzing bug reports). In all such cases, we weigh whether our legitimate interest disproportionately infringes upon your fundamental rights and freedoms. Based on legitimate interest, we perform analytics on system performance only in an anonymous or aggregated manner that does not affect your personal data. (Currently, Google Analytics or similar external analytical systems are not integrated into the website – if they are introduced in the future, this policy will be updated accordingly.)
Legal basis for special data: As mentioned above, we do not process special categories of data. Therefore, we do not define a separate legal basis for such data – if the user nevertheless provides such data (e.g., describes health information in the study materials), we consider it to have been done by their own decision, and we do not process the data for any specific purpose.
Necessity of data provision: Providing registration and account data (name, email address, password) is necessary for concluding the service contract. Without providing this data, use of the Platform is not possible. Providing payment and billing data is necessary for conducting purchases and fulfilling legal obligations. Providing content uploaded by the user is voluntary, but in its absence, AI-based functions cannot be utilized.
5. Data transfer and recipients of data
The Data Controller transfers users' personal data to third parties only to the extent necessary and with the appropriate legal basis. The recipients and data processors who may have access to personal data are listed below:
- Payment provider (web): Web purchases and subscriptions are handled by Polar.sh as Merchant of Record (MoR), through Stripe's payment infrastructure. Polar.sh acts as the seller: it manages the payment, issues the invoice/receipt, and handles VAT according to the buyer's country. When a payment is initiated, the necessary data (name, email address, billing address, transaction amount) is transferred to the Polar.sh/Stripe system. Credit card data (card number, CVV code, etc.) is handled exclusively by Stripe with PCI DSS certification; Skillion does not receive or store these. Polar.sh: Polar Software Inc., headquartered in the United States. Stripe: Stripe, Inc., headquartered in the United States. Their privacy policies are available on their respective websites.
- Payment provider (mobile): Purchases through the mobile application are processed by Apple (App Store) or Google (Google Play) using their own payment systems. Subscription management is provided by RevenueCat, Inc. (USA), which synchronizes transaction data (subscription type, status, validity) with the Provider's system.
- AI providers: To provide the Platform's artificial intelligence-based functions (quiz generation, flashcards, notes, summaries, podcasts, presentations), details of the content uploaded and processed by the user are forwarded to the following AI providers: (a) OpenAI, Inc. (USA) – text and content generation; (b) Google LLC (USA) – text and content generation via the Google Generative AI API; (c) ElevenLabs, Inc. (USA) – speech synthesis (podcast function). AI providers receive the data solely for the purpose of processing the request and do not use it to train their models. OpenAI may retain data received via the API for up to 30 days for security monitoring purposes, after which it is automatically deleted. For transfer guarantees, see the 'Data Transfer to Third Countries' section below.
- OAuth authentication providers: If the user chooses social login (Google, Microsoft, or Apple account), the selected provider shares the user's name and email address with us during registration/login. Beyond this, the Provider does not gain access to the user's account with the respective provider.
- Hosting and infrastructure provider: The Platform's servers operate in a data center located within the European Union. The hosting provider may only access the data within the framework of technical access (maintenance, troubleshooting), subject to confidentiality and data security obligations.
- Other data processors: The Provider reserves the right to involve additional data processors (e.g., email delivery, analytics). In such cases, this policy will be updated.
The payment provider (Polar.sh) acts as an independent data controller regarding web transactions in its capacity as Merchant of Record. We have data processing agreements in accordance with Article 28 of the GDPR with our other data processing partners.
Data transfer to third countries (outside the EU/EEA): Several of the providers listed above are companies headquartered in the United States. The following guarantees apply to the transfer of personal data outside the EU:
- EU-US Data Privacy Framework (DPF): Google LLC, Stripe, Inc., and ElevenLabs, Inc. are certified participants in the EU-US Data Privacy Framework based on the European Commission's adequacy decision 2023/1795. This ensures an adequate level of data protection based on an adequacy decision under Article 45 of the GDPR.
- Standard Contractual Clauses (SCCs): Regarding OpenAI, Inc. and RevenueCat, Inc., data transfer takes place on the basis of standard contractual clauses approved by the European Commission, in accordance with Article 46(2)(c) of the GDPR.
- Polar Software Inc. uses the payment infrastructure of Stripe, Inc., which is covered by Stripe's DPF certification.
- Apple Inc. is a participant in the EU-US DPF, while Microsoft Corporation is also DPF-certified; data exchange with them (OAuth login) takes place within this framework.
Authorities, law enforcement: Based on legal authorization, we may be obliged in certain cases to transfer personal data to authorities (e.g., court orders, police requests, data protection authority investigations). Such data transfers take place only upon lawful request, to the extent necessary, and—if permitted by law—we will also notify the data subject.
6. Data retention period
The Data Controller stores personal data only for as long as necessary and securely deletes it upon expiration of the period or fulfillment of the purpose. When determining data retention periods, we also take into account the relevant legal requirements. Below is a summary of the retention periods for the main data groups:
- User account data: Data of active user accounts is retained for as long as you are a registered user of the platform. If you request the deletion of your account or terminate your subscription and indicate that you no longer wish to use the service, the account will be deleted. Following deletion, your personal data will be anonymized or permanently deleted by our system within a reasonable period (typically within one month of receipt of the request, or up to three months in complex cases). Please note that data may temporarily remain in backups after deletion, but these are also periodically overwritten/deleted. If any legal dispute or suspicion of misuse has arisen regarding your account, we may retain the necessary data until the dispute is resolved.
- Payment and billing data: Under the law, we must retain issued invoices and related transaction data for 8 years. This means that the name, address, invoice data related to purchases, as well as the date and amount of the transaction, are stored until the end of the 8th year following the year the invoice was issued. After this period, the data is deleted or anonymized, unless an official proceeding, audit, etc., has been initiated in the meantime, necessitating further retention.
- User-uploaded content (documents, notes, etc.): We generally store this data until you remove it or as long as your account is active. You can delete your uploaded documents, flashcards, and notes within your user account at any time. If you delete these, the system will permanently delete the associated files and the vectorized data derived from them within a reasonable period. However, we reserve the right to delete stored content for inactive users—if an account has not logged in for a long period (e.g., 1-2 years) and the subscription has expired—to free up storage space, following notification. Where possible, we will notify the data subject in advance.
- Technical and log data: Web server log files (e.g., visit logs, error reports) are generally stored for a shorter period, typically 180 days. Security logs (e.g., login logs) are kept longer if necessary, for a maximum of 2 years. This data is automatically deleted upon expiration of the retention period or anonymized (so it can no longer be linked to an individual).
- Communication (customer service correspondence): If you communicate with us via email or other means, such messages and any personal data contained therein will be retained until the matter is considered closed, and for a maximum of 5 years thereafter for reference, evidence, and handling potential legal claims. If a legal claim arises, the relevant communication data may be retained until the statute of limitations for the legal claim expires (which is generally 5 years for civil law claims).
Upon expiration of the data retention periods, we regularly review the stored data and ensure its secure deletion or anonymization. If you request the deletion of any data earlier (and there is no legal basis for us to retain it further), we will act according to your request.
7. Rights of data subjects and legal remedies
As a data subject, you have the following rights under the GDPR regarding the processing of your personal data:
- Right of access: You are entitled to receive feedback from us as to whether we are processing your personal data, and if so, you are entitled to receive information, among other things, on the categories of data we process, the purpose of the processing, its source, the duration of the processing, and the recipients of any data transfers. Upon your request, we will also provide a copy of your personal data stored by us (the first copy is free of charge).
- Right to rectification: You are entitled to request that we correct or supplement your inaccurate or incomplete personal data. We make every effort to ensure that the data we process is accurate and up-to-date, but we also rely on your notification in this regard.
- Right to erasure: You may request the deletion of your personal data in the following cases: if the data is no longer necessary for the purpose for which it was collected; if you withdraw your consent and we have no other legal basis; if you object to processing based on legitimate interest and we have no overriding legitimate grounds; if we have processed the data unlawfully; or if the law requires deletion. This is also known as the right to be forgotten. Please note that we may not be able to delete certain data immediately due to legal obligations (e.g., we cannot delete billing data before the 8-year retention period).
- Right to restriction of processing: You may request that we temporarily restrict processing if you contest the accuracy of the data (for the time it takes us to verify the accuracy); if the processing is unlawful but you request restriction instead of deletion; if we no longer need the data but you require it for the establishment or defense of legal claims; or if you have objected to the processing and the determination of the priority of legitimate interest is in progress.
- Right to data portability: If the processing is based on your consent or a contract and is carried out by automated means, you are entitled to receive the personal data you have provided to us in a structured, commonly used, machine-readable format, and you may also be entitled to transmit this data to another service provider. At your request—if technically feasible—we will transmit the data directly to another data controller designated by you.
- Right to object: You are entitled to object to the processing of your personal data if the legal basis for the processing is our legitimate interest. In the event of such an objection, we will examine whether we have compelling legitimate grounds for the processing that override your rights. If not, we will delete the data at your request. For example, if we were to contact you for marketing purposes (which would require consent, but we also respect the right to object), you can indicate at any time that you do not wish to receive such communications, in which case we will unsubscribe you from the list.
- Right to withdraw consent: If any data processing is based on your consent, you are entitled to withdraw your consent at any time. The withdrawal does not affect the lawfulness of processing based on consent before its withdrawal. (Since we currently have very little processing based on consent—except perhaps for cookies, if any—in practice, this right will mainly be relevant for newsletters or marketing.)
How to exercise your rights: To exercise your rights, you can contact us at any time using the contact details provided in section 1 (primarily in writing, via email). We will examine and respond to your request without undue delay, but no later than within 1 month. If necessary—taking into account the complexity of the request and the number of requests—this deadline may be extended by a further 2 months, but we will notify you of this within the first month. Fulfillment of requests is generally free of charge; we may only charge an administrative fee if the request is clearly unfounded or—especially due to its repetitive nature—excessive, and even then, within the framework of the GDPR.
If you are not satisfied with our response or believe that your rights have been violated in connection with the processing of your personal data:
- Complaint to the supervisory authority: You are entitled to lodge a complaint with the National Authority for Data Protection and Freedom of Information (NAIH). NAIH contact details: Address: 1055 Budapest, Falk Miksa u. 9-11. Mailing address: 1363 Budapest, Pf. 9. Telephone: +36 (1) 391-1400. E-mail: ugyfelszolgalat@naih.hu. Website: naih.hu. You can make a report to the Authority if you believe that a violation has occurred during data processing. The NAIH will investigate the complaint and take action if necessary. (A form is also available on the NAIH website for submitting a complaint.)
- Judicial enforcement: You are entitled to go to court and initiate civil proceedings against Skillion Kft. if you believe that we have processed your personal data unlawfully or violated your rights under the GDPR. You may also initiate the lawsuit—at your choice—before the Tribunal competent for your place of residence or stay in Hungary. The court gives priority to data protection lawsuits. If the court rules in your favor, it may award you compensation or restitution for non-material damages.
Naturally, we trust that such measures will not be necessary and that you will be able to resolve any problems or complaints directly with us. Please always contact us first at the contact details above; we strive to respond satisfactorily to every inquiry.
8. Use of cookies
The skillion.hu website uses cookies to function. A cookie is a small text file stored in the browser that contains certain information. Regarding the use of cookies, European and national laws (GDPR, as well as the Electronic Communications Act and related regulations) require that users be informed and, for certain cookies, that consent be obtained.
What cookies do we use on the website?
skillion.hu uses only strictly necessary cookies, without which the website would not be able to function properly. The legal basis for these cookies is the interest in providing the service (GDPR Article 6(1)(b), performance of a contract, and under electronic communications rules, no separate consent is required). We do not use marketing or performance/analytical cookies at this time. The main types of cookies we use are:
- Session cookies: These are temporary cookies that ensure the logged-in state is maintained and that page functions work correctly during the visit. For example, when logging in, the system can recognize the User on individual subpages using a session ID cookie. These cookies are automatically deleted when the browser is closed.
- Functional cookies: Cookies that remember certain settings of the site. This could be, for example, a cookie that stores the language chosen by the User for displaying the interface, so it doesn't have to be set again next time. These cookies typically remain in the browser for a longer period (e.g., a few days or weeks) to improve the user experience.
- Security cookies: Sometimes we use a cookie or similar technology that helps identify and prevent malicious activities (for example, detecting too frequent login attempts). These are intended to protect the system and do not collect marketing information about the user.
Third-party cookies: In its current form, skillion.hu does not use cookies placed by third parties. (For example, there are no Google Analytics, Facebook pixel, or similar integrations that would place cookies.) Should such a change occur in the future, we will obtain your prior consent for the use of such cookies and update this notice.
How can cookie settings be managed?
Since we only use necessary cookies, a separate cookie banner or selection panel does not appear when visiting the website—as consent is not required for this. Naturally, it is possible to delete or disable cookies in the browser settings. Please note that if cookies are disabled, certain functions of the website will not work properly (for example, you will not be able to log in, or language settings will not be preserved).
Generally, cookies can be managed in the Privacy or Data Protection section of the browser's Settings menu: all cookies can be deleted there, or the browser can be set to refuse cookies. Further information can be found in the browser's help section regarding this.
9. Data security measures
The Data Controller pays special attention to the security of personal data. We have implemented appropriate technical and organizational measures to ensure that the data we process is protected against unauthorized access, modification, disclosure, deletion, or destruction. Within this framework, among other things:
- Access management: Personal data can only be accessed by authorized persons to the extent necessary to perform their tasks. The persons involved are subject to confidentiality obligations.
- Encryption: Data traffic between the website and the server is encrypted via HTTPS protocol (SSL/TLS). Sensitive data (e.g., passwords) is stored in an irreversible hash format.
- Infrastructure security: We apply regular security updates to our servers and create backups of the data. Backups are stored separately and in a protected manner.
- Continuous improvement: We regularly review and improve our data security measures in accordance with the current state of technology.
It is important to know that while we take all reasonable measures, 100% security unfortunately cannot be guaranteed. However, we strive to continuously maintain and develop protection in line with the current technological standards. In the event of a data breach, we will notify the supervisory authority without undue delay and at the latest within 72 hours in accordance with Article 33 of the GDPR, unless the breach is unlikely to result in a risk to the rights of the data subjects. If the breach is likely to result in a high risk to the rights and freedoms of the data subjects, we will also notify the data subjects in accordance with Article 34.
10. Scope and Amendment of the Policy
This Privacy Policy enters into force on October 22, 2025, and remains valid until revoked. We reserve the right to modify or update the content of this policy from time to time. This may occur, for example, due to changes in legislation, the introduction of new services, changes in our data processing practices, or recommendations from the NAIH.
If we modify this notice in the future, we will publish the updated version on the website and adjust the effective date accordingly. In the event of a material change, we will notify users in a reasonable manner (e.g., via a notice on the website). The current version of the policy is always available in the website footer.
Please review this policy periodically to stay informed about how we handle your personal data. We will always indicate the date of the last update at the top of the policy. Continued use of our services after a modification constitutes acceptance of the modified terms (where applicable based on the nature of the change – for purely privacy notices, this is primarily for informational purposes).
11. Disclaimer and Terms of Use
Detailed terms regarding the use of the service, subscriptions, payment methods, limitation of liability, and the quality of AI-generated content are contained in the General Terms and Conditions (GTC), available on our website at the /aszf page.
Contact
Email: support@skillion.hu
Email: info@skillion.hu