Privacy Policy

Skeleton Key uses AI to automate research, strategy, and planning work that traditionally requires expensive agencies, consultants, or large internal teams. The platform uses your brand’s basic information and campaign objectives to produce professional-grade marketing outputs in minutes instead of days or weeks.

Skeleton Key Pte. Ltd. is incorporated in Singapore. For the purposes of the PDPA, Skeleton Key is an “organisation” that collects, uses, and discloses personal data in Singapore.

By uploading personal data to the Skeleton Key Platform or continuing to use our services, you confirm you have obtained all necessary consents, permissions, or legal bases from your data subjects (e.g., your organization, customers, and employees) for us to act as your data processor.

We will process, manage, store, and transfer the personal data you upload solely to provide the services you have requested (“Service Purposes”). This includes:

• Collecting and organising uploaded data.
• Storing it securely in Singapore (AWS ap-southeast-1).
• Processing it for analytics, reporting, or integrations as per your instructions.
• Transferring it to subprocessors or service providers only where necessary for Service Purposes, under contracts ensuring PDPA-comparable protection

No secondary uses: We will not use your uploaded data for marketing, profiling, or any purpose beyond the Service Purposes without your separate written consent.

Your rights: You may withdraw this consent at any time by emailing privacy@skeletonkey.xyz. Withdrawal may limit or end your access to services. We retain data only as long as needed for Service Purposes or legal requirements.

Cross-border transfers: Data may be transferred outside Singapore to the United States of America under standard contractual clauses or binding corporate rules approved by Singapore’s PDPC. Recipient countries may not offer PDPA-equivalent protection, but we enforce safeguards.

This consent is voluntary.

Information You Give Us Directly

When you sign up for or use Skeleton Key, you may provide information such as your name and email address, your company name and website, billing and payment details (which are processed securely by our payment provider), Job title (optional) , marketing attribution data (such as how you found our service), the content you create or upload in our platform, and any messages you send to our support team. If you participate in surveys, webinars, or marketing programmes, you may also provide additional information such as your role, preferences, and feedback.

Information We Collect Automatically

When you use our service, we automatically collect information about how you use the Platform, including which features you use, which pages you visit, and how you move through the interface. We collect technical information about the device and browser you use, your IP address and general location at a city or country level, as well as performance data such as page load times, error messages, and other diagnostic information. This helps us operate, secure, and improve our service.

Site Analytics

On our website (skeletonkey.xyz), we use Google Analytics to understand how visitors use our site. This collects information such as the pages you visit, your device and browser type, your IP address, general location at a city or country level, and performance data such as page load times. Google Analytics uses cookies to collect this information.

Platform Usage

On our platform (app.skeletonkey.xyz), we use privacy-focused analytics that do not use cookies or store your IP address. We collect information about which features you use, which pages you visit, and how you move through the interface. We also collect general location at a country level, and browser and device type, in aggregated form. Our hosting infrastructure may process your IP address in the course of delivering the service, but we do not store IP addresses in our systems.

Provide Our Service

We use your information to create and maintain your account, to provide and operate our platform and AI‑powered tools, and to save your work and preferences. We use your payment information to process subscription payments securely through our payment partners. We use your contact information and account details to provide customer support and communicate with you about your use of the service. Where we process personal data, we do so for purposes that a reasonable person would consider appropriate in the circumstances, and in compliance with the PDPA and other applicable laws.

Improve Our Service

We use usage and performance information to understand which features people use most, to find and fix bugs, to test and launch new features, and to measure how well our platform performs. We may use aggregated and de-identified data to analyse trends and improve our services and AI models. When we use your personal data for product improvement, we do so in a way that is consistent with the original purposes for which the data was collected, unless we obtain further consent where required by the PDPA.

Communicate With You

We use your contact information to send important updates about your account, such as billing notices, security alerts, or changes to our terms and policies. We also respond to your questions and support requests. With your consent, or where permitted by law, we may send you educational content about marketing, invitations to events, or information about new features and services. You can opt out of marketing emails at any time by using the unsubscribe link in those emails or by contacting us directly. Operational and service‑related emails may still be sent even if you opt out of marketing.

Keep Everything Secure

We use your information to detect and prevent fraud and abuse, to protect against security threats, and to comply with legal and regulatory requirements in Singapore and other relevant jurisdictions. This may include monitoring for suspicious activity, investigating potential violations of our terms, and responding to lawful requests for information

Security Measures

We take security seriously and apply layered technical and organisational controls to protect your information. The main controls in place at the time of writing are described below.

Encryption in transit. Communications between you, our application, and the third-party services we rely on take place over HTTPS (TLS).

Encryption at rest. Stored data is encrypted at rest by our managed database provider using industry-standard algorithms.

Authentication. Passwords are stored as salted, one-way cryptographic hashes; we never have access to your password in plain text.

Access controls. Database-level controls ensure that each authenticated user can only access data belonging to organisations and brands they have been granted access to, and write operations are gated by role-based permissions before any change is persisted. Privileged credentials used by our backend are restricted to server-side processes and are never sent to the browser.

Internal access. Production systems are accessible only to a limited number of authorised personnel who require access to operate the service, all of whom are subject to written confidentiality obligations.

Logging and monitoring. We log application requests, workflow runs, and error events to help us operate, troubleshoot, and improve the service and to detect unusual activity. These logs may contain content that you submit to the Platform and are retained for a limited period.

Transmission to AI providers and other sub-processors. As detailed in “Service Providers We Work With” below, the content you create on the Platform — including your prompts and the brand and campaign materials you provide — is transmitted to third-party AI model providers and to research and search providers in order to generate the outputs you see in the product. These transmissions are made over TLS and are governed by our agreements with each provider, which prohibit the use of your identifiable content to train their general-purpose models. Further detail is set out in our Acceptable Use Policy and AI Supplement and in clause 4 of our Terms and Conditions.

Incident response. We maintain internal procedures for assessing and responding to suspected security incidents. Where a personal data breach meets the notifiability thresholds under the PDPA, we will notify the Personal Data Protection Commission and affected individuals without undue delay, in line with our PDPA Data Breach Notification obligations.

While we work hard to protect your information, no method of transmission over the internet or method of electronic storage is completely secure. We cannot guarantee absolute security, but we strive to protect your personal data in accordance with the PDPA and recognised industry standards

Where We Store Your Data

Your account data and the content you create on the Platform are stored in our managed Postgres database in Singapore (AWS ap-southeast-1). Some processing necessarily takes place in other countries — for example, our application is hosted with Vercel (United States), and the AI model providers and research providers we use to generate outputs are also located outside Singapore (see “Service Providers We Work With” below). When personal data is transferred out of Singapore, we take appropriate steps to ensure that the overseas recipient provides a standard of protection that is comparable to the protection provided under the PDPA. This may include using contractual clauses, relying on certifications, or other transfer mechanisms allowed under Singapore law.

How Long We Keep Your Data

We keep your personal data for as long as it is necessary to fulfil the purposes for which it was collected, or as required or permitted by law. For example, we keep active account data for as long as your account remains open. After you close your account, we generally delete or anonymise most of your personal data within ninety days, unless we need to keep it longer to comply with legal obligations, resolve disputes, or enforce our agreements. Certain information, such as transaction and billing records, may be retained for longer periods to meet tax, accounting, or regulatory requirements. You can request deletion of your personal data sooner, and we will review and respond to your request in accordance with our legal obligations.

We Do Not Sell Your Data

We will not sell your personal information to anyone.

Service Providers We Work With

We share limited information with trusted third‑party service providers who help us operate Skeleton Key. This may include cloud hosting providers that store and process your data, payment processors that handle your payments securely, email service providers that allow us to send you messages, analytics tools that help us understand how our service is used, and customer support tools that help us respond to your questions. These service providers may be located in Singapore or in other countries. We require them by contract to protect your personal data, to use it only for the services they provide to us, and to handle it in a manner consistent with this policy and the PDPA

When Required By Law

We may disclose your information where required to do so by law or where we believe in good faith that such disclosure is reasonably necessary to comply with a legal obligation, court order, or request from a government or regulatory authority. We may also disclose information if we believe it is necessary to protect the safety of our users or the public, to detect or prevent fraud, or to address security issues and technical problems

Business Transfers

If Skeleton Key is involved in a merger, acquisition, sale of assets, corporate reorganisation, or similar transaction, your information may be transferred as part of that transaction. If this happens, we will take reasonable steps to ensure that the new organisation continues to protect your personal data to at least the same standard and to notify you before your information becomes subject to a different privacy policy.

Managing Your Information

You can update your account information at any time in your account settings, such as your name, contact details, and preferences. You may request an export or copy of your data by contacting us, and we will provide it to you where reasonably practicable and in line with applicable law. You can delete your account by emailing us. We then will delete or anonymise your personal data, subject to any information we need to retain for legal, accounting, or operational reasons. You can opt out of marketing emails by clicking the unsubscribe link in those emails or by contacting us.

Your Legal Rights

Under the PDPA and other applicable laws, you may have certain rights in relation to your personal data. These typically include the right to request access to the personal data we hold about you, the right to request correction of inaccurate or incomplete personal data, and, in some circumstances, the right to request withdrawal of consent to our collection, use, or disclosure of your personal data. If you withdraw consent, this may affect our ability to provide you with the Services, and we will explain any such impact before processing your request.

If you are located outside Singapore, such as in the European Union, the United Kingdom, or other jurisdictions with specific data protection laws, you may have additional rights under those laws, such as the right to data portability, the right to object to certain types of processing, or the right to lodge a complaint with your local data protection authority. We will respect these rights where applicable and will work with you to address any concerns. To exercise any of these rights, you can email us at

privacy@skeletonkey.xyz

We may need to verify your identity before processing your request.

Skeleton Key is not intended for use by anyone under 18 years old. We do not knowingly collect personal data from children. If we discover that we have collected personal information from a child under 18 without appropriate consent, we will take steps to delete that information as soon as reasonably practicable. If you believe that a child has provided us with personal data, please contact us immediately.

Skeleton Key is based in Singapore, but our users may access the service from around the world and our service providers may be located in multiple countries. This means your information may be transferred to and stored in countries other than your own. When we transfer personal data out of Singapore, we take steps to ensure that the receiving organisation provides a standard of protection that is at least comparable to the protection provided under the PDPA. By using Skeleton Key, you consent to the transfer of your information to Singapore and to other countries where our service providers operate, subject to these safeguards.

If you use Skeleton Key from outside Singapore, you are responsible for ensuring that your use complies with local laws as well as with this policy and our Terms of Service.

We may update this privacy policy from time to time to reflect changes in our services, legal requirements, or how we handle personal data. When we make significant changes, we will update the “Effective Date” at the top of the policy and may notify you through email or a notice in the platform. Where required by law, we may also seek your consent to material changes. We encourage you to review this policy periodically so that you remain informed about how we protect your information.

Your Responsibilities

You are responsible for keeping your account password and login details secure and for ensuring that you have the right to share any content you upload or connect to Skeleton Key. You are also responsible for complying with all applicable laws when using Skeleton Key, including data protection and privacy laws that apply to your own customers or users.

Our Limitations

We work hard to protect your information and use reasonable security measures, but no security system is completely foolproof. We cannot control information that you choose to share publicly or with third parties. Our website and Platform may contain links to other websites or services that are not controlled by Skeleton Key. We are not responsible for the privacy practices of those websites or services, and we encourage you to review their privacy policies before providing them with personal data.

If you have any questions about this privacy policy or how we handle your information, or if you wish to exercise your rights or contact our Data Protection Team, you can contact us at:

Email:
privacy@skeletonkey.xyz

Website:
https://www.skeletonkey.xyz

You can also write to us at:

Skeleton Key Pte. Ltd.
109 North Bridge Road
#05-21 Funan
Singapore 179097

If you are in Singapore and are not satisfied with how we have handled your personal data, you may also lodge a complaint with the Personal Data Protection Commission (PDPC). We would, however, appreciate the chance to address your concerns first, so please contact us in the first instance.