Privacy Policy

This Privacy Policy describes how Skeleton ("we", "us") collects, uses, and shares information when you use the Skeleton service — the macOS application, the web dashboard at supaskel.dev, and the API at api.supaskel.dev.

1. What we collect

Account information

When you create an account we store your email address and a hashed password via Supabase Auth. We also create a profile row (display name, optional preferences) and a default personal space.

Connector credentials

When you connect a third-party service (Gmail, GitHub, etc.) we complete the OAuth 2.0 authorization code flow and store the resulting access and refresh tokens, encrypted at rest with Fernet (AES-128-CBC + HMAC-SHA-256) in our Supabase Postgres database. We rotate refresh tokens on use and serialize the rotation with a per-connection lock.

Tool-call metadata

Every request an AI client makes through Skeleton is recorded as an access request row containing: the tool name, a redacted summary of the arguments, the space it ran in, your approval decision, and a hash of the response. We use this to power the Activity log in the app and to enforce always-allow / always-deny rules you configure. The actual tool-call payload (message bodies, file contents, etc.) is not persisted.

Memory you author

Memories you explicitly ask an AI client to save are stored on our Supabase PGVector backend. Memories are per-space, fully user-editable, and can be deleted via the dashboard or the MCP delete_memory tool.

What we do not collect

Skeleton does not ingest your inbox, calendar, drive, or other provider content into our database. Tool calls are proxied live with your bearer token on each request; the provider serves the data to your AI client through us, and we do not keep a copy.

2. How we use information

We use the information above only to provide the Skeleton service: authenticating you, routing OAuth flows, proxying AI tool calls to the right provider on your behalf, enforcing your approval rules, and surfacing Activity and Memory in the macOS and web clients. We do not sell your data, share it with data brokers, or use it for targeted advertising.

3. Google API Services — Limited Use disclosure

Skeleton's use and transfer of information received from Google APIs to any other app will adhere to Google API Services User Data Policy, including the Limited Use requirements.

Specifically, Gmail data accessed through Skeleton is used only to provide user-facing features that you have explicitly requested — namely, proxying AI tool calls you have approved through the macOS approval gate. Skeleton does not use Gmail data to train generalized or third-party AI/ML models, serve advertisements, or transfer Gmail data to third parties for any purpose other than fulfilling your request through the AI client you initiated the request from.

4. Sharing

Tool-call results flow to the AI client you authorized (for example, Claude Desktop, Claude Code, Cursor). We use the following processors to run the service:

• Supabase — Postgres, auth, storage
• Railway — API hosting
• Vercel — web dashboard hosting
• OpenRouter — the LLM used for memory ingestion and recall

Each processor handles only the minimum data required to deliver its function. We do not share your data with any third party for their own purposes.

5. Retention

Account and connector data persist while your account is active. When you delete a connector, we revoke its stored credentials immediately. When you delete your account, we remove your profile, spaces, memories, connector registry rows, encrypted credentials, and access-request history within 30 days.

6. Security

All traffic to and from Skeleton uses TLS. OAuth tokens are encrypted at rest with a server-held Fernet key. We use Supabase Row-Level Security to ensure users can only access their own rows. The MCP authorization server uses OAuth 2.1 with PKCE, JWKS-verified access tokens, and rotating refresh tokens.

7. Your rights

You can at any time:

• View and delete memories via the dashboard or MCP tools
• Disconnect any connector to revoke its stored credentials
• Revoke Skeleton's access from the provider directly (for example, Google account permissions) — the next tool call will surface a reconnect prompt
• Delete your account by emailing us at the address below

8. Changes

We will update this policy as the product evolves. Material changes will be communicated via the address on your account and announced in the web dashboard changelog.

9. Contact

Questions? Email matthew@temporarystudios.com.