Short version: we collect the minimum needed to run your subscription, store it on Cloudflare in the US, never sell it to anyone, and delete it when you ask. Long version follows.
The plain-English summary. Your email + payment is handled by LemonSqueezy (our payment processor). Your subscription state (active / canceled / expired) lives in Cloudflare's database in the US. The skills you subscribe to run on your own machine — we don't see what they read or write. We don't run ad trackers. We don't sell your data. If you cancel, your data gets deleted after 90 days unless tax law requires us to keep records.
1.Who we are
StrongSkills is operated by Max Romano (sole proprietor) based in the United States. Contact: support@getstrongskills.com.
2.What we collect
When you subscribe or sign up for the waitlist:
Email address. Required for account, subscription receipts, support, and (if you opted in) waitlist/beta updates.
Payment information. Processed entirely by LemonSqueezy (our merchant of record). We never see or store your card number, CVV, billing address, or any payment credential. LemonSqueezy gives us only: subscription product, status, renewal date, last payment success/fail flag.
License key. A random string LemonSqueezy generates so your installed skill can confirm your subscription is active. You can revoke it by canceling your subscription.
Subscription state. Active / trialing / canceled / past-due / expired. Stored in Cloudflare D1 (a SQL database in the US).
IP address. Logged briefly by Cloudflare for security and rate-limiting. Standard web infrastructure; we don't surface this to ourselves except for fraud investigation.
What you write in forms. If you fill out the contact form, the waitlist form, the beta application, or the "suggest a skill" form, we store what you submitted plus your email. No more than what you entered.
3.What the skills themselves see
This is the most important thing to understand: each StrongSkills skill runs on your own machine, inside your own copy of Claude or as a separate local script. The skill reads and writes files in your normal user directory and reports its results to you, in your terminal or your browser tab. None of that data is sent to us. No telemetry. No usage tracking. No "what did the user run today" log on our side.
The only network traffic between your machine and StrongSkills servers is your license check (every ~24 hours, your skill asks our gate "is this key still active?" — we reply yes or no, nothing more).
4.Where your data lives
Cloudflare, Inc., in their US data centers — specifically:
Cloudflare D1. SQL database for subscription state + waitlist/contact form entries.
Cloudflare KV. Short-lived caches and lookup tables.
Cloudflare R2. The skill download files (the actual ZIPs you get after purchase). Object storage.
Cloudflare Access. Gates the admin dashboards so only Max can see signups.
LemonSqueezy, Inc. (our merchant of record) handles all payment data — see their privacy policy at lemonsqueezy.com/privacy.
5.How long we keep it
Active subscribers: as long as your subscription is active.
Canceled subscribers: 90 days after cancellation, then deleted from our databases (LemonSqueezy may hold records longer under their retention policy).
Waitlist / contact / beta-application entries: until you ask us to delete them, or 12 months of no activity, whichever comes first.
Tax records: we keep subscription invoices for 7 years per U.S. tax law, even after account deletion. These contain your email + purchase amount + date, nothing more.
6.Who else sees your data
LemonSqueezy: for payment processing. Merchant of record means they're responsible for sales-tax/VAT compliance globally.
Cloudflare: for hosting + the database + Access auth on /admin.
Google (if you sign in via Google for the admin gate): standard OAuth, no data shared back to advertising.
No one else. We don't sell, rent, share, or trade your data. We don't run advertising trackers. No Facebook Pixel, no Google Analytics, no third-party marketing cookies on the StrongSkills site.
See what data we have on you (we'll send you a JSON or text dump within 30 days).
Correct anything wrong.
Delete your account and all associated data (subject to the tax-law exception above).
Export your data in a portable format.
Withdraw consent for any optional data use.
California residents have additional rights under the California Consumer Privacy Act (CCPA) and CPRA, including the right to know, delete, correct, and opt out of "sale" or "sharing" of personal information. We do not sell or share personal information for advertising. Submit requests to the email above.
EU / UK residents: the legal basis for processing your data is performance of the subscription contract you entered into with us, and our legitimate interest in operating the service. You have the right to lodge a complaint with your local data protection authority. We do not have an EU representative because we do not target EU residents specifically; if you're an EU resident and have a concern, contact us first.
8.Cookies
We use the minimum cookies needed for the site to work:
Session cookies. For waitlist / contact / suggest form submission, so the form remembers you while you fill it out.
Cloudflare Access cookies. Only on /admin paths, only for Max.
localStorage: the "Mac / Windows / Linux" filter toggle remembers your OS choice between visits. That preference never leaves your browser.
No advertising cookies. No marketing pixels. No third-party analytics.
9.Children
StrongSkills is not directed to children under 13 and we do not knowingly collect their data. If you believe a child has signed up, email us and we'll delete the account.
10.Security
We use the security primitives Cloudflare and LemonSqueezy provide: HTTPS everywhere, signed webhooks, license-key validation, Cloudflare Access on the admin surface, and least-privilege storage scopes. No system is impenetrable; if a breach happens that affects you, we'll notify you within 72 hours of confirmation, as required by applicable law.
11.Changes to this policy
If we change anything material, we'll update the date at the top and notify active subscribers by email at least 14 days before the change takes effect. Continued use after the effective date means you accept the new version. Material changes include: adding new third-party data recipients, expanding what we collect, or changing retention periods.