Cookie
Policy

1. Overview

We use cookies and similar technologies (such as localStorage and device fingerprinting) to make the site work, protect against fraud, and remember your settings. This policy describes the types of cookies we set, why we set them, and how you can manage them.

2. What are cookies?

Cookies are small text files placed on your device. They can be set by the site you visit (first-party) or by third parties. Related technologies include localStorage, pixels and SDKs. Some cookies are strictly necessary for the site to function; others (analytics/marketing) are only used after you consent.

3. How we use cookies

• Strictly necessary — required to authenticate you, keep sessions secure, and run server-side features. These run without consent.
• Security & Fraud Prevention — required to detect and prevent the abuse of free practice offers (e.g., account cycling) and to ensure platform stability. These scripts run without consent as they are essential for protecting the service.
• Preferences / Functional — remember UI and accessibility preferences. Used with your consent where required.

4. Cookies & Technologies we use (examples)

Essential (first-party & security)

• skillity_session — server session cookie used to authenticate signed-in users and keep sessions. This cookie is set by the server as anHTTP-only cookie, uses SameSite=Lax, and is marked secure in production. Typical lifetime is configurable on the server (by default 7 days).
• site_unlocked — maintenance/allowlist cookie used by server middleware to permit authorized access during site maintenance. The value is an HMAC-style token which the server verifies; it is not used for tracking.
• Stripe (Payment Security) — cookies (such as __stripe_mid and __stripe_sid) set by our payment processor, Stripe, to prevent fraud and secure payment transactions. These are strictly necessary for processing payments securely.
• skillity_cookie_consent (if implemented) — remembers your cookie preferences so we do not re-prompt unnecessarily.
• Cloudflare bot-protection (if Cloudflare is used) — example cookies such as__cf_bm or cf_clearance to mitigate abusive traffic.
• Fraud Prevention Script — we use a script to analyze technical signals from your browser (e.g., version, resolution) to create a secure, hashed "device fingerprint." This identifier is used strictly to prevent trial abuse and is never used for advertising.
• Disposable Email Blocking — We use technical checks to identify and block known temporary or "burner" email providers to maintain the integrity of our practice environment.

Preferences / Local storage

We use a small number of client-only keys stored in localStorage for UI preferences and transient flow state:

We may set a minimal first-party cookie (for example site_country) that stores only the visitor’s country/locale (e.g. US, GB) to enable pricing and localization — we do not store IP addresses in client-side cookies.

• theme_preference — stores your dark/light mode choice.
• postLoginRedirect — temporary redirect hint used after authentication.

5. Consent & audit

We record consent server-side for higher-risk features — for example, AI analysis of interview audio and webcam use. When you grant consent via the UI we create an append-only audit record that captures the choice, date/time and request metadata (such as IP address and User-Agent). The server will verify that valid consent exists before any audio or transcripts are sent to external AI processors.

6. Analytics & advertising

We do not use any third-party analytics, cross-site tracking, or marketing cookies. Our platform only uses strictly necessary and functional cookies required for core operations. Specifically, we use cookies to keep you securely logged in and a local preference cookie (site_country) to ensure we display the correct currency and pricing for your region. Because we only use essential functional cookies, we do not require or display a cookie consent banner.

7. Retention & deletion

Cookies are retained only for the period necessary for their technical purpose (for example session lifetime). Consent records and any data processed under that consent are retained according to our data retention policy. If you withdraw consent or ask for deletion, our server-side flows will attempt to remove or pseudonymize transcripts and related cloud storage objects for the relevant application.

8. Managing cookies

• You can sign out to remove the server session (which clears skillity_session).
• To remove local preferences (theme, redirect), clear your browser’s localStorage for this site.
• To withdraw consent for AI/webcam processing or to request deletion for a specific application, use the in-app Withdraw / Delete controls (these call server APIs which remove or pseudonymize stored data).
• Browser settings also let you block or delete cookies, but blocking essential cookies may break sign-in or core functionality.
• Because device/browser technical signals are used to protect the platform from fraud, Skillity carries out a targeted Legitimate Interests Assessment (LIA) to ensure such processing is necessary and proportionate. Where particular fingerprinting techniques are strictly necessary to provide security (for example, to prevent automated abuse or account cycling), we rely on legitimate interests and apply strong safeguards, including HMAC/SHA-256 pseudonymisation, limited retention, and audit logs. Any additional, non-essential fingerprinting techniques are only used after you give explicit consent via our cookie or consent controls. See our Assessments summary at /legal/privacy#assessments for more information.

9. Changes to this policy

We may update this Cookie Policy to reflect changes in our use of cookies or legal requirements. We will post the revised version with a new Effective Date.

10. Contact

If you have questions about cookies or this policy, please contact:

Skillity Ltd
20 Wenlock Road
London, England, N1 7GU

Email: contact@skillity.ai