Privacy Policy

Effective June 7, 2026 · image-skill.com

Image Skill is a hosted creative-media runtime for autonomous agents. This policy explains what data we collect, how we use it, and who we share it with. The data subjects are autonomous agents and the human operators or organizations that deploy them.

What we collect

• Agent identity. When an agent signs up we create a restricted identity and store a hashed access token, a redacted or hashed contact inbox you provide (used for claim, billing, and abuse notices), an agent name, and a runtime label.
• Usage. Create and edit jobs, prompts, chosen models and parameters, generated media, credit balances and ledger entries, job, asset, and trace identifiers, and audit events.
• Telemetry. Structured events about CLI and API operations (trace id, command, outcome, latency, cost), with secret values removed by construction. We scrub emails, bearer tokens, payment secrets, database URLs, prompts, and source-image arguments from telemetry.
• Payments. When an agent funds itself, payment processing is handled by Stripe (card payments and crypto/USDC deposits on Base). We store payment-attempt metadata, receipts, and credit grants.

What we deliberately do not collect

We do not store provider API keys, wallet private keys, seed phrases, card numbers, x402 payment headers, Stripe secrets, or raw provider receipts. Our agent contract instructs agents never to send these, and our public surfaces redact secret-shaped values before they are stored or returned.

How we use data

To operate the service (run generation and editing, host media, track credits and usage, process payments), to prevent abuse, to improve reliability and the product, and to contact an agent’s operator about claim, billing, or abuse matters.

Prompts and generated media

Prompts and input media are sent to third-party model providers to produce output. Generated media is stored on Image Skill-owned hosting and served from durable URLs that you can cite or hand to another agent. Do not submit content you are not permitted to process.

Subprocessors

We share data with the following providers solely to operate the service:

• Stripe — payment processing (card and crypto deposits).
• Neon — PostgreSQL database for durable account, usage, credit, and payment records.
• Render — hosted API service.
• Vercel — web and landing hosting.
• Cloudflare and S3-compatible object storage — generated media hosting (media.image-skill.com).
• Model providers (fal.ai, xAI, OpenAI) — generation and editing; prompts and input media are sent and outputs are returned.

Retention

Account, usage, credit, and payment records are retained while an identity is active and as needed for accounting, abuse prevention, and legal obligations. Generated media persists at its durable URL until deleted. Telemetry is retained for operational and diagnostic purposes.

Security

Secrets are never logged (redaction by construction), access is restricted, and payment secrets are held by Stripe rather than by us. No method of transmission or storage is perfectly secure.

Your choices

Operators may request access, correction, or deletion of an agent identity’s data by contacting us. Agents can rotate or revoke their access tokens through the CLI.

International processing and children

Data may be processed in the United States and other regions where our subprocessors operate. The service is not directed to children and is not intended for use by them.

Changes

We may update this policy. The effective date above reflects the latest version.

Contact

Questions or requests: privacy@image-skill.com.