Privacy Policy
Last updated: January 2026
1. Introduction
Welcome to Asterism ("we," "our," or "us"). We are committed to protecting your privacy and personal information. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website (joinasterism.com), CLI tools, browser extensions, APIs, and related services (collectively, the "Service").
By using the Service, you consent to the data practices described in this policy. If you do not agree with our policies and practices, please do not use the Service.
Data Controller
Asterism Skills, Inc. is the data controller responsible for your personal data. For privacy inquiries or to exercise your rights, contact us at:
- Email: privacy@joinasterism.com
- Address: Asterism Skills, Inc., 548 Market St #78234, San Francisco, CA 94104, USA
For users in the European Economic Area (EEA), we have designated an EU representative who can be contacted at eu-privacy@joinasterism.com.
2. Information We Collect
2.1 Account Information
When you create an account, we collect information from your OAuth provider (GitHub or Google), including:
- Username and display name
- Email address
- Profile picture URL
- OAuth provider user ID
2.2 Usage Data
We automatically collect information about how you interact with our Service:
- Skills you view, download, install, or publish
- API usage patterns and request logs
- Feature usage and navigation paths
- Device type, browser, and operating system
- IP address and approximate geographic location
- Referring URLs and exit pages
2.3 CLI and Anonymous Telemetry
Our command-line interface (CLI) collects anonymous usage data to improve the Service:
- Skill names installed (for popularity metrics)
- Installation source (registry, GitHub, external)
- Target AI agents used
- CLI version and platform
This data is collected anonymously and is not linked to your account unless you are logged in. You can disable analytics with the --no-analytics flag.
2.4 Published Content
When you publish skills to our registry, we store:
- Skill content, metadata, and version history
- Security scan results
- Download and usage statistics
Public skills are visible to all users. Private skills are only visible to you and your organization members.
2.5 Skill Execution Data
When you use our Skill Playground or hosted execution features:
- Inputs you provide to skills during testing
- Execution logs and outputs (retained for 24 hours for debugging)
- Execution time and resource usage metrics
Execution data is processed in isolated sandbox environments and is not used to train AI models. Sensitive inputs should not be submitted to the playground.
2.6 Browser Extension Data
If you use our SkillHunt browser extension:
- URLs of pages where you discover skills (only when you click "Hunt")
- Skill content you choose to submit
- Your hunter attribution for gamification
The extension does not track your general browsing history or access data on pages where you don't actively use the extension.
2.7 Social Features
When you use social features, we collect:
- Comments, reviews, and ratings you post (publicly visible)
- Users you follow and who follow you
- Skills you star or endorse
- Activity that appears in the public feed
Your public profile, including username, avatar, published skills, and activity, is visible to all users. You can control some visibility settings in your account.
2.8 Payment Information
If you subscribe to a paid plan or purchase premium skills, payment processing is handled by Stripe. We do not store your full credit card number. We receive and store:
- Last four digits of your card
- Card expiration date
- Billing address
- Transaction history
3. Legal Basis for Processing (GDPR)
If you are in the European Economic Area (EEA), we process your personal data based on:
- Contract Performance: To provide you with the Service you requested
- Legitimate Interests: To operate, improve, and secure the Service; to prevent fraud; to analyze usage patterns
- Consent: For optional analytics and marketing communications (which you can withdraw at any time)
- Legal Obligation: To comply with applicable laws and regulations
4. How We Use Your Information
- To provide, maintain, and improve our Service
- To authenticate your identity and manage your account
- To process transactions and manage subscriptions
- To communicate with you about service updates, security alerts, and support
- To analyze usage patterns and improve user experience
- To detect, prevent, and address security issues and abuse
- To enforce our Terms of Service and protect our legal rights
- To calculate skill popularity and leaderboard rankings
- To provide personalized skill recommendations
5. Automated Decision-Making and AI
We use automated systems to process your data in the following ways:
5.1 Security Scanning
All published skills are automatically scanned for security issues. Skills scoring below 50/100 are automatically rejected. This automated decision helps protect all users from potentially harmful content. Publishers can review scan results and modify their skills to address flagged issues.
5.2 Personalized Recommendations
We use your usage patterns (skills viewed, installed, and starred) to provide personalized skill recommendations. This processing is based on legitimate interests to improve your experience. You can disable personalized recommendations in your account settings.
5.3 AI-Assisted Features
Optional features like AI skill generation and voice-to-skill transcription use third-party AI services. When you use these features:
- Your prompts and inputs are sent to AI providers (Anthropic, OpenAI)
- Generated content may be stored with your account
- Usage counts toward your plan limits
AI providers process data according to their own privacy policies. We do not use your content to train AI models.
5.4 Fraud Prevention
We use automated systems to detect and prevent abuse, including fake downloads, review manipulation, and spam. Accounts flagged for abuse may be temporarily restricted pending human review. You can appeal automated decisions by contacting support.
6. Information Sharing
We do not sell your personal information. We may share information with:
5.1 Service Providers
We use third-party services to operate our platform:
- Vercel - Hosting and infrastructure (Privacy Policy)
- Neon - Database hosting (Privacy Policy)
- Upstash - Redis caching (Privacy Policy)
- Cloudflare R2 - File storage (Privacy Policy)
- Stripe - Payment processing (Privacy Policy)
- Resend - Email delivery (Privacy Policy)
- PostHog - Product analytics (Privacy Policy)
- Sentry - Error monitoring (Privacy Policy)
5.2 Other Disclosures
- Law Enforcement: When required by law, subpoena, or legal process
- Safety: To protect the rights, property, or safety of Asterism, our users, or others
- Business Transfers: In connection with a merger, acquisition, or sale of assets
- Public Information: Your public profile and published skills are visible to all users
7. International Data Transfers
Your information may be transferred to and processed in countries other than your own, including the United States. These countries may have different data protection laws.
When we transfer data internationally, we use appropriate safeguards such as:
- Standard Contractual Clauses approved by the European Commission
- Data Processing Agreements with our service providers
- Technical and organizational security measures
8. Data Retention
We retain your personal data for as long as necessary to provide the Service and fulfill the purposes described in this policy:
- Account Data: Until you delete your account, plus 30 days for backup recovery
- Published Skills: Until you unpublish them or delete your account
- Usage Logs: 90 days for debugging and security; aggregated analytics retained longer
- Transaction Records: 7 years for tax and legal compliance
- Anonymous Telemetry: Aggregated indefinitely for service improvement
9. Data Security
We implement appropriate technical and organizational measures to protect your personal information:
- Encryption in transit (TLS 1.3) and at rest
- Secure authentication with OAuth 2.0
- API key hashing (SHA-256)
- Regular security audits and penetration testing
- Access controls and audit logging
- Automatic security scanning of all published skills
While we strive to protect your information, no method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it to security@joinasterism.com.
Your Security Responsibilities
You are responsible for:
- Keeping your API keys confidential and not sharing them
- Rotating API keys if you suspect compromise
- Using environment variables instead of hardcoding keys
- Reviewing skills before installing them in your environment
- Reporting suspicious skills or security issues
If you believe your API key has been compromised, immediately delete it in your dashboard and create a new one.
10. Your Privacy Rights
Depending on your location, you may have the following rights:
- Access: Request a copy of your personal information
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and associated data
- Portability: Export your data in a machine-readable format
- Restriction: Request limitation of processing
- Objection: Object to processing based on legitimate interests
- Withdraw Consent: Withdraw consent for optional processing
To exercise these rights, visit your account settings or contact us at privacy@joinasterism.com. We will respond within 30 days.
11. California Privacy Rights (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA):
- Right to Know: What personal information we collect, use, and disclose
- Right to Delete: Request deletion of your personal information
- Right to Opt-Out: We do not sell personal information
- Right to Non-Discrimination: We will not discriminate against you for exercising your rights
To exercise your CCPA rights, contact us at privacy@joinasterism.com with subject line "CCPA Request".
12. Children's Privacy
The Service is not intended for children under 13 years of age (or 16 in the EEA). We do not knowingly collect personal information from children. If you believe we have collected information from a child, please contact us immediately at privacy@joinasterism.com and we will delete it.
13. Cookies and Tracking
We use cookies and similar technologies for authentication, preferences, and analytics. For detailed information about the cookies we use, please see our Cookie Policy.
Do Not Track
We respect Do Not Track (DNT) browser settings. When DNT is enabled, we will not load analytics cookies or track your browsing behavior.
14. Data Breach Notification
In the event of a data breach that affects your personal information, we will:
- Notify affected users within 72 hours of discovery (or as required by law)
- Notify relevant supervisory authorities as required
- Provide information about the breach and steps we are taking
- Offer guidance on protecting yourself
15. Third-Party Links
Our Service may contain links to third-party websites or skills that link to external resources. We are not responsible for the privacy practices of these third parties. We encourage you to review their privacy policies before providing any personal information.
16. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Posting the new policy on this page
- Updating the "Last updated" date
- Sending an email notification for significant changes
- Displaying a notice in the Service
Your continued use of the Service after changes constitutes acceptance of the updated policy.
17. Contact Us
If you have questions about this Privacy Policy or our data practices, please contact us:
- Email: privacy@joinasterism.com
- Security Issues: security@joinasterism.com
- GitHub: github.com/joinasterism/ask
For EEA residents, you also have the right to lodge a complaint with your local data protection supervisory authority.