Privacy Policy
SkillSwap (also referred to as Skill Connect)
Version: 1.0
Last updated: 28 May 2026
Status: Draft for product and Stripe marketplace launch — requires review by qualified legal counsel and, where required, a Data Protection Impact Assessment before publication.
Important notice
This Privacy Policy (“Policy”) explains how [Platform Operator Legal Name] (“we”, “us”, “our”) collects, uses, discloses, and protects personal data when you use the SkillSwap platform delivered primarily as a Telegram Mini App and related services (the “Platform” or “Service”).
Registered address: [Address]
Privacy / data protection contact: privacy@redskill.online
General support: support@redskill.online or Telegram: [@skillswap_support_bot — confirm handle before publication]
This Policy should be read together with our Terms of Use. Where we process payments, Stripe also processes personal data under its own privacy notices.
Replace bracketed placeholders before production use. Nothing in this Policy constitutes legal advice.
1. Who is responsible for your data?
Data controller (for purposes of the EU General Data Protection Regulation (“GDPR”) and similar laws):
[Platform Operator Legal Name], [registration number], [Address].
For Experts receiving payouts via Stripe Connect, Stripe may act as an independent controller or processor for identity verification, tax, and payout data — see Section 8.
2. Scope
2.1. This Policy applies to personal data processed when you:
- open and use the Telegram Mini App or related web endpoints we operate;
- create or use a Seeker and/or Expert account;
- book, pay for, conduct, review, or cancel Sessions;
- top up balance, receive payouts, or interact with payment flows;
- contact support or submit reports/complaints.
2.2. This Policy does not govern:
- Telegram’s own processing when you use the Telegram app (see Telegram’s [Privacy Policy](https://telegram.org/privacy));
- Stripe’s processing of payment and Connect data (see [Stripe Privacy Policy](https://stripe.com/privacy));
- third-party video providers (e.g. Daily.co) when you join a video room under their terms;
- websites or services we do not control, even if linked from the Platform.
2.3. The Service is intended for users who are at least 18 years old (or the age of majority in their jurisdiction, if higher). We do not knowingly collect data from children.
3. Definitions
- Personal data — information relating to an identified or identifiable natural person.
- Seeker — a user who searches for, books, and pays for expert Sessions.
- Expert — a user who offers paid Sessions and may receive payouts.
- Session / Booking — a scheduled consultation and its reservation record.
- Platform balance — internal accounting balance displayed in the app (not a bank account).
- Processor — a third party that processes personal data on our instructions (e.g. hosting, Stripe for certain functions).
4. Categories of personal data we collect
We collect data you provide, data generated through use of the Service, and data from integrated providers.
4.1. Telegram authentication and account identifiers
When you access the Service through Telegram, we receive and store data made available via Telegram Web App authentication (`initData`), typically including:
- Telegram user ID (primary account identifier on the Platform);
- first name, last name (if provided by Telegram);
- username;
- profile photo URL;
- language code;
- authentication metadata (e.g. auth date, hash) used to verify integrity of the login.
We verify `initData` using our bot token; we do not ask for your Telegram password.
4.2. Profile and role data
Depending on your role and settings:
- display name, bio, skills/categories, timezone, preferred language and theme;
- Expert listing details (session titles, descriptions, prices, duration, availability);
- mode (Seeker / Expert), registration date, activity timestamps;
- optional visibility preferences (see Section 6).
4.3. Booking and session data
- selected time slots, session status, cancellation/reschedule history;
- seeker notes submitted before payment;
- session reviews and ratings (text you submit);
- no-show, dispute, or complaint-related information;
- financial snapshots linked to a Booking (amounts, currency, platform fee, escrow/hold status).
4.4. Payment, balance, and ledger data
- Platform balance and transaction history (top-ups, holds, settlements, refunds, payouts);
- Stripe customer identifiers, Checkout session IDs, Payment Intent IDs, Connect account IDs;
- payout and reconciliation metadata.
We do not store full payment card numbers on our servers. Card data is handled by Stripe.
Experts completing Stripe Connect onboarding provide additional data directly to Stripe (identity, tax, bank details) as required by Stripe and applicable law.
4.5. Communications and notifications
- in-app notifications and read status;
- notification preferences (including whether to send messages to your Telegram chat);
- support requests and correspondence;
- Telegram outbound messages we send (e.g. booking confirmations, reminders, session links) when enabled.
4.6. Video sessions
For video Sessions we may generate or store:
- meeting room identifiers and join URLs (e.g. via Daily.co or successors);
- technical metadata needed to grant access during the Session window.
We do not intend to routinely record video or audio unless a feature is explicitly disclosed and enabled.
4.7. Reports, moderation, and safety
- content of reports/complaints, reporter and reported user IDs, session references;
- moderation notes, ban/suspension reasons and dates;
- fraud-prevention signals and audit logs.
4.8. Technical and usage data
- IP address and request logs (server, API, admin);
- app version, build identifiers, error/diagnostic logs;
- device/browser characteristics available through Telegram Web App APIs (e.g. platform, viewport, safe area);
- local storage on your device for preferences (e.g. language, theme, onboarding state) where used.
We do not use third-party advertising cookies in the Mini App as described in this draft; see Section 12.
4.9. Admin and compliance
- internal admin actions on accounts, balances, and disputes (restricted personnel);
- compliance profile fields for Experts (KYC/payout status, tax residency references, provider account linkage) as implemented in our systems.
5. How we collect personal data
- Directly from you — profile edits, session creation, notes, reviews, support messages, settings.
- Automatically — when you use the Service (logs, bookings, ledger entries, notifications).
- From Telegram — upon each authenticated Mini App session.
- From Stripe — payment outcomes, Connect account status, webhooks.
- From video infrastructure — room/token data necessary to join calls.
6. Purposes and legal bases (EEA/UK users)
Where GDPR applies, we rely on the following legal bases:
| Purpose | Examples | Legal basis |
|--------|----------|-------------|
| Provide the Service | account creation, booking, video access, balance display | Contract (Art. 6(1)(b) GDPR) |
| Payments and payouts | Stripe Checkout, holds, settlements, Connect onboarding coordination | Contract; Legal obligation where applicable |
| Security and fraud prevention | auth verification, abuse detection, audit logs | Legitimate interests (Art. 6(1)(f)); Legal obligation |
| Support and dispute handling | tickets, complaints, chargeback cooperation | Contract; Legitimate interests |
| Notifications | booking updates, reminders (per your settings) | Contract; Consent where required (e.g. promotional messages) |
| Improve and maintain the Platform | analytics on aggregated usage, bug fixing | Legitimate interests |
| Compliance | tax, accounting, regulatory requests | Legal obligation |
| Marketing | promotional offers (if enabled) | Consent |
You may withdraw consent where processing is consent-based without affecting lawfulness before withdrawal.
7. How we use personal data
We use personal data to:
7.1. operate the marketplace (discovery, booking, escrow-style holds, settlement, Expert payouts);
7.2. authenticate you and maintain your account;
7.3. display profiles and session listings according to your privacy settings (e.g. whether to show Telegram ID on a public Expert profile);
7.4. send transactional and optional notifications via in-app UI and Telegram;
7.5. provide video Session access links and reminders;
7.6. process payments through Stripe and reconcile our internal ledger;
7.7. enforce Terms, prevent fraud, and protect users;
7.8. comply with law and respond to lawful requests;
7.9. improve reliability and security of the Service.
We do not sell your personal data.
8. Sharing and recipients
We share personal data only as needed:
| Recipient | Role | Data typically shared |
|-----------|------|------------------------|
| Telegram | platform provider | governed by Telegram when you use their app; we send messages to your Telegram ID when notifications are enabled |
| Stripe | payment processor / Connect | payment, identity, payout data per Stripe policies |
| Daily.co (or successor) | video infrastructure | room names/URLs, tokens for join access |
| Hosting / cloud providers | infrastructure | server-stored data (region: [e.g. EU / specify]) |
| Professional advisers | legal, accounting | as necessary under confidentiality |
| Authorities | law enforcement / regulators | when legally required |
We require processors to protect personal data under contracts where GDPR Article 28 applies.
Between users: Seekers and Experts see information needed to complete a Booking (e.g. names, session time, notes you submit, ratings). Experts’ public profiles show fields you choose to make visible.
9. International transfers
Our infrastructure and processors may be located in the European Economic Area and/or other countries.
Where personal data is transferred outside the EEA/UK to countries without an adequacy decision, we implement appropriate safeguards (e.g. Standard Contractual Clauses, supplementary measures) as required by law.
Stripe and Telegram may process data globally under their own transfer mechanisms — review their documentation.
10. Retention
We retain personal data only as long as necessary for the purposes above, including:
- Account data — for the life of the account and [e.g. 3 years] after closure, unless longer retention is required by law or for disputes;
- Booking and ledger records — for the statutory accounting/tax period applicable to us ([specify jurisdiction, e.g. 7 years] where required);
- Support and complaint records — typically [e.g. 2 years] after resolution;
- Server logs — typically [e.g. 30–90 days], unless needed for security investigations;
- Stripe — retention governed by Stripe.
We may anonymise or aggregate data for statistics when identification is no longer required.
11. Security
We implement technical and organisational measures appropriate to the risk, including access controls, encryption in transit (HTTPS/TLS), hashed or tokenised payment references, and restricted admin access.
No method of transmission or storage is 100% secure. You are responsible for securing your Telegram account and device.
Report suspected security issues to security@redskill.online.
12. Cookies and local storage
12.1. The Telegram Mini App runs inside Telegram’s client; Telegram may use its own storage and identifiers.
12.2. Our web assets may use local storage or session storage for app preferences (language, theme, onboarding flags, UI mode) — not for cross-site advertising in this draft.
12.3. If we add non-essential cookies or trackers on standalone web pages, we will update this Policy and, where required, request consent.
13. Your rights
Depending on your location (especially the EEA, UK, and Switzerland), you may have the right to:
- access your personal data and receive a copy;
- rectify inaccurate data;
- erase data (“right to be forgotten”) in certain cases;
- restrict or object to processing based on legitimate interests;
- data portability for data you provided, in a structured format where technically feasible;
- withdraw consent where processing is consent-based;
- lodge a complaint with a supervisory authority (e.g. in your country of residence).
How to exercise rights: contact privacy@redskill.online from the email or Telegram account linked to your profile. We may ask for information to verify your identity.
EEA/UK supervisory authority example: [Your lead DPA — e.g. Dutch Autoriteit Persoonsgegevens if established in the Netherlands].
We will respond within timelines required by law (typically one month under GDPR).
14. Automated decision-making
We do not make decisions based solely on automated processing that produce legal or similarly significant effects without human involvement, except:
- routine fraud/risk checks by Stripe under its policies;
- automated enforcement rules (e.g. blocking banned accounts) that you may contact us to review.
15. Marketing
Promotional notifications are off by default in product settings where implemented. If you opt in, you may opt out via in-app settings or by contacting us.
Transactional messages (booking confirmations, reminders, payment status) are part of the Service and are not marketing.
16. Changes to this Policy
We may update this Policy. Material changes will be notified via the app, Telegram, or email where available. The “Last updated” date will be revised.
Continued use after the effective date constitutes acknowledgment unless applicable law requires explicit consent.
17. Contact
| Topic | Contact |
|-------|---------|
| Privacy requests | privacy@redskill.online |
| Support | support@redskill.online / Telegram support bot |
| Security | security@redskill.online |
| Data Protection Officer (if appointed) | privacy@redskill.online |
| Postal address | [Address] |
Annex A — Summary of main data uses (non-contractual)
| Data area | Main use | Shared with |
|-----------|----------|-------------|
| Telegram ID & profile | account, display, auth | other users per privacy settings |
| Bookings & notes | deliver Sessions | Seeker ↔ Expert |
| Payments | top-up, hold, payout | Stripe |
| Expert Connect | KYC & payouts | Stripe |
| Notifications | alerts & reminders | Telegram (if enabled) |
| Video metadata | join Session | Daily.co (or successor) |
| Logs | security & debugging | hosting provider |
*End of Privacy Policy*