Advanced · 25 min · Module 2 of 3

Privacy & Data Governance

Understand what data Skytells stores, data retention controls, your rights as a data controller, and GDPR/CCPA compliance.

Data controller vs. data processor

When you use Skytells to build products:

  • You are the data controller — you determine what data is submitted to the API
  • Skytells is the data processor — it processes data on your instructions

This distinction matters for GDPR compliance. Skytells processes data only to fulfill your API requests and operates under a Data Processing Agreement (DPA) that formalizes these responsibilities.

What data Skytells stores

Data type | Stored? | Retention
API key (hashed) | Yes | Until key is revoked
Prediction metadata | Yes | 90 days (configurable)
Prediction inputs | Yes | 24 hours by default
Prediction outputs | Yes | 24 hours by default
Billing records | Yes | 7 years (legal requirement)
IP addresses (audit logs) | Yes | 90 days
Prompts (for training) | No | Never

Your prompts are never used for model training. This is a hard guarantee — Skytells models are trained on licensed datasets, not user data.

Data retention configuration

The default 24-hour input/output retention can be extended or shortened via API:

{
  "model": "truefusion-pro",
  "input": {
    "prompt": "...",
    "data_retention_hours": 0
  }
}

Setting data_retention_hours: 0 deletes inputs and outputs immediately after the prediction completes — useful for sensitive workloads.

Deleting a prediction

You can delete a prediction and all associated data at any time:

curl -X DELETE https://api.skytells.ai/v1/predictions/pred_abc123 \
  -H "x-api-key: $SKYTELLS_API_KEY"

This permanently removes the prediction, its inputs, and its outputs from Skytells' storage.

GDPR compliance

Lawful basis

Your API usage should be grounded in a lawful basis under GDPR Article 6. Common bases:

  • Legitimate interests — you operate a product where AI generation is a core feature
  • Contract — generation is part of a service you've contracted to provide to a user
  • Consent — user explicitly opted in to AI-generated content

Data subject rights

If an end user of your product exercises GDPR rights (access, erasure, portability), you are responsible for fulfilling these from your side. Skytells provides:

  • Deletion API — to delete specific predictions containing user data
  • Export — audit logs available for data access requests

DPA

For EU-based deployments or those handling EU resident data, request a Data Processing Agreement:

Email: DPA at Skytells.
Subject: DPA Request — [Company Name]

CCPA compliance

For California residents, Skytells supports:

  • Right to Know — what personal information Skytells processes on your behalf
  • Right to Delete — submit deletion requests via your account Dashboard
  • Do Not Sell — Skytells does not sell personal information to third parties

Data residency (Enterprise)

Enterprise customers can request data residency in specific regions:

Region | Status
US (us-east-1) | Available
EU (eu-west-1) | Available
Asia Pacific (ap-southeast-1) | Available
Custom | Contact Enterprise team

Data residency ensures your prediction data never leaves your selected region.

Sensitive data guidance

Avoid submitting the following in prompts or inputs:

  • Personally identifiable information (PII) — names, emails, addresses
  • Protected health information (PHI)
  • Financial data — credit card numbers, account details
  • Authentication credentials

If your use case requires processing such data, contact Enterprise Support to discuss a custom DPA with enhanced security controls.

Privacy-by-design practices

When building on Skytells, apply these patterns:

// 1. Strip PII from prompts before sending
function sanitizePrompt(userPrompt: string): string {
  // Remove email addresses
  return userPrompt.replace(/\S+@\S+\.\S+/g, '[email]')
    // Remove phone numbers
    .replace(/\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g, '[phone]');
}

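// 2. Set minimal retention for sensitive workloads
// (assumes `client` is an already-initialized Skytells SDK client and
// `userInput` holds the raw end-user text)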
const prediction = await client.predictions.create({
  model: 'truefusion-pro',
  input: {
    prompt: sanitizePrompt(userInput),
    data_retention_hours: 0, // Delete immediately after completion
  },
});

// 3. Delete predictions after your app has stored the output
await client.predictions.delete(prediction.id);
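
The sanitizePrompt pattern above handles only email addresses and one phone format. As an added example (not Skytells code), the sketch below extends it to the other categories listed under Sensitive data guidance, using a Luhn check so that ordinary digit runs are not mistaken for card numbers. The rule set, redactPrompt and the RedactionResult shape are assumptions for illustration, and the sample input is constructed.

```typescript
// Added example: redact the categories listed under "Sensitive data guidance".
// Rule patterns and the RedactionResult shape are assumptions, not Skytells APIs.
type Category = 'card' | 'email' | 'phone' | 'credential';

interface RedactionResult {
  text: string;      // prompt with each match replaced by [category]
  found: Category[]; // categories detected, no duplicates
}

// Luhn checksum: rejects digit runs (order IDs, timestamps) that are not card numbers.
function luhnValid(digits: string): boolean {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = digits.charCodeAt(digits.length - 1 - i) - 48;
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

interface Rule { category: Category; pattern: RegExp; accept?: (m: string) => boolean }

const RULES: Rule[] = [
  // Cards first: 13-19 digits, optional single space or dash separators.
  { category: 'card', pattern: /\b\d(?:[ -]?\d){12,18}\b/g,
    accept: (m) => luhnValid(m.replace(/[ -]/g, '')) },
  { category: 'email', pattern: /[^\s@<>]+@[^\s@<>]+\.[A-Za-z]{2,}/g },
  { category: 'phone', pattern: /\b\d{3}[-.]?\d{3}[-.]?\d{4}\b/g },
  // key=value style secrets such as "password: ..." or "api_key=...".
  { category: 'credential',
    pattern: /\b(?:password|passwd|secret|api[_-]?key|token)\b\s*[:=]\s*\S+/gi },
];

function redactPrompt(prompt: string): RedactionResult {
  const found: Category[] = [];
  let text = prompt;
  for (const { category, pattern, accept } of RULES) {
    text = text.replace(pattern, (match: string) => {
      if (accept && !accept(match)) return match; // keep digit runs that fail Luhn
      if (found.indexOf(category) === -1) found.push(category);
      return `[${category}]`;
    });
  }
  return { text, found };
}

// Constructed sample input (4111... is the well-known Visa test number).
const sample = redactPrompt('Card 4111 1111 1111 1111, mail a@b.co, call 555-123-4567');
console.log(sample.text, sample.found);
```

Pattern-based redaction is a best-effort filter: names, postal addresses and free-form health details pass through it. The found list is best used to block or flag a request before it is sent, not as proof that the prompt is clean.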

Summary

  • Skytells is your data processor — you remain the data controller
  • Prompts are never used for model training
  • Default retention: inputs/outputs for 24 hours; configurable down to 0
  • Delete predictions via API to remove data immediately
  • DPA available for GDPR-covered deployments
  • Data residency options available for Enterprise plans
