Skillet Privacy Policy

Last Updated: May 14, 2026

1. Introduction

This Privacy Policy describes how Quizizz Inc., doing business as Skillet ("Skillet," "we," "us," or "our"), collects, uses, and discloses information in connection with the Skillet website (skillet.io), the Skillet mobile and web applications, and related services (collectively, the "Services").

Skillet provides an AI-powered roleplay training platform designed for enterprise customers. Most users access the Services because their employer (our "Customer") has authorized them to do so.

Where Skillet processes information on behalf of a Customer in connection with the Customer's use of the Services, Skillet acts as a data processor (or "service provider") and the Customer is the controller (or "business") of that information. The Customer's agreement with Skillet — including the Master SaaS and Services Agreement and Data Processing Addendum — governs that processing. To the extent any conflict exists between this Privacy Policy and the Customer's agreement with Skillet with respect to information processed on the Customer's behalf, the Customer's agreement controls.

This Privacy Policy describes Skillet's own practices, including how we handle information collected directly from website visitors, prospects, and authorized end users.

2. We Do Not Train AI Models on Customer Data

Skillet does not use Customer data, end user submissions, roleplay interactions, transcripts, audio, video, or related output to train, fine-tune, or otherwise improve generalized artificial intelligence or machine learning models for use outside the Services. We may use Customer data only to operate, maintain, secure, support, analyze, and improve the Services for the benefit of the Customer providing that data, consistent with our Customer agreements and applicable law. This includes activities such as quality assurance, debugging, performance optimization, analytics, model monitoring, and fraud or abuse prevention.

We do not sell or rent personal information.

3. Information We Collect

3.1 Information You Provide Directly

  • Account and contact information. When you register for an account, request a demo, contact sales or support, or subscribe to communications, we collect information such as your name, business email address, employer, job title, phone number, and any information you choose to provide in messages to us.

  • Authentication credentials. Where applicable, we collect credentials used to access the Services, including via single sign-on (SSO) providers approved by your employer.

  • Roleplay interaction data. When you use the Services, we collect content you submit or generate, including text inputs, responses to scenarios, performance scores, and feedback.

  • Audio and video recordings. Audio and video recordings are only captured when you proactively choose to engage with roleplay features in a practice environment that requires such functionality. We do not collect audio or video passively. We do not use these recordings to perform biometric identification or to extract sensitive personal attributes.

  • Support communications. Information you provide when contacting our support team, including via our customer support inbox.

3.2 Information Collected Automatically

  • Device and usage data. We collect information about your device and how you interact with the Services, such as device type, operating system, browser type, IP address, language preferences, referring URLs, pages viewed, features used, and timestamps.

  • Cookies and similar technologies. Our website uses cookies and similar technologies for authentication, security, preferences, analytics, and to understand how visitors use our site. See Section 9 for details and how to manage your preferences.

  • Log and diagnostic data. Application performance and error data used to detect and resolve technical issues.

3.3 Information from Third Parties

We may receive information about you from your employer (our Customer) when they authorize you to use the Services, from SSO and identity providers used to authenticate you, and from analytics, marketing, and business-data providers we use to improve our outreach and the Services.

3.4 Categories of Data We Do Not Intentionally Process

The Services are not designed or intended to process:

  • Protected health information subject to the U.S. Health Insurance Portability and Accountability Act ("HIPAA") or other patient-identifiable information;

  • Special category data as defined under Article 9 of the GDPR (including data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a person's sex life or sexual orientation); or

  • Personal data relating to medical patients.

Customers and end users are contractually instructed and prompted not to submit such data to the Services.

4. How We Use Information

We use information to:

  • Provide, operate, maintain, and secure the Services;

  • Authenticate users and manage accounts;

  • Generate roleplay scenarios, feedback, scores, and analytics for end users and their employers;

  • Provide customer support and respond to inquiries;

  • Communicate with you about the Services, including transactional messages, service announcements, and (where permitted) marketing communications you may opt out of at any time;

  • Analyze and improve the Services, including quality assurance, debugging, performance optimization, model monitoring, and fraud or abuse prevention; and

  • Comply with legal obligations, enforce our terms, and protect the rights, safety, and property of Skillet, our Customers, and others.

We do not use the information described above to train generalized AI or ML models for use outside the Services, as described in Section 2.

Customer Reference and Marketing

By using the Services as a paid account, business user, organization, or individual acting on behalf of an organization, you agree that Skillet may identify you or your organization as a customer of Skillet and use your organization's name and logo on the Skillet website, in marketing materials, presentations, and substantially similar formats. Unless stated otherwise in a customer order, you grant Skillet a revocable limited license to use your organization's name and logo solely to identify you as a customer. Skillet will not identify any individual end user by name for these purposes.

5. How We Share Information

We share information only as described below:

  • With our Customer (your employer). If you access the Services because your employer has authorized you to do so, we share information related to your use of the Services with that Customer, who is responsible for determining how that information is used within their organization.

  • With sub-processors and service providers. We use vetted sub-processors and service providers to deliver the Services under written agreements that impose confidentiality, security, and data protection obligations at least as protective as those in this Policy and our Customer agreements. By way of illustration, sub-processors support functions such as:

    • secure cloud infrastructure hosting, storage, encryption, backup, and network delivery;

    • AI voice and conversation services that process audio data and related metadata in real time to enable simulated roleplay conversations and to generate transcripts and feedback;

    • transactional and product-related email delivery;

    • application error logging, monitoring, and observability;

    • internal productivity and collaboration tools used to support operations and customer support; and

    • customer support ticketing and helpdesk services.

  • For legal and safety reasons. We may disclose information when we believe disclosure is required or permitted by law; in response to lawful requests by public authorities, including to meet national security or law enforcement requirements; to enforce our terms; to detect, prevent, or address fraud, security, or technical issues; or to protect the rights, property, or safety of Skillet, our Customers, end users, or others.

  • In corporate transactions. In the event of a merger, acquisition, or sale of company assets, information may be transferred as part of the transaction, subject to applicable law and our Customer agreements.

  • With your consent. We may share information with your consent or at your direction.

A current list of named sub-processors is available upon request. Cross-border transfers to sub-processors are made under EU Standard Contractual Clauses or other appropriate safeguards as required by applicable law.

We do not sell or rent personal information.

6. International Data Transfers

Skillet is headquartered in the United States, and we and our sub-processors may process information in the United States and other countries. By using the Services, you consent to the transfer and processing of your personal information in the United States. Where required by law, we rely on appropriate safeguards for international transfers, including the European Commission's Standard Contractual Clauses, the UK Addendum to the Standard Contractual Clauses, equivalent mechanisms for Swiss transfers, and the EU-U.S. Data Privacy Framework, the UK Extension to the EU-U.S. Data Privacy Framework, and the Swiss-U.S. Data Privacy Framework, together with supplementary technical and organizational measures where appropriate. Additional information about the Data Privacy Framework is set out in Section 10.2.

7. Data Retention

We retain personal data only for as long as necessary to provide the Services, comply with our legal obligations, resolve disputes, and enforce our agreements. When information is processed on behalf of a Customer, retention is governed by the Customer's agreement with Skillet and the Customer's instructions. Upon termination or expiration of the Customer's agreement, we will return or, at the Customer's written direction, delete personal data, subject to any legal obligation to retain it.

8. Data Security

We maintain administrative, technical, and organizational measures designed to protect personal data against unauthorized or accidental loss, access, alteration, disclosure, or destruction. These measures include access management controls, network security controls, device security, centralized authentication, formal security policies, periodic internal and external security assessments, and logging, monitoring, vulnerability management, risk management, and incident management programs. Quizizz Inc. maintains an ISO/IEC 27001:2022 certified information security management system covering the Services.

No security measure is infallible. If we become aware of a personal data breach affecting your information, we will respond as required by applicable law and our Customer agreements, including, where applicable under the GDPR or equivalent laws, notifying competent authorities without undue delay and, where feasible, no later than 72 hours after becoming aware of the breach.

9. Cookies and Similar Technologies

Our website uses cookies and similar technologies for purposes including authentication, security, remembering your preferences, measuring site performance, and understanding how visitors use our site.

You can control cookies through your browser settings and, where applicable, through cookie preferences offered on our website. Blocking certain cookies may affect functionality of the website.

10. Your Privacy Rights

Depending on where you live, you may have rights with respect to your personal data, including:

  • Access — the right to request a copy of personal data we hold about you;

  • Correction — the right to request correction of inaccurate or incomplete personal data;

  • Deletion — the right to request deletion of personal data, subject to certain exceptions;

  • Portability — the right to receive certain personal data in a portable format;

  • Restriction or objection — the right to restrict or object to certain processing;

  • Withdrawal of consent — the right to withdraw consent where processing is based on consent;

  • Non-discrimination — the right not to be discriminated against for exercising privacy rights;

  • Opt-out of sale or sharing — the right to opt out of any sale or sharing of personal information as those terms are defined under U.S. state privacy laws.

If you are an authorized end user accessing the Services through a Customer, please direct privacy rights requests to your Customer (your employer). We will support our Customer in responding to such requests as required by our agreement with them and by applicable law. If you contact us directly, we may forward your request to the relevant Customer.

To exercise rights with respect to data we control, or to ask questions about your rights, contact us at the address in Section 14. We will respond within the timeframe required by applicable law. We may need to verify your identity before fulfilling certain requests.

10.1 Additional Information for California Residents

The California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA"), provides California residents with specific rights regarding personal information. In the preceding 12 months, we have collected the categories of personal information described in Section 3, used them for the purposes described in Section 4, and disclosed them to the categories of recipients described in Section 5. California residents may exercise rights of access, correction, deletion, and non-discrimination as described above, and may opt out of any sale or sharing of personal information as those terms are defined under the CCPA/CPRA. You may designate an authorized agent to submit requests on your behalf.

10.2 Additional Information for EEA, UK, and Swiss Residents

If you are located in the European Economic Area, the United Kingdom, or Switzerland, our legal bases for processing personal data include:

  • Performance of a contract — where processing is necessary to provide the Services to you or to your Customer;

  • Legitimate interests — where processing is necessary for our legitimate interests in operating, securing, and improving the Services, and in promoting our business, provided those interests are not overridden by your rights and interests;

  • Compliance with legal obligations — where processing is required by law; and

  • Consent — where you have given consent, which you may withdraw at any time without affecting the lawfulness of prior processing.

You have the right to lodge a complaint with a supervisory authority. Our lead supervisory authority in the EEA is the Austrian Data Protection Authority (Österreichische Datenschutzbehörde).

EU-U.S., UK, and Swiss-U.S. Data Privacy Framework. Quizizz Inc., on behalf of Skillet, complies with the EU-U.S. Data Privacy Framework ("EU-U.S. DPF"), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework ("Swiss-U.S. DPF") as set forth by the U.S. Department of Commerce.

We have certified to the U.S. Department of Commerce that we adhere to the EU-U.S. DPF Principles with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension. We have also certified that we adhere to the Swiss-U.S. DPF Principles with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF.

If there is any conflict between the terms in this Privacy Policy and the DPF Principles, the DPF Principles shall govern. To learn more about the Data Privacy Framework program and to view our certification, please visit the Data Privacy Framework website at dataprivacyframework.gov.

With respect to personal data received or transferred pursuant to the EU-U.S. DPF, the UK Extension, and the Swiss-U.S. DPF, Skillet is subject to the investigatory and enforcement powers of the U.S. Federal Trade Commission. We may be required to disclose personal data in response to lawful requests by public authorities. Skillet remains liable for the transfer of personal data to third parties acting as our agents unless we can prove we were not a party to the events giving rise to the damages.

Independent dispute resolution. In compliance with the EU-U.S. DPF, UK Extension, and Swiss-U.S. DPF Principles, we commit to resolve complaints about our collection or use of your personal information transferred to the United States pursuant to those frameworks. EU, UK, and Swiss individuals with inquiries or complaints should first contact us by email at support@skillet.io. If your complaint is not resolved through that channel, you may contact our independent dispute resolution provider, JAMS, free of charge, at jamsadr.com/dpf-dispute-resolution. Under certain conditions, you may also invoke binding arbitration for residual claims not resolved by other redress mechanisms.

EU and UK representatives. We have appointed representatives under Article 27 of the GDPR and the UK GDPR. Contact details for our EU and UK representatives are provided in Section 14.

10.3 Additional Information for Canadian Residents

If you are a resident of Canada, including Quebec, you may have additional rights under the Personal Information Protection and Electronic Documents Act ("PIPEDA") and the Quebec Act respecting the protection of personal information in the private sector. Quebec residents may contact our designated person in charge of personal information at the address in Section 14.

11. Children's Privacy

The Services are intended for use by professionals in enterprise environments and are not directed to children. We do not knowingly collect personal information from children under the age of 13 (or under the applicable age in your jurisdiction, such as 16 in parts of the EEA). If you believe a child has provided personal information to us, please contact us using the details in Section 14 and we will take appropriate steps to delete the information.

12. Mobile Application; App Store Disclosures

If you access the Services through our mobile or desktop application:

  • Permissions. The app may request access to your device's microphone and camera in order to enable roleplay features that you proactively initiate. You can revoke these permissions at any time through your device settings; doing so may limit certain functionality. The app does not access these sensors passively.

  • Data categories collected through the app. Consistent with Section 3, the app may collect: contact information (name, business email), user content (roleplay inputs, audio and video you initiate), identifiers (account ID, device identifiers), usage data, and diagnostics. We do not use this data for tracking across apps or websites owned by other companies.

  • Tracking. We do not engage in tracking as defined under Apple's App Tracking Transparency framework. We do not share data with data brokers.

  • Account deletion. You may request deletion of your account and associated personal data at any time by following the in-app account deletion flow or by contacting us at the address in Section 14. For accounts provisioned by your employer, we will action your deletion request in accordance with applicable law and our Customer agreements, which may include notifying your employer of the deletion.

  • Linked content and third-party services. The Services may link to or integrate with third-party services (such as your SSO provider). Their privacy practices are governed by their own policies.

This Privacy Policy is the privacy policy referenced in the app's listing on the Apple App Store, Google Play, or any other distribution platform where the app may be made available.

13. Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, the Services, or legal requirements. When we make material changes, we will update the "Last Updated" date at the top of this Policy and, where required, provide additional notice (such as by posting a notice on the website or notifying you through the Services). Your continued use of the Services after the effective date of an updated Policy constitutes acceptance of the updates to the extent permitted by law.

14. Contact Us

General contact and Data Protection Officer. If you have questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact our Data Protection Officer:

Quizizz Inc. (d/b/a Skillet)

4204 Glencoe Ave

Building 3, Suite 220

Marina Del Rey, CA 90292, USA

Email: support@skillet.io

Attention: Data Protection Officer

EU representative (Article 27, GDPR). We have appointed GDPR-Rep.eu (Prighter) as our representative in the EU under Article 27 of the GDPR. To exercise your GDPR rights through our representative, please visit gdpr-rep.eu/q/13361347. Correspondence may also be sent to:

GDPR-Rep.eu at Prighter

Maetzler Rechtsanwalts GmbH & Co KG

Attorneys at Law

c/o Quizizz Inc.

Schellinggasse 3/10, 1010 Vienna, Austria

Please include the subject line: GDPR-REP ID: 13361347.

UK representative (Article 27, UK GDPR). Correspondence under the UK GDPR may be sent to:

Prighter Ltd (UK)

Attorneys at Law

c/o Quizizz Inc.

20 Mortlake High Street

London SW14 8JN, United Kingdom

Please include the subject line: GDPR-REP ID: 13361347.

For EEA, UK, or Swiss residents, please indicate your jurisdiction in your request so we can route it appropriately.