Skip to content
SkySageTrust center

SKYSAGE TRUST CENTER

Security Without Mystery.

SkySage is designed to keep authentication, saved travel data, and provider access within clear boundaries. These are the safeguards in the current product and the limits you should know.

Current product notice · Updated July 13, 2026

IDENTITY

Sign In With ChatGPT

SkySage does not operate a separate password system. Sign-in and sign-out use the ChatGPT identity flow.

ACCESS

Workspace Scoped

Profile, portfolio, trip, photo, saved-search, and connection requests require a signed-in identity and are queried for that owner.

PROVIDERS

Secrets Stay Server-Side

Configured provider credentials are used by server routes rather than placed in browser code or profile fields.

Current Safeguards

  • Identity-gated workspace data. Authenticated APIs require a ChatGPT identity before reading or changing saved records.
  • Owner-scoped records. Profiles, balances, searches, trips, private photos, and provider connections are stored and retrieved for the signed-in workspace owner.
  • Server-side provider access. Flight, award, and loyalty-provider credentials are read by server code rather than sent to the browser.
  • Encrypted photo-provider tokens. Google Photos and OneDrive tokens are encrypted before storage and are never returned to browser code.
  • Validated inputs and normalized results. The product validates workspace inputs and maps linked-account responses into the limited fields used by SkySage.
  • Consent-gated analytics. Anonymous-insight records are created only after a traveler opts in. A separate server secret produces pseudonymous subject and trip keys; raw account and trip identifiers are not copied into those analytics records.
  • Aggregate-only owner reporting. The analytics dashboard requires both ChatGPT sign-in and SkySage's exact server-side owner allowlist. It returns aggregate metrics, suppresses small route and program cohorts, and does not provide a customer-row browser.
  • Deletion controls. You can remove individual records, disconnect a loyalty provider, or delete all stored SkySage workspace data.

Credentials And Payments

SkySage does not ask for or store a separate SkySage password. It also does not ask for loyalty-program passwords. Supported loyalty linking uses the provider's consent process when that integration is available.

When you deliberately choose a paid plan, SkySage creates a server-side Checkout Session and sends you to Stripe-hosted checkout, where Link is the seller of record. Payment-method entry and billing management happen with Stripe and Link; SkySage stores only the customer, transaction, subscription, and entitlement information needed to confirm access. SkySage does not receive or store full card or bank-account numbers.

Buying a SkySage plan pays for access to decision tools. It does not authorize SkySage or Stripe to purchase, cancel, or change travel on your behalf.

Provider Boundaries

Provider searches can send itinerary details to configured cash-fare and award-data services. Provider availability, response quality, and security practices sit outside SkySage’s direct control.

Approved KAYAK and Skyscanner searches run through server-side APIs, and their credentials are never exposed to the browser. Booking and loyalty-program pages open as user-directed handoffs. SkySage does not scrape those pages, capture their sign-in forms, or treat an unopened partner page as searched inventory.

Search responses are returned with instructions not to cache them, but a result is still a point-in-time observation. Reprice fares and verify award inventory directly before making a purchase or an irreversible points transfer.

Disconnecting a provider removes the SkySage connection record and synced balances. It does not close or delete the external provider account.

Photo uploads require explicit file selection or capture. A browser cannot silently monitor a camera roll after SkySage closes. External photo albums and files remain subject to the provider's own controls.

Safer Use

  • Use only the official SkySage address you expect and check the address bar before signing in.
  • Never paste a ChatGPT password, loyalty password, payment card, API key, or recovery code into a SkySage field or support message.
  • Sign out of ChatGPT on a shared device and clear browser site data if you used the public sample.
  • Treat provider prices and availability as time-sensitive, and verify them at the source.

Report A Concern

If you believe you found a security issue, stop before testing against another person’s data or disrupting the service. Visit Support and provide the affected route, time, steps, and observed behavior without including secrets or personal travel data.

For suspected compromise of your ChatGPT, airline, loyalty, or provider account, sign out and contact that service directly through its official support channel.