Privacy Policy

Last updated: January 18, 2025

SnapShot Inc. ("we," "our," or "us") is committed to transparency about how we handle your data. This Privacy Policy explains what information we collect, how we use it, and your rights regarding your data.

1. Information We Collect

1.1 Account Information

When you create an account, we collect:

  • Email address: Provided via Google OAuth, used for account identification and communication
  • Display name: From your Google profile (optional)
  • Profile photo URL: From your Google profile (optional)

Important: We use Google OAuth 2.0 for authentication. We do NOT store passwords. Your Google credentials never touch our servers.

1.2 Content You Save

When you save posts using SnapShot, we store:

  • Snapshot images: PNG screenshots of the posts you save, stored on Cloudflare R2
  • Post text content: The text of the tweet or post, stored in our PostgreSQL database
  • Metadata: Author, timestamp, engagement metrics (likes, retweets), post URL
  • Tags: Custom tags you add for organization
  • Timestamps: When you saved the post

Transparency About Data Access

Snapshot images and post text are NOT encrypted in storage. Our technical team can access this data for operational purposes (debugging, support tickets, platform maintenance) and if required by valid legal process.

We preserve public content that was already posted on social media platforms. We do not collect private messages or non-public content.

1.3 Authentication Tokens

When you sign in via Google OAuth, we store:

  • OAuth access tokens: Encrypted with AES-256-GCM before storage in PostgreSQL
  • OAuth refresh tokens: Encrypted with AES-256-GCM before storage
  • JWT session tokens: Used for authentication, 30-day expiration

These tokens are encrypted to protect your Google account access.

1.4 Usage and Technical Information

We automatically collect:

  • Browser information: Type, version, user agent
  • Device information: Operating system, screen resolution
  • IP address: For security and fraud prevention (anonymized after 24 hours)
  • Extension version: To provide compatibility and support
  • Usage statistics: Feature usage, error logs, performance metrics (aggregated and anonymized)

2. How We Use Your Information

We use the information we collect for the following purposes:

Service Provision

  • Create and manage your account
  • Store and retrieve your saved snapshots
  • Authenticate your access via Google OAuth
  • Provide search and organizational features
  • Enable data export

Service Improvement

  • Analyze usage patterns (anonymized)
  • Identify and fix bugs
  • Improve performance and reliability
  • Develop new features based on usage data

Communication

  • Send service updates and announcements
  • Respond to support requests
  • Send security alerts
  • Send promotional emails (opt-in only)

Legal and Security

  • Comply with legal obligations
  • Enforce our Terms of Service
  • Detect and prevent fraud and abuse
  • Respond to valid legal requests

We will NEVER:

  • Sell your personal information or snapshots to third parties
  • Use your saved content for advertising purposes
  • Train AI models on your private archives without explicit consent
  • Share your data with data brokers or marketing companies

3. Data Storage and Security

3.1 Where Your Data Is Stored

Data Type | Storage Location | Encryption Status
Account Info | PostgreSQL (Fly.io) | Database-level encryption at rest
Post Text & Metadata | PostgreSQL (Fly.io) | Database-level encryption at rest
Snapshot Images (PNG) | Cloudflare R2 | Server-side encryption
OAuth Tokens | PostgreSQL (Fly.io) | AES-256-GCM encrypted + database encryption

3.2 Security Measures

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • Authentication: Google OAuth 2.0 with PKCE (Proof Key for Code Exchange) for secure sign-in
  • Session Management: JWT tokens with 30-day expiration and secure HTTP-only cookies
  • Access Controls: User-scoped data isolation. You can only access your own snapshots
  • Infrastructure Security: Fly.io (PostgreSQL) and Cloudflare R2 are SOC 2 Type II certified
  • Monitoring: 24/7 security monitoring and intrusion detection

3.3 What Can SnapShot Staff Access?

Honest disclosure: Our technical team can access your saved snapshots and post text when necessary for legitimate operational purposes:

  • Responding to your support requests
  • Debugging technical issues you report
  • Investigating abuse or Terms of Service violations
  • Complying with valid legal requests

We have strict internal access policies and audit logs to prevent unauthorized access. Staff access is logged and monitored.

4. Data Sharing and Disclosure

We share your information only in the following limited circumstances:

Category | Partners | Data Shared | Purpose
Authentication | Google | OAuth authorization requests | Sign-in via Google
Payment Processing | Stripe | Email, payment details | Process subscriptions
Infrastructure | Fly.io, Cloudflare | All stored data | Hosting and storage
Analytics | None (self-hosted) | Anonymized usage data | Improve service

Law Enforcement Requests

We comply with valid legal requests. If served with a valid court order, subpoena, or search warrant, we may be required to provide:

  • Account information (email, name, creation date)
  • Saved snapshots (images and text)
  • Post metadata (timestamps, authors, URLs)
  • Usage logs and IP addresses

We review all requests for legal validity and notify users when permitted by law. SnapShot preserves public content that was already posted on social media. We are not preserving private communications.

5. Your Privacy Rights

Depending on your location (GDPR, CCPA, etc.), you may have the following rights:

Access

Request a copy of all personal data we hold about you.

Rectification

Correct inaccurate or incomplete personal data.

Erasure ("Right to be Forgotten")

Request deletion of your personal data and snapshots.

Portability

Receive your data in a machine-readable format (JSON, CSV).

Objection

Object to processing of your personal data for specific purposes.

Restriction

Request restriction of processing in certain circumstances.

How to Exercise Your Rights

To exercise any of these rights:

  1. Email our Data Protection Officer at dpo@snapshot.so
  2. Include your account email and specific request
  3. We will respond within 30 days (GDPR) or 45 days (CCPA)

No charge. Exercising your privacy rights is free, unless requests are manifestly unfounded or excessive.

6. Data Retention

Data Type | Retention Period | Reason
Account Information | Until account deletion | Provide service
Saved Snapshots & Text | Until account deletion or manual removal | Core functionality
Payment Records | 7 years after last transaction | Tax and legal compliance
Support Tickets | 3 years | Customer service history
Anonymized Analytics | 2 years | Product improvement
Security Logs | 1 year | Incident response and fraud prevention

Account Deletion

When you delete your account, all personal data and saved snapshots are permanently deleted within 30 days. Backup copies are removed within 90 days. Payment records are retained as required by law (7 years).

7. International Data Transfers

SnapShot is based in the United States. If you access our services from outside the US, your information may be transferred to, stored, and processed in the US or other countries where our infrastructure providers operate.

GDPR Compliance (EU/EEA Users)

For users in the European Union or European Economic Area:

  • We use Standard Contractual Clauses (SCCs) approved by the EU Commission for data transfers
  • Fly.io (PostgreSQL) and Cloudflare R2 are GDPR-compliant infrastructure providers
  • You have the right to lodge a complaint with your local supervisory authority
  • Enterprise customers can request EU-region data residency (contact sales)

UK GDPR (UK Users)

We comply with UK data protection laws using International Data Transfer Agreements (IDTAs) and Standard Contractual Clauses.

8. Children's Privacy

SnapShot is not intended for use by individuals under 16 years of age (or under 13 in the US). We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, please contact us at dpo@snapshot.so and we will delete the information immediately.

9. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. When we make material changes, we will notify you by:

  • Email notification (to your account email)
  • Prominent notice in the extension
  • Update date at the top of this policy

Your continued use of SnapShot after changes become effective constitutes acceptance of the updated policy. If you disagree with changes, you may delete your account.

Version History

  • January 18, 2025: Updated to reflect accurate data handling practices and security architecture
  • January 17, 2025: Initial publication

10. Contact Us

If you have questions or concerns about this Privacy Policy or our data practices:

Data Protection Officer

dpo@snapshot.so

For privacy rights requests, data inquiries, and GDPR/CCPA compliance.

Mailing Address

SnapShot Inc.
Attn: Data Protection Officer
123 Infrastructure Lane
San Francisco, CA 94102
United States

Need Help?

For general questions, visit our help center or contact support.