Privacy Policy — SnapAudit

Effective date: 19 April 2026

1. Who we are

SnapAudit is operated by Blizzard Trade LLC, a Florida limited liability company (Document #L17000133723, registered with the Florida Department of State on 21 June 2017), with its principal place of business at 221 West Hallandale Beach Blvd, Suite 310, Hallandale Beach, FL 33009, USA. For questions about this policy or to exercise any of the rights described below, contact us at [email protected].

2. What personal data we process

We act as a data controller for account information, and as a data processor for content uploaded to the Service.

Account data (controller)

Email address — for authentication, email verification, and notifications.
Name (optional, self-supplied) — displayed inside the app.
Account preferences — language, notification toggles, balance and billing records.
Session cookies and security-relevant metadata (IP, user-agent at login).

Uploaded content (processor)

Reference photographs and inspection photographs uploaded by the Customer.
Photograph metadata: timestamp, inspection result, automatically-generated detection bounding boxes.

The Customer is the data controller for uploaded content. The Customer is responsible for ensuring any persons depicted have consented or that another lawful basis applies under their local data-protection law.

3. Legal bases (GDPR Article 6)

Contract performance — account data and content we process to deliver the Service.
Legitimate interests — security logging, abuse prevention, and service improvement in an aggregated, non-identifiable form.
Consent — for the weekly digest email (opt-out any time via the link in every digest). The one-click unsubscribe is implemented via RFC 8058 List-Unsubscribe-Post.
Legal obligation — retention of billing records as required by applicable tax law.

4. How long we keep data

Category	Retention
Account record	For the duration of the account + 30 days after deletion
Reference photographs	Until the checkpoint is deleted by the Customer
Inspection photographs	90 days (after which only metadata is archived)
Inspection metadata (archive)	Indefinitely, for historical analytics
Session cookies	30 days sliding window
Billing records	As required by applicable tax law (typically 7 years)

5. Your rights

Under GDPR (and equivalent legislation in the UK, California, and elsewhere) you have the right to:

Access — request a copy of the personal data we hold about you.
Rectification — correct inaccurate data.
Erasure ("right to be forgotten") — delete your account data; content uploaded by your employer as data controller is governed by their agreement with us.
Portability — export your data in a machine-readable format.
Objection — stop processing based on legitimate interests.
Withdraw consent — opt out of marketing or the weekly digest at any time.
Lodge a complaint with the supervisory authority in your country (for EU: your national DPA; for UK: the ICO).

To exercise any of these rights, email [email protected]. We respond within 30 days.

6. Security

All traffic uses TLS 1.2 or higher.
Photographs are stored in object storage with access-controlled credentials.
Passwords are hashed with bcrypt.
Session tokens are randomly generated and invalidated on password change.
HMAC-SHA256 is used for one-click email unsubscribe tokens.

No system is perfectly secure. If you suspect a security issue, email [email protected] — we aim to triage within 24 hours.

7. International transfers and sub-processors

Some processing is performed by sub-processors in categories including model inference, object storage, transactional email, CDN / DDoS protection, and payment processing. Some of these sub-processors operate outside the EEA / UK; where transfers leave the adequacy region, we rely on Standard Contractual Clauses (SCCs) and supplementary measures (encryption at rest, access controls) to provide appropriate safeguards under GDPR Articles 46–48.

The full sub-processor list with specific vendor names, processing regions, and contractual safeguards is shared with customers under our Data Processing Agreement — email [email protected] to request the DPA + accompanying sub-processor schedule. Customers with strict data-residency requirements can opt for an Enterprise deployment with a dedicated storage region by contract.

8. Changes to this policy

We will notify account holders of material changes at least 14 days before they take effect. The "Effective date" above always reflects the current version.

9. Contact

Privacy-specific enquiries: [email protected]. General enquiries: [email protected].