Privacy Policy — SnapAudit
Effective date: 19 April 2026
⚠ Draft — requires legal review before public launch.
Inline placeholders the lawyer must fill:
[COMPANY_NAME] — legal controller entity (must match ToS).
[ADDRESS] — registered office, also serves as the privacy-contact postal address.
[JURISDICTION] — country of incorporation + applicable national DPA.
Decisions the lawyer must confirm (not in-line — separate review memo):
- GDPR Article 28 processor terms — current wording is general; if EU customers demand a formal DPA, finalize the contract template.
- UK-GDPR carve-outs — same as GDPR but with UK supervisory authority (ICO) as backup.
- CCPA/CPRA disclosures — California residents need "Do Not Sell or Share" link + specific category disclosures if we serve CA-resident end-users.
- Sub-processor list completeness — confirm the full current list with the dev lead before every material change; GDPR requires advance notice to customers.
- International transfers — SCCs are referenced; counsel to confirm the specific SCC modules (controller-to-processor, processor-to-processor) that apply to each sub-processor.
- Children's-data clause — we don't intentionally collect data about minors. If that's still true at launch, add COPPA disclaimer for US.
- Automated decision-making disclosure (GDPR Art. 22) — AI inspection arguably isn't "solely automated" because a human manager reviews results, but confirm the phrasing.
1. Who we are
SnapAudit is operated by [COMPANY_NAME], registered in [JURISDICTION] at [ADDRESS]. For questions about this policy or to exercise any of the rights described below, contact us at [email protected].
2. What personal data we process
We act as a data controller for account information, and as a data processor for content uploaded to the Service.
Account data (controller)
- Email address — for authentication, email verification, and notifications.
- Name (optional, self-supplied) — displayed inside the app.
- Account preferences — language, notification toggles, balance and billing records.
- Session cookies and security-relevant metadata (IP, user-agent at login).
Uploaded content (processor)
- Reference photographs and inspection photographs uploaded by the Customer.
- Photograph metadata: timestamp, inspection result, AI-generated detection bounding boxes.
The Customer is the data controller for uploaded content. The Customer is responsible for ensuring any persons depicted have consented or that another lawful basis applies under their local data-protection law.
3. Legal bases (GDPR Article 6)
- Contract performance — account data and content we process to deliver the Service.
- Legitimate interests — security logging, abuse prevention, and service improvement in an aggregated, non-identifiable form.
- Consent — for the weekly digest email (opt out at any time via the link in every digest). The one-click unsubscribe is implemented via RFC 8058 List-Unsubscribe-Post.
- Legal obligation — retention of billing records as required by applicable tax law.
4. How long we keep data
| Category | Retention |
| Account record | For the duration of the account + 30 days after deletion |
| Reference photographs | Until the checkpoint is deleted by the Customer |
| Inspection photographs | 90 days (after which only metadata is archived) |
| Inspection metadata (archive) | Indefinitely, for historical analytics |
| Session cookies | 30 days sliding window |
| Billing records | As required by applicable tax law (typically 7 years) |
5. Sub-processors
We use the following sub-processors to operate the Service. This list is reviewed quarterly.
| Sub-processor | Purpose | Processing region |
| Google (Gemini API) | AI vision inference on inspection photos | US / EU |
| OpenAI, Anthropic | Fallback AI providers when Gemini is unavailable | US |
| S3-compatible object storage | Encrypted photo blob storage | Varies by deployment |
| Transactional email provider | Verification, password reset, digest, alert emails | Varies by deployment |
| Cloudflare | DNS, CDN, DDoS protection | Global anycast |
| Stripe | Payment processing (when enabled) | US / IE |
The full sub-processor list with specific vendor names and processing regions is available on request at [email protected] — we'll share it ahead of DPA signature. For customers with non-adequacy jurisdiction concerns, we offer Enterprise deployments with a dedicated storage region.
6. Your rights
Under GDPR (and equivalent legislation in the UK, California, and elsewhere) you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — correct inaccurate data.
- Erasure ("right to be forgotten") — delete your account data; content uploaded by your employer as data controller is governed by their agreement with us.
- Portability — export your data in a machine-readable format.
- Objection — stop processing based on legitimate interests.
- Withdraw consent — opt out of marketing or the weekly digest at any time.
- Lodge a complaint with the supervisory authority in your country (for EU: your national DPA; for UK: the ICO).
To exercise any of these rights, email [email protected]. We respond within 30 days.
7. Security
- All traffic uses TLS 1.2 or higher.
- Photographs are stored in object storage with access-controlled credentials.
- Passwords are hashed with bcrypt.
- Session tokens are randomly generated and invalidated on password change.
- HMAC-SHA256 is used for one-click email unsubscribe tokens.
No system is perfectly secure. If you suspect a security issue, email [email protected] — we aim to triage within 24 hours.
8. International transfers
Some of our sub-processors operate outside the EEA / UK. Where required, we rely on Standard Contractual Clauses (SCCs) and supplementary measures (encryption at rest, access controls) to provide appropriate safeguards under GDPR Articles 46–48.
9. Changes to this policy
We will notify account holders of material changes at least 14 days before they take effect. The "Effective date" above always reflects the current version.
10. Contact
Privacy-specific enquiries: [email protected]. General enquiries: [email protected].