This Privacy Policy describes how SnapAPI ("we", "us", "our") collects, uses, and shares information when you use our screenshot and OG image generation API available at getsnapapi.dev ("Service"). This Policy is incorporated into our Terms of Service.

1. Information We Collect

1.1 Information You Provide

• Email address: Collected at signup and used to associate your API Key, send service-related communications, and provide support.
• Plan selection: The subscription tier you choose (Free, Pro, or Business).
• Payment information: If you subscribe to a paid plan, payment details are collected and processed by our payment processor (Paddle). We do not store full card numbers or sensitive payment credentials on our servers.

1.2 Information Collected Automatically

• API request logs: Endpoint called, timestamp, HTTP status code, response time, and the URL parameter you submitted for capture.
• IP address: Collected per request for rate limiting, abuse prevention, and security purposes.
• Usage counters: Monthly request counts per API Key for quota enforcement.

1.3 What We Do NOT Collect or Store

• We do not persistently store the rendered screenshots or OG images generated by your requests. Images are generated on-demand and returned directly in the HTTP response.
• We do not store the content of the websites you capture.
• We do not use cookies or tracking pixels on the API endpoints.
• We do not sell, rent, or share your personal data with third parties for marketing purposes.

2. How We Use Your Information

Purpose	Data Used	Legal Basis (GDPR)
Provide and operate the Service	Email, API Key, usage logs	Contract performance
Billing and payment processing	Email, plan, payment info	Contract performance
Enforce usage quotas	API Key, request counts	Contract performance
Security and abuse prevention	IP address, request logs	Legitimate interests
Service communications (downtime, updates)	Email	Legitimate interests
Legal compliance	Any relevant data	Legal obligation

3. Data Sharing and Third Parties

We share data only as necessary to operate the Service:

• Paddle (payment processor): Processes subscription payments. Subject to Paddle's Privacy Policy.
• Cloud/hosting infrastructure: Our VPS provider (Hostinger) hosts the Service. Data is processed on servers within their infrastructure.
• Law enforcement / legal process: We may disclose data if required by law, court order, or to protect our rights or the rights of others.

We do not sell, trade, or rent your personal information to third parties.

4. Data Retention

• Account data (email, plan): Retained for as long as your account is active, plus 90 days after deletion to resolve disputes.
• API request logs: Retained for 90 days for security and debugging purposes, then automatically deleted.
• Billing records: Retained for 7 years as required by applicable financial regulations.
• Rendered images: Not retained (generated in-memory, returned immediately, discarded).

5. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate or incomplete data.
• Erasure ("Right to be forgotten"): Request deletion of your personal data, subject to our legal retention obligations.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Request your data in a machine-readable format.
• Objection: Object to processing based on legitimate interests.
• California (CCPA): California residents have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information.

To exercise any of these rights, email us at support@getsnapapi.dev with the subject "Privacy Request". We will respond within 30 days.

6. Security

We implement appropriate technical and organisational measures to protect your data, including:

• TLS/HTTPS encryption for all data in transit.
• API Keys stored as plain text but scoped to your account — treat them like passwords.
• Access controls limiting database access to the application process only.
• SSRF protections that block requests to internal network addresses.

No method of transmission over the internet or electronic storage is 100% secure. We cannot guarantee absolute security, but we follow industry best practices.

7. International Transfers

Your data may be processed on servers located outside your country of residence. By using the Service, you consent to the transfer of your data to these locations. Where required by law (e.g., GDPR), we ensure appropriate safeguards are in place.

8. Children's Privacy

The Service is not directed to individuals under 18 years of age. We do not knowingly collect personal information from children. If you become aware that a child has provided us with personal data, please contact us and we will delete it promptly.

9. Cookies and Tracking

The SnapAPI landing page (getsnapapi.dev) does not use third-party tracking cookies or analytics scripts. We use no advertising trackers. The only storage used is a session mechanism for the signup form, which is session-only and contains no third-party code.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated Policy on this page and updating the "Last updated" date. For significant changes, we will also notify you by email if you have an active account.

11. Contact and Data Controller

SnapAPI is the data controller for personal information collected through the Service.