GDPR Compliance

Overview
Data Controller
Legal Basis
Your GDPR Rights
Data Processing
International Transfers
Data Retention
Security Measures
Data Processing Agreement
Contact DPO

1. Overview

SnapAPI is committed to protecting your personal data and complying with the General Data Protection Regulation (GDPR). This page explains how we process personal data of individuals in the European Economic Area (EEA) and the United Kingdom.

This document supplements our Privacy Policy with specific information required by the GDPR.

2. Data Controller

For the purposes of the GDPR, SnapAPI acts as:

Data Controller for personal data we collect about our users (account information, usage data, billing)
Data Processor when processing URLs and content on behalf of our users

Contact details:

Email: dpo@snapapi.pics

3. Legal Basis for Processing

We process personal data under the following legal bases:

Processing Activity	Legal Basis
Account creation and management	Contract performance (Article 6(1)(b))
Processing API requests	Contract performance (Article 6(1)(b))
Payment processing	Contract performance (Article 6(1)(b))
Service-related communications	Legitimate interest (Article 6(1)(f))
Analytics and service improvement	Legitimate interest (Article 6(1)(f))
Marketing communications	Consent (Article 6(1)(a))
Legal compliance	Legal obligation (Article 6(1)(c))

4. Your GDPR Rights

Under the GDPR, you have the following rights:

Right to Access

Request a copy of all personal data we hold about you.

Right to Rectification

Request correction of inaccurate or incomplete personal data.

Right to Erasure

Request deletion of your personal data ("right to be forgotten").

Right to Restriction

Request limitation of processing of your personal data.

Right to Data Portability

Receive your data in a structured, machine-readable format.

Right to Object

Object to processing based on legitimate interests or for marketing.

Right to Withdraw Consent

Withdraw consent at any time where we rely on consent.

Right to Lodge Complaint

Lodge a complaint with a supervisory authority.

How to Exercise Your Rights

To exercise any of these rights, please contact us at dpo@snapapi.pics. We will respond to your request within 30 days.

You can also exercise many of these rights directly through your dashboard:

Download your data (data portability)
Update your information (rectification)
Delete your account (erasure)
Manage communication preferences (object/consent)

5. Data Processing Activities

5.1 Personal Data We Collect

Account Data: Email, name, password (hashed)
Payment Data: Billing address, transaction records (payment details processed by LemonSqueezy)
Usage Data: API requests, timestamps, IP addresses
Technical Data: Browser type, device information

5.2 Categories of Data Subjects

Registered users
Website visitors
API consumers

5.3 Sub-processors

We use the following sub-processors:

Sub-processor	Purpose	Location
LemonSqueezy	Payment processing	USA (Privacy Shield)
Google Cloud	Infrastructure hosting	EU (Frankfurt)
Cloudflare	CDN and DDoS protection	Global (EU data centers)

6. International Data Transfers

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

Standard Contractual Clauses (SCCs) approved by the European Commission
Adequacy decisions for transfers to countries with adequate protection
Binding Corporate Rules where applicable

You can request a copy of the relevant safeguards by contacting our DPO.

7. Data Retention

We retain personal data only as long as necessary:

Data Type	Retention Period	Justification
Account data	Until account deletion + 30 days	Contract performance
Usage logs	90 days	Legitimate interest (debugging)
Payment records	7 years	Legal obligation (tax laws)
Marketing consent	Until withdrawn	Consent records

8. Security Measures

We implement appropriate technical and organizational measures including:

Encryption of data in transit (TLS 1.3) and at rest (AES-256)
Regular security assessments and penetration testing
Access controls and role-based permissions
Employee training on data protection
Incident response procedures
Regular backups with encryption

9. Data Processing Agreement

For enterprise customers who need a Data Processing Agreement (DPA), we provide a GDPR-compliant DPA that includes:

Scope and nature of processing
Obligations of both parties
Sub-processor provisions
Data security requirements
Standard Contractual Clauses

Contact legal@snapapi.pics to request a DPA.

10. Contact Data Protection Officer

For any GDPR-related inquiries, please contact our Data Protection Officer:

Email: dpo@snapapi.pics

You also have the right to lodge a complaint with your local supervisory authority if you believe your data protection rights have been violated.