Legal
Privacy Policy
Last updated: April 23, 2026 · We take your privacy seriously. Here's exactly what we collect, why, and what we do with it.
1. What We Collect
Information you provide
- Account information — full name, username, email address, city, state, and country provided at registration
- Photos and media — images and video files you upload for processing
- Payment information — handled entirely by Stripe; we never see or store your card number
- Communications — emails or messages you send to us
Information collected automatically
- Server logs — IP address, browser type, pages visited, timestamps (standard web server logs, retained 30 days)
- Session data — authentication tokens stored in your browser's localStorage (not shared with third parties)
Special categories: biometric & facial data
Our AI restoration, enhancement, and Cinema animation features involve analysis of facial features within photos you upload. This processing is performed solely to deliver the service you requested. We do not build facial recognition databases, sell facial data, or use it for any purpose beyond your project.
We maintain a dedicated Biometric & Likeness Rights Policy that provides full disclosure of what facial data is collected, how long it is retained, your rights under Illinois BIPA, Texas CUBI, Washington MHMD, California CCPA/CPRA, and EU GDPR Article 9, and how we handle photos containing third-party faces. Please read it before submitting photos for AI processing.
2. How We Use Your Data
- To process your photos and deliver finished media to you
- To manage your account and subscription
- To communicate with you about your projects and account
- To detect and prevent fraud and abuse
- To comply with legal obligations
We do not use your personal photos or data to train AI models, serve advertising, or build behavioral profiles.
3. How We Share Your Data
We share data only as necessary to deliver the service:
- AI processing providers — third-party AI APIs (e.g., for restoration, upscaling, video generation) receive your uploaded media solely to process it for your project. These providers operate under data processing agreements and are prohibited from using your data for their own purposes.
- Stripe — payment processing. Stripe receives billing information under their own privacy policy.
- AWS — cloud infrastructure for hosting and storage.
- Legal requirements — we may disclose data if required by law, subpoena, or to protect our legal rights.
We do not sell your data. Ever.
4. Data Retention
- Original uploads — retained for 90 days after project completion, then deleted unless you request earlier deletion
- Processed output — retained for 180 days and available for download from your account
- Account data — retained while your account is active and for 30 days after deletion to allow recovery
- Billing records — retained for 7 years as required by financial regulations
5. Your Rights
Depending on your location, you may have the right to:
- Access — request a copy of the personal data we hold about you
- Correction — request correction of inaccurate data
- Deletion — request deletion of your account and associated data
- Portability — request your data in a machine-readable format
- Objection — object to certain processing activities
To exercise any of these rights, email hello@snapshots.cloud. We will respond within 30 days.
6. Children's Privacy
snapshots.cloud is not directed at children under 18. We do not knowingly collect personal information from minors. If you believe a minor has submitted data to us, contact us immediately and we will delete it.
7. Security
We use industry-standard security measures including encrypted storage, HTTPS, and access controls. No system is perfectly secure — if you believe your account has been compromised, contact us immediately at hello@snapshots.cloud.
8. Updates to This Policy
We will notify you by email of any material changes to this Privacy Policy. The "Last updated" date at the top reflects the most recent revision.
9. Contact
Privacy questions or requests: hello@snapshots.cloud
10. GDPR Disclosures (EU & UK Users)
If you are located in the European Union, European Economic Area, or United Kingdom, the following additional disclosures apply under the General Data Protection Regulation (GDPR) and UK GDPR.
Data Controller
snapshots.cloud is the data controller responsible for your personal data. For all privacy matters, contact us at: privacy@snapshots.cloud
Lawful Basis for Processing
We process your personal data under the following lawful bases (Article 6 GDPR):
- Contract (Article 6(1)(b)) — processing your account information, uploaded media, and payment data is necessary to deliver the service you have contracted for.
- Legitimate interests (Article 6(1)(f)) — server logs and fraud detection are processed for our legitimate interest in operating a secure and reliable service, balanced against your privacy interests.
- Legal obligation (Article 6(1)(c)) — billing records are retained to comply with financial record-keeping laws.
- Explicit consent (Article 9(2)(a)) — biometric and facial data (a special category under Article 9) is processed on the basis of your explicit consent given when you upload photos for AI processing. You may withdraw consent at any time.
Your GDPR Rights
Under GDPR, you have the following rights in relation to your personal data:
- Access (Article 15) — request a copy of the personal data we hold about you.
- Rectification (Article 16) — request correction of inaccurate or incomplete data.
- Erasure (Article 17) — request deletion of your personal data where there is no compelling reason for continued processing.
- Restriction (Article 18) — request that we restrict processing of your data in certain circumstances (e.g., while accuracy is contested).
- Portability (Article 20) — receive your data in a structured, machine-readable format.
- Objection (Article 21) — object to processing based on legitimate interests.
- Withdraw consent (Article 7(3)) — where processing is based on consent, withdraw it at any time without affecting the lawfulness of prior processing.
To exercise any right, email privacy@snapshots.cloud. We will respond within 30 days. In complex cases we may extend by a further 60 days and will notify you of any extension within the initial 30-day period.
You also have the right to lodge a complaint with your local supervisory authority. In the EU, find your authority at edpb.europa.eu. In the UK, contact the Information Commissioner's Office (ICO).
International Data Transfers
snapshots.cloud is hosted on AWS infrastructure in the United States (us-east-1 region). Your data is processed by the following US-based providers: AWS, Anthropic, fal.ai, Shotstack, ElevenLabs, and Stripe. Transfers of personal data from the EU/UK to the US are made on the basis of Standard Contractual Clauses (SCCs) adopted by the European Commission, or equivalent transfer mechanisms, where applicable under the provider's data processing agreements.
We rely on the EU-US Data Privacy Framework (where providers are certified) and SCCs as our transfer mechanisms. You may request details of the specific safeguards in place by contacting privacy@snapshots.cloud.
11. California Privacy Rights (CCPA / CPRA)
If you are a California resident, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) gives you specific rights regarding your personal information.
Categories of Personal Information We Collect
In the preceding 12 months, we have collected the following categories of personal information as defined by the CCPA:
- Identifiers — name, username, email address, IP address
- Geolocation data — city, state, country (provided by you at registration; approximate location from IP address in server logs)
- Biometric information — facial geometry data processed transiently during AI photo and video processing (see our Biometric Policy)
- Photos and visual content — images and video files you upload
- Internet or network activity — server logs including pages visited, browser type, timestamps
- Commercial information — credit purchase records and transaction history
- Inferences — none. We do not build behavioral profiles or make inferences about you from your data.
How We Use and Share Personal Information
We use personal information for the business purposes described in Section 2 of this policy. We share personal information with service providers (AWS, Stripe, AI processing APIs) solely to deliver the service — these are not "sales" or "sharing" under the CCPA.
We do not sell your personal information. We do not share your personal information for cross-context behavioral advertising. We have not sold or shared personal information in the preceding 12 months.
Your CCPA / CPRA Rights
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you in the preceding 12 months, including the sources, business purposes, and third parties with whom it was shared.
- Right to Delete — request deletion of personal information we have collected, subject to certain exceptions.
- Right to Correct — request correction of inaccurate personal information.
- Right to Opt-Out of Sale or Sharing — we do not sell or share personal information, so there is nothing to opt out of. If this changes, we will update this policy and provide an opt-out mechanism.
- Right to Limit Use of Sensitive Personal Information — we use sensitive personal information (including biometric data) only to deliver the service you requested. You may request further limitation by contacting us.
- Right to Non-Discrimination — we will not discriminate against you for exercising any of your CCPA rights. Exercising these rights will not result in denial of service, different prices, or different quality of service.
How to Submit a Request
To exercise your California privacy rights, contact us at: privacy@snapshots.cloud with the subject line "California Privacy Request." We will verify your identity before processing your request and respond within 45 days. We may extend by an additional 45 days when reasonably necessary and will notify you of any extension.
You may designate an authorized agent to submit a request on your behalf by providing written authorization and verifying your identity directly with us.