Privacy Policy
Last updated: April 23, 2026
Data controller
SnapSharp (snapsharp.dev) is operated by an individual. Payments and subscriptions are processed by Lemon Squeezy LLC (lemon.squeezy.com), acting as our Merchant of Record — they are the data controller for payment and billing data under their own Privacy Policy. For all other data described below, SnapSharp is the data controller.
Privacy questions: [email protected]
1. Data we collect
We collect your email address when you sign up, API usage logs (endpoint, status code, response time, IP address, user agent), and billing information if you subscribe to a paid plan. Billing is handled by Lemon Squeezy as our Merchant of Record — we do not store payment card details. Lemon Squeezy receives your payment information directly and processes it under their own privacy policy.
2. How we use your data
We use your data to provide the SnapSharp API service, enforce usage limits, detect abuse, send transactional emails (signup, plan changes), and improve the product. We do not sell your data to third parties.
3. Data retention
Request logs are retained for 90 days. Account data is retained until you delete your account. Screenshots are not stored — they are returned directly in the API response or cached in Redis with a TTL of up to 24 hours, then automatically evicted.
4. Sub-processors
We use the following third-party sub-processors to operate the service. Each is bound by its own privacy policy and, where required, a Data Processing Agreement.
| Sub-processor | Purpose | Location |
|---|---|---|
| Lemon Squeezy | Payment processing & subscriptions (Merchant of Record) | USA |
| Clerk | User authentication & identity management | USA |
| Cloudflare | CDN, DDoS protection, DNS | USA / Global |
| Axiom | Structured log storage & observability | USA |
| Resend | Transactional email delivery | USA |
5. AI providers
SnapSharp offers AI-powered endpoints (/v1/analyze, auto-generated OG images via /v1/og-image, and design recommendations in /v1/site-audit). These endpoints are strictly Bring Your Own Key (BYOK): you configure your own AI provider credentials in Settings → AI and SnapSharp forwards requests directly to that provider on your behalf.
No default SnapSharp-operated AI provider. If you have not configured a provider, AI endpoints return no_ai_provider (HTTP 400) and no call is made. We do not silently substitute a fallback.
What is sent to your configured AI provider: the captured screenshot bytes (PNG, base64-encoded), the prompt text from the selected template, minimal page metadata (title, description, URL), and the request ID. Your AI provider API key is decrypted only in memory for the duration of the outbound call and is never logged.
What is NOT sent: your SnapSharp API key, your billing information, request logs of other users, or any data unrelated to the current AI request.
Retention on SnapSharp's side: screenshots used for AI requests are not persisted by SnapSharp. They exist transiently in memory during the request and in the Redis screenshot cache for up to 24 hours (then automatically evicted, same as any other screenshot). We do not use your screenshots, prompts, or AI responses to train models.
Data handling by your AI provider is governed entirely by that provider's own terms and privacy policy. You are the controller of this relationship — SnapSharp is a conduit. Common provider policies:
- Anthropic (Claude): anthropic.com/legal/privacy
- OpenAI: openai.com/policies/privacy-policy
- OpenRouter: openrouter.ai/privacy
- Custom endpoints: governed by the terms of the endpoint you configure.
Your AI provider API key is stored in our database encrypted with AES-256. You can rotate or delete it at any time from Settings → AI.
6. Your rights
You can request a copy of your data, request deletion of your account and associated data, or opt out of marketing emails at any time. Contact [email protected].
7. Data Processing Agreement (DPA)
Business customers who process personal data through our API can access our Data Processing Agreement for GDPR compliance purposes. You can also export or delete your account data at any time from your Account Settings.
8. California Privacy Rights (CCPA)
If you are a California resident, you have the following rights under the California Consumer Privacy Act (CCPA):
- Right to Know — request disclosure of the categories and specific pieces of personal information we have collected about you.
- Right to Delete — request deletion of personal information we have collected from you, subject to certain exceptions.
- Right to Opt-Out of Sale — we do not sell your personal information to third parties.
- Right to Non-Discrimination — we will not discriminate against you for exercising your CCPA rights.
To exercise these rights, email [email protected] with the subject line "CCPA Request". We will respond within 45 days.
9. Contact
Questions? Email [email protected].