
Privacy Policy

Last updated: March 30, 2026

This Privacy Policy explains how SnapStatic ("we", "us", "our") collects, uses, and protects your personal data when you use our website and services, including the website builder at studio.snapstatic.io and sites published through the platform. We are committed to safeguarding your privacy in accordance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

1. Data Controller

The data controller responsible for processing your personal data is:

SnapStatic
Contact: [email protected]

2. Data We Collect

We collect the following categories of personal data depending on how you use our service:

a) Account Data

When you create an account, you authenticate using a third-party OAuth provider (currently GitHub, Google, or X/Twitter) through our authentication service (Supabase). We receive and store your email address, display name, and profile avatar URL from the OAuth provider. We do not receive or store your OAuth provider password.

b) Payment Data

Payments are processed by our third-party payment processor, Lemon Squeezy (Lemon Squeezy LLC). We do not store your credit card number, bank account details, or other financial credentials on our servers. Lemon Squeezy may collect payment information, billing address, and transaction details as described in their Privacy Policy. We receive from Lemon Squeezy only the data necessary to verify your subscription status (customer ID, subscription status, plan type, and billing dates).

c) Usage Data

We may collect non-personally-identifiable information such as pages visited, feature usage, and error logs to improve the service. This data is processed in aggregate and is not used to identify individual users. Server logs containing IP addresses are retained for a maximum of 30 days and are used solely for security monitoring and abuse prevention.

d) Site Content and Media

When you use SnapStatic, your site content (text, configuration, settings) is stored in our database (Cloudflare D1). Media files you upload (images, documents) are stored in cloud storage (Cloudflare R2, EU region). This data is associated with your user account and is not shared with third parties except as necessary to serve your published site to visitors.

e) Contact Form Submissions

If your published site includes a contact form, visitor submissions are stored in our database and are accessible only to you (the site owner). We do not use submission data for marketing or share it with third parties. Submissions are retained as long as your site is active and are deleted when your site or account is deleted.

3. Purpose and Legal Basis

We process your personal data for the following purposes and legal bases under GDPR:

  • Contract performance (Art. 6(1)(b) GDPR): To provide the SnapStatic service, manage your account, store and serve your content, and process your subscription.
  • Legitimate interest (Art. 6(1)(f) GDPR): To maintain service security, prevent abuse, monitor for Terms of Service violations, and improve the service.
  • Legal obligation (Art. 6(1)(c) GDPR): To comply with tax, accounting, or other legal requirements related to payment processing.

4. Bot Protection (Cloudflare Turnstile)

We use Cloudflare Turnstile on selected forms to prevent automated abuse. Turnstile is cookie-free and only activates when the widget loads or a protected form is submitted.

For verification, Cloudflare may process limited technical data such as IP address, user-agent, and basic browser signals. This processing is carried out by Cloudflare as our data processor and is strictly necessary for service security (legitimate interest, GDPR Art. 6(1)(f)). Cloudflare does not use this data for advertising. See Cloudflare's Turnstile Privacy Addendum.

5. Third-Party Service Providers

We use the following third-party services (subprocessors) to operate SnapStatic:

  • Supabase (Supabase Inc., USA): Authentication and user profile database. Receives: email, OAuth profile data. Privacy Policy
  • Lemon Squeezy (Lemon Squeezy LLC, USA): Payment processing, invoicing, and tax compliance as Merchant of Record. Receives: billing and payment data. Privacy Policy
  • Cloudflare (Cloudflare Inc., USA): Hosting, content delivery, database (D1), object storage (R2), and bot protection (Turnstile). Receives: site content, media files, technical request data. Privacy Policy

Each provider processes data in accordance with their own privacy policies and applicable data processing agreements. We only share the minimum data necessary for each provider to fulfill their function.

6. Analytics on Published Sites

SnapStatic allows site owners to optionally integrate third-party analytics services on their published sites, including Google Analytics, Plausible, and Umami. When a site owner enables analytics, the respective provider collects data directly from site visitors.

SnapStatic does not control, process, or store analytics data collected by these third-party providers. The analytics scripts run directly between the visitor's browser and the analytics provider. Site owners are responsible for disclosing analytics tracking to their visitors and obtaining any required consent under applicable privacy laws.

SnapStatic itself does not use analytics or tracking scripts on the studio application (studio.snapstatic.io) or the landing page (snapstatic.io).

7. International Data Transfers

Some of our third-party service providers (Supabase, Lemon Squeezy, Cloudflare) may process data outside the European Economic Area (EEA), including in the United States. Where data is transferred outside the EEA, appropriate safeguards are in place, such as EU Standard Contractual Clauses (SCCs) or an adequacy decision by the European Commission, in accordance with GDPR Chapter V.

Cloudflare R2 storage used by SnapStatic is configured in the EU region (Western Europe).

8. Data Retention

We retain your data according to the following schedule:

  • Account data: Retained while your account is active. Deleted within 30 days of account deletion.
  • Site content and media: Retained while your account is active and the site exists. Deleted within 30 days of site or account deletion.
  • Contact form submissions: Retained while the associated site is active. Deleted when the site or account is deleted.
  • Post-cancellation data: If your subscription expires without renewal, site data is retained for 90 days to allow reactivation, then deleted.
  • Payment records: Transaction references and subscription history are retained for 7 years as required by tax and accounting regulations.
  • Server logs: IP addresses and request logs are retained for a maximum of 30 days.
  • Account deletion logs: A minimal deletion record (timestamp, anonymized identifier) is retained for 12 months for fraud prevention.

9. Your Rights (GDPR)

Under the EU General Data Protection Regulation, you have the right to:

  • Access (Art. 15): Request a copy of the personal data we hold about you
  • Rectification (Art. 16): Request correction of inaccurate data
  • Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten")
  • Restriction (Art. 18): Request restriction of processing in certain circumstances
  • Data portability (Art. 20): Request your data in a structured, machine-readable format. You can export your site content through the account settings.
  • Object (Art. 21): Object to processing based on legitimate interest
  • Complaint: Lodge a complaint with a supervisory authority if you believe your rights have been violated

To exercise these rights, contact us at [email protected]. We will respond within 30 days as required by GDPR. We may ask you to verify your identity before processing your request.

10. Your Rights (CCPA — California Residents)

If you are a California resident, the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA) provide you with additional rights regarding your personal information:

  • Right to Know: You may request that we disclose the categories and specific pieces of personal information we have collected about you.
  • Right to Delete: You may request deletion of your personal information, subject to certain legal exceptions.
  • Right to Opt-Out of Sale: We do not sell your personal information to third parties.
  • Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights.

To exercise these rights, contact us at [email protected]. We will verify your identity and respond within 45 days as required by CCPA.

11. Children's Privacy

SnapStatic is not directed at children under 16 years of age. We do not knowingly collect personal data from children under 16. If you are a parent or guardian and believe your child has provided personal data to us, please contact us at [email protected] and we will promptly delete the account and associated data.

12. Cookies and Local Storage

SnapStatic uses essential cookies for authentication purposes only (session tokens set by Supabase). These cookies are strictly necessary for the service to function and do not require consent under the ePrivacy Directive. We do not use advertising, tracking, or analytics cookies on the SnapStatic application.

SnapStatic uses browser localStorage to persist editor state (draft content, UI preferences) between sessions. This data stays on your device and is not transmitted to our servers except when you explicitly save or publish.

13. Data Security

We implement appropriate technical and organizational measures to protect your personal data, including:

  • Encryption in transit (HTTPS/TLS for all connections)
  • Authentication tokens hashed with SHA-256 before storage
  • Rate limiting to prevent brute-force and abuse
  • Role-based access controls for administrative functions
  • Data stored in Cloudflare's infrastructure with enterprise-grade security

No method of transmission or storage is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.

14. Data Breach Notification

In the event of a personal data breach that poses a risk to your rights and freedoms, we will:

  • Notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33
  • Notify affected users without undue delay if the breach is likely to result in a high risk to their rights and freedoms, as required by GDPR Article 34
  • Document the breach, its effects, and the remedial actions taken

15. Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices or legal requirements. For material changes, we will provide at least 14 days' notice by updating the date at the top of this page and notifying you through the application or by email. Continued use of the service after the notice period constitutes acceptance of the updated policy.

16. Sarili Mo Na Lead Magnet — Specific Data Handling

Philippine Data Privacy Act (RA 10173) compliance

SnapStatic complies with Republic Act 10173 (the Philippine Data Privacy Act of 2012) with respect to personal data collected from users who submit their email address via the Sarili Mo Na inline gate or any other Sarili Mo Na or Padala Na Kumikita content gate. Data subjects whose data is collected through these mechanisms have the following rights under RA 10173:

  • Right to be informed: You have the right to know how your data is being collected and processed.
  • Right to access: You may request a copy of the personal data we hold about you.
  • Right to correct: You may request correction of inaccurate or incomplete data.
  • Right to erasure or blocking: You may request deletion or blocking of your personal data when it is no longer necessary for the purpose for which it was collected.
  • Right to object: You may object to the processing of your personal data for direct marketing or other purposes.
  • Right to data portability: You may request a copy of your data in a structured, commonly used format.

To exercise any of these rights, contact us at [email protected]. We will respond within 15 business days as required by the National Privacy Commission guidelines.

The ss_gate cookie

When you successfully pass the Sarili Mo Na inline gate, a cookie named ss_gate is set in your browser. This cookie:

  • Contains an HMAC-SHA256 signed token encoding only your email address and a timestamp. The cryptographic signature prevents the token from being forged or tampered with.
  • Is set with a 1-year expiry, SameSite=Lax, and the Secure flag.
  • Is used solely to let returning readers skip re-entering their email on subsequent visits to gated content on snapstatic.io. The cookie is not used to track you across other websites.
  • Does not contain advertising identifiers, device fingerprints, or any data beyond your email and timestamp.

IP address and country data

When you submit your email via a Sarili Mo Na gate, two request headers provided by Cloudflare are logged alongside your subscriber record:

  • CF-Connecting-IP: Your IP address at the time of submission, used for abuse prevention (e.g., blocking bulk submission attempts from a single IP).
  • CF-IPCountry: A two-letter country code derived from your IP address, used for coarse geographic analytics (e.g., understanding what share of readers are in the Philippines). This data is country-level only; we do not derive more precise location data.

This data is not sold and is not shared with any third party except as described in the Third-Party Processors section below. IP addresses are not retained beyond 90 days from the date of collection.

Source tracking

When you subscribe through a gate, a source field is stored alongside your email record. This field identifies which post or gate captured your subscription (for example, gate:en:sarili-mo-na). This allows follow-up emails to be relevant to the content you signed up through. This field is not visible to third parties and is used only for internal list segmentation.

Unsubscribe

You can unsubscribe from Sarili Mo Na emails at any time using the one-click unsubscribe link included in every email, which calls our /api/unsubscribe endpoint (see Section 15 for the full unsubscribe policy). Unsubscribes are honored immediately: your record is flagged and no further marketing emails are sent. We do not apply a waiting period.

Data retention for gate subscribers

When you unsubscribe, your subscriber record is deleted from our KV store at the time of unsubscription. IP address and country data associated with your subscription are not retained beyond 90 days from the date of collection, regardless of subscription status.

Third-party processors for Sarili Mo Na data

The following third-party processors are involved specifically in the Sarili Mo Na lead magnet flow, in addition to the processors described in Section 5:

  • Cloudflare (Cloudflare Inc., USA): Hosts the gate worker and KV store where subscriber records are held. Also provides Turnstile CAPTCHA used on the gate form to prevent bot submissions. Privacy Policy
  • Resend (Resend Inc., USA): Transactional email delivery service used to send the lead magnet delivery email and any follow-up emails to gate subscribers. Privacy Policy

17. Contact

If you have questions about this policy or your data, or would like to exercise your privacy rights, please contact: [email protected]

We aim to respond to all privacy-related requests within 30 days. For complex requests, we may extend this by an additional 60 days with notice.

© 2026 SnapStatic
