Privacy Policy
Last updated: April 26, 2026
This Privacy Policy describes how SnapToast collects, processes, and protects the personal data of users of the application. We care about your privacy and only process data to the extent necessary to provide our services.
1. Data Controller
The controller of your personal data is:
- SnapToast
- General contact: hello@snaptoast.app
- Data protection contact: dane@snaptoast.app
2. Purpose and Legal Basis for Data Processing
We process your personal data on the following legal bases:
Performance of the service (Art. 6(1)(b) GDPR)
Processing is necessary to perform the contract: providing the photo collection app, managing events, handling photobook orders and payments.
Consent (Art. 6(1)(a) GDPR)
Processing of photos, videos, and audio uploaded by guests is based on voluntary consent given before using the application.
Legitimate interest (Art. 6(1)(f) GDPR)
Analytics (anonymous, cookie-free), ensuring service security, preventing abuse, and improving the quality of the application.
3. Categories of Data Collected
We collect the following data when you use the application:
- Email address: event administrator account, optionally guest profile
- Photos, videos, and audio recordings: uploaded by guests as part of an event
- Device identifier (device_fingerprint): a random UUID assigned to the browser, used to identify a guest without requiring login
- IP address: automatically collected in server logs, stored temporarily
- Nickname: optionally provided by the guest for display in the gallery
- Avatar: optionally uploaded guest profile photo
- Photo metadata: EXIF data is automatically stripped from photos before saving to protect location and other sensitive information
4. Data Recipients (Sub-processors)
To provide our services, we use trusted third-party providers with whom we share data only to the extent necessary:
| Name | Purpose | Region | Compliance |
|---|---|---|---|
| Infrastructure and database provider | Hosting accounts, event data, and service operations | EU | SOC 2 |
| Object storage provider | Storing photos, videos, and audio recordings | EU | SOC 2, ISO 27001 |
| Payment processor | Card, BLIK, and P24 payments, plus payouts to event hosts | EU and third countries (SCCs) | PCI DSS Level 1 |
| Transactional email provider | Sending event notifications and confirmations | Third countries (SCCs) | SOC 2 |
| Anonymous visitor analytics | Page visit statistics without cookies and without tracking | EU | GDPR without cookies |
| Optional image analysis | Face detection for cropping, photo quality scoring, content moderation | EU and third countries (SCCs) | SOC 2, ISO 27001 |
| Photobook print partner | Printing and shipping ordered photobooks (recipient address details) | EU | GDPR |
| Application error monitoring | Diagnosing crashes and technical errors | EU | SOC 2 |
A full list of sub-processors is available on request at dane@snaptoast.app.
5. Data Retention Period
- Admin account data: until the account is deleted.
- Event data and guest photos are deleted according to your plan: Free Plan, 30 days after the event expiration date; Pro Plan, 365 days after the event expiration date. The expiration date is the point after the event date when no more photos can be added. The admin sets it when creating the event (up to 3 days after the event date). We send an email notification 14 days before deletion.
- Time Capsule (photos with delayed access): unlocked on the date set by the guest, up to the event data deletion date at the latest.
- Photobook orders and shipping data: up to 5 years after order fulfillment (required by accounting regulations).
- Server logs (IP, user-agent): up to 90 days.
- Payment and payout data: in accordance with applicable tax regulations, up to 5 years.
6. Your Rights
As a data subject, you have the following rights:
- Right of access (Art. 15 GDPR): obtain information about what data we process about you
- Right to rectification (Art. 16 GDPR): correct inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR): request deletion of your data ("right to be forgotten"). Guests can use the "Delete my data" option in the guest profile menu, administrators in account settings.
- Right to data portability (Art. 20 GDPR): receive your data in a machine-readable format
- Right to object (Art. 21 GDPR): object to processing based on legitimate interest
- Right to withdraw consent: at any time, without affecting the lawfulness of processing carried out before withdrawal
You also have the right to lodge a complaint with the supervisory authority, the President of the Personal Data Protection Office (UODO): uodo.gov.pl.
7. Cookies and Local Browser Data
SnapToast minimizes the use of cookies and local browser data:
- Anonymous analytics: does not use cookies or track users across sites. Fully GDPR-compliant without consent.
- Essential cookies: authentication session, guest device identifier (1 year), and saving consent choices. Required for the app to work.
- Local browser data (localStorage / IndexedDB): device identifier, queue of photos to upload in offline mode, and saved consent choices. This data stays only in your browser and is not sent to our servers.
8. Contact Regarding Personal Data
For matters related to personal data protection, please contact our Data Protection Officer:
See also: Terms of Service