Privacy Policy
Last updated: March 28, 2026
This Privacy Policy describes how SnapToast collects, processes, and protects the personal data of users of the application. We care about your privacy and only process data to the extent necessary to provide our services.
1. Data Controller
The controller of your personal data is:
- SnapToast
- Contact email: hello@snaptoast.app
- Data Protection Officer (DPO): dane@snaptoast.app
- Location: Poland
2. Purpose and Legal Basis for Data Processing
We process your personal data on the following legal bases:
Performance of the service (Art. 6(1)(b) GDPR)
Processing is necessary for the performance of a contract – providing the photo collection app, managing events, processing photobook orders, and handling payments.
Consent (Art. 6(1)(a) GDPR)
Processing of photos, videos, and audio uploaded by guests is based on voluntary consent given before using the application.
Legitimate interest (Art. 6(1)(f) GDPR)
Analytics (anonymous, cookie-free), ensuring service security, preventing abuse, and improving the quality of the application.
3. Categories of Data Collected
We collect the following data when you use the application:
- Email address – event administrator account, optionally guest profile
- Photos, videos, and audio recordings – uploaded by guests as part of an event
- Device identifier (device_fingerprint) – a random UUID assigned to the browser, used to recognize a returning guest without requiring login
- IP address – automatically collected in server logs, stored temporarily
- Nickname – optionally provided by the guest for display in the gallery
- Avatar – optionally uploaded guest profile photo
- Photo metadata (EXIF) – not stored: EXIF data is automatically stripped from photos before saving, so GPS location and other sensitive metadata do not reach our storage
4. Data recipients (sub-processors)
To provide our services, we use trusted third-party providers with whom we share data only to the extent necessary:
| Name | Purpose | Region | Compliance |
|---|---|---|---|
| Supabase | Database, authentication, real-time communication | EU / US | SOC 2 Type II |
| Cloudflare R2 | Storage of photos, videos, and avatars | Global CDN network | SOC 2, ISO 27001 |
| Stripe | Payment processing (photobooks, TipJar) | Global (EU certified) | PCI DSS Level 1 |
| Resend | Sending transactional emails and notifications | US | SOC 2 Type II |
| Plausible Analytics | Website traffic analytics (no cookies, anonymous) | EU | GDPR-native, no cookies |
| AWS Rekognition | Face detection in photos (optional, for photobook cropping) | eu-central-1 (Frankfurt) | SOC 1/2/3, ISO 27001 |
| Anthropic | AI photo quality scoring (optional, for automatic selection) | US | SOC 2 Type II |
| Gelato | Printing and shipping photobooks (delivery address) | EU | GDPR |
5. Data retention period
- Admin account data – until account deletion.
- Event data and guest photos – 12 months from the event date. The administrator receives an email notification 14 days before the data is deleted.
- Server logs (IP address, user-agent) – up to 90 days.
- Payment data – as long as required by applicable tax regulations (up to 5 years).
6. Your rights
As a data subject, you have the right to:
- Right of access (Art. 15 GDPR) – obtain information about what data we process about you
- Right to rectification (Art. 16 GDPR) – correct inaccurate or incomplete data
- Right to erasure (Art. 17 GDPR) – request deletion of your data ("right to be forgotten"). Guests can use the "Delete my data" option in the guest profile menu; administrators can do so in account settings.
- Right to data portability (Art. 20 GDPR) – receive your data in a machine-readable format
- Right to object (Art. 21 GDPR) – object to processing based on legitimate interest
- Right to withdraw consent – at any time, without affecting the lawfulness of processing carried out before withdrawal
You also have the right to lodge a complaint with a supervisory authority – the President of the Personal Data Protection Office (UODO): uodo.gov.pl.
7. Cookies
SnapToast minimizes the use of cookies:
- Analytics (Plausible) – does not use cookies and does not track users across sites, so it can run without a consent banner.
- Essential cookies – authentication session (Supabase Auth), guest device identifier (device_id, 1 year), and storage of your GDPR consent choice. Required for the application to function and therefore not subject to consent.
8. Contact regarding personal data
For matters related to personal data protection, please contact our Data Protection Officer at dane@snaptoast.app.
See also: Terms of Service