We collect only the data needed to run the service. We never sell your data to third parties. You can request deletion of your account and all your data at any time.
01. Who we are
SnapCost is a Progressive Web App (PWA) for freelancers and self-employed professionals to manage expense reports, receipts, financial reports, and invoices.
Data controller: SnapCost SAS
Contact: [email protected]
02. Data we collect
We collect the following data when you use SnapCost:
| Category | Data | Purpose |
|---|---|---|
| Account | Email address, full name, hashed password (bcrypt), Google ID (if you sign in with Google) | Authentication and account management |
| Expenses | Receipt photos, amounts, currencies, categories, dates, notes | Providing the expense-tracking service |
| Invoices | Client information, invoice line items, totals, payment statuses | Generating professional documents |
| Payments | Stripe customer ID, subscription status (no payment-card details are ever stored on our servers) | Pro subscription management |
| Affiliate | Referral link, anonymized clicks, commissions earned | SnapCost affiliate program |
| Technical | Error logs, language preferences, JWT session token | Reliability, debugging and personalization |
We do not collect sensitive information (health data, ethnic origin, political opinions), precise location data, or external browsing history.
03. Legal basis for processing (GDPR)
- Performance of contract — processing your account and expense data to provide the service
- Legitimate interest — service improvement, security and fraud prevention
- Consent — sending monthly summaries and tips by email (can be turned off in settings at any time)
- Legal obligation — retention of invoicing data for the legally required period
04. Data storage and security
Your data is stored on secure servers hosted in Europe. We apply the following measures:
- Free plan: data stored locally on your device, limited backups
- Pro plan: encrypted cloud sync, automatic daily backups
- Passwords hashed with bcrypt (never stored in plain text)
- Communications encrypted via HTTPS/TLS
- Time-limited JWT tokens for sessions
- Receipt photos stored on our secure infrastructure, not publicly accessible
If you sign in via Google, we receive only your email, name and Google ID. We never store your Google password and never access your Google Drive or Gmail data.
05. Sharing of data
We share your data only with the following processors, strictly to the extent needed to operate the service:
- Stripe (Stripe Payments Europe, Ltd.) — payment and subscription processing. Stripe is PCI DSS Level 1 certified. Your payment-card details never pass through our servers.
- Resend — sending transactional emails (account confirmation, summaries, password recovery)
- Upstash Redis — session caching and queue management
We never sell, rent or share your personal data for advertising or commercial purposes.
06. Cookies and local storage
SnapCost uses a minimal set of storage technologies:
- localStorage — JWT session token, language preferences and offline data (receipts pending sync)
- No third-party tracking cookies — we do not use Google Analytics, Facebook Pixel or any other ad trackers
- Session cookie — lifetime limited to 7 days
07. Affiliate program
If you participate in the SnapCost affiliate program, we collect:
- The number of clicks on your referral link (anonymized)
- Conversions generated (sign-ups, subscriptions)
- Commissions accumulated and paid out
A 30-day tracking cookie is placed in the browser of visitors who click your link, solely to attribute the conversion. This cookie contains no personal information.
08. Your rights (GDPR)
As a user residing in the European Union, you have the following rights:
- Right of access — obtain a copy of all your personal data
- Right of rectification — correct inaccurate data
- Right to erasure — request deletion of your account and all your data
- Right to portability — receive your data in a structured format (JSON, CSV)
- Right to object — object to processing for marketing purposes
- Right to restriction — restrict processing in certain cases
To exercise these rights, send an email to [email protected]. We respond within 30 days. You also have the right to lodge a complaint with the relevant data-protection authority (e.g. the CNIL in France — www.cnil.fr).
09. Data retention
| Type of data | Retention period |
|---|---|
| Active account data | Subscription duration + 30 days after deletion |
| Invoicing data | 10 years (legal accounting obligation) |
| Security logs | 12 months |
| Affiliate data | Duration of program + 2 years |
| Receipt photos | Deleted immediately on request |
10. Changes to this policy
For any substantial change to this policy, we will notify you by email at least 30 days in advance. The current version is always available on this page along with its update date.
11. Contact us
For any question regarding the privacy of your data:
- Email: [email protected]
- Response time: within 5 business days
For general support, see our support page.