1. Who we are
SnapDiff is operated by Corra LLC (“SnapDiff,” “we,” “us,” or “our”), a California limited liability company with a registered address at 2108 N Street, Suite N, Sacramento, CA 95816 (c/o Northwest Registered Agent, Inc.). We provide a visual regression testing service that captures screenshots of web pages and compares them pixel by pixel.
This Privacy Policy explains what personal data we collect when you visit snapdiff.ai, sign up for an account, or use the SnapDiff API, MCP server, or dashboard (collectively, the “Service”). For the purposes of the EU/UK General Data Protection Regulation (GDPR), Corra LLC is the data controller for personal data we collect about you directly. For the screenshot artifacts you generate using the Service, we act as a processor on your behalf.
2. What we collect
Account data
- Email address — required to create an account and receive transactional email.
- Password hash — stored using a one-way cryptographic hash. We never store plaintext passwords.
- OAuth identifiers — if you sign in with Google or GitHub, we receive your provider ID, email address, and (optionally) display name. We do not receive your provider password.
- Email verification token — temporary, expires after use.
Billing data
- Stripe customer ID and subscription metadata — we store these in our database.
- Payment card details — we never see or store your card number. Payment data is collected and processed directly by Stripe, our payment processor. See Stripe’s privacy policy.
- Billing address and tax information — collected by Stripe as required for invoicing and tax compliance.
Usage data
- API request logs — endpoint, HTTP status, response time, API key ID, timestamp, and originating IP address. Used for rate limiting, debugging, billing, and abuse prevention.
- Diff and screenshot job metadata — the URLs you submit, options you set (thresholds, viewport size, masking selectors), and job outcomes.
- API keys — we store a hash of each key; the plaintext key is shown to you only at creation time.
- Project and build records — project names, page URLs, baseline references, build history, and approval state.
Webhook and integration data
- Webhook URLs you configure for watchers and build notifications.
- GitHub personal access tokens or installation IDs if you connect a GitHub repository for PR status integration. These are encrypted at rest.
Technical data
- IP address of devices accessing the Service.
- User-agent and basic browser headers.
- Session cookie identifier for dashboard authentication.
We do not currently run third-party advertising or behavioral-analytics trackers on snapdiff.ai.
3. Screenshots of URLs you submit
The core of the Service is fetching the URLs you submit and capturing screenshots of the rendered pages. Because we render URLs on your behalf, the resulting screenshots may capture whatever content is visible on those pages, which can include third-party content or personal information depending on what you submit.
Authenticated capture. If you provide credentials, cookies, or authentication headers so SnapDiff can capture pages behind a login, you do so at your own risk. We transmit these to the rendering browser only for the duration of the job and do not persist them after the job completes, but you should treat any credentials shared with a third-party rendering service as potentially exposed.
Cookie and ad blocking. By default the Service blocks 40+ cookie-consent banners, 20+ chat widgets, and 30+ ad/tracker domains during capture to produce clean screenshots. These blocks happen inside our headless browser and do not affect the live site.
4. How we use your data
- Provide the Service — run diffs, store screenshots, manage projects, deliver webhooks, send transactional email.
- Bill you — meter usage against your plan, charge overages, send invoices via Stripe.
- Rate-limit and prevent abuse — enforce per-plan request quotas, detect and block credential stuffing, scraping at scale, or other prohibited use.
- Debug and improve the Service — investigate failures, monitor reliability, and improve performance. We use aggregated, non-personal usage statistics for product analytics.
- Communicate — send account, security, and billing emails. We do not send marketing email unless you opt in.
- Comply with law — respond to lawful requests from courts, regulators, and tax authorities; enforce our Terms.
We do not sell your personal data. We do not share personal data with third parties for their own marketing purposes.
5. Legal bases (GDPR)
If you are in the EU, UK, or another GDPR-aligned jurisdiction, the legal bases on which we process your personal data are:
- Performance of a contract — to provide the Service you signed up for (account, API access, billing).
- Legitimate interests — to secure the Service, prevent fraud and abuse, and improve our product. We balance these interests against your rights and have determined they do not override your fundamental rights and freedoms.
- Legal obligation — to meet tax, accounting, and other statutory record-keeping requirements.
- Consent — for any optional processing where we ask for it (you can withdraw consent at any time).
6. Cookies and similar tech
SnapDiff uses only strictly necessary cookies:
- Session cookie — an HTTP-only, secure, SameSite=Lax cookie used to keep you signed in to the dashboard. Without it the Service cannot identify your session.
- CSRF token (where applicable) — used to protect form submissions against cross-site request forgery.
We do not currently set advertising, behavioral-analytics, or social-media cookies. Because all cookies we set are strictly necessary for the Service to function, we do not display a cookie consent banner. If we add non-essential cookies in the future, we will update this policy and present a consent banner where required.
7. Sub-processors
We use a small number of trusted service providers (“sub-processors”) to operate the Service. Each is bound by a data processing agreement and processes data only on our instructions and on terms at least as protective as this policy.
| Provider | Purpose | Data | Region |
|---|---|---|---|
| Cloudflare R2 | Screenshot & diff image storage, CDN delivery | Captured images, project metadata | Global (Cloudflare network) |
| Stripe | Payment processing & subscription billing | Name, email, billing address, card data (handled directly by Stripe) | US / EU |
| Resend | Transactional email (verification, alerts, billing) | Email address, message content | US |
| Railway | Application hosting, compute, and managed Postgres database | All Service data at rest and in transit (account, billing, usage records, screenshots metadata) | US-East |
| Google (OAuth) | Optional sign-in | Email, OAuth ID, display name (if you choose) | Global |
| GitHub (OAuth + status checks) | Optional sign-in & PR status integration | Email, OAuth ID, repo metadata (if you connect) | Global |
We will give at least 30 days’ notice of any new sub-processor by updating this page. If you have concerns about a new sub-processor, you may terminate your subscription at any time.
8. Data retention
- Account data — retained while your account is active and for up to 12 months after deletion, then purged (financial records may be kept longer where required by law).
- Screenshots and diff images — retained for the duration of your subscription plus 30 days, then deleted from object storage. You may delete individual projects or builds from the dashboard at any time.
- API request logs — retained for 90 days, then aggregated or deleted.
- Billing and tax records — retained for the period required by applicable tax law (typically 7 years).
- Webhook secrets, GitHub PATs, and similar credentials — deleted when you remove the integration. Stored encrypted at rest.
9. Security
We apply industry-standard controls to protect your data:
- All traffic to snapdiff.ai and api.snapdiff.ai is served over TLS 1.2+.
- Passwords are hashed with a memory-hard algorithm; we never store plaintext passwords.
- API keys are stored as hashes; plaintext keys are shown only once at creation.
- Sensitive integration credentials (GitHub PATs, webhook secrets) are encrypted at rest.
- Access to production systems is restricted to a small number of authorized personnel and protected by multi-factor authentication.
- Object storage (Cloudflare R2) is private by default; image URLs are unguessable and may be time-limited.
No system is perfectly secure. If you believe you have discovered a vulnerability, please email security.snapdiff@corralimited.com. We will acknowledge reports within 5 business days and work with you to remediate the issue.
10. International transfers
SnapDiff is operated from the United States. If you access the Service from outside the US, your personal data will be transferred to and processed in the US. Where we transfer data from the EU, UK, or Switzerland to a country that has not been recognized as providing an adequate level of protection, we rely on the European Commission’s Standard Contractual Clauses (or the UK addendum) with our sub-processors and apply supplementary technical and organizational measures where appropriate.
11. Your rights (GDPR / UK GDPR)
If you are in the EU, UK, or Switzerland, you have the right to:
- Access the personal data we hold about you.
- Rectify inaccurate or incomplete data.
- Erase your data (“right to be forgotten”), subject to legal retention requirements.
- Restrict or object to certain processing.
- Port your data to another service in a structured, machine-readable format.
- Withdraw consent at any time for processing based on consent.
- Lodge a complaint with your local supervisory authority.
To exercise any of these rights, email privacy.snapdiff@corralimited.com. We will respond within 30 days. For account-data requests we may ask you to verify ownership of the account email.
12. California disclosures (CCPA / CPRA)
If you are a California resident, you have the right to:
- Know the categories of personal information we collect, the sources, and the purposes for which we use it (see sections 2 and 4 above).
- Request a copy of the personal information we have about you.
- Request deletion of your personal information.
- Correct inaccurate personal information.
- Opt out of the “sale” or “sharing” of personal information — we do not sell or share personal information as those terms are defined under the CCPA/CPRA.
- Not be discriminated against for exercising these rights.
To submit a request, email privacy.snapdiff@corralimited.com. You may also designate an authorized agent to submit a request on your behalf, subject to reasonable verification.
Do Not Sell or Share My Personal Information
Corra LLC does not sell or share your personal information as those terms are defined under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA). We do not exchange personal information for monetary or other valuable consideration, and we do not share personal information with third parties for cross-context behavioral advertising.
Because we do not engage in sale or sharing, there is no opt-out for you to exercise. Nevertheless, if you would like written confirmation of this, or if you wish to instruct us to treat any specific information you have given us as “not for sale or sharing” out of an abundance of caution, email privacy.snapdiff@corralimited.com. We will acknowledge your request within 10 business days and confirm in writing.
We also honor the Global Privacy Control (GPC) signal as a valid opt-out request from any browser that sends it.
13. Children
SnapDiff is a developer tool intended for use by businesses and adult software developers. The Service is not directed to children under 16, and we do not knowingly collect personal information from anyone under 16. If you believe a child has provided us with personal information, contact us at privacy.snapdiff@corralimited.com and we will delete it.
14. Changes to this policy
We may update this Privacy Policy from time to time. When we make material changes, we will update the “Last updated” date at the top of this page and, where appropriate, notify account holders by email at least 14 days before the change takes effect. Continued use of the Service after a change takes effect constitutes acceptance of the updated policy.
15. Contact
Questions, requests, or complaints about privacy:
- Email: privacy.snapdiff@corralimited.com
- Mail: Corra LLC, c/o Northwest Registered Agent, Inc., 2108 N Street, Suite N, Sacramento, CA 95816, USA
For security disclosures: security.snapdiff@corralimited.com.