24 May 2021
This Policy describes how we obtain and use personal data (which can be used to identify a specific individual) and anonymous data (which can’t) about our users. We may change this Policy at any time by posting the revised Policy here. We will notify current users of major changes through email. While we need certain Personal Data to provide the Services, we try to collect only what we need.
- Region Specific Provisions. Parts of the Policy apply only to people subject to geographically defined privacy laws like the California Consumer Privacy Act (“CCPA”), the European Union’s General Data Protection Legislation (“GDPR”) and Brazil’s LGPD. These provisions are clearly labeled. Otherwise, the Policy applies equally to all users of our Services.
- Changes. We may change this Policy at any time. When we do so, we will post the updated Policy on this page and, if the changes are material, inform existing users through email or the Services.
- Children. The Services are not directed to children. However, children who are invited to use the Services by a parent or guardian (under a Team Plan or equivalent) may do so. If you become aware that a child (based on the jurisdiction where the child lives, which in the United States means someone under 13) has provided us with Personal Data without parental consent, contact our help center. We will promptly remove such information from our systems.
- Personal and Anonymous Data. As used in this Policy, “Personal Data” means information that, either alone or when combined with other information we hold, identifies an individual, such as name, mailing address, email address, IP address, or telephone number. “Anonymous Data” means data that, alone or combined with other information available to us or a third party with whom the data is shared, does not permit identification of an individual. We collect and use both Personal Data and Anonymous Data as described below.
- Why Do We Need Your Personal Data? We need certain Personal Data to provide the Services. You will be asked to provide this information — and must agree to this Policy and the Terms — to download and use the Apps. This consent, which you may withdraw at any time, provides the legal basis we need to process your Personal Data. You are not required to provide the Personal Data that we request, but we may not be able to provide you with the Services or respond to your inquiries if you don’t.
- Who We Are. For the purpose of the GDPR, LGPD, and other legislation that requires the identification of a data controller of your Personal Data, the controller is Sniptt. You may contact our data protection officer at firstname.lastname@example.org.
- Must Read Sections: Please carefully review the sections entitled “Data Security and International Transfer” and “Your Rights Regarding Personal Data.”
We get data that you provide (such as when you create an Account or pay for a Subscription), that others provide (when you are invited to use Sniptt by your employer), that we obtain automatically from the Apps or through cookies, and from third parties. Personal Data we collect includes your email (used to create an Account) and (for Subscriptions) certain billing information, although complete payment information is only stored by our payment processors. We do not and cannot know your Master Password and, because of that, we do not and cannot know what Secured Data you store on the Services. We use technology to collect usage data that we use to provide and improve the Services.
We collect information in the following ways:
- Information You Provide.
  - Registration Data. You must create an Account to use an App, and to do so you must provide a valid email address that will be used as your login to the Services. The only Personal Data required to open a Sniptt Free account is your email. For paid Accounts, users must provide billing data as specified below. It is critical to keep registration data current. We must be able to verify that you are the Account owner to respond to certain customer service requests. If you lose access to the validated email address associated with your Account or a phone number used to validate your identity (if applicable), you may be locked out of your Account, and we may be unable to help you.
  - Billing Data. We use third party service providers to process payments made through the Site. We may be able to access the name, address and phone number associated with a payment method on a payment processor’s service, but this information is only stored by the processor. We never have your complete credit card information, nor do we receive or store any billing data if you pay for a Subscription.
  - Master Password. Each user must create a “Master Password,” which is used to access their Account and generate the encryption keys that secure the information they store in the Apps (“Secured Data” as further defined below). Ultimately, the more secure a Master Password is, the safer Secured Data will be. Sniptt’s Zero Knowledge technology ensures that we do not and cannot know our users’ Master Passwords or the data used to generate encryption keys, so we cannot access Secured Data. There is no backdoor or master key; even if a hacker somehow obtained all the Secured Data on our servers, they would have to hack each Account separately. Apps do not store Master Passwords locally unless specifically directed by the user. If you direct an App to retain your Master Password and your device is stolen or compromised, your Secured Data may be exposed.
  - Secured Data. Our Apps let you manage digital identity data, including sensitive information like credit card numbers and site or application credentials. This, and everything else you store on the Apps, is Secured Data. Secured Data is always encrypted when transmitted and stored and may only be decrypted locally on an authorised device. Secured Data on Sniptt servers cannot be accessed by Sniptt because we do not have access to the encryption key as noted above.
  - Support and Correspondence. You may provide Personal Data in connection with user support requests and inquiries from our Site. User support histories are maintained until seven (7) days after the associated Account is deleted.
  - Feedback. If you provide us with Feedback, or suggestions made via Productboard and other direct research or outreach, we may use Personal Data provided with the Feedback to respond to you. We may use Feedback without limitation as described in the Terms.
  - Other Data. We may also collect other types of information in the manner disclosed by us when the information is collected.
- Device and Browser Data. We automatically log the following information (as applicable) when you access the Services: operating system name and version, device identifier, browser type, browser language, and IP address. This data is used to secure your Account, ensure the Services are presented in the correct language and optimised for your device, facilitate customer support, and for tax and compliance purposes (e.g., using the region associated with your IP address to display local regulatory notices). This data is kept in our system until seven (7) days after you delete your Account.
- Usage Data. We use logs to collect data about the use of the Services (“Usage Data”). We maintain two types of Usage Data: Event Data, which is linked to Registration Data, and Behavioral Data, which is fully anonymous.
  - “Event Data” refers to the use of the Apps’ internal functions (e.g., what features are enabled, how many credentials are stored in Secured Data), and is used to provide relevant information and support to the user and to deliver, analyse and improve the Services. Event Data does not include information about how the Services interact with third parties. After an Account is deleted, Event Data is retained, but is fully anonymised (even if the same user created a new Account, Event Data from the old Account could not be associated with the new one). Retention of anonymised Event Data is necessary to maintain accurate historical records of the use of the Services. Certain Sniptt personnel can access Event Data to analyse the use of the Services and provide user and technical support. Event Data is used by the Services to automatically generate context-appropriate alerts (e.g., account set-up notices), and to generate Aggregated Data.
- Aggregated Data. We derive additional information about the use of our Services by aggregating Usage Data (e.g., number of users within a particular jurisdiction, most popular features). This “Aggregated Data” is Anonymous Data, is owned by Sniptt, and is primarily used to help analyse and improve the Services.
We use Personal Data to validate your Account, provide the Services, provide user support, communicate with you, and coordinate marketing efforts. We do not perform any automated decision making or profiling with your Personal Data.
- General. Sniptt uses Personal Data to provide and promote the Services and respond to your requests, including to:
  - Establish, maintain, and secure your Account.
  - Identify you as a user and provide the Services you request.
  - Perform fraud detection and authentication.
  - Measure Usage Data to improve the Services and your interactions with them.
  - Send you administrative notifications, such as payment reminders or support and maintenance advisories. You will receive these notices even if you choose not to receive marketing communications.
  - Provide you with interfaces and options you request or as required by the jurisdiction from which you access the Services.
  - Provide personalised information by identifying whether you have used specific features within the Services, visited pages on our Site, or seen one of our advertisements.
  - Respond to customer support inquiries and other requests.
  - Promote the Services or send you other Sniptt marketing information, including announcements about offerings from selected Sniptt partners. Certain users, including those in Europe and Britain, must opt-in to receive marketing communications when creating an Account or afterwards. Users elsewhere (and those in Europe and Britain who have previously opted in) may always elect to stop receiving such communications.
  - Manage advertising efforts on third party sites and platforms as further described below.
We never sell our users’ Personal Data. We share Personal Data with service providers who are contractually obliged to comply with all applicable laws (e.g., GDPR) and who only have access to the data they need to provide the relevant Services. The Services will share Secured Data (which may include Personal Data) with others as you direct. We may share Personal Data with our affiliates, all of whom are bound by this Policy, or with an acquirer if Sniptt is sold or merged. Finally, we may disclose Personal Data where required by law or where we believe it is necessary to protect our rights or the Services.
Sniptt will never sell your Personal Data (as “sell” is normally defined – see Sections 2(b) and 8 for information about “sales” as defined in California) or use it except as stated in this Policy. We share your Personal Data in the following circumstances:
- Third Parties You Designate. The Services will share Secured Data (which may include Personal Data) with third parties as instructed by you (e.g., when using the Services’ “sharing” feature). While this data is transferred through our servers, we do not have access to it, as noted elsewhere in this Policy.
- Service Providers. We share Personal Data with service providers solely as required to provide the Services, including to create Accounts, provide customer support, process payments, or enable communication between you and Sniptt (for example, Personal Data related to customer support requests is available to our agents on Zendesk). We review the security and data privacy practices of these service providers to ensure that they comply with applicable laws and this Policy. Secured Data stored by our data hosting provider (AWS) is always encrypted as described above.
- Corporate Restructuring. If Sniptt or its business or assets are acquired by, or merged into, another company, that company will possess any Personal Data we hold at such time, and will assume our rights and obligations under this Policy. Accordingly, we may share Personal Data in connection with any such transaction. Personal Data and other information may also be transferred as a business asset in the event of Sniptt’s insolvency, bankruptcy, or receivership.
- Other Disclosures. We will inform you of any other disclosures of your Personal Data, and obtain your consent prior to such disclosure. However, regardless of your choices regarding Personal Data, Sniptt may disclose your Personal Data (a) where required to comply with law enforcement directives, applicable laws or governmental orders; or (b) if we believe in good faith that doing so is necessary to protect our rights, those of other users, or the Services. However, because of our Zero-Knowledge Architecture, we are technically unable to provide any information about users beyond Registration Data and Event Data even if we are subject to a valid order. To the extent permitted by law, we will inform you of legally-mandated disclosures of Personal Data.
We strive to protect all data in our possession, including Personal Data, through a variety of means, and we continually work to improve and update these practices. However, we cannot and do not guarantee the security of Personal Data we process. Personal Data may be transferred to jurisdictions with less strict privacy laws than those in your home country, including the U.S., but we use technical and other measures that comply with European, British, and other relevant regulations to protect Personal Data when processed in the U.S.
- We use robust physical, organisational, technical, and administrative measures to safeguard all data we hold or process, and we regularly re-assess and revise our policies and practices to improve security. While we go to great lengths to protect your data, no method of data transmission or storage is totally secure; therefore, we cannot guarantee the security of data in our control. If you believe your data may have been compromised by us or the use of the Services, please contact our help center immediately.
- Your information, including Personal Data that we collect from you, may be transferred to, stored at, and processed by us, our Affiliates, and service providers outside your home country, including in the United States, where data protection and privacy regulations may not offer the same protections as in other parts of the world. When we do so, we will take the steps described in this Policy, including Section 5, which are designed to ensure that all Personal Data we or our service providers process (regardless of where it originates) is secured as required by applicable laws. By using the Services, you agree to the transfer, storing or processing of your data in accordance with this Policy.
If you currently receive marketing emails and no longer wish to do so, you may unsubscribe from within any such email. Even if you do so, we will still send you operational and transactional emails (e.g., renewal notices). Uninstalling Apps from your devices will remove all data associated with the Apps. Removing your Apps does not delete your Account. To do that, please send an email to email@example.com.
- Email Communications. With your consent, we will periodically send you emails promoting the use of the Services, including tips on using the Apps, or highlighting offerings from select Sniptt partners. You can opt out of these emails by following the unsubscribe instructions included in each email. You may also request removal through our help center. Note that unsubscribing from marketing communications will not affect operational and transactional communications, including breach notices and other alerts from within the Apps, renewal emails, etc.
- Applications. You can stop all collection of information by an App by uninstalling that App. You may use the standard uninstall process for the relevant device or platform. Uninstalling an App does not delete your Account.
Users subject to the laws of the EU, Britain, Brazil, California, and Nevada have certain rights regarding their Personal Data, including the right to access and modify Personal Data held by providers (like us), and to have providers “forget” Personal Data that is no longer relevant. Most of these rights must be accessed from within the privacy and data preferences in the Services, but you may always contact us for assistance. We will never provide worse services to, or in any way punish anyone who chooses to exercise these rights. We strongly support the intent behind these laws, and will do our best to honor requests to exercise these rights even if they do not technically apply to you.
- You have the following rights with respect to your Personal Data that we process. Except where indicated, these rights apply equally to users subject to the GDPR (and related laws), CCPA, and LGPD:
  - Withdraw Consent: You may withdraw your consent to our processing of your Personal Data, in whole or in part (i.e., for marketing purposes). Certain Services may be ineffective upon opt out.
  - Access / Request Information: You may access the Personal Data we hold about you at any time via your Account or by contacting us directly.
  - Modification: You may modify incorrect or outdated Personal Data we hold about you at any time via your Account or by contacting us directly.
  - Erase and Forget. In certain situations, for example when the Personal Data we hold about you is no longer relevant or accurate, you can request that we erase your Personal Data. If you delete your account, all Personal Data will be erased within a week of the date of deletion.
  - Portability: You may request a copy of your Personal Data and may always move it to other entities as you desire.
If you have questions, concerns, or complaints about this Policy or our data collection or processing practices, or if you want to report any security violations, please email firstname.lastname@example.org.