Privacy Policy
Last updated: 16 February 2026
1. Who We Are
SnapScan LTD (“SnapScan”, “we”, “us”, or “our”)
85 Great Portland Street, London W1W 7LT, United Kingdom
Email: privacy@snapscan.link
SnapScan acts as:
• A Controller for Account Data, billing data, marketing preferences, operational analytics, and security logs.
• A Processor when processing Viewer Data, scan telemetry, and other Customer Personal Data on behalf of account holders.
Account holders act as Controllers of Customer Personal Data processed through their use of SnapScan.
2. Scope
This Policy applies to all SnapScan websites, web applications, APIs, dashboards, integrations, and related services (the “Services”).
It applies to creators, agencies, brands, organizations, sub-users, and individuals who scan QR codes or access SnapScan short links.
3. Information We Collect
Account Information: Name, email, hashed password, optional company details, industry/role, phone number, SSO profile data.
Team Members/Sub-Users: Name, email, IP address, role permissions, login activity.
Uploaded Content: Videos, QR configuration data, destination URLs, branding assets.
Payment Information: Processed by Stripe. SnapScan does not store card numbers.
QR & Link Metadata: Destination URL, generated ID, Account ID, timestamp, IP address, region, platform handle (if provided).
Viewer Interaction Data: IP address, derived region, referrer, timestamp, device type, browser/OS, language, cookie or advertising identifiers (where consented).
Fraud & Security Signals: IP patterns, timestamp proximity.
Technical & Cookie Data: Session identifiers, authentication tokens, diagnostic logs, consent status.
Email Engagement Data: Delivery status, open and click metadata.
Marketing Data: Newsletter subscriptions, survey responses, referral information.
SnapScan does not collect biometric, health, or special-category personal data.
We collect only the minimum data necessary to operate, secure, and improve the Services.
4. Legal Bases for Processing
• Contract performance (account creation, QR rendering)
• Legal obligation (billing and tax compliance)
• Legitimate interests (analytics, fraud detection, service improvement)
• Consent (marketing communications and non-essential cookies)
Where relying on Legitimate Interests, SnapScan conducts balancing assessments.
SnapScan does not make solely automated decisions producing legal or similarly significant effects.
5. Customer Responsibilities
Account holders are responsible for ensuring their use of SnapScan complies with applicable laws and that destination URLs comply with applicable regulations.
SnapScan does not control third-party websites accessed via QR codes or short links.
6. Subprocessors
SnapScan shares Personal Data only with trusted providers under written agreements.
Subprocessors include:
• DigitalOcean (Hosting)
• Stripe (Payments)
• Google Analytics (Analytics)
• SendGrid / Mailgun (Email delivery)
• Airtable (Internal operational data management)
• Google Drive / iCloud / Dropbox (Cloud storage integrations)
We rely on Standard Contractual Clauses and the UK Addendum for international transfers.
SnapScan does not sell Personal Data.
7. Data Retention
Account data: Active lifecycle + 3 years inactivity.
Scan analytics: 24 months (then anonymized).
Support tickets: 24 months after closure.
Inactive accounts may be archived for 30–60 days prior to deletion.
Upon deletion request, all associated data including QR redirects is permanently deleted.
8. Data Subject Rights
You may request access, correction, deletion, restriction, portability, or objection.
Contact: privacy@snapscan.link
We respond within 30 days.
Complaints may be filed with the UK Information Commissioner’s Office (ICO).
9. Security
SnapScan implements:
• TLS 1.2+ encryption
• AES-256 encryption at rest
• Role-Based Access Controls
• Infrastructure isolation
• Security monitoring
Where SnapScan acts as a Processor, we notify Controllers without undue delay of personal data breaches.
10. Children’s Privacy
SnapScan is not intended for individuals under 16 years of age. If we become aware that data from a child has been collected without appropriate consent, we will delete it promptly.
SnapScan Data Processing Addendum (DPA)
1. Roles
Customer = Controller
SnapScan = Processor
This DPA applies where SnapScan processes Customer Personal Data on behalf of Customer.
2. Subject Matter & Duration
Processing relates to viewer scan data, IP addresses, device/browser data, referrer data, and engagement metadata.
Duration: For the term of the Services plus applicable retention periods.
3. Nature & Purpose of Processing
• Generating QR codes
• Redirect handling
• Scan analytics
• Fraud detection
• Security monitoring
4. Types of Personal Data
May include IP addresses, device identifiers, referrer URLs, timestamp data, and platform handles (if provided).
Special-category data is not intentionally processed.
5. SnapScan Obligations
SnapScan shall:
• Process data only on documented instructions of Customer.
• Ensure confidentiality of personnel.
• Implement appropriate technical and organizational security measures.
• Assist with data subject requests.
• Notify Customer of personal data breaches without undue delay.
• Delete or return data upon termination unless legally required to retain it.
6. Subprocessors
SnapScan may engage Subprocessors including DigitalOcean, Stripe, Google Analytics, SendGrid/Mailgun, and Airtable.
SnapScan remains responsible for Subprocessor compliance and will impose equivalent data protection obligations.
7. International Transfers
Transfers outside the UK/EEA rely on EU Standard Contractual Clauses, the UK Addendum, or other lawful safeguards.
8. Liability
Liability is subject to the limitations set forth in the SnapScan Terms of Service.