Snappo LLC Data Processing and Security

Current version date: Jun 28, 2025

1. INTRODUCTION

Welcome to the Snappo Data Processing and Security Overview. This document provides a clear, detailed explanation of the protective measures and data governance practices implemented within the Snappo platform. It is designed to give our customers, partners, and regulatory bodies a transparent understanding of how we handle and process data.

Purpose of the Policy:

The main goal of this policy is to define a clear framework for managing and protecting data on the Snappo platform. It ensures that all personal and project-related information is handled with the highest security standards and in full compliance with applicable data protection and privacy laws.

By clearly explaining our practices, we aim to maintain and strengthen trust with our customers, demonstrating our commitment to safeguarding their information and providing a secure environment for their creative and commercial content.

Commitment to Data Protection and Privacy Laws:

Snappo LLC is firmly committed to upholding all relevant data protection and privacy laws. We see data privacy not only as a legal requirement but as a fundamental ethical responsibility to our customers and partners. This commitment influences how we develop our tools, manage our operations, and serve the wider creative and e-commerce industries.

To support this commitment, Snappo follows these principles:

  • Ensuring all personal data is processed lawfully, fairly, and transparently, respecting individual rights.
  • Taking a proactive approach to data protection by implementing preventive measures rather than relying solely on reactive responses.
  • Continuously monitoring and improving our data protection practices to meet evolving industry standards and regulatory requirements.
  • Maintaining transparency in our data processing activities, giving customers clear information about how their data is used, stored, and protected.
  • Providing ongoing training to our team to ensure they understand and uphold data security best practices.

With this policy, Snappo LLC affirms its role as a responsible technology provider, prioritizing not only the innovative power of our platform but also the trust and confidence of our users in our data governance.

This document is intended to evolve over time, adapting to technological advances, changes in legal requirements, and the shifting needs of our customers. Our goal is to make it both thorough and easy to understand, helping customers see exactly how we protect their data.

If you have any questions or concerns, we encourage you to contact our dedicated Data Protection Officer or support team, who are always ready to assist.

2. DEFINITIONS

To promote clarity and a shared understanding throughout this document, the terms below are defined as follows:

Data Subject:

An individual who can be identified, directly or indirectly, through personal data. For Snappo, this typically includes our platform users, such as brand owners, marketers, designers, and other professionals.

Personal Data:

Any information relating to an identified or identifiable individual. This includes, but is not limited to, names, email addresses, and details related to a user's professional work that can be linked back to them.

Processing:

Any action or series of actions performed on personal data. This includes collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, alignment, combination, restriction, erasure, or destruction.

Data Controller:

The entity (Snappo LLC, in this context) that determines the purposes and means of processing personal data. We are responsible for deciding how and why user data is processed.

Data Processor:

A third party that processes personal data on behalf of Snappo LLC, following our instructions and control. Examples include vendors or partners providing services such as cloud hosting, customer support, or analytics.

AI Models:

Snappo uses the commercially licensed FLUX, ChatGPT, and Claude models for content generation.

3. DURATION

Effective Date:

This policy takes effect on Jun 28, 2025, and will remain in force until it is updated or replaced.

Review and Update Provisions:

The policy will be reviewed at least once a year, or more frequently if needed, to ensure it remains compliant with all applicable laws and regulations.

4. SCOPE OF DATA PROTECTION LAW

GDPR:

Snappo complies with the General Data Protection Regulation (GDPR), which governs the processing of personal data in connection with the activities of data controllers or processors established in the European Union.

CCPA:

Snappo also adheres to the California Consumer Privacy Act (CCPA), which provides California residents with specific rights over their personal information and imposes obligations on businesses operating in California.

Other Relevant Regional Laws:

In addition, Snappo complies with other applicable regional data protection laws that relate to our operations and those of our clients. We actively monitor global legislative developments to ensure our practices remain aligned with the evolving data protection landscape.

5. DATA DELETION

Right to Erasure:

Snappo LLC recognizes the importance of the data subject's right to erasure, commonly known as the "right to be forgotten." If a data subject withdraws consent for processing and there is no lawful basis to retain their information, they can request its deletion. The Snappo platform is designed to facilitate this process quickly and effectively.

Accelerated Data Deletion Procedures:

When a deletion request is received, Snappo follows an expedited and secure process designed to:

  • Promptly locate and identify all personal data associated with the subject across our systems.
  • Effectively and permanently remove the identified data from all storage locations, including active databases, backups, and logs.
  • Anonymize any data retained for analytical purposes so it can no longer be linked to the individual.
  • Provide the data subject with a verifiable confirmation of the data that was erased and certify that the process was completed thoroughly within a defined timeframe.

Retention Period Compliance:

Snappo routinely reviews stored data to ensure compliance with retention policies. Any data that has reached the end of its retention period, or is no longer necessary for its original purpose, is securely deleted. This process aligns with applicable legal, accounting, or regulatory requirements that may mandate data retention for a specific period.

6. DATA SECURITY

Security Measures:

Snappo LLC uses a comprehensive, multi-layered approach to data security to protect personal information from unauthorized access, alteration, disclosure, or destruction. Our security strategy includes, but is not limited to:

  • Encryption: All data is encrypted both at rest and during transmission using robust encryption protocols.
  • Firewalls and Network Protection: Advanced firewalls and intrusion detection systems are in place to monitor and control network traffic according to established security rules.
  • Access Control: Strict access control policies ensure that only authorized personnel with a legitimate need can access specific data. All access is logged and monitored.
  • Regular Security Audits: To maintain the security and integrity of our systems, Snappo conducts regular security audits. These audits enable us to:
    • Detect and address any vulnerabilities.
    • Update security measures to respond to emerging threats.
    • Maintain compliance with current data protection laws and industry standards.

Data Breach Response:

In the rare event of a data breach, Snappo has a well-defined incident response plan designed to minimize potential harm. This includes promptly notifying affected users and relevant authorities, thoroughly investigating the breach, and implementing measures to prevent similar incidents in the future.

7. SERVER LOCATIONS

Data Storage Regions:

Snappo AI leverages Supabase and Vercel for its backend infrastructure and serverless deployment. Supabase manages data storage and database services, while Vercel provides global serverless hosting. Both providers operate using secure, industry-standard cloud platforms with worldwide points of presence, enabling us to serve users efficiently and securely across regions.

Regional Storage Considerations:

Supabase maintains data within selected cloud regions, subject to their own infrastructure configurations. While Snappo AI does not currently offer customer-specific region selection for data storage, we rely on Supabase's and Vercel's compliance with industry best practices and applicable data protection regulations to ensure that data is stored and processed appropriately.

Compliance with Data Protection Laws:

Snappo AI is committed to respecting data sovereignty and privacy requirements in the jurisdictions in which we operate. By using trusted providers like Supabase and Vercel, we aim to ensure that data handling aligns with applicable data protection laws and industry standards.

8. IMPACT ASSESSMENTS AND CONSULTATIONS

Data Protection Impact Assessments (DPIA):

At Snappo LLC, Data Protection Impact Assessments (DPIAs) are a core part of our proactive approach to identifying and managing potential data protection risks. A DPIA is carried out whenever a new project, system, or process is likely to pose a high risk to individuals' rights and freedoms, especially when introducing new technologies or data processing activities.

The DPIA process generally includes:

  • A detailed description of the planned processing operations and their purposes, including any legitimate interests pursued by Snappo as the data controller.
  • An evaluation of the necessity and proportionality of the processing in relation to its purpose.
  • An assessment of potential risks to the rights and freedoms of data subjects.
  • Identification of measures to address these risks, including safeguards, security controls, and mechanisms to ensure personal data protection and demonstrate compliance with GDPR requirements.

Consultation with Supervisory Authorities:

If it is determined that a proposed processing activity would present a high risk that cannot be adequately mitigated, Snappo will consult the relevant supervisory authority before proceeding. This involves submitting the completed DPIA to the authority for review and receiving guidance on whether the proposed safeguards sufficiently address the identified risks.

9. ACCESS, DATA SUBJECT RIGHTS, AND DATA EXPORT

Right to Access:

Snappo LLC respects the data subject's right to access their personal information. This includes the right to confirm whether personal data about them is being processed and to receive a copy of that data in a structured, commonly used, and machine-readable format.

Right to Rectification:

Data subjects can request that inaccurate personal data be corrected and incomplete data be completed. Snappo is committed to handling such requests promptly and notifying the data subject once the correction has been made.

Right to Data Portability:

Snappo supports the right to data portability, allowing data subjects to move their personal data easily between different service providers. We provide secure ways for users to access and reuse their personal data for their own purposes across various services.

Procedures for Exercising Rights:

Snappo has clear and accessible procedures in place to help data subjects exercise these rights, including:

  • A simple method for submitting requests, such as an online form or dedicated email address for privacy-related inquiries.
  • Verification of the requester's identity to prevent unauthorized access or changes to personal data.
  • Timely responses to requests, typically within one month of receipt, in line with GDPR requirements.

10. DATA TRANSFERS

Cross-Border Data Transfers:

Snappo LLC understands the complexities involved in transferring data across international borders. In line with global data protection laws, we ensure that all international data transfers comply with the legal frameworks and standards governing cross-border data movement, such as the EU's General Data Protection Regulation (GDPR) and relevant frameworks for transatlantic data exchanges.

Safeguarding Measures:

To protect personal data during cross-border transfers, Snappo employs a variety of legal mechanisms, including:

  • Standard Contractual Clauses (SCCs): We include SCCs in our agreements to guarantee that personal data transferred outside the EU maintains the same level of protection as within the EU.
  • Binding Corporate Rules (BCRs): For transfers within our corporate group, we may use BCRs, which are internal policies that provide strong data protection guarantees for cross-border transfers within the organization.
  • Data Processing Agreements (DPAs): We ensure that all third-party processors we work with are bound by DPAs that impose data protection obligations consistent with Snappo's standards.

Transparency and Consent:

Snappo maintains clear communication with clients about where their data is stored and processed. When necessary, we obtain explicit consent from data subjects for transferring their personal data to other countries, ensuring they are fully aware of the implications of such transfers.

11. SUBPROCESSORS

Role of Subprocessors:

Snappo LLC engages subprocessors specifically to support sales channel operations. These partners help expand the reach of our platform and services. Importantly, these sales channel partners do not have access to the data processed by Snappo and are explicitly prohibited from accessing such information.

Data Access Restrictions:

All subprocessors are bound by contractual agreements that enforce Snappo's data privacy and security standards. They are not permitted to access or process client data for any purpose other than the specific sales and transactional support services they provide.

Monitoring and Evaluation:

Snappo regularly monitors and evaluates the performance and compliance of all subprocessors to ensure they consistently meet our high standards for data protection and privacy. Any breach of contract or failure to comply with our data protection requirements is taken seriously and may result in termination of the relationship with the subprocessor.

12. SNAPPO DATA PROTECTION TEAM AND PROCESSING RECORDS

Data Protection Team:

Snappo LLC has established a dedicated Data Protection Team responsible for overseeing all aspects of data privacy and security. This team ensures our platform complies with data protection laws, implements privacy-by-design principles, and responds to any data-related inquiries or incidents.

Processing Records:

Our Data Protection Team maintains detailed records of all data processing activities. These records include essential information such as processing purposes, categories of data, types of data subjects, data recipients, and details about any transfers to other countries. This practice enhances the transparency of our operations and supports compliance with legal requirements.

Data Protection Officer (DPO) Role and Contact:

The Data Protection Officer is responsible for ensuring Snappo's compliance with data protection laws. They can be contacted at: contact@snappo.ai.

Maintaining Records of Processing Activities:

Snappo keeps thorough records of all processing activities carried out on behalf of the data controller, as required under GDPR and other relevant data protection regulations.

Cooperation with Regulatory Authorities:

Snappo is committed to full cooperation with regulatory authorities in the event of any data protection issues, audits, or investigations.

13. LIABILITY

Liability Framework:

Snappo LLC operates under a clear liability framework that defines our responsibilities and potential liabilities related to data protection. In the event of a data breach or non-compliance with data protection regulations, Snappo acknowledges its obligations and the possibility of being held liable.

Mitigation and Remediation:

If a data breach occurs, our top priority is to minimize any potential harm and address the issue promptly. We have established policies to quickly identify breaches, assess their impact, notify affected individuals and authorities as required, and implement corrective measures without delay.

Compensation:

If Snappo is found responsible for a breach that causes material or non-material harm to a data subject, we are committed to providing appropriate compensation in accordance with applicable laws.

14. INTERPRETATION

Clarity of Terms:

Snappo LLC is committed to ensuring that all terms used in our data protection policies are clear and unambiguous. We aim to interpret and apply these terms consistently with prevailing data protection laws and industry best practices.

Dynamic Interpretation:

As data protection laws and regulations evolve, so will our interpretation of them. Snappo is dedicated to regularly updating our policies and practices to stay aligned with legal requirements and technological advancements, ensuring continued compliance and protection of data subject rights.

Consultation with Legal Experts:

Snappo regularly works with legal professionals specializing in data protection to ensure our interpretations remain accurate and enforceable. This collaboration helps us uphold a high standard of data privacy and keeps us aware of new legal developments and regulatory guidance.