Last updated: June 1, 2026
Privacy Policy
OneSnapID is built around a simple principle: your photo is used only to create your result, then automatically deleted within 24 hours — never sold or shared. This policy explains exactly what data we collect, why, and what rights you have.
1. Who We Are (Data Controller)
OneSnapID ("we," "us," or "our") is the data controller under the EU GDPR, the UK GDPR, and all other applicable data-protection laws.
Data-protection enquiries: m_tas@outlook.com
2. The Short Version
✅ Your photo is processed in your browser. We only store it on our servers if you purchase a download — then it is encrypted and auto-deleted after 24 hours (see §3.1).
✅ AI Enhancement is optional. Only if you enable it does your image leave your device (sent to Google Gemini — see §4).
✅ No account required. We only collect your email if you make a purchase (to deliver your download).
✅ We do not sell your data. Ever.
✅ No advertising cookies. Only strictly-necessary cookies.
3. What Data We Collect and Why
3.1 Photographs You Upload
Your photo is formatted locally in your browser. If you enable AI Enhancement, it is transmitted securely to Google's Gemini API for processing.
If you purchase a download, your finished (processed) photo is then encrypted (AES-256) and stored temporarily on our servers (Upstash/Redis, EU region) solely to deliver your file. It is automatically deleted after 24 hours and is never used for any other purpose. If you do not purchase, the photo stays in your browser only.
A portrait photograph is personal data. Where AI processing involves analysis of facial geometry it may constitute biometric data under GDPR Article 9. AI Enhancement therefore requires your explicit consent via an opt-in checkbox before processing begins.
- Standard formatting (no AI): Lawful basis — Art. 6(1)(b) GDPR (contract performance).
- AI Enhancement: Lawful basis — Art. 6(1)(a) & Art. 9(2)(a) GDPR (explicit consent). You may withdraw consent at any time.
3.2 Payment & Email
We do not collect or store payment card details. Payments are handled by our Merchant of Record, Polar Software, Inc. (Polar.sh), under its own privacy policy. When you purchase, we receive your email address from Polar so we can email you the download link. Lawful basis: Art. 6(1)(b) GDPR (contract performance).
3.3 Analytics & Usage Data
We may collect anonymised usage data (device type, country-level location, pages visited) via a privacy-respecting analytics service. No advertising cookies. No profiling. Lawful basis: Art. 6(1)(f) GDPR (legitimate interests — improving the service).
3.4 Support Emails
If you contact us, we collect your email address and message content solely to respond. Lawful basis: Art. 6(1)(b)/(f) GDPR.
4. How We Share Your Data
We do not sell your data. We share it only with the following processors, under our instructions:
Google LLC — AI Processing (Gemini API)
When you opt into AI Enhancement your photo is sent to Google. Google acts as our data processor and does not use your data to train its AI models under our paid-tier API terms. EEA/UK users are covered by Google's Data Processing Addendum.
Polar Software, Inc. (Polar.sh) — Payments (Merchant of Record)
Processes payments and acts as Merchant of Record. We never see your card details. Polar also handles applicable sales tax/VAT. See polar.sh/legal/privacy.
Resend — Email Delivery
Sends your download-link email after purchase. Receives only your email address and the message content.
Upstash (Redis) & Vercel — Hosting & Temporary Storage
Serve the web application and temporarily hold your encrypted paid photo (24h) and operational data, under data-processing agreements.
Legal / Regulatory Disclosure
We may disclose data to law enforcement or regulators where required by law.
5. International Data Transfers
Where we or our processors transfer personal data outside the EEA or UK we rely on EU Standard Contractual Clauses (SCCs), the UK IDTA/Addendum, or adequacy decisions where applicable. Google LLC participates in relevant data-transfer frameworks; details are in Google's DPA.
6. Data Retention
| Data | Retention |
|---|---|
| Photographs — not purchased | Browser session only — never sent to our servers |
| Photographs — purchased download | Encrypted server-side; automatically deleted 24 hours after purchase |
| Photos sent to Gemini API (if AI used) | Not retained by us; Google processes transiently |
| Payment & email records | Polar (Merchant of Record) retains per their terms; we keep order confirmations for accounting |
| Analytics logs | Up to 12 months, then anonymised / deleted |
| Support emails | Deleted or anonymised within 2 years of resolution |
7. Your Rights (GDPR / UK GDPR)
- Access (Art. 15): Request a copy of the data we hold about you.
- Rectification (Art. 16): Ask us to correct inaccurate data.
- Erasure (Art. 17): Ask us to delete your data where there is no overriding legal basis to retain it.
- Restriction (Art. 18): Ask us to limit how we process your data in certain circumstances.
- Portability (Art. 20): Receive a machine-readable copy of data processed by consent or contract.
- Object (Art. 21): Object to processing based on legitimate interests.
- Withdraw consent: At any time, for any consent-based processing (including AI Enhancement). Withdrawal does not affect prior lawful processing.
To exercise any right: m_tas@outlook.com. We respond within 30 days (extendable to 90 days for complex requests, with notice).
EU users: lodge a complaint with your national supervisory authority — edpb.europa.eu. UK users: ICO — ico.org.uk / 0303 123 1113.
8. California Residents (CCPA / CPRA)
We do not sell or shareyour personal information for cross-context behavioural advertising. No "Do Not Sell" opt-out is currently required because we do not sell or share data. Photographs processed through AI that may constitute biometric data are treated as sensitive personal information under CPRA and are used only to provide the service you requested.
California rights include: right to know, right to delete, right to correct, right to opt out of sale/sharing, right to limit use of sensitive PI, and right to non-discrimination. Submit verifiable consumer requests to m_tas@outlook.com. We respond within 45 days (extendable by 45 days with notice).
9. Children's Privacy (COPPA)
OneSnapID is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has submitted data to us, contact m_tas@outlook.com immediately and we will delete it promptly.
10. Security
All data in transit is encrypted via TLS. Because photographs are processed client-side and never stored on our servers, the primary attack surface for image data is minimised by design. In the event of a personal-data breach likely to risk your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.
11. Changes to This Policy
We may update this policy from time to time. Material changes will be announced with a prominent notice on the website. The "Last updated" date at the top reflects the most recent revision.
Contact
OneSnapID
Email: m_tas@outlook.com