OneSnapID
OneSnapID
🇬🇧

Last updated: June 1, 2026

Privacy Policy

OneSnapID is built around a simple principle: your photo is used only to create your result, then automatically deleted within 24 hours — never sold or shared. This policy explains exactly what data we collect, why, and what rights you have.

1. Who We Are (Data Controller)

OneSnapID ("we," "us," or "our") is the data controller under the EU GDPR, the UK GDPR, and all other applicable data-protection laws.

Data-protection enquiries: m_tas@outlook.com

2. The Short Version

Your photo is processed in your browser. We only store it on our servers if you purchase a download — then it is encrypted and auto-deleted after 24 hours (see §3.1).

AI Enhancement is optional. Only if you enable it does your image leave your device (sent to Google Gemini — see §4).

No account required. We only collect your email if you make a purchase (to deliver your download).

We do not sell your data. Ever.

No advertising cookies. Only strictly-necessary cookies.

3. What Data We Collect and Why

3.1 Photographs You Upload

Your photo is formatted locally in your browser. If you enable AI Enhancement, it is transmitted securely to Google's Gemini API for processing.

If you purchase a download, your finished (processed) photo is then encrypted (AES-256) and stored temporarily on our servers (Upstash/Redis, EU region) solely to deliver your file. It is automatically deleted after 24 hours and is never used for any other purpose. If you do not purchase, the photo stays in your browser only.

A portrait photograph is personal data. Where AI processing involves analysis of facial geometry it may constitute biometric data under GDPR Article 9. AI Enhancement therefore requires your explicit consent via an opt-in checkbox before processing begins.

  • Standard formatting (no AI): Lawful basis — Art. 6(1)(b) GDPR (contract performance).
  • AI Enhancement: Lawful basis — Art. 6(1)(a) & Art. 9(2)(a) GDPR (explicit consent). You may withdraw consent at any time.

3.2 Payment & Email

We do not collect or store payment card details. Payments are handled by our Merchant of Record, Polar Software, Inc. (Polar.sh), under its own privacy policy. When you purchase, we receive your email address from Polar so we can email you the download link. Lawful basis: Art. 6(1)(b) GDPR (contract performance).

3.3 Analytics & Usage Data

We may collect anonymised usage data (device type, country-level location, pages visited) via a privacy-respecting analytics service. No advertising cookies. No profiling. Lawful basis: Art. 6(1)(f) GDPR (legitimate interests — improving the service).

3.4 Support Emails

If you contact us, we collect your email address and message content solely to respond. Lawful basis: Art. 6(1)(b)/(f) GDPR.

4. How We Share Your Data

We do not sell your data. We share it only with the following processors, under our instructions:

Google LLC — AI Processing (Gemini API)

When you opt into AI Enhancement your photo is sent to Google. Google acts as our data processor and does not use your data to train its AI models under our paid-tier API terms. EEA/UK users are covered by Google's Data Processing Addendum.

Polar Software, Inc. (Polar.sh) — Payments (Merchant of Record)

Processes payments and acts as Merchant of Record. We never see your card details. Polar also handles applicable sales tax/VAT. See polar.sh/legal/privacy.

Resend — Email Delivery

Sends your download-link email after purchase. Receives only your email address and the message content.

Upstash (Redis) & Vercel — Hosting & Temporary Storage

Serve the web application and temporarily hold your encrypted paid photo (24h) and operational data, under data-processing agreements.

Legal / Regulatory Disclosure

We may disclose data to law enforcement or regulators where required by law.

5. International Data Transfers

Where we or our processors transfer personal data outside the EEA or UK we rely on EU Standard Contractual Clauses (SCCs), the UK IDTA/Addendum, or adequacy decisions where applicable. Google LLC participates in relevant data-transfer frameworks; details are in Google's DPA.

6. Data Retention

DataRetention
Photographs — not purchasedBrowser session only — never sent to our servers
Photographs — purchased downloadEncrypted server-side; automatically deleted 24 hours after purchase
Photos sent to Gemini API (if AI used)Not retained by us; Google processes transiently
Payment & email recordsPolar (Merchant of Record) retains per their terms; we keep order confirmations for accounting
Analytics logsUp to 12 months, then anonymised / deleted
Support emailsDeleted or anonymised within 2 years of resolution

7. Your Rights (GDPR / UK GDPR)

  • Access (Art. 15): Request a copy of the data we hold about you.
  • Rectification (Art. 16): Ask us to correct inaccurate data.
  • Erasure (Art. 17): Ask us to delete your data where there is no overriding legal basis to retain it.
  • Restriction (Art. 18): Ask us to limit how we process your data in certain circumstances.
  • Portability (Art. 20): Receive a machine-readable copy of data processed by consent or contract.
  • Object (Art. 21): Object to processing based on legitimate interests.
  • Withdraw consent: At any time, for any consent-based processing (including AI Enhancement). Withdrawal does not affect prior lawful processing.

To exercise any right: m_tas@outlook.com. We respond within 30 days (extendable to 90 days for complex requests, with notice).

EU users: lodge a complaint with your national supervisory authority — edpb.europa.eu. UK users: ICO — ico.org.uk / 0303 123 1113.

8. California Residents (CCPA / CPRA)

We do not sell or shareyour personal information for cross-context behavioural advertising. No "Do Not Sell" opt-out is currently required because we do not sell or share data. Photographs processed through AI that may constitute biometric data are treated as sensitive personal information under CPRA and are used only to provide the service you requested.

California rights include: right to know, right to delete, right to correct, right to opt out of sale/sharing, right to limit use of sensitive PI, and right to non-discrimination. Submit verifiable consumer requests to m_tas@outlook.com. We respond within 45 days (extendable by 45 days with notice).

9. Children's Privacy (COPPA)

OneSnapID is not directed to children under 13. We do not knowingly collect personal data from anyone under 13. If you believe a child under 13 has submitted data to us, contact m_tas@outlook.com immediately and we will delete it promptly.

10. Security

All data in transit is encrypted via TLS. Because photographs are processed client-side and never stored on our servers, the primary attack surface for image data is minimised by design. In the event of a personal-data breach likely to risk your rights, we will notify the relevant supervisory authority within 72 hours and affected individuals without undue delay.

11. Changes to This Policy

We may update this policy from time to time. Material changes will be announced with a prominent notice on the website. The "Last updated" date at the top reflects the most recent revision.

Contact

OneSnapID

Email: m_tas@outlook.com