snapCAD Privacy Policy
1. Introduction
snapCAD Pty Ltd ("snapCAD", "we", "us", "our") operates a browser-based 2D CAD application at https://app.snapcad.io (the "Service").
This Privacy Policy explains what personal data we collect, why we collect it, how we use and protect it, and what rights you have regarding your data. It applies to all users of the Service worldwide, and has been prepared to comply with:
- The EU General Data Protection Regulation (GDPR)
- The UK General Data Protection Regulation (UK GDPR)
- The Australian Privacy Act 1988 and Australian Privacy Principles (APPs)
- The California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA)
Our production infrastructure is primarily hosted in Microsoft Azure in the West Europe (Netherlands) region.
By using the Service you acknowledge that you have read this policy. Where we rely on consent as a lawful basis, we will ask for your explicit consent before the relevant processing begins.
2. Data Controller
snapCAD Pty Ltd is the data controller responsible for your personal data.
| Field | Detail |
|---|---|
| Entity | snapCAD Pty Ltd (Australia) |
| Contact | privacy@snapcad.io |
| Website | https://app.snapcad.io |
3. Personal Data We Collect
3.1 Account Data
When you sign in via Clerk (our identity provider), we receive and store the following:
- Email address
- Display name
- Identity provider ID (an opaque unique identifier)
Lawful basis (GDPR): Performance of a contract, necessary to provide you with an account and access to the Service.
3.2 Subscription and Payment Data
If you subscribe to a paid plan, we create a subscription record containing your plan type, status, and start/end dates. Payment processing is handled entirely by Stripe, Inc. We store Stripe's customer and subscription identifiers but never store your credit card number, CVC, or full billing address.
Lawful basis (GDPR): Performance of a contract.
3.3 Usage Analytics
With your consent, we collect pseudonymised usage events (for example, which commands are used and session duration) to improve the Service. These events may be linked to your internal user ID but do not contain your email or display name in event payloads. Usage events are automatically deleted after 35 days.
Lawful basis (GDPR): Consent. You can opt out at any time via the consent banner or your account settings.
3.4 Technical Data
Our servers automatically receive standard HTTP request data, including your IP address, browser type, and referring URL. This data is used solely for security, abuse prevention, and infrastructure operations. Server logs are retained for a maximum of 30 days and then deleted.
Lawful basis (GDPR): Legitimate interest, maintaining the security and availability of the Service.
3.5 Cookies and Local Storage
| Item | Purpose | Essential? |
|---|---|---|
| Authentication tokens | Maintain your signed-in session (Clerk) | Yes |
| WASM protection cookie | Required by the CAD engine for license verification (1-minute TTL) | Yes |
| UI preferences | Remember your panel layout and save-format choices | Yes (functional) |
We do not use third-party advertising or tracking cookies. Analytics data is only collected with your consent (see Section 3.3).
3.6 User-Uploaded Content
If you upload image files for use as drawing underlays, these are embedded directly in your drawing file and processed entirely within your browser. By default, your drawing content and underlay files are not uploaded to or stored on our servers.
4. How We Use Your Data
| Purpose | Data Used | Lawful Basis |
|---|---|---|
| Provide and maintain the Service | Account data, subscription data | Contract |
| Process payments | Subscription data (via Stripe) | Contract |
| Improve the Service | Pseudonymised usage analytics | Consent |
| Security and abuse prevention | Technical and log data | Legitimate interest |
| Enforce entitlements and feature access | User ID, subscription plan | Contract |
5. Third-Party Data Processors
We share personal data only with the following processors, under appropriate data processing agreements:
| Processor | Purpose | Data Shared | Location |
|---|---|---|---|
| Clerk, Inc. | Authentication and account session management | Account data | US and other regions used by Clerk (subject to Clerk contractual safeguards) |
| Microsoft Azure | Hosting and infrastructure operations | Service data, logs, and infrastructure metadata | West Europe (Netherlands) primary region, plus limited Azure-operated support regions |
| Stripe, Inc. | Payment processing | Email, subscription plan | US (Stripe DPA with SCCs) |
We do not sell, rent, or trade your personal data to any third party.
6. International Data Transfers
We host core application workloads in the EEA (West Europe). Some processors may process limited personal data outside your country of residence, including in Australia and the United States. Where data is transferred outside a jurisdiction with adequate data protection laws, we rely on:
- EU Standard Contractual Clauses (SCCs) with our processors
- Processor contractual safeguards, including DPAs and SCCs where applicable
- Stripe's Data Processing Agreement
7. Data Retention
| Data | Retention Period |
|---|---|
| Account data | Until you delete your account |
| Subscription records | Until you delete your account (or as required by tax law) |
| Usage analytics | Automatically deleted after 35 days |
| Server logs | 30 days |
| Drawing content files | Stored on your device unless you choose to store with a third-party provider |
| Consent records | Until account deletion or anonymisation, unless a longer retention period is legally required |
When you delete your account, we anonymise your personal data within 30 days. Certain records (for example, transaction history) may be retained in anonymised form to comply with legal and tax obligations.
8. Your Rights
Depending on your jurisdiction, you have some or all of the following rights regarding your personal data.
8.1 All Users
- Access: Request a copy of your personal data
- Correction: Request correction of inaccurate data
- Deletion: Request deletion of your account and personal data
- Data Export: Download your data in a machine-readable format (JSON)
- Withdraw Consent: Withdraw consent for analytics at any time
8.2 EU and UK Residents (GDPR)
- Right to Restriction: Request restriction of processing while we verify a complaint
- Right to Object: Object to processing based on legitimate interest
- Right to Portability: Receive your data in a structured, commonly used format
- Complaint: Lodge a complaint with your local supervisory authority
8.3 Australian Residents (Privacy Act 1988)
- You may access and request correction of your personal information under APPs 12 and 13
- You may lodge a complaint with the Office of the Australian Information Commissioner (OAIC)
8.4 California Residents (CCPA/CPRA)
- Right to Know: What personal information we collect and why
- Right to Delete: Request deletion of your personal information
- Right to Correct: Request correction of inaccurate information
- Right to Opt-Out: We do not sell or share your personal information for cross-context behavioural advertising
- Non-Discrimination: We will not discriminate against you for exercising your privacy rights
8.5 How to Exercise Your Rights
You can exercise your data rights directly from your account:
- Data Export: Use the data export feature in your account settings
- Account Deletion: Use the Delete My Account option in your account settings
- Analytics Opt-Out: Use the consent banner or account settings toggle
Alternatively, email privacy@snapcad.io and we will respond within 30 days (or any shorter period required by applicable law).
9. Data Security
We implement appropriate technical and organisational measures to protect your data:
- All data in transit is encrypted via TLS 1.2+
- Data at rest is encrypted using Azure managed encryption keys
- Authentication is handled by Clerk
- Access to production infrastructure is restricted and audited
- We do not store passwords; authentication is delegated to your identity provider
10. Children's Privacy
The Service is not directed at children under the age of 16 (or the applicable age of digital consent in your jurisdiction). We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact privacy@snapcad.io and we will delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by displaying a notice within the Service or by email. The effective date at the top of this page indicates when the policy was last revised.
12. Contact Us
For any questions about this Privacy Policy, or to exercise your data protection rights, please contact us:
| Field | Detail |
|---|---|
| privacy@snapcad.io | |
| Entity | snapCAD Pty Ltd, Australia |
If you are in the EU/EEA and are not satisfied with our response, you have the right to lodge a complaint with your local Data Protection Authority.
If you are in Australia, you may complain to the Office of the Australian Information Commissioner (OAIC): https://www.oaic.gov.au
For users in the EEA, you can also contact the Dutch supervisory authority (Autoriteit Persoonsgegevens): https://autoriteitpersoonsgegevens.nl