Legal
Privacy Policy
Effective 17 February 2026 · DocSnippet LLC
DocSnippet LLC ("DocSnippet", "we", "us") operates the DocSnippet service at docsnippet.com. This policy explains what personal data we collect, why we collect it, and your rights under UK data protection law (UK GDPR and the Data Protection Act 2018).
Questions? Email privacy@docsnippet.com.
1. Data we collect
Account data
When you sign in via GitHub or Google we receive your name, email address, profile picture URL, and a provider-issued user identifier. We store these to create and maintain your account.
Session data
We issue a session token stored in an HttpOnly cookie. The token is hashed with SHA-256 before being written to our database; we never store the plaintext token.
API keys
When you generate an API key, we store a SHA-256 hash and the first 12 characters (prefix) for display. The full plaintext key is shown once at creation and never recorded. We also store the key's name, creation timestamp, and the last date it was used.
Usage data
We record the number of API calls you make each day, broken down by tool (e.g. search_docs, read_url). This is used to enforce free-tier limits and show you your usage history in the dashboard.
Payment data
Subscription billing is handled by Stripe. We store your Stripe customer ID to link your account to your subscription. We do not store card numbers, CVVs, or bank details — Stripe holds those under their own privacy policy.
Rate-limiting data
For unauthenticated requests we use your IP address to enforce a daily call limit. The IP address is hashed with SHA-256 before storage and the hash is automatically deleted within 48 hours.
2. How we use your data
| Purpose | Lawful basis |
|---|---|
| Providing, operating, and improving the service | Performance of contract (UK GDPR Art. 6(1)(b)) |
| Processing subscription payments | Performance of contract (Art. 6(1)(b)) |
| Enforcing usage limits and preventing abuse | Legitimate interests (Art. 6(1)(f)) |
| Security, fraud prevention, and debugging | Legitimate interests (Art. 6(1)(f)) |
| Compliance with legal obligations | Legal obligation (Art. 6(1)(c)) |
3. Third-party processors
| Processor | Purpose | Location |
|---|---|---|
| GitHub | OAuth authentication | USA (SCCs) |
| Google | OAuth authentication | USA (SCCs) |
| Stripe | Payment processing | USA / UK (SCCs / adequacy) |
| Cloudflare | Infrastructure, CDN, database (D1), serverless compute | USA / EEA (SCCs) |
All international transfers are governed by UK-approved Standard Contractual Clauses or an adequacy decision where applicable. We do not sell your data to third parties.
4. Data retention
| Data type | Retention period |
|---|---|
| Account data (name, email, avatar) | Until you request deletion |
| Sessions | 30 days from creation, or until logout |
| API keys (hashed) | Until revoked; revoked keys purged on account deletion |
| Daily usage records | 90 days |
| Rate-limit hashes (IP-based) | Up to 48 hours |
5. Cookies
We use two first-party cookies:
| Cookie | Purpose | Expiry |
|---|---|---|
| ds_session | Authenticates your session. HttpOnly, Secure, SameSite=Lax. | 30 days |
| ds_logged_in | Non-sensitive flag read by client-side JS to show "Dashboard" vs "Log in" in the navigation. Contains no personal data. | 30 days |
We do not use advertising, tracking, or analytics cookies. No third-party cookies are set by DocSnippet.
6. Your rights
Under UK GDPR you have the right to:
- Access — request a copy of the personal data we hold about you.
- Rectification — ask us to correct inaccurate or incomplete data.
- Erasure — ask us to delete your account and associated data.
- Restriction — ask us to limit how we use your data in certain circumstances.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
To exercise any of these rights, email privacy@docsnippet.com. We will respond within one month. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Security
We apply security measures proportionate to the risk, including: SHA-256 hashing of tokens and API keys before storage, HttpOnly and Secure cookie flags, SameSite=Lax CSRF protection, PKCE for our OAuth server flow, and HMAC-based timing-safe comparisons for secrets.
8. Children
DocSnippet is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has provided us personal data, contact us and we will delete it.
9. Changes to this policy
We may update this policy. Material changes will be communicated via the email associated with your account at least 14 days before taking effect. Continued use after the effective date constitutes acceptance.
10. Contact
DocSnippet LLC
United Kingdom
privacy@docsnippet.com