Privacy Policy
1. Introduction
This Privacy Policy ("Policy") describes how SaveSnippets ("SaveSnippets," "we," "us," or "our") collects, uses, discloses, and otherwise processes personal information when you visit, interact with, or use the SaveSnippets website and application (collectively, the "Services").
We are committed to protecting your privacy. By accessing or using the Services, you acknowledge that you have read and understood this Policy. If you do not agree with this Policy, please do not use the Services. Your continued use after any changes constitutes acceptance of the updated Policy.
This Policy applies in addition to, and is incorporated by reference into, our Terms of Service.
2. Scope
This Policy applies to the SaveSnippets website at savesnippets.com, the SaveSnippets web application, our APIs, and any related digital services we operate under the SaveSnippets brand.
3. Information We Collect
3.1 Information You Provide to Us
We collect personal information that you voluntarily provide when you:
- Create an account or sign in (email address, hashed password, display name, optional avatar image).
- Submit a support request or contact form (your name, email, message, and any files you attach).
- Subscribe to a newsletter or marketing communication.
- Purchase a subscription (handled by Stripe — see Section 3.3).
- Create code snippets, including their titles, descriptions, tags, language, public/private flag, and code body.
- Create server-vault entries or password-vault entries (these are end-to-end encrypted client-side — see Section 4).
- Submit comments, votes, flags, or other community content.
- Customize profile settings (bio, display preferences, theme).
3.2 Information Collected Automatically
When you use the Services, we (and our service providers) may automatically collect:
- Device and connection data — IP address, device type, operating system, browser type and version, screen resolution, language preference, and approximate geographic location derived from IP.
- Usage data — pages or screens viewed, time spent, click paths, referring URL, exit pages, search terms used on our Services, and date/time stamps.
- Performance and diagnostic data — crash reports, error logs, server response times, and other technical signals used to maintain and improve the Services.
- Rate-limit and abuse-detection signals — counters of recent requests per IP/account for the purpose of preventing scraping, brute-force, and account-takeover attacks.
- Cookies and similar technologies — see Section 6.
3.3 Information From Third Parties
We may receive information about you from:
- Stripe, our payment processor, which confirms successful payments and provides limited card metadata (brand, last four digits, expiration, customer ID). We do not receive or store full card numbers.
- Google AdSense (for users on the Free plan or browsing anonymously), for the purpose of serving advertisements — see Section 10.
- Publicly available sources (e.g., links you have made public in your snippet descriptions or profile).
3.4 Sensitive Information
We do not knowingly collect sensitive personal information (such as government identifiers, health, biometric, or precise geolocation data) unless you voluntarily place it in a vault, snippet, or profile field. Where required by applicable law, we will obtain your consent before processing sensitive personal information.
4. Zero-Knowledge Vaults
4.1 How It Works
When you initialize an encrypted vault, your browser (or our server, acting on your behalf at the moment of derivation only) derives a master key from your login password using a memory-hard key-derivation function (Argon2id). That master key is used to encrypt your vault entries using authenticated symmetric encryption (libsodium crypto_secretbox). The master key itself is wrapped (re-encrypted) by both:
- a key derived from your login password (so you can unlock your vault by signing in normally), and
- a one-time recovery key shown to you when the vault is first set up (so you can recover access if you forget your password).
4.2 What We Store
We store only:
- The two encrypted copies of your master key (one wrapped by your password, one wrapped by your recovery key).
- The encrypted ciphertext of each vault entry (including the URL/host, username, password, notes, and tags).
- Metadata necessary for the Service to function (entry IDs, timestamps, your user ID).
We do NOT store: your login password, your recovery key, the unwrapped master key, or any plaintext copy of your vault entries.
4.3 What This Means for You
- Even SaveSnippets staff cannot read your vault contents.
- Even a full database compromise would not expose your vault contents in plaintext.
- If you forget your login password AND lose your recovery key, your vault contents are permanently unrecoverable. We have no technical means to assist.
- You can regenerate your recovery key at any time from account settings; doing so invalidates the previous key immediately.
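The wrapping scheme described in Sections 4.1 to 4.3, as an added example using PHP's bundled libsodium extension; it is not SaveSnippets' code. The stored-record layout, the separate salts, the 32-byte random recovery key, and the function names (`kdf`, `seal`, `unseal`, `setupVault`) are assumptions, and the password and vault entry are constructed sample values.

```php
<?php
declare(strict_types=1);
// Added example, not SaveSnippets' code. Names and record layout are assumptions.

function kdf(string $password, string $salt): string {
    // Argon2id (memory-hard) producing a 32-byte crypto_secretbox key.
    return sodium_crypto_pwhash(SODIUM_CRYPTO_SECRETBOX_KEYBYTES, $password, $salt,
        SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE,
        SODIUM_CRYPTO_PWHASH_ALG_ARGON2ID13);
}
function seal(string $plaintext, string $key): string {
    // Fresh random nonce per message, stored in front of the ciphertext.
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    return $nonce . sodium_crypto_secretbox($plaintext, $nonce, $key);
}

function unseal(string $blob, string $key): ?string {
    // Returns null on a wrong key or tampered ciphertext (authentication failure).
    if (strlen($blob) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES + SODIUM_CRYPTO_SECRETBOX_MACBYTES) {
        return null;
    }
    $nonce = substr($blob, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open(substr($blob, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES), $nonce, $key);
    return $plain === false ? null : $plain;
}

function setupVault(string $password): array {
    $master   = kdf($password, random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES));
    $recovery = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES); // shown to the user once
    $wrapSalt = random_bytes(SODIUM_CRYPTO_PWHASH_SALTBYTES);
    $stored = [  // everything the server keeps: salt plus two wrapped copies
        'wrap_salt'           => $wrapSalt,
        'wrapped_by_password' => seal($master, kdf($password, $wrapSalt)),
        'wrapped_by_recovery' => seal($master, $recovery),
    ];
    return [$stored, $master, $recovery];
}

$password = 'constructed-sample-password';                       // constructed input
[$stored, $master, $recovery] = setupVault($password);
$entry = seal('{"host":"db.example.test","username":"ops"}', $master); // constructed entry
sodium_memzero($master);                                         // plaintext key is never stored
$viaPassword = unseal($stored['wrapped_by_password'], kdf($password, $stored['wrap_salt']));
$viaRecovery = unseal($stored['wrapped_by_recovery'], $recovery);
var_dump(unseal($entry, $viaPassword));             // entry decrypts after a normal sign-in
var_dump(hash_equals($viaPassword, $viaRecovery));  // both wraps yield the same master key
var_dump(unseal($stored['wrapped_by_password'], kdf('wrong-guess', $stored['wrap_salt'])));
// Regenerating the recovery key re-wraps the master key; the old key stops working.
$newRecovery = random_bytes(SODIUM_CRYPTO_SECRETBOX_KEYBYTES);
$stored['wrapped_by_recovery'] = seal($viaPassword, $newRecovery);
var_dump(unseal($stored['wrapped_by_recovery'], $recovery));
var_dump(unseal($stored['wrapped_by_recovery'], $newRecovery) === $viaPassword);
```

Because only `$stored` and the sealed entries persist, losing both the password and the recovery key leaves no input from which the master key can be rebuilt.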
5. How We Use Information
We use the personal information we collect to:
- Provide and operate the Services — authenticate you, store and serve your snippets and vault entries, respond to support requests, process transactions, and operate the features you use.
- Maintain and improve the Services — diagnose technical issues, monitor performance, prevent abuse, enforce rate limits, and develop new features.
- Communicate with you — respond to your inquiries, send service-related notices (e.g., security alerts, policy updates, billing receipts), and, where you have opted in, send marketing communications you can unsubscribe from at any time.
- Personalize your experience — remember your preferences (theme, sidebar state, recently viewed items), surface relevant content, and tailor recommendations.
- Protect rights and safety — detect, investigate, and prevent fraud, account takeovers, security incidents, abuse, and violations of our Terms of Service or applicable law.
- Comply with legal obligations — respond to lawful requests, enforce our agreements, and protect our legal rights.
- Aggregate and anonymize — produce de-identified statistics and insights about how the Services are used.
We do not sell your personal information, nor do we use it for purposes incompatible with the purposes described in this Policy without your consent.
6. Cookies & Tracking Technologies
"Cookies" are small text files stored on your device by your web browser. We and our service providers also use related technologies such as web beacons, pixels, local storage, and session storage. Collectively, these are referred to as "tracking technologies."
6.1 Cookies We Use
| Cookie | Type | Purpose | Lifetime |
|---|---|---|---|
| PHPSESSID | Strictly necessary | Server-side session identifier — keeps you signed in. | Session |
| csrf_token | Strictly necessary | Cross-site request forgery protection on form submissions. | Session |
| ss-theme (localStorage) | Functional | Remembers your light/dark theme preference. | Persistent |
| ss-sidebar (localStorage) | Functional | Remembers the collapsed/expanded state of the sidebar. | Persistent |
| __stripe_* | Strictly necessary | Set by Stripe during checkout for fraud prevention. | Up to 1 year |
| __gads, __gpi | Advertising | Set by Google AdSense to serve and measure ads (Free users only). | Up to 13 months |
6.2 Categories
- Strictly necessary — required for the Services to function (session management, authentication, security, CSRF, fraud prevention). These cannot be disabled.
- Functional — remember your preferences (theme, language, recently viewed items) to enhance your experience.
- Advertising & marketing — used by Google AdSense to deliver and measure advertisements for Free-plan and anonymous visitors only. Paid subscribers are not served these cookies.
6.3 Managing Cookies
Most browsers let you refuse or delete cookies through their settings. You can also opt out of certain analytics and advertising cookies through industry tools such as the Digital Advertising Alliance's WebChoices tool (optout.aboutads.info) and the Network Advertising Initiative (optout.networkadvertising.org). Disabling strictly-necessary cookies will prevent the Services from functioning. Upgrading to a paid plan removes advertising cookies entirely.
6.4 Server Logs
Even without cookies, our servers maintain logs of requests for security, abuse prevention, and operational diagnostics. These logs include IP addresses and request metadata and are retained only as long as necessary for these purposes.
8. Sub-Processors
We rely on the following third-party sub-processors to operate the Services. Each is bound by their own privacy commitments, which you can review at the links below.
| Vendor | Purpose | Data Categories |
|---|---|---|
| Stripe, Inc. | Payment processing & subscription billing | Name, email, billing address, card metadata, transaction history |
| Google AdSense | Advertising for Free-plan / anonymous users | IP address, ad-interaction signals, advertising cookies |
| Google Fonts | Web font delivery (Syne, JetBrains Mono) | IP address (request metadata only) |
| Cloudflare (cdnjs) | CSS / icon delivery (Font Awesome) | IP address (request metadata only) |
| Hosting provider | Infrastructure hosting in Texas, United States | All Service data (encrypted at rest where applicable) |
We may update this list as our infrastructure evolves. Material additions will be reflected by an update to the "Last updated" date at the top of this Policy.
9. Third-Party Links & Content
Our Services may contain links to, or embedded content from, third-party websites, services, or applications that are not owned or controlled by SaveSnippets — including links posted within user-created snippets. We do not endorse and are not responsible for the privacy practices, content, products, or services of those third parties. This Policy does not apply to third-party properties. We encourage you to read the privacy policies of any third-party site you visit.
10. Advertising & AdSense
SaveSnippets is supported in part by advertising. Free-plan users and unauthenticated visitors may see ads delivered by Google AdSense. Paid subscribers (Hobby and Indie plans) do not see ads.
Google, as a third-party vendor, uses cookies and similar technologies to serve ads based on a user's prior visits to our Services or other websites. Google's use of advertising cookies enables it and its partners to serve ads to you based on your visit to our Services and/or other sites on the Internet. You may opt out of personalized advertising by visiting Google Ads Settings.
For more information about how Google collects and uses information when you use our Services, see Google's privacy policy at policies.google.com/privacy and "How Google uses information from sites or apps that use our services" at policies.google.com/technologies/partner-sites.
11. Affiliate Disclosures
Certain Services may include affiliate links, sponsored placements, or other commercial relationships. When you click a qualifying affiliate link and complete a purchase or other action, SaveSnippets may receive a commission, referral fee, or other compensation at no additional cost to you.
We disclose material connections as required by the U.S. Federal Trade Commission's "Guides Concerning the Use of Endorsements and Testimonials in Advertising" (16 CFR Part 255). Affiliate relationships do not influence our editorial or product recommendations.
The third-party merchant determines what information is collected when you purchase through an affiliate link, and that purchase is governed by the merchant's own terms and privacy policy.
12. Children's Privacy
The Services are not directed to children under the age of 13 (or 16 in jurisdictions where that higher age applies). We do not knowingly collect personal information from children. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at privacy@savesnippets.com and we will take steps to delete the information from our records.
13. Data Retention
We retain personal information for as long as necessary to fulfill the purposes described in this Policy, including providing the Services, complying with our legal obligations, resolving disputes, and enforcing our agreements. Retention periods depend on the nature of the information:
- Account information — retained for the life of the account plus a reasonable period after closure for backups, audit, and legal compliance.
- Snippets and vault entries — retained for the life of the account; deleted entries are removed from active storage promptly and from backups within our backup-rotation window.
- Support and contact records — retained for our business follow-up window and then archived or deleted on a rolling basis.
- Transaction and billing records — retained as required by applicable tax, accounting, and consumer-protection laws (typically up to seven years).
- Server logs — retained for a short period sufficient for security, abuse prevention, and diagnostic purposes.
- Closed accounts — after account closure, we retain only what is necessary for legitimate operational, legal, or compliance purposes; the rest is deleted or anonymized.
When we no longer need personal information, we will securely delete or anonymize it.
14. Data Security
We implement administrative, technical, and physical safeguards designed to protect personal information from unauthorized access, disclosure, alteration, or destruction. These include:
- Encrypted transport (HTTPS / TLS 1.2+) for all connections.
- Password storage using modern memory-hard hashing (Argon2id or bcrypt at high cost).
- Zero-knowledge encryption for all vault contents (see Section 4).
- Per-account session tokens with HTTP-only, SameSite=Strict cookies.
- CSRF tokens on all state-changing requests.
- Application-level rate limiting and abuse detection.
- Principle-of-least-privilege access controls for production systems.
- Routine security review of our codebase, dependencies, and infrastructure.
No method of transmission over the Internet or method of electronic storage is 100% secure. While we strive to use commercially acceptable means to protect your information, we cannot guarantee its absolute security. You are responsible for keeping your account credentials and recovery key confidential and for any activity occurring under your account.
15. Your Privacy Rights
Depending on your jurisdiction, you may have the following rights regarding your personal information:
- Access — request a copy of the personal information we hold about you.
- Correction — ask us to correct information you believe is inaccurate or incomplete.
- Deletion — request that we delete your personal information, subject to applicable exceptions.
- Portability — receive your personal information (including snippets and vault metadata) in a structured, commonly used, machine-readable format. JSON export is available in-product on paid plans.
- Restriction or objection to certain processing activities.
- Withdrawal of consent where processing is based on your consent.
- Opt out of marketing communications — use the unsubscribe link in any marketing email, or contact us.
- Non-discrimination for exercising your privacy rights.
15.1 California (CCPA / CPRA)
California residents have specific rights under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, including the right to know what personal information is collected, used, shared, or sold; the right to delete personal information; the right to correct inaccurate personal information; the right to opt out of the "sale" or "sharing" of personal information (we do not sell or share personal information as those terms are defined under California law); and the right to limit the use of sensitive personal information. California residents may exercise these rights by contacting us at privacy@savesnippets.com.
15.2 EU / UK (GDPR)
If you are located in the European Economic Area, the United Kingdom, or Switzerland, you have rights under the General Data Protection Regulation and equivalent UK and Swiss laws, including the rights listed above and the right to lodge a complaint with your local supervisory authority. The legal bases on which we rely include performance of a contract, our legitimate interests, your consent, and compliance with legal obligations.
15.3 Other U.S. State Privacy Laws
Residents of other U.S. states with comprehensive privacy laws (including but not limited to Virginia, Colorado, Connecticut, Utah, Texas, Oregon, Montana, and others as enacted) have similar rights. Contact us to exercise them.
15.4 How to Exercise Your Rights
Submit requests to privacy@savesnippets.com. We may need to verify your identity before responding. We will respond within the time required by applicable law (generally 30–45 days). You may use an authorized agent if permitted by law; we may require written authorization and verification.
16. International Data Transfers
SaveSnippets is based in the United States, and our primary infrastructure is hosted in Texas. If you access the Services from outside the United States, your information may be transferred to, stored, and processed in the United States or other countries where our service providers operate. Data-protection laws in those countries may differ from those in your jurisdiction. Where required by law, we implement appropriate safeguards (such as Standard Contractual Clauses) for such transfers.
17. Do Not Track & Global Privacy Control
Some browsers transmit a "Do Not Track" (DNT) signal. There is no consistent industry standard for how to respond to these signals, and we do not currently change our practices in response to DNT. Where required by law (for example, the Global Privacy Control signal in California), we honor recognized opt-out signals.
18. Changes to This Policy
We may update this Policy from time to time to reflect changes in our practices, technology, legal requirements, or other reasons. When we make material changes, we will update the "Last updated" date and, where appropriate, notify you through the Services or by email to your account address. Your continued use of the Services after the changes take effect constitutes your acceptance of the updated Policy.
19. Contact Us
If you have questions about this Policy or our privacy practices, contact us at: