This Privacy Policy describes how OceanWeb Technologies s. r. o., registered office Jána Hollého 738/99, 071 01 Michalovce, Slovak Republic, Company ID (IČO) 54 805 317, Tax ID (DIČ) 2121793344, VAT ID (IČ DPH) SK2121793344 (under § 7), registered in the Commercial Register of the Municipal Court Košice, section Sro, insert no. 54822/V (“we” or the “Operator”), processes personal data in connection with operating the snapio.sk website and providing the Snapio service.
We process personal data in accordance with Regulation (EU) 2016/679 (GDPR), Act No. 18/2018 Coll. on the protection of personal data, and Act No. 452/2021 Coll. on electronic communications.
The Slovak version is authoritative. For questions contact info@snapio.sk.
1 Categories of personal data
1.1 In providing the service we process the following categories of personal data:
User and visitor data
- identification and contact data: name, business name, registered office address, email, phone;
- billing data: Company ID, Tax ID, VAT ID, payment data (processed by Stripe — we do not store full card numbers);
- login data: email and password hash;
- technical data: IP address, device type, browser, language preferences, login and activity logs;
- communication content: content of emails and messages sent via the contact form or to info@snapio.sk.
Data about the user’s clients and vendors
1.2 For invoicing and document scanning we process personal data of third parties (name, address, email, phone, Company/Tax IDs, invoicing data and similar). We process this data on behalf of the user as a processor under Art. 28 GDPR.
Document content
1.3 The service processes documents created or uploaded by the user (invoices, expenses, bank statements, contacts, scanned documents, emails received at the inbox address). These documents may contain personal data to the extent required for accounting and tax records.
2 Purposes and legal bases
2.1 We process personal data on the following legal bases:
Performance of a contract (Art. 6(1)(b) GDPR)
- user registration and account management;
- providing the service in the scope purchased;
- invoicing and payment processing;
- service-related communication (outage notices, amendments to Terms);
- processing personal data of the user’s clients and vendors as a processor.
Legal obligation (Art. 6(1)(c) GDPR)
- issuing and retaining tax records under § 35 Act No. 431/2002 Coll.;
- compliance with Act No. 222/2004 Coll. on VAT;
- compliance with lawful requests from public authorities.
Legitimate interests (Art. 6(1)(f) GDPR)
- service security and fraud prevention (login logs, anomaly detection);
- technical and product analytics to improve the service (aggregate pseudonymised data);
- debt collection and defence of legal claims;
- direct marketing to existing customers about similar services under § 116(14) Act No. 452/2021 Coll. (users may object at any time, free of charge, at info@snapio.sk).
Consent (Art. 6(1)(a) GDPR)
- marketing communication outside the scope of legitimate interests (e.g. newsletters for non-customers);
- non-essential cookies (analytics, marketing);
- any use of document content to improve Snapio AI models (collected separately and voluntarily).
2.2 Providing the data listed in the registration form is a contractual and legal obligation. Without it we cannot conclude a service agreement or issue an invoice.
3 Retention periods
3.1 We retain personal data only for as long as necessary for the purpose:
- user account data: duration of the contract + 14-day grace period;
- accounting records: 10 years from the end of the accounting period (§ 35 Act No. 431/2002 Coll.);
- tax records: the period prescribed by tax law, typically 10 years;
- support correspondence: 3 years from the last interaction;
- logs and security records: 12 months;
- technical web analytics: 14 months;
- marketing consents: 3 years from granting or until withdrawn, whichever is earlier;
- records of data-subject requests: 3 years after handling.
3.2 Upon expiry we securely delete or anonymise personal data, except for data we must continue to retain by law.
4 Our role in processing
4.1 Regarding user data (registration, billing, contact data of the user) we are the data controller.
4.2 Regarding personal data of the user’s clients and vendors that the user stores in the service for their own invoicing and record keeping, we are a processor under Art. 28 GDPR; the user is the controller. This Policy, or a separate written agreement concluded at the user’s request, serves as the data processing agreement under Art. 28(3) GDPR.
4.3 As a processor we act only on documented instructions from the user, commit to confidentiality, and implement appropriate technical and organisational measures.
5 Recipients and sub-processors
5.1 We do not share personal data with third parties except with the following sub-processors, chosen with care and contractually bound to protect your data at the same standard:
- hosting and infrastructure: certified data centre in Vienna, Austria — all data stays within the EU;
- payment gateway: Stripe Payments Europe, Limited (Ireland) — card processing;
- transactional email: an SMTP provider based in the EU;
- customer support tooling: email correspondence is handled on the Operator’s own infrastructure;
- service analytics: internal pseudonymised aggregates; where third-party tools are used (e.g. Matomo, Plausible) they are configured without storing personal data or with IP anonymisation;
- external accountant: billing data for bookkeeping purposes, subject to confidentiality.
5.2 A current list of sub-processors is available on request. We will inform users before engaging a new sub-processor that will process personal data of the user’s clients.
6 Transfers outside the EU
6.1 We primarily process data inside the EU/EEA. If any sub-processor (e.g. the payment provider) transfers data outside the EU (in particular to the US), such transfers are secured by appropriate safeguards:
- European Commission adequacy decision (e.g. EU–US Data Privacy Framework);
- Standard Contractual Clauses approved by the European Commission;
- Binding Corporate Rules.
7 Your rights
7.1 Under GDPR and Act No. 18/2018 Coll. you have the following rights regarding your personal data:
- right of access — to confirm processing and obtain a copy of the data (Art. 15);
- right to rectification — correction of inaccurate data and completion of incomplete data (Art. 16);
- right to erasure (“right to be forgotten”) — where the purpose has ceased or consent is withdrawn (Art. 17);
- right to restriction of processing (Art. 18);
- right to data portability — receive data in a structured, machine-readable format (Art. 20);
- right to object, including direct marketing (Art. 21);
- right to withdraw consent at any time, without affecting the lawfulness of processing up to the withdrawal;
- right to lodge a complaint with the supervisory authority — Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava (www.dataprotection.gov.sk).
7.2 You may exercise your rights by emailing info@snapio.sk or in writing to our registered office. We will respond without undue delay and within 30 days at the latest. For more complex requests we may extend this period by two further months, of which we will inform you.
8 Cookies and similar technologies
8.1 Our websites use cookies and similar technologies to provide core functionality, improve usability and analyse traffic.
8.2 Categories:
- essential (technical) — required for the website or app to work (e.g. session cookies for login); consent not required;
- analytics — help us understand how visitors use the site; used only with consent, except where data is anonymised and collected locally without third-party transfer;
- marketing — used for targeted advertising; used only with consent.
8.3 You may grant or withdraw consent for analytics and marketing cookies at any time via the cookie settings in the footer. Essential cookies cannot be disabled without impacting functionality.
9 Security of processing
9.1 We have implemented appropriate technical and organisational measures to protect personal data against unauthorised access, loss, destruction or alteration, including:
- encryption in transit (TLS 1.3 or newer);
- encryption at rest;
- password hashing with modern algorithms (bcrypt or argon2);
- daily automated backups stored in a geographically separated location;
- least-privilege staff access control;
- regular security reviews and penetration tests;
- access logging on production systems.
9.2 In the event of a personal data breach likely to result in a high risk to the rights of affected individuals we will notify the affected users without undue delay and fulfil the supervisory notification duty under Articles 33 and 34 GDPR.
10 Children
10.1 The service is intended solely for persons aged 18 and over. We do not knowingly collect personal data of children. If we learn that we have obtained data of a child under 16, we will delete it without undue delay.
11 Changes to this Policy
11.1 We may update this Policy, notably to reflect changes in our processes, technology or applicable law. The current version is always published at snapio.sk/en/legal/privacy.
11.2 We will notify you at least 30 days before a material change takes effect, by email or in the user account.
12 Contact
12.1 For any questions about the processing of your personal data or to exercise your rights under this Policy, contact us at info@snapio.sk or at our registered office: OceanWeb Technologies s. r. o., Jána Hollého 738/99, 071 01 Michalovce, Slovak Republic.
12.2 You also have the right to lodge a complaint with the supervisory authority — Office for Personal Data Protection of the Slovak Republic, Hraničná 12, 820 07 Bratislava, www.dataprotection.gov.sk.