Last updated · 22 May 2026

Privacy Policy

This policy explains what data Snappi collects, why we collect it, where it lives, and the rights you have over it. Plain English, no dark patterns.

1. Who we are

Snappi (“we”, “our”) is a work-management SaaS operated from Colombo, Sri Lanka. Contact: [email protected].

2. What we collect

  • Account data — email address (required), display name and avatar URL (from OAuth, optional).
  • Workspace content — boards, items, comments, attachments that you choose to create or upload.
  • Authentication artefacts — short-lived magic-link tokens, hashed session IDs, OAuth state & PKCE values.
  • Operational logs — request method, status, timestamp, and Cloudflare edge metadata for security and reliability. Retained for 30 days.
  • Activity audit — who changed which item, when. Stored per workspace.

We do not collect: ad-tracking identifiers, third-party cookies, location data, biometric data, payment information (no paid tier yet).

3. Why we collect it

  • Sign you in (sessions, magic links).
  • Render and sync the boards, items, and comments you create.
  • Send service-related email (sign-in links, account notifications).
  • Detect abuse and rate-limit (anti-spam, anti-brute-force).
  • Comply with legal obligations where applicable.

We do not sell personal data, share it with advertisers, or use it to train third-party AI models without your consent.

4. Where it lives

  • Cloudflare Pages, D1, R2, KV — edge runtime, global. Cloudflare is a SOC 2 Type II-attested infrastructure provider.
  • Neon Postgres — primary relational data, AWS region ap-southeast-1 (Singapore).
  • Resend — outbound transactional email only (sign-in links). No marketing lists.
  • Google OAuth — if you use “Continue with Google”, Google authenticates you and shares your email + name + avatar with us. Scopes requested: openid email profile. We never request Gmail, Drive, Calendar, or any sensitive scope.

5. Cookies

We set one functional cookie:

  • __snappi_session — random session identifier, HttpOnly, Secure, SameSite=Lax, 30-day rolling expiry. No tracking.

Two short-lived OAuth cookies (__snappi_oauth_state, __snappi_oauth_pkce) exist only during a sign-in round-trip and are deleted immediately after.

6. Your rights

Regardless of jurisdiction, you can:

  • Access your data — request a copy at the contact email.
  • Correct inaccurate data — edit in-app or email us.
  • Delete your account and all associated data — email us; we’ll process within 30 days.
  • Export your data in a portable format (JSON).
  • Withdraw consent for any optional processing.

7. Data retention

  • Account + workspace data: kept while your account is active. Deleted within 30 days of account deletion.
  • Operational logs: 30 days.
  • Magic-link tokens: 15 minutes (single-use, then deleted).

8. Children

Snappi is not directed at children under 16. We do not knowingly collect data from minors.

9. Changes

If we change this policy materially, we’ll notify all account holders by email at least 14 days before the change takes effect.

10. Contact

Questions, requests, or complaints: [email protected].