SnappiSnappiBack to home

Last updated · 22 May 2026

Privacy Policy

This policy explains what data Snappi collects, why we collect it, where it lives, and the rights you have over it. Plain English, no dark patterns.

1. Who we are

Snappi (“we”, “our”) is a work-management SaaS operated from Colombo, Sri Lanka. Contact: [email protected].

2. What we collect

  • Account data — email address (required), display name and avatar URL (from OAuth, optional).
  • Workspace content — boards, items, comments, attachments that you choose to create or upload.
  • Authentication artefacts — short-lived magic-link tokens, hashed session IDs, OAuth state & PKCE values.
  • Operational logs — request method, status, timestamp, and Cloudflare edge metadata for security and reliability. Retained for 30 days.
  • Activity audit — who changed which item, when. Stored per workspace.
  • Connected calendar data (only if you connect a calendar) — see “Google Calendar integration” below for the exact scopes, what we cache, and how to revoke.

We do not collect: ad-tracking identifiers, third-party cookies, location data, biometric data, payment information (no paid tier yet).

3. Why we collect it

  • Sign you in (sessions, magic links).
  • Render and sync the boards, items, and comments you create.
  • Send service-related email (sign-in links, account notifications).
  • Detect abuse and rate-limit (anti-spam, anti-brute-force).
  • Comply with legal obligations where applicable.

We do not sell personal data, share it with advertisers, or use it to train third-party AI models without your consent.

4. Where it lives

  • Cloudflare Pages, D1, R2, KV — edge runtime, global. Cloudflare is a SOC 2 Type II-attested infrastructure provider.
  • Neon Postgres — primary relational data, AWS region ap-southeast-1 (Singapore).
  • Resend — outbound transactional email only (sign-in links). No marketing lists.
  • Google OAuth (sign-in) — if you use “Continue with Google”, Google authenticates you and shares your email + name + avatar with us. Scopes requested: openid email profile.
  • Google Calendar (optional integration) — see “Google Calendar integration” below.

4a. Google Calendar integration

Connecting Google Calendar from Settings → Integrations is entirely optional. If you connect it, the following applies:

  • Scopes we requesthttps://www.googleapis.com/auth/calendar.events and https://www.googleapis.com/auth/calendar.readonly (plus openid email profile). These let us read your events, create new events on your calendar (with Google Meet links you opt-in to), and look up free/busy windows.
  • What we do with that data
    • Cache your events in our database so the in-app calendar view loads quickly and shows events without round-tripping Google on every page load.
    • Create events you explicitly schedule from inside Snappi (a meeting modal, a task with a date, etc.), including auto-provisioned Google Meet links when you tick “Add Google Meet”.
    • Look up free/busy information for workspace members who have also connected their own Google account, so the meeting modal can suggest times when everyone is mutually free. Free/busy data is computed transiently — we do not store other members’ busy intervals on disk.
  • What we do not do — we do not sell, share, transfer, or otherwise disclose Google user data; do not use it for advertising; do not use it to train AI or machine-learning models; do not allow other Snappi users to read your event titles, descriptions, or attendee lists; do not access Gmail, Drive, Contacts, or any other Google service.
  • How tokens are stored — OAuth access tokens and refresh tokens are encrypted at rest using AES-GCM with a key held in Cloudflare Secrets Store. The encryption key never leaves the runtime.
  • How to revoke — click Disconnect on Settings → Integrations. This deletes your tokens and all cached events from Snappi within minutes. You can also revoke from your Google Account at myaccount.google.com/permissions; doing so causes our next sync to fail and self-mark the connection as requiring re-auth, after which cached data is purged on disconnect or within 30 days.
  • Policy compliance — Snappi’s use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements.

5. Cookies

We set one functional cookie:

  • __snappi_session — random session identifier, HttpOnly, Secure, SameSite=Lax, 30-day rolling expiry. No tracking.

Two short-lived OAuth cookies (__snappi_oauth_state, __snappi_oauth_pkce) exist only during a sign-in round-trip and are deleted immediately after.

6. Your rights

Regardless of jurisdiction, you can:

  • Access your data — request a copy at the contact email.
  • Correct inaccurate data — edit in-app or email us.
  • Delete your account and all associated data — email us; we’ll process within 30 days.
  • Export your data in a portable format (JSON).
  • Withdraw consent for any optional processing.

7. Data retention

  • Account + workspace data: kept while your account is active. Deleted within 30 days of account deletion.
  • Operational logs: 30 days.
  • Magic-link tokens: 15 minutes (single-use, then deleted).

8. Children

Snappi is not directed at children under 16. We do not knowingly collect data from minors.

9. Changes

If we change this policy materially, we’ll notify all account holders by email at least 14 days before the change takes effect.

10. Contact

Questions, requests, or complaints: [email protected].