
GDPR Compliance and Privacy in ProofSnap

Privacy Team · November 15, 2025

Our Privacy-First Philosophy

At ProofSnap, privacy isn't an afterthought—it's foundational to our architecture. We believe that capturing digital evidence shouldn't require sacrificing your privacy or uploading sensitive data to unknown servers.

Core Principle: Your evidence stays on your device. ProofSnap operates entirely locally in your browser. We don't see your captures, we don't store your data, and we can't access your evidence.

How ProofSnap Protects Your Privacy

🔒 Local-First Architecture

All capture, processing, and signature generation happens entirely on your device. Your evidence never touches our servers—or any servers.

🚫 Zero Data Collection

We don't collect analytics, telemetry, usage data, or any personal information. What you capture is yours alone.

🔐 Client-Side Encryption

Your private keys are generated and stored locally on your device, encrypted with your browser's security mechanisms.

⛓️ Blockchain Privacy

Only cryptographic hashes are timestamped on the blockchain—not your actual evidence. The blockchain proves "when" without revealing "what."

GDPR Compliance in Detail

The General Data Protection Regulation (GDPR) sets strict requirements for how companies handle EU citizens' personal data. ProofSnap's architecture makes GDPR compliance straightforward:

Article 5: Principles of Data Processing

Lawfulness, Fairness, and Transparency

  • No hidden data collection: ProofSnap doesn't process your personal data
  • Open source verification: Our cryptographic methods are transparent and auditable
  • Clear privacy policy: We document exactly what happens to your data (nothing)

Purpose Limitation

  • ProofSnap has one purpose: capturing and timestamping web evidence locally
  • No data is collected for marketing, analytics, or any other purpose
  • The Chrome extension only requests necessary permissions

Data Minimization

  • We collect zero personal data—the ultimate minimization
  • Only essential technical data is captured (URLs, timestamps, page content)
  • No tracking pixels, cookies, or identifiers

Accuracy

  • Cryptographic signatures ensure data accuracy
  • Blockchain timestamps provide irrefutable time accuracy
  • Captured content is preserved exactly as rendered

Storage Limitation

  • Evidence is stored only on your local device
  • You control retention periods
  • Delete evidence packages anytime without our involvement

Integrity and Confidentiality

  • RSA-2048 signatures protect integrity
  • Evidence remains on your device (maximum confidentiality)
  • Optional password protection for sensitive cases

Article 6: Lawful Basis for Processing

ProofSnap doesn't process personal data, so no lawful basis is required. However, if you capture evidence containing personal data of others, you must have a lawful basis:

  • Legitimate interests: Legal proceedings, investigations
  • Legal obligation: Compliance requirements
  • Public interest: Journalism, research

Articles 15-22: Data Subject Rights

Since ProofSnap doesn't hold your data, these rights are automatically satisfied:

  • Right to access: You have complete access to your local evidence
  • Right to rectification: Not applicable (we don't store data)
  • Right to erasure: Delete files locally anytime
  • Right to data portability: Your evidence is already in standard formats (ZIP, PDF, JSON)
  • Right to object: Not applicable (no processing occurs)

Article 32: Security of Processing

ProofSnap implements strong security measures:

  • Cryptography: RSA-2048 for signatures, AES-256 for optional file encryption
  • Pseudonymization: Blockchain hashes pseudonymize evidence content
  • Integrity: Cryptographic signatures detect any tampering
  • Confidentiality: Local-only storage ensures maximum confidentiality

Other Privacy Regulations

CCPA (California Consumer Privacy Act)

ProofSnap's local-first architecture makes CCPA compliance automatic:

  • No sale of personal information: We don't have it to sell
  • No sharing with third parties: Everything stays local
  • Right to deletion: Delete locally anytime
  • Right to know: Complete transparency about data handling

UK GDPR

Post-Brexit UK GDPR maintains similar principles to EU GDPR. ProofSnap's compliance approach works identically.

Other Jurisdictions

ProofSnap's privacy-first design complies with most privacy regulations worldwide, including:

  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
  • LGPD (Brazil): Lei Geral de Proteção de Dados
  • PDPA (Singapore): Personal Data Protection Act
  • Privacy Act (Australia): Australian Privacy Principles

Your Responsibilities as a User

While ProofSnap protects your privacy, you have responsibilities when capturing evidence containing others' personal data:

Lawful Basis

Ensure you have a lawful basis to capture evidence:

  • Legal proceedings: Evidence for court cases
  • Legitimate interest: Protecting your rights or investigating fraud
  • Public interest: Journalism or academic research
  • Consent: If required by circumstances

Data Subject Rights

If you capture evidence containing others' data:

  • Individuals may request access to their data
  • You may need to provide copies or allow deletion
  • Document your legal basis for collection
  • Implement appropriate security measures

Special Category Data

Extra care is required for sensitive data (health, race, political views, etc.):

  • Higher bar for lawful basis
  • Enhanced security measures recommended
  • Consider redaction of unnecessary sensitive information
  • Consult legal counsel for high-risk situations

Technical Privacy Features

Minimal Permissions

ProofSnap requests only essential Chrome extension permissions:

  • activeTab: Access the current tab for capture (only when you click the button)
  • storage: Save settings locally in your browser
  • downloads: Save evidence packages to your computer

We do NOT request: browsing history, bookmarks, cookies, or access to all websites.
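
The permission claims above can be checked against any extension's manifest.json. The following is an added example, not ProofSnap's own code: auditManifest and isBroadHost are hypothetical names, the sample manifest and the calendar.example host are constructed, and the check goes slightly beyond the list above by also covering optional permissions, host patterns and content-script matches, which can grant site access without appearing under "permissions".

```javascript
// Added example, not ProofSnap code. Allow/deny lists come from the page's
// permission claims; the sample manifest below is constructed.
const ALLOWED = new Set(["activeTab", "storage", "downloads"]);
// Chrome permission names for what the page says is NOT requested.
const DENIED = new Set(["history", "bookmarks", "cookies"]);

// True for match patterns that grant access to every website.
function isBroadHost(pattern) {
  return pattern === "<all_urls>" || /^(\*|https?):\/\/\*\//.test(pattern);
}

function auditManifest(manifest) {
  const findings = [];
  const apiPerms = [
    ...(manifest.permissions || []),
    ...(manifest.optional_permissions || []),
  ];
  const hosts = [
    ...(manifest.host_permissions || []),
    ...(manifest.optional_host_permissions || []),
    ...(manifest.content_scripts || []).flatMap((cs) => cs.matches || []),
  ];
  for (const p of apiPerms) {
    if (p === "<all_urls>" || p.includes("://")) {
      hosts.push(p); // Manifest V2 mixes host patterns into "permissions"
    } else if (DENIED.has(p)) {
      findings.push(`VIOLATION: requests "${p}", which the page says is not requested`);
    } else if (!ALLOWED.has(p)) {
      findings.push(`VIOLATION: "${p}" is not one of the three listed permissions`);
    }
  }
  for (const h of hosts) {
    findings.push(isBroadHost(h)
      ? `VIOLATION: "${h}" grants access to all websites`
      : `REVIEW: host access to "${h}"`);
  }
  return findings;
}

// Constructed manifest: two violations and one host entry to review.
const sample = {
  manifest_version: 3,
  permissions: ["activeTab", "storage", "downloads", "cookies"],
  host_permissions: ["https://calendar.example/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["inject.js"] }],
};
console.log(auditManifest(sample).join("\n"));
```

A REVIEW finding is not a failure by itself: an extension that submits hashes to a timestamping server may legitimately need host access to that one origin.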

No External Connections

ProofSnap keeps network requests to a minimum, and none of them carry your evidence:

  • OpenTimestamps servers: Only to submit cryptographic hashes (not your evidence)
  • Bitcoin blockchain: Only hash data is anchored (via OpenTimestamps)
  • No analytics services: No Google Analytics, Mixpanel, etc.
  • No advertising networks: No tracking pixels or ad services

Audit Trail Privacy

ProofSnap v2.0 includes optional local audit logging:

  • Logs are stored only on your device
  • No remote logging or telemetry
  • You control what's logged and retention period
  • Logs can be encrypted for sensitive cases

Enterprise Privacy Considerations

Data Processing Agreements

Organizations using ProofSnap don't need Data Processing Agreements (DPAs) with us because:

  • We never act as a data processor
  • Evidence never leaves your organization's control
  • No sub-processors are involved

Data Residency

Evidence resides entirely on your organization's devices and networks. You control:

  • Where evidence is stored (which devices/servers)
  • Whether data crosses borders
  • Who has access within your organization
  • Retention and deletion policies

Breach Notification

Since ProofSnap doesn't process or store data, we cannot experience a data breach affecting your evidence. You maintain full control over breach prevention and notification.

Privacy by Design Principles

ProofSnap embodies the seven principles of Privacy by Design:

  1. Proactive not reactive: Built from the ground up with privacy
  2. Privacy as default: Maximum privacy with no configuration needed
  3. Privacy embedded: Architecture inherently protects privacy
  4. Full functionality: Privacy without sacrificing features
  5. End-to-end security: Protection throughout entire evidence lifecycle
  6. Visibility and transparency: Open about our privacy practices
  7. User-centric: You control your evidence and privacy

Frequently Asked Questions

Can ProofSnap see my captured evidence?

No. ProofSnap operates entirely locally on your device. We have no servers that store or process your evidence. It's technically impossible for us to access your captures.

What happens to evidence stored on blockchain?

Only a cryptographic hash (fingerprint) of your evidence is stored on the Bitcoin blockchain via OpenTimestamps. The actual evidence content is never uploaded. The content cannot be recovered from the hash; the hash only lets someone who already holds the same file confirm that it matches.

Do you share data with third parties?

We have no data to share. The only external service we use is OpenTimestamps for blockchain timestamping, which receives only cryptographic hashes—not your evidence.

Can law enforcement request my evidence?

Law enforcement cannot request evidence from us because we don't have it. Your evidence exists only on your device. Any legal requests would need to be directed to you or your organization.

What if I capture someone else's personal data?

You become the data controller for that information. Ensure you have a lawful basis for collection (legal proceedings, legitimate interest, etc.) and comply with applicable privacy regulations.

Is ProofSnap HIPAA compliant?

ProofSnap's local-first architecture means we're not a HIPAA "covered entity" or "business associate." However, if you capture protected health information (PHI), you must follow HIPAA requirements for securing and handling that data.

Transparency Reports

We publish annual transparency reports documenting any government requests or legal demands. To date:

  • Government data requests: 0 (we have no data to provide)
  • Law enforcement inquiries: 0
  • National security letters: 0
  • Data breaches: 0 (nothing to breach)

Commitment to Privacy

Privacy isn't a marketing claim for ProofSnap—it's our fundamental architecture. We believe that capturing digital evidence shouldn't require trusting a third party with sensitive data.

Our local-first, zero-data-collection approach means we simply cannot violate your privacy, even if compelled by government requests. Your evidence is yours alone.

Questions about privacy? Contact our privacy team at privacy@getproofsnap.com. We're happy to discuss our privacy practices in detail or help organizations understand their compliance obligations when using ProofSnap.
