GDPR Compliance and Privacy in ProofSnap

Privacy Team 7 min read

Quick Answer: Is ProofSnap GDPR Compliant?

Yes. ProofSnap uses a local-first, zero-knowledge architecture for evidence capture — all screenshots, HTML, metadata, and cryptographic signing happen entirely on your device. We never see, store, or transmit your evidence. Only cryptographic hashes (not evidence content) are sent for blockchain timestamping. For account management, we collect minimal data (email, payment via Stripe, Firebase authentication) as described in our Privacy Policy. This architecture satisfies GDPR requirements for evidence processing, while account data is handled in compliance with Articles 5, 6, and 15-22.

Our Privacy-First Philosophy

At ProofSnap, privacy isn't an afterthought — it's foundational to our architecture. We believe that capturing digital evidence shouldn't require sacrificing your privacy or uploading sensitive data to unknown servers.

Core Principle: Your evidence stays on your device. ProofSnap's evidence capture operates entirely locally in your browser — we never see your captures, store your evidence, or access your screenshots. For account and billing purposes, we collect only your email and process payments via Stripe, as detailed in our Privacy Policy.

How ProofSnap Protects Your Privacy

Local-First Architecture

All capture, processing, and signature generation happen entirely on your device. Your evidence never touches our servers — or any servers.

Zero Evidence Data Collection

Your captured evidence (screenshots, HTML, metadata) never leaves your device. We collect only minimal account data (email, authentication) for service operation — no evidence content, no captured pages, no screenshots.

Client-Side Encryption

Your private keys are generated and stored locally on your device, protected by your browser's built-in security mechanisms.

Blockchain Privacy

Only cryptographic hashes are timestamped on the blockchain — not your actual evidence. The blockchain proves “when” without revealing “what.”

GDPR Compliance in Detail

What is GDPR?

GDPR (General Data Protection Regulation, EU 2016/679) is the European Union's comprehensive data protection law that came into effect on May 25, 2018. It applies to any organization processing personal data of EU residents, regardless of where the organization is located. GDPR establishes rights for data subjects (access, erasure, portability) and obligations for data controllers (lawful basis, purpose limitation, data minimization).

The General Data Protection Regulation (GDPR) sets strict requirements for how organizations handle the personal data of EU residents. ProofSnap's architecture makes GDPR compliance straightforward:

For a deeper look at how cryptographic proofs work in evidence capture, see our guide on smart contracts and blockchain chain of custody. For questions about whether digital evidence holds up in legal proceedings, read Are Screenshots Admissible in Court?

Article 5: Principles of Data Processing

Lawfulness, Fairness, and Transparency

  • No hidden data collection: ProofSnap doesn't process your evidence data — account data (email, auth) is clearly disclosed in our Privacy Policy
  • Verifiable cryptography: Our cryptographic methods (SHA-256, RSA-2048, OpenTimestamps) are based on open standards and independently auditable
  • Clear privacy policy: We document exactly what data we collect, how we use it, and your rights

Purpose Limitation

  • ProofSnap has one purpose: capturing and timestamping web evidence locally
  • Account data is collected solely for authentication and billing — not for marketing or profiling
  • The Chrome extension only requests necessary permissions

Data Minimization

  • We collect zero evidence data — your captures stay entirely on your device
  • Account data is limited to the minimum necessary: email address and encrypted credentials (via Firebase), payment processing (via Stripe)
  • You can opt out of website analytics; no tracking occurs within the extension itself

Accuracy

  • Cryptographic signatures ensure captured data has not been altered
  • Blockchain timestamps provide verifiable, tamper-proof time accuracy
  • Captured content is preserved exactly as rendered

Storage Limitation

  • Evidence is stored only on your local device
  • You control retention periods
  • Delete evidence packages anytime without our involvement

Integrity and Confidentiality

  • RSA-2048 digital signatures protect integrity
  • Evidence remains on your device (maximum confidentiality)
  • Optional password protection for sensitive cases

Article 6: Lawful Basis for Processing

ProofSnap doesn't process your evidence data on our servers. For account and billing data, our lawful bases are:

  • Contract performance (Art. 6(1)(b)): Processing email and payment data is necessary to provide the service you subscribed to
  • Legitimate interests (Art. 6(1)(f)): Fraud prevention and service security

If you capture evidence containing personal data of others, you must have a lawful basis as the data controller for that content:

  • Legitimate interests: Legal proceedings, investigations
  • Legal obligation: Compliance requirements
  • Public interest: Journalism, research

Articles 15–22: Data Subject Rights

For your evidence data, these rights are automatically satisfied since all evidence stays on your device. For your account data, we fully support your GDPR rights:

  • Right to access (Art. 15): You can access your local evidence anytime. For account data, contact support@getproofsnap.com to request a copy
  • Right to rectification (Art. 16): You can update your account email and credentials through the extension settings
  • Right to erasure (Art. 17): Delete local evidence anytime. Delete your account to have all personal data removed from our systems within 30 days
  • Right to data portability (Art. 20): Evidence is already in standard formats (ZIP, PDF, JSON). Account data can be exported on request
  • Right to object (Art. 21): You may opt out of non-essential analytics through extension settings

Article 32: Security of Processing

ProofSnap implements strong security measures:

  • Digital signatures: RSA-2048 signatures ensure evidence authenticity and detect tampering
  • Encryption: TLS 1.3 for data in transit, AES-256 for account data at rest
  • Pseudonymization: Only cryptographic hashes (SHA-256) are submitted for blockchain timestamping — not the evidence itself
  • Confidentiality: Evidence stored locally on your device ensures maximum confidentiality

Other Privacy Regulations

CCPA (California Consumer Privacy Act)

ProofSnap's local-first architecture makes CCPA compliance automatic:

  • No sale of personal information: We do not sell any user data
  • No sharing of evidence with third parties: All evidence stays on your device
  • Right to deletion: Delete local evidence anytime; delete your account to remove all personal data
  • Right to know: Full transparency about data handling in our Privacy Policy

UK GDPR

The post-Brexit UK GDPR maintains similar principles to EU GDPR. ProofSnap's compliance approach applies identically.

Other Jurisdictions

ProofSnap's privacy-first design complies with most privacy regulations worldwide, including:

  • PIPEDA (Canada): Personal Information Protection and Electronic Documents Act
  • LGPD (Brazil): Lei Geral de Proteção de Dados
  • PDPA (Singapore): Personal Data Protection Act
  • Privacy Act (Australia): Australian Privacy Principles

Your Responsibilities as a User

While ProofSnap protects your privacy, you have responsibilities when capturing evidence containing others' personal data:

Lawful Basis

Ensure you have a lawful basis to capture evidence. For guidance on how courts evaluate digital evidence, see our complete legal admissibility guide.

  • Legal proceedings: Evidence for court cases
  • Legitimate interest: Protecting your rights or investigating fraud
  • Public interest: Journalism or academic research
  • Consent: If required by circumstances

Data Subject Rights

If you capture evidence containing others' data:

  • Individuals may request access to their data
  • You may need to provide copies or allow deletion
  • Document your legal basis for collection
  • Implement appropriate security measures

Special Category Data

Extra care is required for special category data (health, racial or ethnic origin, political opinions, etc.):

  • A higher bar for establishing a lawful basis
  • Enhanced security measures recommended
  • Consider redaction of unnecessary sensitive information
  • Consult legal counsel for high-risk situations

Technical Privacy Features

Minimal Permissions

ProofSnap requests only essential Chrome extension permissions:

  • activeTab: Access the current tab for capture (only when you initiate a capture)
  • storage: Save settings locally in your browser
  • downloads: Save evidence packages to your computer

We do NOT request: browsing history, bookmarks, cookies, or access to all websites.
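The permission list above can be checked against an installed extension's manifest.json. The following is an added example, not ProofSnap's own code: it flags anything beyond the three permissions listed, treats the Chrome permission names `history`, `bookmarks` and `cookies` and any all-sites match pattern as contradicting the statement above, and runs on two constructed manifests (the function names and sample manifests are assumptions, not taken from the extension).

```javascript
// Permissions the page says the extension requests.
const DECLARED = new Set(["activeTab", "storage", "downloads"]);
// Chrome permission names for what the page says is NOT requested.
const DISCLAIMED = new Set(["history", "bookmarks", "cookies"]);

const isHostPattern = (s) => s === "<all_urls>" || s.includes("://");

// A match pattern means "all websites" when it is <all_urls> or its host is a bare "*".
function isBroadHost(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^[^:]+:\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[1] === "*";
}

function auditManifest(manifest) {
  const findings = [];
  const add = (severity, field, value, reason) =>
    findings.push({ severity, field, value, reason });
  const checkHost = (field, p) =>
    isBroadHost(p)
      ? add("high", field, p, "grants access to all websites")
      : add("review", field, p, "standing host access beyond activeTab");

  // Manifest V2 mixes host patterns into "permissions"; V3 splits them out.
  for (const field of ["permissions", "optional_permissions"]) {
    for (const p of manifest[field] || []) {
      if (isHostPattern(p)) checkHost(field, p);
      else if (DISCLAIMED.has(p)) add("high", field, p, "page says this is not requested");
      else if (!DECLARED.has(p)) add("review", field, p, "not in the page's permission list");
    }
  }
  for (const field of ["host_permissions", "optional_host_permissions"])
    for (const p of manifest[field] || []) checkHost(field, p);
  // Content scripts are injected on every matching page without a user gesture.
  for (const cs of manifest.content_scripts || [])
    for (const p of cs.matches || []) checkHost("content_scripts.matches", p);
  return findings;
}

// Constructed manifests for illustration (not ProofSnap's real manifest.json).
const MATCHES_PAGE = { manifest_version: 3, permissions: ["activeTab", "storage", "downloads"] };
const DRIFTED = {
  manifest_version: 3,
  permissions: ["activeTab", "storage", "downloads", "cookies", "tabs"],
  optional_permissions: ["history"],
  host_permissions: ["https://*/*"],
  content_scripts: [{ matches: ["<all_urls>"], js: ["content.js"] }],
};
console.log(auditManifest(MATCHES_PAGE), auditManifest(DRIFTED));
```

Re-running the check after each extension update shows whether a new version has widened its access.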

Minimal External Connections

The ProofSnap extension makes only essential network requests:

  • OpenTimestamps servers: Only to submit cryptographic hashes (not your evidence content)
  • Bitcoin blockchain: Only hash data is anchored (via OpenTimestamps)
  • Firebase (Google Cloud): For authentication and account management only
  • Stripe: For payment processing only — we never see or store your card details
  • No advertising networks: No tracking pixels or ad services in the extension

Note: Our website (getproofsnap.com) uses Google Analytics for anonymous visitor statistics. The Chrome extension itself does not include Google Analytics or any third-party analytics SDK.

Audit Trail Privacy

ProofSnap generates forensic logs and chain-of-custody records locally:

  • The forensic log (forensic_log.json) and chain-of-custody record (chain_of_custody.json) are stored only on your device
  • No remote logging or telemetry of your evidence activity
  • You control retention and deletion of all local files

Enterprise GDPR Compliance

Data Processing Agreements

For evidence data, no DPA is needed — we never process or access your captured evidence. For account data (email, authentication, billing), ProofSnap acts as the data controller. Our sub-processors include:

Enterprise customers requiring a DPA for account data processing can contact support@getproofsnap.com.

Data Residency

Evidence resides entirely on your organization's devices and networks. You control:

  • Where evidence is stored (which devices/servers)
  • Whether data crosses borders
  • Who has access within your organization
  • Retention and deletion policies

Breach Notification

Your evidence data cannot be breached through us — it never leaves your device. For account data (email, auth credentials), we implement industry-standard security measures (TLS 1.3, AES-256 encryption at rest). In the unlikely event of a breach affecting account data, we will notify affected users and relevant supervisory authorities within 72 hours as required by GDPR Article 33.

Privacy by Design: GDPR Article 25

ProofSnap embodies the seven principles of Privacy by Design:

  1. Proactive, not reactive: Built from the ground up for privacy
  2. Privacy as the default: Maximum privacy with no configuration needed
  3. Privacy embedded: Architecture inherently protects privacy
  4. Full functionality: Privacy without sacrificing features
  5. End-to-end security: Protection throughout the entire evidence lifecycle
  6. Visibility and transparency: Open about our privacy practices
  7. User-centric: You control your evidence and privacy

Frequently Asked Questions

Can ProofSnap see my captured evidence?

No. Evidence capture and processing happen entirely on your device. Our servers never receive, store, or have access to your captured evidence. It's technically impossible for us to see your screenshots, HTML captures, or evidence packages.

What happens to evidence stored on blockchain?

Only a cryptographic hash (fingerprint) of your evidence is stored on the Bitcoin blockchain via OpenTimestamps. The actual evidence content is never uploaded. The hash reveals nothing about the content. Learn more in our blockchain evidence guide.

Do you share data with third parties?

We never share your evidence data — it stays on your device. For account operation, we use Firebase (authentication), Stripe (payments), and AWS (backend). OpenTimestamps receives only cryptographic hashes for blockchain timestamping — never your evidence content. See our Privacy Policy for full details.

Can law enforcement request my evidence?

Law enforcement cannot obtain your evidence from us because we don't have it — it exists only on your device. Any legal requests for evidence would need to be directed to you or your organization. We hold only minimal account data (email, subscription status).

What if I capture someone else's personal data?

You become the data controller for that information. Ensure you have a lawful basis for collection (legal proceedings, legitimate interest, etc.) and comply with applicable privacy regulations.

Is ProofSnap HIPAA compliant?

ProofSnap's local-first architecture means we're not a HIPAA "covered entity" or "business associate." However, if you capture protected health information (PHI), you must follow HIPAA requirements for securing and handling that data.

Transparency Reports

We are committed to transparency about any government requests or legal demands. As of February 2026:

  • Government data requests: 0 (we hold only minimal account data — no evidence content)
  • Law enforcement inquiries: 0
  • National security letters: 0
  • Data breaches: 0

Key Takeaways: GDPR Compliance & Privacy

  1. Local-first evidence architecture — All evidence capture, processing, and signing happen on your device. Your captures never touch any server.
  2. Minimal account data — We collect only what's necessary for service operation (email, auth, billing). No evidence content is ever collected or stored by us.
  3. Blockchain privacy preserved — Only cryptographic hashes are timestamped, not your evidence content. The hash reveals nothing about the original data.
  4. Global compliance — Architecture satisfies GDPR, CCPA, UK GDPR, LGPD (Brazil), PIPEDA (Canada), and most privacy regulations worldwide.
  5. You control your evidence — Delete evidence anytime, choose storage location. Account data can be deleted on request within 30 days.

Our Commitment to Data Protection

Privacy isn't a marketing claim for ProofSnap — it's our fundamental architecture. We believe that capturing digital evidence shouldn't require trusting a third party with sensitive data.

Our local-first architecture means your evidence never leaves your device — we cannot access it, even if compelled by government requests. For the minimal account data we do hold, we apply strict data protection measures and full GDPR compliance as detailed in our Privacy Policy.

Questions about privacy? Contact our privacy team at support@getproofsnap.com. We're happy to discuss our privacy practices in detail or help organizations understand their compliance obligations when using ProofSnap.

ProofSnap Privacy Team


Privacy & Data Protection Specialists

The ProofSnap Privacy Team specializes in data protection compliance, privacy-by-design architecture, and GDPR implementation for digital evidence systems. The team ensures ProofSnap's local-first architecture meets the highest privacy standards across all jurisdictions, including GDPR, CCPA, UK GDPR, and LGPD.
