Privacy Policy
Last updated: 12 April 2026 · Effective: 12 April 2026
This Privacy Policy explains how Software Innovations Group LLC ("ProofSnap", "we", "us") processes personal data in connection with the ProofSnap website at getproofsnap.com, the ProofSnap Chrome extension and the ProofSnap Beweissicherung / Capture-as-a-Service (collectively the "Services"). It is written to meet the information obligations of Articles 13 and 14 of the EU General Data Protection Regulation (Regulation (EU) 2016/679, "GDPR"), the German Federal Data Protection Act (BDSG), § 25 of the German Telecommunications Digital Services Data Protection Act (TTDSG) and the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021).
1. Controller
The controller responsible for the processing of personal data described in this Privacy Policy is:
Software Innovations Group LLC
Sharjah Media City (SHAMS) Free Zone
Sharjah, United Arab Emirates
Phone: +971 58 521 1220
Email: support@getproofsnap.com
SHAMS Formation No. 2536261, License No. 2536261.01. Full company information is available in our Impressum.
2. Data Protection Contact
For all questions about this Privacy Policy or to exercise any of your rights under Articles 15 to 22 GDPR, please contact us at support@getproofsnap.com with the subject line "GDPR Data Request". We aim to respond substantively within 30 days (Article 12(3) GDPR).
We are a company established in the United Arab Emirates. We have assessed our obligations under Article 27 GDPR and have determined that our processing is occasional, does not include large-scale processing of special categories of data under Article 9 GDPR or criminal conviction data under Article 10 GDPR, and is unlikely to result in a risk to the rights and freedoms of natural persons. We therefore currently rely on the exemption in Article 27(2)(a) GDPR and do not designate a Union representative. We will reassess this position regularly and publish any change here.
3. Categories of Personal Data We Process
3.1 Account data
- Email address, hashed password, optional display name (provided when you register)
- Subscription plan, quota usage, renewal status
- Support correspondence and ticket history
3.2 Order data (Beweissicherung Capture-as-a-Service)
- Billing name, postal and invoicing address, VAT / Tax ID (where provided)
- Email address, phone number (where provided)
- URL to be captured, case reference, order notes
- Payment reference (Stripe Payment Intent ID, Checkout Session ID)
3.3 Evidence data (zero-knowledge architecture)
For Chrome extension captures performed by you, evidence packages (screenshots, HTML source, DOM text, metadata) are generated and stored locally on your device. We do not receive, view or store this evidence on our servers. Only a SHA-256 cryptographic hash of the evidence manifest is transmitted to enable blockchain timestamping (OpenTimestamps) and, where you use the eIDAS Qualified Timestamp feature, to our EU qualified trust service provider Disig a.s.
For Beweissicherung Capture-as-a-Service orders, our operator performs the capture on a clean browser session on our infrastructure and transmits the resulting ZIP package to the email address you provided. We retain a copy of the ZIP package for 30 days for support and dispute resolution purposes, after which it is automatically deleted.
3.4 Website usage data
- IP address (truncated by Google Analytics IP anonymization)
- Browser, operating system, device type, screen resolution
- Referrer URL, pages visited, time on page, click events
- Consent state stored in
localStorageunder the keyps_consent_v1
Usage data is collected only if you grant consent through our cookie banner. You can revoke your consent at any time via the "Cookie Settings" link in the footer.
4. Purposes and Legal Bases of Processing
| Purpose | Data categories | Legal basis |
|---|---|---|
| Providing the Chrome extension and user account | Account data | Art. 6(1)(b) GDPR — performance of a contract |
| Processing Beweissicherung CaaS orders, including payment, capture execution and delivery | Order data, evidence data | Art. 6(1)(b) GDPR — performance of a contract |
| Generating qualified timestamps (Disig) and Bitcoin blockchain anchors (OpenTimestamps) | SHA-256 hash (no personal data content) | Art. 6(1)(b) GDPR — performance of a contract; Art. 6(1)(f) GDPR — legitimate interest in providing eIDAS-compliant evidence services |
| Issuing invoices and fulfilling tax and accounting obligations | Order data | Art. 6(1)(c) GDPR — legal obligation (UAE Corporate Tax; German § 14 UStG and § 147 AO retention obligations for recipients) |
| Responding to support requests and handling disputes | Contact and correspondence data | Art. 6(1)(b) or Art. 6(1)(f) GDPR — performance of a contract or legitimate interest |
| Google Analytics 4 website analytics | Usage data, cookies, device identifiers | Art. 6(1)(a) GDPR and § 25(1) TTDSG — consent (granted via cookie banner) |
| Storing your cookie consent choices | Consent state in localStorage |
§ 25(2) No. 2 TTDSG — strictly necessary; Art. 6(1)(f) GDPR — legitimate interest in complying with our own consent obligations |
| Detecting fraud and preventing abuse | Account, order and usage data | Art. 6(1)(f) GDPR — legitimate interest |
5. Cookies and Similar Technologies
We use Google Consent Mode v2. On your first visit all non-essential storage is set to "denied" by default. No analytics, advertising or personalization signals are transmitted until you give explicit consent through our cookie banner. You can revoke, change or re-confirm your consent at any time via the "Cookie Settings" link in the footer.
5.1 Strictly necessary
| Name | Provider | Purpose | Storage |
|---|---|---|---|
ps_consent_v1 |
ProofSnap (first-party) | Stores your cookie consent choices so the banner is not shown again | localStorage, 13 months |
5.2 Analytics (consent required)
| Name | Provider | Purpose | Storage |
|---|---|---|---|
_ga, _ga_* |
Google Ireland Ltd. (Google Analytics 4) | Distinguishes visitors, measures sessions and page views with IP anonymization | Cookies, up to 14 months |
Google Analytics is configured with anonymize_ip: true. Google Ireland Ltd. is our processor under Article 28 GDPR; data may be transferred to Google LLC in the United States on the basis of the EU-US Data Privacy Framework (adequacy decision of 10 July 2023) and the Standard Contractual Clauses implemented by Google.
6. Recipients and Categories of Recipients
We share personal data only with the following processors and recipients, and only to the extent necessary for the purposes described above:
| Recipient | Role | Data shared | Country |
|---|---|---|---|
| Stripe Payments Europe Ltd. | Processor — payment processing, invoicing, tax calculation | Order data, billing address, email, payment method details | Ireland (EU) with sub-processors in the US |
| Google Ireland Ltd. (Firebase Authentication) | Processor — authentication and account management for the Chrome extension | Email, hashed password, authentication tokens | Ireland (EU) with sub-processors in the US |
| Google Ireland Ltd. (Google Analytics 4) | Processor — website analytics (consent required) | Anonymized IP, device data, usage events | Ireland (EU) with sub-processors in the US |
| Amazon Web Services EMEA SARL | Processor — serverless backend (Lambda, S3) | Account tokens, SHA-256 hashes, operational logs | Luxembourg (EU) / Frankfurt (DE) |
| Disig a.s. | Qualified Trust Service Provider (EU Trusted List) — eIDAS qualified timestamps | SHA-256 hash only (no personal data) | Slovakia (EU) |
| OpenTimestamps calendar servers | Public aggregation servers that anchor hashes to the Bitcoin blockchain | SHA-256 hash only | Decentralized / worldwide |
| Software Innovations Group LLC (controller) | Operator — Beweissicherung CaaS fulfilment and customer support | Order, contact and correspondence data | United Arab Emirates |
We do not sell personal data. We do not share personal data with advertisers. Beyond the recipients listed above, disclosure only occurs where required by binding law (for example in response to a lawful court order or mandatory request from a competent authority).
7. International Data Transfers
ProofSnap is operated from the United Arab Emirates. The UAE is not the subject of an adequacy decision of the European Commission under Article 45 GDPR. Personal data of users in the European Economic Area is nevertheless processed by us in the UAE on the following bases:
- Contractual necessity (Art. 49(1)(b) GDPR) — where the transfer is necessary for the performance of a contract between you and us, or for pre-contractual measures taken at your request, for example when you place a Beweissicherung CaaS order or use the Chrome extension under a paid subscription.
- Explicit consent (Art. 49(1)(a) GDPR) — where you have explicitly consented to the transfer after having been informed of the possible risks of such transfer for you due to the absence of an adequacy decision and appropriate safeguards.
- Appropriate safeguards at processor level — where data is processed by our EU-established processors (Stripe, Google Ireland, AWS EMEA, Disig) it stays within the European Union. Onward transfers by these processors to their own sub-processors outside the EU are governed by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the EU-US Data Privacy Framework, as implemented by each processor.
The UAE has its own data protection regime under Federal Decree-Law No. 45 of 2021 (PDPL), which imposes obligations on us as a UAE controller including security, breach notification and data subject rights substantially similar to GDPR.
8. Retention Periods
- Account data: kept for as long as your account is active; deleted within 30 days after account deletion, subject to any longer retention required by law.
- Order data and invoices: retained for 7 years to comply with tax and accounting obligations (UAE Corporate Tax, German § 147 AO retention requirements on customer side).
- Beweissicherung CaaS ZIP packages: retained on our operational storage for 30 days after delivery, then automatically deleted. You remain able to verify the evidence independently using the SHA-256 hash and qualified timestamp contained in your downloaded ZIP.
- SHA-256 hashes submitted to Disig / OpenTimestamps: processed in real time. No hash is persisted on our servers after the timestamp response is returned to you.
- Support correspondence: kept for up to 3 years after case closure to enable recurring support and dispute handling.
- Google Analytics data: the default GA4 retention period is 14 months; data is anonymized and not linked to your account.
- Cookie consent state (
ps_consent_v1): up to 13 months.
9. Your Rights Under the GDPR
As a data subject you have the following rights in relation to personal data we process about you. You can exercise these rights at any time, free of charge, by emailing support@getproofsnap.com. We may ask for reasonable verification of your identity before acting on a request.
- Right of access (Art. 15 GDPR): obtain confirmation whether personal data concerning you is processed and, if so, a copy of that data together with the information listed in Art. 15(1) GDPR.
- Right to rectification (Art. 16 GDPR): have inaccurate personal data corrected or incomplete data completed.
- Right to erasure / "right to be forgotten" (Art. 17 GDPR): request deletion of your personal data where one of the grounds in Art. 17(1) GDPR applies.
- Right to restriction of processing (Art. 18 GDPR): request that we restrict processing in the situations listed in Art. 18(1) GDPR.
- Right to data portability (Art. 20 GDPR): receive the personal data you have provided to us in a structured, commonly used and machine-readable format, and transmit it to another controller.
- Right to object (Art. 21 GDPR): object, on grounds relating to your particular situation, to processing that is based on our legitimate interests (Art. 6(1)(f) GDPR). Where you object, we will stop processing unless we demonstrate compelling legitimate grounds that override your interests or the processing is needed for the establishment, exercise or defence of legal claims.
- Right to withdraw consent (Art. 7(3) GDPR): withdraw any consent you have given at any time, without affecting the lawfulness of processing based on consent before its withdrawal. Use the "Cookie Settings" link in the footer to change your cookie choices.
- Right to lodge a complaint (Art. 77 GDPR): lodge a complaint with a supervisory authority, in particular in the Member State of your habitual residence, place of work or the place of the alleged infringement. In Germany this is the Landesdatenschutzbeauftragte of the federal state in which you reside; in Austria the Datenschutzbehörde; in Switzerland the Eidgenössischer Datenschutz- und Öffentlichkeitsbeauftragte (EDÖB).
10. Security
We implement appropriate technical and organisational measures in accordance with Article 32 GDPR, including TLS 1.3 encryption for data in transit, AES-256 encryption for account data at rest, hashed passwords, access control on administrative functions, least-privilege IAM policies for cloud resources, audit logging and regular security reviews. Because evidence data generated by the Chrome extension is stored locally on your device and never reaches our servers, it cannot be compromised by a breach of our infrastructure.
11. Children
ProofSnap is a business tool intended for adults, legal professionals and organizations. We do not knowingly collect personal data from children under the age of 16. If you believe that a child has provided personal data to us, please contact us at support@getproofsnap.com and we will promptly delete the data.
12. Changes to This Privacy Policy
We may update this Privacy Policy from time to time to reflect changes to our Services, our processors, or applicable law. The "Last updated" date at the top of this page indicates when this version became effective. Material changes affecting how we process your personal data will be announced in advance via email to registered users or a prominent notice on our website.
13. Cookie Settings
You can review or change your consent choices at any time: