Privacy Policy
The short version: we collect only the data needed to run Snaproll, we don't sell it to anyone, and you can ask for a copy or full deletion at any time. The rest of this page is the long version, written to comply with India's Digital Personal Data Protection Act, 2023 (DPDP Act).
1. Who we are
Snaproll is operated by Tanweer Mohammad (Sole Proprietor), based in Hyderabad, Telangana, India. For the purposes of the DPDP Act, we are the Data Fiduciary for personal data we collect about you directly (e.g. when you sign up). When you upload records and photographs of your organisation's members, those individuals are your data subjects and you are their Data Fiduciary; we act as your Data Processor.
2. What we collect
2.1 Data you give us directly
| Category | Examples |
|---|---|
| Lead enquiry | Name, organisation, position, email, phone, optional message |
| Account | Username, hashed password, contact name, contact phone |
| Payment | Handled by our payment processor (Razorpay) — we receive a transaction ID and amount, never card numbers |
| Support | Anything you write to us when you email or message support |
2.2 Data your organisation uploads on behalf of its members
| Category | Examples |
|---|---|
| Records | Names, ID numbers, class / department, dates, custom fields you define |
| Photographs | Headshot photos uploaded by your organisation |
| Annotations | Modified-by name and timestamp on each edit |
2.3 Data we collect automatically
- IP address and browser user-agent of every request (for abuse prevention and rate limiting; auto-purged after 90 days)
- Server logs of API calls (no body content; metadata only)
- Local storage on your device for the auth token (so the PWA stays logged in)
3. Why we collect it
We collect each category of data only for the purposes listed:
- Lead enquiry data: to respond to your demo or registration request.
- Account data: to authenticate you, allow you to manage your organisation, and contact you about your subscription.
- Records and photographs: to provide the records-and-photo management features your organisation signed up for. We do not look at, search, or process this content beyond what's needed to serve your own requests.
- Server logs and IP: to detect and prevent abuse, debug failures, and meet basic security obligations.
- Payment data: to process your subscription and issue receipts.
We do not sell your data, your records, or your photographs to anyone, ever. We do not use your uploaded data to train models or build derivative datasets.
4. Who we share it with
We share data only with service providers that help us run Snaproll, and only the minimum needed for them to do their job:
| Provider | What they receive | Purpose |
|---|---|---|
| Resend (email delivery) | Recipient email + email content for confirmations, OTPs, notifications | Sending transactional emails |
| MSG91 (SMS, when enabled) | Recipient phone + the OTP code | Sending OTP for verification |
| Razorpay (payments, when enabled) | Buyer email, name, amount | Processing payment |
| Oracle Cloud (hosting) | All operational data is stored on a server we control on Oracle Cloud Infrastructure | Hosting Snaproll |
We may also disclose data if required by a valid legal order from an Indian court or regulatory authority. We will, where lawfully permitted, notify the affected customer before doing so.
5. Children's data and the schools clause
Important for school customers: if your organisation uploads records or photographs of individuals under the age of 18 (e.g. students), you must obtain verifiable consent from a parent or legal guardian before doing so. The DPDP Act treats children's data as sensitive and requires explicit parental consent.
You confirm to us that you have obtained such consent for every child whose data you upload. We process this data on your instructions, as your processor.
We do not knowingly collect children's data directly (the Snaproll account-holder is always an adult representative of an organisation). If you believe a child's data has been uploaded without parental consent, please email support@snaproll.in and we will remove it.
6. How long we keep data
| Category | Retention |
|---|---|
| Lead enquiry data | Until you ask us to delete it, or 12 months after the last contact, whichever comes first |
| Account & subscription data | For the lifetime of your subscription, plus 90 days for backups |
| Records & photographs you uploaded | Until you delete them, or your account is closed; backups are retained for an additional 90 days, then permanently purged |
| Server logs and IPs | Up to 90 days, then auto-purged |
| OTP codes | 10 minutes (auto-expires) |
| Payment receipts | 7 years (Income Tax Act recordkeeping requirement) |
7. Your rights under the DPDP Act
You have the right to:
- Access the personal data we hold about you.
- Correct any inaccurate or incomplete data.
- Erase your personal data (subject to legal retention obligations like payment records).
- Withdraw consent at any time. Withdrawing consent does not affect processing done before the withdrawal.
- Nominate another individual to exercise your rights in the event of your death or incapacity.
- Lodge a grievance with us, and (if unresolved) with the Data Protection Board of India.
To exercise any of these rights, email support@snaproll.in. We will respond within 30 days.
8. Cookies and local storage
Snaproll uses minimal browser storage:
- Local storage: stores your authentication token so you stay logged in across sessions in the installed PWA. Cleared when you log out.
- Service worker cache: stores recently loaded photos and the application shell so the app works offline. Cleared on logout.
We do not use third-party tracking cookies, advertising pixels, or behavioural analytics on the application. Aggregate, non-personal usage statistics may be collected from the public landing page in the future; this policy will be updated if so.
9. How we protect data
- All traffic to and from Snaproll is encrypted in transit (HTTPS / TLS).
- Passwords are hashed using bcrypt; we never store plain-text passwords.
- Authentication tokens are signed JWTs; OTP codes are single-use and expire in 10 minutes.
- The hosting server is a dedicated virtual machine with restricted SSH access, key-based authentication only.
- Database backups are taken regularly and stored on the same provider's storage with encryption at rest.
- We follow a "least privilege" principle — only the proprietor has production access; this will be expanded to a documented access list as the team grows.
No system is perfectly secure. If you become aware of a vulnerability, please report it responsibly to support@snaproll.in.
10. Cross-border data transfers
Snaproll's primary infrastructure (database, file storage, application server) is hosted in India. Some service providers (e.g. Resend, Razorpay) may operate servers outside India; in those cases, the limited data we share with them (described in Section 4) may transit through their infrastructure under their own privacy commitments. We do not transfer the bulk of your records or photographs outside India.
11. Changes to this policy
We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent revision. When we make material changes, we will email account holders at least 14 days before the changes take effect.
12. Contact and grievances
For privacy questions, data requests, or grievances:
- Email: support@snaproll.in (subject line "Privacy")
- Phone / WhatsApp: +91 70321 50909
- Address: Hyderabad, Telangana, India
If you are not satisfied with our response, you may approach the Data Protection Board of India under the DPDP Act.