Privacy Policy
Last updated:

Privacy Policy

Effective date: 2025-10-20

1. Controller / Contact

Helionyx GmbH
Marienstr. 70
56341 Kamp-Bornhofen
Rhineland-Palatinate
Germany
Email: info@snapcard.ninja

2. Purposes, Categories, Legal Bases

We process personal data to provide the Service, manage accounts, billing, security/abuse prevention, support, and—optionally—analytics.

  • Registration/Account: name, email, password hash; for Google login: profile data. Legal basis: contract performance.
  • Uploads/Content: images, tasks, metadata. Legal basis: contract performance.
  • AI processing: sending content to AI providers (e.g., Azure) to deliver features (“Flashcards”, “Solve”). Legal basis: contract performance.
  • Payments/Billing: email, invoicing/transaction data. Legal basis: contract & legal obligations.
  • Security/Anti-bot: Cloudflare Turnstile, server/WAF logs. Legal basis: legitimate interests in availability and fraud prevention.
  • Usage/Credit metrics: counters, rate/limit events, plan/subscription status. Legal basis: contract performance & legitimate interests in stability/abuse prevention.
  • Cookies/Analytics (optional): Legal basis: consent where required.

3. Processors / Recipients

  • Appwrite Cloud (Frankfurt/EU): auth, database, storage.
  • Microsoft / Azure (US/EU regions): AI processing.
  • Stripe: payments & invoicing.
  • Google: OAuth login (if you use it).
  • Sentry (US): error tracking and analysis.
  • Datadog (US): performance monitoring and analysis.
  • Cloudflare Turnstile: bot protection (may set necessary cookies/technologies).
  • Other technical providers (email, logging/monitoring) as needed.

We sign Data Processing Agreements and review subprocessors. The privacy policies and terms of service of these providers may apply.

4. International Transfers (notably US)

Using Azure in US regions and services like Stripe/Google/Cloudflare may involve transfers to the United States. Transfers rely on appropriate safeguards (e.g., EU-US Data Privacy Framework and/or Standard Contractual Clauses plus transfer risk assessments). Check each provider’s privacy pages for current certifications.

5. Retention

  • Images/uploads: kept in Appwrite storage only until the AI response (typically up to 2 minutes), then deleted.
  • Generated sets/history: until you delete them or your account is deleted.
  • Account/billing: for the contract term; invoice retention 6–10 years (per tax/commercial laws).
  • Server/security logs: typically up to 30 days (longer if needed for incident handling).
  • Usage/credit metrics: up to 24 months to verify billing, investigate abuse, and support requests.
  • Cookies/Analytics: per your consent settings.

The user can request the deletion of their data and account via support or the contact email address. We do not have or have limited control over third-party services and their data handling and/or data retention policies and practices. For more information, please refer to the respective privacy policies of these providers.

6. Cookies & Similar Technologies

We use necessary cookies/technologies (e.g., session, Turnstile). Non-essential cookies (e.g., analytics) are used only with consent via a banner offering an equally prominent “reject” option. Details appear in the cookie layer.

7. AI Processing & Model Training

We send your content to AI providers (e.g., Azure) to deliver features. We do not train our own models on your content. Providers process data to operate and secure their services; according to their policies, base-model training on customer prompts/content does not occur or only as stated therein. Please review each provider’s documentation.

8. Your Rights

Where applicable (e.g., EU/EEA), you have rights to access, rectification, erasure, restriction, portability, to object to processing based on legitimate interests, and to withdraw consent (prospectively). You may lodge a complaint with an EU supervisory authority.

9. Children

Not directed to children under 13. For 13–15, parental consent may be required; access may be restricted if verification is missing.

10. Security

We implement appropriate technical and organizational measures (e.g., in-transit encryption, access controls). No method is 100% secure; keep your credentials safe.

11. Notice & Action

You can report allegedly illegal content via /legal/notice or email. We review promptly and provide a reasoned decision.

12. Changes

We will update this Policy when services or laws change and notify you appropriately.

Privacy, abuse and support contact: info@snapcard.ninja | Terms-of-Service | Cookie settings | Support

Back to start