Legal

Beta draft

Privacy notice

What SessionShot collects, why, and how it is protected during beta. Written plainly; subject to legal review before commercial launch.

Privacy

Last updated: July 2026.

Product draft

This notice is a product draft prepared for beta and is subject to legal review and change before public commercial launch.

1. What we collect

  • Account and profile — email address, name, optional business name, consent timestamps, and marketing preference.
  • Workspace data — workspace name, membership, and configuration such as allowed domains.
  • API key metadata — key names, prefixes, hashes, and usage timestamps. The full secret is never stored after creation.
  • Capture metadata — target hostname, output format, status, timestamps, sizes, and safe error codes.
  • Result assets — the screenshots and PDFs your requests produce, stored privately.
  • Capture payloads — session state you submit (cookies, localStorage) is encrypted for hand-off to the capture worker, is not displayed anywhere, and is designed to be read once and discarded after processing.
  • Operational logs — request metadata (not secrets) needed to run and debug the service.

2. Why we process it

To provide the Service: authenticate you, run your capture requests, enforce allowed domains, store and serve results, keep the platform secure, and communicate with you about the beta. Marketing email is sent only if you opted in, and you can opt out in settings.

3. Storage and security

Data is stored with the infrastructure providers below, protected by row-level access controls, hashed credentials, encrypted payload hand-off, private storage buckets, and short-lived signed URLs. Production secrets live in encrypted provider configuration. The security page describes the model in detail.

4. Retention

During beta, capture results and metadata are retained while your account is active; plan-based retention windows will be defined with billing. You can revoke keys and disable domains at any time, and account closure leads to deletion of workspace data within a reasonable operational window.

5. Third-party providers

The Service runs on:

  • Vercel — application hosting for the website, dashboard, and API.
  • Supabase — authentication, database, and private file storage.
  • Render — the capture worker service.

Each processes data as needed to provide their infrastructure under their own terms. We do not sell your data.

6. Your rights

You can access and update profile and workspace data in the dashboard, export your capture results while links are valid, opt out of marketing at any time, and request account closure and deletion through the private-beta contact channel. Where applicable data-protection law grants additional rights, we aim to honor requests within its timelines.

7. Changes and contact

Material changes to this notice are posted here with an updated date. Questions can be raised through the contact channel provided with your private-beta invitation.