Legal
Beta draftPrivacy notice
What SessionShot collects, why, and how it is protected during beta. Written plainly; subject to legal review before commercial launch.
Privacy
Last updated: July 2026.
Product draft
1. What we collect
- Account and profile — email address, name, optional business name, consent timestamps, and marketing preference.
- Workspace data — workspace name, membership, and configuration such as allowed domains.
- API key metadata — key names, prefixes, hashes, and usage timestamps. The full secret is never stored after creation.
- Capture metadata — target hostname, output format, status, timestamps, sizes, and safe error codes.
- Result assets — the screenshots and PDFs your requests produce, stored privately.
- Capture payloads — session state you submit (cookies, localStorage) is encrypted for hand-off to the capture worker, is not displayed anywhere, and is designed to be read once and discarded after processing.
- Operational logs — request metadata (not secrets) needed to run and debug the service.
2. Why we process it
To provide the Service: authenticate you, run your capture requests, enforce allowed domains, store and serve results, keep the platform secure, and communicate with you about the beta. Marketing email is sent only if you opted in, and you can opt out in settings.
3. Storage and security
Data is stored with the infrastructure providers below, protected by row-level access controls, hashed credentials, encrypted payload hand-off, private storage buckets, and short-lived signed URLs. Production secrets live in encrypted provider configuration. The security page describes the model in detail.
4. Retention
During beta, capture results and metadata are retained while your account is active; plan-based retention windows will be defined with billing. You can revoke keys and disable domains at any time, and account closure leads to deletion of workspace data within a reasonable operational window.
5. Third-party providers
The Service runs on:
- Vercel — application hosting for the website, dashboard, and API.
- Supabase — authentication, database, and private file storage.
- Render — the capture worker service.
Each processes data as needed to provide their infrastructure under their own terms. We do not sell your data.
6. Your rights
You can access and update profile and workspace data in the dashboard, export your capture results while links are valid, opt out of marketing at any time, and request account closure and deletion through the private-beta contact channel. Where applicable data-protection law grants additional rights, we aim to honor requests within its timelines.
7. Changes and contact
Material changes to this notice are posted here with an updated date. Questions can be raised through the contact channel provided with your private-beta invitation.