Privacy Policy
Introduction
ScreenshotFreeAPI ("we", "our", or "us") operates the screenshot capture API and developer platform available at screenshotfreeapi.com. This Privacy Policy explains what personal data we collect when you register, use our API, visit our website, or interact with us — and what we do with it.
We are committed to handling your data lawfully, transparently, and only for the purposes described here. This policy applies to all visitors, registered users, and API customers.
Data We Collect
We collect different categories of data depending on how you interact with the service.
Account & Identity data
- Email address (used for login, billing, and product communications)
- Name (optional, used for invoicing and support)
- Hashed password (bcrypt; we never store plaintext passwords)
- OAuth identifiers when you sign in with Google or GitHub
API & Usage data
- URLs submitted for capture, app names, and HTML payloads
- Job identifiers, job status, capture format, and result metadata
- API key prefixes (the first 8 characters only — never the full key)
- Webhook delivery logs including target URL, response codes, and timestamps
- Storage keys and presigned URL access patterns
Payment & Billing data
- Billing email and plan tier
- Stripe customer and subscription identifiers — card details are processed and held exclusively by Stripe; we never store raw payment card numbers
- Invoice history and quota consumption records
Technical & Device data
- IP address and approximate geolocation (country/region level)
- HTTP user-agent string
- Browser type and operating system
- Error stack traces and performance timings from Sentry
- Request latency and HTTP response codes from our infrastructure logs
Content captured through the API
Screenshot images and PDFs generated via your API jobs are stored temporarily in our managed storage (or your own S3 bucket on Business+ plans). We treat captured content as yours — we do not use it to train AI models, and we do not access it except for security incidents or support requests you initiate.
How We Use Your Data
We use the data we collect to:
- Provide the service — authenticate API requests, queue and process capture jobs, deliver results via webhooks, and route files to storage
- Manage your account — handle registration, plan changes, quota enforcement, and API key lifecycle
- Process payments — charge subscriptions, issue invoices, and handle upgrades and downgrades via Stripe
- Communicate with you — send transactional emails (account confirmation, invoice receipts, API key events), product updates, and reliability notices; never unsolicited marketing without consent
- Improve the product — analyse aggregated usage patterns to prioritise features, fix errors, and tune infrastructure performance
- Ensure security — detect abuse, enforce rate limits, block SSRF attempts, and investigate potential fraud or policy violations
- Meet legal obligations — retain records as required under applicable tax and financial regulations
Legal Basis for Processing (GDPR)
For users in the European Economic Area and United Kingdom, we rely on the following legal bases under GDPR / UK GDPR:
| Processing activity | Legal basis |
|---|---|
| Delivering API captures, queuing jobs, webhook delivery | Contract performance (Art. 6(1)(b)) |
| Account creation and authentication | Contract performance (Art. 6(1)(b)) |
| Processing subscription payments via Stripe | Contract performance (Art. 6(1)(b)) |
| Transactional emails (invoices, key events) | Contract performance (Art. 6(1)(b)) |
| Security monitoring, SSRF prevention, fraud detection | Legitimate interests (Art. 6(1)(f)) |
| Product analytics and usage telemetry | Legitimate interests (Art. 6(1)(f)) |
| Tax and financial record retention | Legal obligation (Art. 6(1)(c)) |
| Analytics and non-essential cookies | Consent (Art. 6(1)(a)) |
| Marketing communications | Consent (Art. 6(1)(a)) |
Where we rely on legitimate interests, you have the right to object. Where we rely on consent, you may withdraw it at any time without affecting the lawfulness of processing prior to withdrawal.
Data Sharing
We do not sell, rent, or trade your personal data. We share data only with the sub-processors listed below, and only to the extent necessary to deliver the service.
| Processor | Purpose | Location |
|---|---|---|
| Stripe | Payment processing, subscription management | USA (SCCs) |
| Amazon Web Services | Cloud infrastructure, screenshot storage (S3) | USA / EU |
| Vercel | Frontend hosting, CDN, edge functions | USA / Global |
| Sentry | Error tracking and performance monitoring | USA (SCCs) |
| Postmark / Resend | Transactional email delivery | USA (SCCs) |
| Neon / Supabase | PostgreSQL database hosting | USA / EU |
We may also disclose data when required by law, court order, or government authority, or when necessary to protect the rights, property, or safety of ScreenshotFreeAPI, our users, or the public. We will notify affected users where legally permitted to do so.
Data Retention
| Data type | Retention period | Notes |
|---|---|---|
| Account data | Until deletion requested | Deleted within 30 days of verified request |
| Captured screenshots & PDFs | 30 days | Purged automatically; earlier deletion on request |
| Job metadata & logs | 90 days | Job ID, status, timestamps; no captured content |
| Billing & invoice records | 7 years | Legal / tax obligation under financial regulations |
| API access logs | 90 days | Rolling window; used for security and debugging |
| Error traces (Sentry) | 90 days | Automatically purged by Sentry retention policy |
When you delete your account, we initiate deletion of all associated personal data within 30 days, except data we are required to retain by law (e.g. billing records) or where retention is necessary to resolve outstanding disputes.
Your Rights
Depending on where you are located, you have the following rights over your personal data:
GDPR rights (EEA & UK)
- Right of access (Art. 15)
- Right to rectification (Art. 16)
- Right to erasure (Art. 17)
- Right to data portability (Art. 20)
- Right to restrict processing (Art. 18)
- Right to object (Art. 21)
- Rights related to automated decision-making (Art. 22)
- Right to withdraw consent (Art. 7)
California residents (CCPA / CPRA) have the right to know what personal information we collect and how it is used, the right to delete personal information, the right to opt out of sale (we do not sell data), and the right to non-discrimination for exercising these rights.
To exercise any right, email privacy@screenshotfreeapi.com with your registered email address and the right you wish to exercise. We respond to all verified requests within 30 days (extendable by a further 60 days for complex requests with notice).
If you believe we have mishandled your data, you have the right to lodge a complaint with your local supervisory authority. For EEA residents, you can find your authority at edpb.europa.eu.
Security
We apply industry-standard technical and organisational security measures:
- All data in transit is encrypted via TLS 1.2+ (HTTPS enforced)
- Data at rest is encrypted using AES-256 on AWS infrastructure
- API keys are stored as bcrypt hashes — we never store or log raw keys
- Screenshots are served via time-limited presigned S3 URLs (15-minute TTL)
- Inbound URLs are validated against an SSRF blocklist before any browser navigation
- Each capture job runs in an isolated browser context — no cross-job cookie or storage sharing
- Access to production systems requires multi-factor authentication
- Dependency audits run on every CI build; critical CVEs are patched within 24 hours
No system is perfectly secure. In the event of a data breach that is likely to result in risk to your rights and freedoms, we will notify affected users and the relevant supervisory authority within 72 hours of becoming aware.
To report a security vulnerability, email security@screenshotfreeapi.com. We operate a responsible disclosure programme and respond to valid reports within 5 business days.
Cookies & Tracking
We use cookies and similar tracking technologies to authenticate sessions, measure product usage, and maintain security protections. For a complete breakdown of every cookie we set — including name, purpose, expiry, and category — see our dedicated Cookie Policy.
You can manage your cookie preferences at any time using the preference panel accessible from the banner shown on first visit, or by clearing cookies in your browser settings. Withdrawing consent for non-essential cookies does not affect your ability to use the API.
International Data Transfers
ScreenshotFreeAPI is incorporated in the United States. When you use the service from the EEA, UK, or Switzerland, your data is transferred to and processed in the United States. We rely on the following safeguards for such transfers:
- Standard Contractual Clauses (SCCs) — we have executed the European Commission's approved SCCs with all US-based sub-processors
- UK International Data Transfer Agreements (IDTA) — used for transfers subject to UK GDPR
- Adequacy decisions — where transfers are to countries that have received an EU adequacy decision
You may request a copy of the applicable transfer mechanisms by contacting us at privacy@screenshotfreeapi.com.
Policy Updates
We may update this Privacy Policy from time to time. When we make material changes — changes that expand the data we collect, alter how we use it, or affect your rights — we will:
- Update the "Effective" date at the top of this page
- Display a banner on the dashboard for at least 14 days
- Send an email notification to all registered accounts
Continued use of the service after the effective date constitutes acceptance of the updated policy. If you do not agree to material changes, you may delete your account at any time.
Contact & DPO
For any privacy-related questions, data subject requests, or concerns about this policy, contact our Data Protection team:
We target a response time of 5 business days for general enquiries and 30 days for formal data subject requests.