Privacy Policy
Last updated: May 17, 2026
snapout is a place where people come to be honest about hard things. That means privacy is taken seriously. This page explains exactly what is collected, where it goes, who sees it, and what your rights are.
If anything here is unclear, write to help@snapout.me and I will explain.
Who is behind snapout
snapout is built and operated by me, Sep Advani, an independent developer based in the Netherlands. I am the only person working on it. There is no team, no investor, no parent company.
If you need a postal address for any reason, write to help@snapout.me and I will share it directly. I have not published it on this page because snapout is currently a personal alpha, not a commercial operation.
What is collected
When you sign up:
- Your email address
- Your password, only if you sign up with email, and only in hashed form. The plain text of your password is never seen or stored.
- Your first name, which you provide on the welcome screen right after signing up. It's used for personalized email correspondence and so that Somer can address you naturally in conversation. You can update it later by telling Somer the name you'd rather be called.
During signup, you agree to our Terms of Use, which include a confirmation that you are 18 or older. We do not store your age, date of birth, phone number, or address.
When you use snapout:
- The messages you send and the messages snapout sends back, in full
- Information about each session: when it started, when it ended, how long it was
- The notes snapout keeps about you (the observations extracted from each session, and the synthesized "About me" page they roll up into)
- Anonymized usage events (like "session_started," "session_ended") used to understand how snapout is being used overall. These never include the content of your messages.
- The language detected in each message, so the response is in the same language
What is not collected:
- Your IP address (it is not stored; the infrastructure routing your connection sees it transiently and does not retain it in any system I control)
- Your browser fingerprint or device information
- Tracking cookies, analytics cookies, or advertising cookies
- Your location
The only cookie set is an authentication cookie that keeps you signed in. It is marked secure and httpOnly, which means it is protected against common web attacks and not readable by JavaScript.
Where your data lives
Your data is stored on Supabase, in their EU West region (Ireland). Supabase encrypts everything at rest using AES-256 and uses TLS for everything in transit. Supabase keeps short-term backups for disaster recovery, up to 24 hours on the current plan.
The application itself runs on Vercel, which serves the website and handles incoming requests. Vercel does not store your messages or session content; it routes traffic.
Your conversations are processed by Anthropic, the company that makes the Claude AI models I use. Each message you send goes to Anthropic's API for the response, and the same happens when notes are extracted from your sessions in the background.
When you send a voice message, the audio is sent to OpenAI for transcription. OpenAI returns the text; the audio is then discarded. snapout does not store voice audio at any point. See Voice messages below.
About Anthropic and AI training
This is the part that matters most for your privacy, so I want to be precise.
I use Anthropic Claude as snapout's AI engine. Anthropic's standard data retention is up to 30 days. They may retain conversation data for that period for abuse-detection purposes only, after which it is deleted. Anthropic does not use your conversations to train any AI model. This is part of their standard API terms.
I have requested Zero Data Retention from Anthropic, which would mean even the 30-day window does not apply. Whether ZDR is enabled on snapout's workspace depends on Anthropic's eligibility process, which is currently under review. If and when ZDR is enabled, this page will be updated to reflect that.
I do not sell your data. I do not share your conversations with advertisers, marketers, or any third party for commercial reasons. Your conversations are not used to make snapout's AI smarter for other users.
Voice messages
You can record voice messages in any chat. Tap the mic, speak, then send or discard. Here's exactly what happens.
Audio is never stored on snapout's servers. Recording happens in your browser. The preview after you tap stop still lives in your browser. If you discard at that point, the audio is thrown away from browser memory and nothing has been uploaded anywhere.
When you tap send, the audio is uploaded once to OpenAI's Whisper API, which returns the transcribed text. As soon as the text comes back, the audio is discarded, by snapout, and by OpenAI.
OpenAI's documented policy for the Whisper transcription endpoint is zero retention: audio is not retained for abuse monitoring or any other purpose, and API inputs are not used to train their models. This is the default behavior, not a paid tier or a special agreement.
Only the transcribed text is stored, as part of your normal message history. In the chat thread, voice messages appear as a voice bubble showing the duration of the recording. Tap the chevron to reveal the transcribed text. Somer sees only the text; she has no awareness of whether you spoke or typed.
When you delete a session or your account, the transcribed text of voice messages is deleted along with everything else.
Other services involved
In addition to Supabase, Vercel, and Anthropic, snapout uses:
- Vercel Analytics for anonymous usage statistics (page views, basic performance). No message content, no per-user data tied to your identity.
- Vercel Speed Insights for anonymous Core Web Vitals measurements (page load timing, responsiveness, layout stability). Reports only timing numbers and the page path, never message content, never per-user identifiers. Used to confirm that performance improvements measured in development actually reach real devices.
- GitHub Actions for scheduled background jobs that don't access user data.
- Cloudflare Email Routing for receiving email at help@snapout.me.
- Brevo as the outbound email relay for sending account-related emails (signup confirmation, password reset).
- Gmail, where I personally read and respond to email sent to help@snapout.me.
I do not use Google Analytics, Meta Pixel, Mixpanel, PostHog, Sentry, Stripe, or any advertising networks.
How long data is kept
Your data is kept as long as your account is active.
When you delete a session, that session's messages, the notes extracted from it, and the synthesized parts of your "About me" page that came from it are removed. The "About me" is then regenerated from your remaining sessions.
When you delete your account, the following are permanently removed from the database:
- Your account record and login credentials
- All your sessions and messages
- All notes snapout kept about you, including the "About me" one-pager
- Your daily-message-count row
- Any pending background jobs are cancelled
Aggregate usage events (token-count rows used for cost monitoring, error counts, pipeline timing) are kept, but the link to you is removed. Your user ID is set to NULL on those rows; the rows themselves no longer identify you and sit alongside aggregate stats for all users. Anonymized data is outside the scope of GDPR under Article 4(1).
This is a hard delete with no grace period. There is no backup copy retained on my side. Deletion is immediate from the database. Supabase's automated short-term backups, which exist for disaster recovery only, roll off within 24 hours.
You can delete your account yourself from the "About me" page. If you can't access your account, email help@snapout.me and I'll process the deletion manually.
Your rights under GDPR
snapout is operated from the Netherlands and follows the General Data Protection Regulation (GDPR). This applies to all users, anywhere.
You have the right to:
- Access your data. You can see your "About me" page anytime in the app. For a complete export of everything in your account, email help@snapout.me.
- Correct your data. If something is wrong, email help@snapout.me and I will fix it.
- Delete your data. You can delete your account and all your data yourself from the "About me" page in the app. The deletion is immediate. If you can't access your account, email help@snapout.me and I will process the deletion manually within 7 days, and always within 30 days as required by law.
- Take your data with you (portability). Email help@snapout.me for a copy in machine-readable format.
- Object to how your data is processed. Email help@snapout.me with your concern.
- Lodge a complaint. If you believe your data has been handled improperly, you can complain to the Dutch Data Protection Authority (Autoriteit Persoonsgegevens) at autoriteitpersoonsgegevens.nl.
I aim to respond to all data requests within 7 days, and always within 30 days as required by law.
Security
Reasonable steps are taken to keep your data secure:
- All data is encrypted at rest (AES-256, via Supabase)
- All connections use TLS encryption in transit
- Passwords are hashed with industry-standard methods
- Authentication uses secure, httpOnly cookies that protect against common web attacks
- Database access is restricted and authenticated
That said, no online service is perfectly secure. If a data breach ever occurs that affects you, I will tell you within 72 hours of becoming aware, as GDPR requires.
Children
snapout is for adults 18 and over. Data is not knowingly collected from anyone under 18. If you believe a child has created an account, write to help@snapout.me and the account will be investigated and deleted.
Changes to this policy
If anything material about how data is handled changes, I will let you know by email and through a notice in the app. The "Last updated" date at the top of this page reflects the most recent change.
Contact
For anything privacy-related or general: help@snapout.me