Privacy Policy
Last updated: December 30, 2025
1. Introduction
This Privacy Policy describes how ScreenCraft ("we", "us", or "our") collects, uses, and protects your personal information when you use our screenshot and PDF generation API services ("Services"). By using our Services, you agree to the collection and use of information in accordance with this policy.
ScreenCraft is committed to protecting your privacy and ensuring transparency about our data practices. This policy applies to all users of our API, dashboard, and related services.
2. Information We Collect
2.1 Account Information
When you create an account, we collect:
- Email address
- Name (if provided)
- Password (stored securely hashed)
- OAuth profile data (if using GitHub login)
2.2 Usage Data
We automatically collect information about your API usage:
- API call timestamps and frequency
- Request parameters (URL, viewport size, format options)
- Response status codes and processing times
- Rate limit and quota consumption
2.3 Technical Data
For security and service improvement, we collect:
- IP addresses
- User agent strings
- API key identifiers (not the full key)
- Request origin and referrer headers
2.4 Payment Information
Payment processing is handled by Stripe. We do not store your credit card numbers, bank account details, or other sensitive payment information on our servers. Stripe's privacy policy governs the handling of your payment data.
3. Information We Do NOT Collect or Store
We are committed to minimal data collection. The following data is never stored on our systems:
3.1 Authentication Credentials
- Auth headers: Any authentication headers (cookies, Bearer tokens, Basic auth) you pass for capturing authenticated pages are used transiently and immediately discarded.
- Session cookies: Cookies you provide for authenticated screenshots are never logged or stored.
3.2 Content Data
- Raw HTML: When you submit HTML for PDF generation, the content is processed in memory and not persisted.
- Screenshot content: The actual visual content of screenshots is automatically deleted according to your plan's retention period. We do not analyze, index, or train models on your screenshot content.
4. Data Retention
We retain different types of data for different periods:
| Data Type | Free Plan | Pro Plan | Business/Enterprise |
|---|---|---|---|
| Screenshot files | 1 hour | 7 days | 30 days |
| PDF files | 1 hour | 7 days | 30 days |
| Usage metadata | 7 days | 90 days | 1 year |
| Account data | Until you request deletion | Until you request deletion | Until you request deletion |
After the retention period, data is permanently deleted and cannot be recovered.
5. How We Use Your Information
We use collected information to:
- Provide and maintain our Services
- Process your API requests and generate screenshots/PDFs
- Monitor usage and enforce rate limits
- Detect and prevent abuse, fraud, and security incidents
- Send important service notifications (outages, security alerts)
- Improve our Services based on aggregated usage patterns
- Comply with legal obligations
We do not sell your personal data or use it for advertising purposes.
6. Data Security
We implement robust security measures to protect your data:
6.1 Encryption
- In transit: All API communications use TLS 1.3 encryption
- At rest: Stored data is encrypted using AES-256
- API keys: Stored using secure one-way hashing
6.2 Infrastructure
- Hosting: Our servers are hosted in Hetzner data centers in Germany (EU)
- DDoS protection: Cloudflare provides network-level protection
- Access control: Strict internal access policies and audit logging
6.3 Security Practices
- Regular security audits and penetration testing
- Automated vulnerability scanning
- Incident response procedures
- Employee security training
7. Your Rights (GDPR)
If you are located in the European Economic Area (EEA), you have the following rights under the General Data Protection Regulation (GDPR):
7.1 Right to Access
You can request a copy of all personal data we hold about you. We will provide this within 30 days of your request.
7.2 Right to Rectification
You can update your account information at any time through the dashboard, or contact us to correct any inaccurate data.
7.3 Right to Erasure
You can request deletion of your account and all associated data. Upon request, we will:
- Delete your account and profile data
- Delete all API keys
- Delete all stored screenshots and PDFs
- Delete usage history and logs
Some data may be retained for legal compliance (e.g., billing records for tax purposes).
7.4 Right to Data Portability
You can request an export of your data in a machine-readable format (JSON).
7.5 Right to Object
You can object to certain data processing activities. Note that objecting to essential processing may limit your ability to use the Services.
7.6 Exercising Your Rights
To exercise any of these rights, contact us at:
- Email: [email protected]
We will respond to your request within 30 days.
8. Third-Party Services
We use the following third-party services that may process your data:
| Service | Purpose | Data Shared |
|---|---|---|
| Stripe | Payment processing | Email, payment details |
| Cloudflare | CDN and DDoS protection | IP address, request headers |
| Hetzner | Cloud hosting | All data (encrypted at rest) |
Each third-party service has its own privacy policy governing its data handling practices. We recommend reviewing their policies:
9. International Data Transfers
Our primary data processing occurs within the European Union (Germany). If you access our Services from outside the EU, your data will be transferred to and processed in the EU.
For transfers outside the EU, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
10. Cookies
We use minimal cookies for essential functionality:
- Session cookies: To maintain your login state
- CSRF tokens: To prevent cross-site request forgery
We do not use tracking cookies, advertising cookies, or third-party analytics that track individual users.
11. Children's Privacy
Our Services are not intended for users under 18 years of age. We do not knowingly collect personal information from children. If you believe we have collected data from a minor, please contact us immediately.
12. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes:
- The "Last updated" date at the top of this page will be revised
- For material changes, we will notify you via email or a prominent notice on our website
- We will provide at least 30 days' notice before significant changes take effect
Your continued use of the Services after changes become effective constitutes acceptance of the updated policy.
13. Contact Us
If you have any questions about this Privacy Policy or our data practices, please contact us:
- Privacy inquiries: [email protected]
- General support: [email protected]
- Legal matters: [email protected]
14. Data Protection Officer
For GDPR-related inquiries, you may also contact our Data Protection Officer at:
- Email: [email protected]
If you are not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.