GDPR Compliance

Our commitment to GDPR and data protection regulations

Last updated: January 15, 2026

Effective Date: January 15, 2026

1. Introduction

This document outlines how SnowCoder complies with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and related data protection laws. It is intended for customers, particularly those in the European Union (EU), European Economic Area (EEA), and United Kingdom (UK).

1.1 Our Commitment

SnowCoder is committed to:

  • Protecting the privacy and personal data of our users
  • Complying with GDPR and applicable data protection laws
  • Providing transparency about our data processing activities
  • Enabling users to exercise their data protection rights

1.2 Scope

This guide covers:

  • How we process personal data under GDPR
  • Your rights as a data subject
  • Our data protection measures
  • How to exercise your rights

2. Data Controller and Processor Roles

2.1 When SnowCoder Acts as Controller

SnowCoder is the Data Controller for:

  • Account registration information
  • Billing and payment data
  • Customer support communications
  • Website analytics data
  • Marketing communications (with consent)

Legal Bases for Controller Processing:

Purpose                       | Legal Basis
Account management            | Contractual necessity
Billing and payments          | Contractual necessity
Service communications        | Legitimate interest
Security and fraud prevention | Legitimate interest
Marketing                     | Consent
Legal compliance              | Legal obligation

2.2 When SnowCoder Acts as Processor

SnowCoder is the Data Processor when processing:

  • Customer data submitted to the Services
  • ServiceNow instance data
  • User-generated content and conversations

When acting as Processor, we process data only according to customer instructions as documented in our Data Processing Agreement.

3. Personal Data We Process

3.1 Categories of Personal Data

Category       | Examples                  | Purpose
Identity Data  | Name, username            | Account management
Contact Data   | Email address             | Communications
Technical Data | IP address, browser info  | Security, analytics
Usage Data     | Feature usage, logs       | Service improvement
Financial Data | Payment info (via Stripe) | Billing
Content Data   | Code, conversations       | Service delivery

3.2 Special Categories of Data

We do not intentionally collect special category data (sensitive personal data). If you submit such data, you do so at your own risk and should ensure you have a lawful basis.

3.3 Data We Do NOT Collect

  • Biometric data
  • Political opinions
  • Religious beliefs
  • Trade union membership
  • Health data
  • Sexual orientation

4. Lawful Bases for Processing

4.1 Contractual Necessity (Article 6(1)(b))

We process data necessary to:

  • Create and manage your account
  • Provide the Services you requested
  • Process payments for subscriptions
  • Deliver customer support

4.2 Legitimate Interests (Article 6(1)(f))

We process data based on legitimate interests for:

  • Security and fraud prevention
  • Service improvement and analytics
  • Enforcing our terms of service
  • Business operations

Balancing Test: We have conducted legitimate interest assessments ensuring our interests do not override your fundamental rights and freedoms.

4.3 Consent (Article 6(1)(a))

We obtain consent for:

  • Marketing communications
  • Non-essential cookies
  • AI model training (with opt-out)
  • Specific data uses as disclosed

4.4 Legal Obligation (Article 6(1)(c))

We process data to comply with:

  • Tax and financial reporting
  • Law enforcement requests
  • Regulatory requirements
  • Court orders

5. Your GDPR Rights

5.1 Right of Access (Article 15)

You have the right to:

  • Confirm whether we process your data
  • Obtain a copy of your personal data
  • Receive information about processing activities

How to Exercise:

  1. Email: [email protected]
  2. Subject: "Data Access Request"
  3. Include: Your name, email, and account details
  4. Response time: 30 days

5.2 Right to Rectification (Article 16)

You have the right to:

  • Correct inaccurate personal data
  • Complete incomplete personal data

How to Exercise:

5.3 Right to Erasure (Article 17)

You have the right to request deletion when:

  • Data is no longer necessary for its purpose
  • You withdraw consent (where consent was the basis)
  • You object to processing based on legitimate interests
  • Data was unlawfully processed
  • Legal obligation requires erasure

Exceptions: We may retain data where required by law or for legal claims.

How to Exercise:

  1. Email: [email protected]
  2. Subject: "Erasure Request"
  3. Response time: 30 days

5.4 Right to Restrict Processing (Article 18)

You have the right to restrict processing when:

  • You contest data accuracy (during verification)
  • Processing is unlawful but you prefer restriction to erasure
  • We no longer need the data but you need it for legal claims
  • You have objected to processing (pending verification)

5.5 Right to Data Portability (Article 20)

You have the right to:

  • Receive your data in a structured, machine-readable format
  • Transmit data to another controller

Scope: Applies to data you provided, processed by automated means, based on consent or contract.

Format: JSON or CSV export available.

5.6 Right to Object (Article 21)

You have the right to object to:

  • Processing based on legitimate interests
  • Direct marketing
  • Profiling

How to Exercise:

5.7 Rights Related to Automated Decision-Making (Article 22)

You have the right to:

  • Not be subject to decisions based solely on automated processing
  • Obtain human intervention
  • Contest automated decisions

Our Practice: We do not make significant automated decisions affecting your legal rights without human oversight.

5.8 Right to Withdraw Consent

Where processing is based on consent, you may withdraw at any time:

  • This does not affect lawfulness of prior processing
  • You can withdraw via account settings or by contacting us
  • Some services may no longer be available after withdrawal

6. Exercising Your Rights

6.1 How to Make a Request

Email: [email protected]

Required Information:

  • Your full name
  • Email address associated with your account
  • Specific right you wish to exercise
  • Any additional details relevant to your request

6.2 Identity Verification

To protect your data, we may need to verify your identity:

  • We may ask for additional information
  • We will not release data until identity is verified
  • We use reasonable methods that minimize additional data collection

6.3 Response Times

Request Type         | Initial Response | Maximum Time
Standard requests    | 30 days          | 30 days
Complex requests     | 30 days          | 90 days (with notice)
Manifestly unfounded | May refuse       | With explanation

6.4 Fees

We do not charge for reasonable requests. We may charge a reasonable fee for:

  • Manifestly unfounded or excessive requests
  • Repetitive requests
  • Additional copies beyond the first

6.5 Complaints

If unsatisfied with our response, you may:

  1. Contact us again for review
  2. Lodge a complaint with your supervisory authority
  3. Seek judicial remedy

7. International Data Transfers

7.1 Transfer Mechanisms

We transfer data outside the EEA using:

  • Standard Contractual Clauses (SCCs): EU-approved contractual protections
  • Adequacy Decisions: Where the EU has determined adequate protection
  • Your Consent: For specific transfers where you have consented

7.2 Third Country Transfers

Recipient  | Country | Transfer Mechanism
AWS        | US/EU   | SCCs + Supplementary Measures
Anthropic  | US      | SCCs + Supplementary Measures
Stripe     | US      | SCCs
Cloudflare | Global  | SCCs

7.3 Supplementary Measures

We implement supplementary measures including:

  • End-to-end encryption
  • Data minimization
  • Access controls
  • Security monitoring
  • Contractual protections

7.4 Schrems II Compliance

Following the Schrems II decision, we have:

  • Assessed transfer risks for each third country
  • Implemented supplementary technical measures
  • Updated our SCCs to the new EU-approved version
  • Documented our transfer impact assessments

8. Data Security

8.1 Technical Measures

  • Encryption at rest (AES-256-GCM)
  • Encryption in transit (TLS 1.3)
  • Access control and authentication
  • Intrusion detection and monitoring
  • Regular security assessments

8.2 Organizational Measures

  • Data protection policies
  • Staff training and awareness
  • Confidentiality agreements
  • Incident response procedures
  • Regular policy reviews

8.3 Security Certifications

See our Security Assurance Pack for detailed security documentation.

9. Data Retention

9.1 Retention Periods

Data Type             | Retention Period           | Basis
Account data          | Account lifetime + 30 days | Contractual
Billing records       | 7 years                    | Legal obligation
Access logs           | 90 days                    | Legitimate interest
Conversations         | Until deletion or 5 years  | Contractual
Marketing preferences | Until withdrawal           | Consent

9.2 Deletion Process

When data is deleted:

  1. Active data removed immediately
  2. Backups purged within 30-90 days
  3. Deletion logged for compliance
  4. Confirmation available upon request

10. Data Protection by Design

10.1 Privacy by Design Principles

We implement GDPR Article 25 through:

  • Minimization: Collect only necessary data
  • Pseudonymization: Where appropriate
  • Security: Built into all systems
  • Access Controls: Limit data access
  • Transparency: Clear privacy notices

10.2 Privacy Impact Assessments

We conduct Data Protection Impact Assessments (DPIAs) for:

  • New products or features
  • Significant changes to data processing
  • High-risk processing activities
  • AI and automated decision-making

11. Sub-processors

11.1 Current Sub-processors

We maintain a list of sub-processors at: https://snowcoder.ai/legal/sub-processors

11.2 Sub-processor Requirements

All sub-processors must:

  • Enter into data processing agreements
  • Implement appropriate security measures
  • Process data only on our instructions
  • Allow for audit rights

11.3 Sub-processor Changes

  • We notify customers of new sub-processors
  • 30-day objection period provided
  • Customers may terminate if objection unresolved

12. Contact Information

12.1 Data Protection Officer

Email: [email protected]

The DPO is available to:

  • Answer GDPR-related questions
  • Receive complaints
  • Coordinate with supervisory authorities

12.2 Privacy Team

Email: [email protected]

Response Time: 10 business days

12.3 Supervisory Authority

If you are in the EU/EEA, you may contact your local Data Protection Authority. A list is available at: https://edpb.europa.eu/about-edpb/board/members_en

Our lead supervisory authority (for matters involving multiple EU states): Irish Data Protection Commission

13. Updates to This Guide

We update this guide to reflect:

  • Changes in our data processing
  • New GDPR guidance or interpretations
  • Changes in applicable law

Material updates will be communicated via email.


Document Status: Production Ready Classification: Customer-Facing Review Cycle: Annual