Legal

GDPR & UK Data Protection

How Snowcoder complies with GDPR, UK GDPR, and the Data Protection Act 2018

Last updated: October 2, 2025

1. Our Commitment to GDPR

SNowCoder is committed to protecting the privacy and personal data of all individuals in the European Union (EU) and European Economic Area (EEA). We comply with the General Data Protection Regulation (GDPR) and have implemented appropriate technical and organizational measures to ensure data protection.

This GDPR statement is governed by the laws of England and Wales and aligns with UK data protection requirements, including the UK GDPR and Data Protection Act 2018.

2. Legal Basis for Processing

We process personal data under the following legal bases:

  • Consent: When you explicitly agree to our data processing (e.g., joining our waitlist)
  • Contract Performance: To provide our services as outlined in our Terms of Service
  • Legitimate Interests: For improving our services, security, and fraud prevention
  • Legal Obligations: To comply with applicable laws and regulations

3. Your Rights Under GDPR

As a data subject, you have the following rights:

3.1 Right to Access

You have the right to request a copy of all personal data we hold about you. We will provide this information in a structured, commonly used format within 30 days.

3.2 Right to Rectification

You can request correction of inaccurate or incomplete personal data. We will update your information promptly upon verification.

3.3 Right to Erasure ("Right to be Forgotten")

You can request deletion of your personal data when:

  • The data is no longer necessary for the original purpose
  • You withdraw consent and there's no other legal basis
  • You object to processing and there are no overriding legitimate grounds
  • The data was unlawfully processed

3.4 Right to Data Portability

You can request your personal data in a machine-readable format (JSON, CSV) and have it transferred to another service provider.

3.5 Right to Restrict Processing

You can request limitation of data processing in certain circumstances, such as when contesting data accuracy or processing legality.

3.6 Right to Object

You can object to processing based on legitimate interests or for direct marketing purposes. We will cease processing unless we have compelling legitimate grounds.

3.7 Rights Related to Automated Decision-Making

You have the right not to be subject to decisions based solely on automated processing, including profiling, that produce legal or significant effects.

4. How to Exercise Your Rights

To exercise any of your GDPR rights, you can:

  • Email us at: [email protected]
  • Use the privacy controls in your account settings
  • Submit a request through our support portal

We will respond to your request within 30 days. In complex cases, we may extend this period by an additional 60 days with notification.

5. Data Protection Measures

5.1 Technical Measures

  • End-to-end encryption (TLS 1.3) for data in transit
  • AES-256 encryption for data at rest
  • Regular security assessments and penetration testing
  • Secure authentication with MFA support
  • Automated backup and disaster recovery procedures

5.2 Organizational Measures

  • Data Protection Officer (DPO) appointed and accessible
  • Privacy by Design and by Default principles
  • Regular staff training on data protection
  • Data Processing Impact Assessments (DPIAs) for high-risk processing
  • Vendor management and third-party assessments

6. International Data Transfers

When we transfer personal data outside the EU/EEA, we ensure adequate protection through:

  • Standard Contractual Clauses (SCCs): EU Commission-approved data transfer agreements
  • Adequacy Decisions: Transfers to countries deemed adequate by the EU Commission
  • Data Processing Agreements (DPAs): Contractual safeguards with all processors
  • Data Localization Options: EU-only data storage available for enterprise customers

7. Data Processing Activities

| Processing Activity | Data Categories | Legal Basis | Retention Period |
|---|---|---|---|
| Account Management | Name, email, credentials | Contract | Account lifetime + 90 days |
| Service Provision | Code snippets, usage data | Contract | Real-time processing only |
| Analytics | Usage patterns, features used | Legitimate Interest | 90 days |
| Marketing | Email, preferences | Consent | Until consent withdrawn |
| Billing | Payment info, invoices | Legal Obligation | 7 years |

8. Third-Party Processors

We work with the following categories of processors, all bound by GDPR-compliant DPAs:

  • Cloud Infrastructure: AWS (with EU region deployment)
  • Payment Processing: Stripe (PCI-DSS compliant)
  • Email Services: Resend (GDPR compliant)
  • Analytics: Privacy-focused analytics tools (anonymized data)

9. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify the relevant supervisory authority within 72 hours of discovery
  • Inform affected individuals without undue delay if there's a high risk to rights and freedoms
  • Document all breaches, including facts, effects, and remedial actions
  • Implement measures to prevent recurrence

10. Children's Privacy

SNowCoder is not intended for individuals under 16 years of age. We do not knowingly process personal data of children without parental consent.

11. Supervisory Authority

You have the right to lodge a complaint with your local data protection authority. For EU residents, you can find your authority at: European Data Protection Board

12. Data Protection Officer

Our Data Protection Officer can be reached at:

Email: [email protected]
Address: Data Protection Officer, Kumoco Limited, 180 Strand, London, WC2R 1EA, United Kingdom

13. Updates to GDPR Compliance

We regularly review and update our GDPR compliance measures. Material changes will be communicated via email and posted on this page.