Privacy Policy

How SnowCoder collects, uses, and protects your personal data

Last updated: January 15, 2026

Effective Date: January 15, 2026

1. Introduction

SnowCoder ("Company," "we," "us," "our") operates as a SaaS platform that helps ServiceNow developers write code using artificial intelligence. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our website, application, and services (collectively, the "Services").

We are committed to protecting your privacy and ensuring you have a positive experience on our website and with our Services. Please read this Privacy Policy carefully. If you do not agree with our policies and practices, please do not use our Services.

2. Information We Collect

2.1 Information You Provide Directly

Account Registration:

  • Email address
  • Full name (optional)
  • Password (hashed and encrypted, never stored in plain text)
  • Organization/company information
  • Role and job title

Billing Information:

  • Billing name and address
  • Payment information (processed by Stripe; we never store raw credit card data)
  • Invoice history
  • Subscription tier and pricing plan

ServiceNow Integration Data:

  • ServiceNow instance URLs
  • ServiceNow credentials (OAuth tokens or API keys - encrypted end-to-end with AES-256-GCM)
  • Instance metadata and configuration details

User-Generated Content:

  • Code snippets and artifacts generated during sessions
  • Conversations with the Claude AI assistant
  • Prompt history and search queries

2.2 Information Collected Automatically

Session Data:

  • Access tokens and refresh tokens (stored as encrypted, httpOnly cookies)
  • CSRF tokens for security
  • Session identifiers
  • Last login timestamp

Device and Technical Information:

  • IP address
  • Browser type and version
  • Operating system
  • Device type
  • Referring website
  • Pages visited and time spent

API Usage and Analytics:

  • API endpoints accessed
  • Request timestamps
  • Response times and HTTP status codes
  • Token consumption for Claude API
  • Feature usage and engagement metrics

2.3 Information from Third Parties

Cloudflare:

  • Bot detection results (Turnstile CAPTCHA)
  • WAF security event logs
  • DDoS prevention data

Stripe:

  • Payment verification status
  • Subscription status
  • Billing event history

3. How We Use Your Information

3.1 Core Service Delivery

We use your information to:

  • Create and maintain your account
  • Authenticate and authorize access to Services
  • Process payments and manage billing
  • Deliver Claude AI-powered code generation
  • Connect to and manage your ServiceNow instances
  • Store conversation history and artifacts

3.2 Service Improvement

We analyze usage patterns (in aggregate) to:

  • Improve product features and user experience
  • Optimize performance and reliability
  • Identify and fix bugs
  • Develop new features aligned with user needs

3.3 Security and Compliance

We use information for:

  • Detecting and preventing fraud, abuse, and security threats
  • Enforcing our Terms of Service
  • Complying with legal obligations
  • Rate limiting and DoS protection
  • Audit logging and forensic analysis

3.4 AI Model Training

Important: We may use conversations and prompts submitted to SnowCoder to train and improve our AI models in partnership with Anthropic.

User Controls: You may opt out of AI training for your account by contacting [email protected]. Opt-out applies to new conversations only.

4. How We Share Your Information

4.1 No Sale of Personal Data

We do not sell, rent, or trade your personal information.

4.2 Service Providers and Processors

We share information with third-party service providers who process data on our behalf:

Service | Purpose | Data Shared
Anthropic (Claude) | AI code generation | Conversations, prompts, code snippets
Amazon Web Services | Infrastructure | Database, files, logs
Cloudflare | CDN, security | Request data, IP addresses
Stripe | Payments | Payment information, billing address
SendGrid | Email | Email addresses, message content
Sentry | Error tracking | Error logs, stack traces

All processors have data processing agreements ensuring they:

  • Use data only as instructed
  • Maintain appropriate security
  • Respect applicable privacy laws

4.3 Legal and Safety Requirements

We may disclose information when required by law or to:

  • Comply with legal process (subpoena, warrant, court order)
  • Enforce our Terms of Service
  • Protect rights, property, and safety
  • Prevent fraud and security threats

5. Data Storage and Retention

5.1 Storage Locations

User data is stored in:

  • Primary Database: Amazon RDS (PostgreSQL) - EU West region
  • File Storage: Amazon S3 / Cloudflare R2
  • Cache: Amazon ElastiCache (Redis)

5.2 Data Retention Periods

Data Type | Retention Period
Account information | Duration of account + 30 days
Conversation history | Until user deletion or 5 years
API usage logs | 90 days
Access logs | 30 days
Payment records | 7 years (tax compliance)
Audit logs | 2 years

5.3 Data Deletion Upon Account Termination

When you delete your account:

  1. User-generated content is deleted immediately
  2. Account information is deleted
  3. ServiceNow credentials are securely deleted
  4. Backup copies are deleted after 30 days

6. Security Measures

6.1 Encryption

In Transit:

  • All data transmitted uses TLS 1.3 encryption
  • Mandatory HTTPS; HTTP requests are redirected

At Rest:

  • Database credentials encrypted with AES-256-GCM
  • ServiceNow credentials encrypted with AES-256-GCM
  • Encryption keys managed by AWS SSM Parameter Store

6.2 Access Controls

  • Authentication required for all sensitive operations
  • Role-based access control (RBAC)
  • Multi-factor authentication for admin accounts
  • All API access logged and monitored

6.3 Architectural Security

  • Services hosted in Amazon VPC (isolated network)
  • Database not accessible from public internet
  • Cloudflare WAF protects against web attacks
  • DDoS protection enabled
  • Rate limiting prevents abuse
  • CSRF protection on state-changing operations

7. Your Privacy Rights

7.1 GDPR Rights (European Residents)

If you are in the EU/EEA, you have the following rights:

Right of Access: Request a copy of personal data we hold about you.

Right to Rectification: Request correction of inaccurate or incomplete data.

Right to Erasure: Request deletion of your data (with legal exceptions).

Right to Restrict Processing: Request limits on how we use your data.

Right to Data Portability: Request your data in machine-readable format (JSON/CSV).

Right to Object: Object to certain uses of your data, including marketing.

Right to Withdraw Consent: Withdraw consent for any processing that depends on it.

To exercise these rights, contact: [email protected]

We will respond within 30 days (may extend by 60 days for complex requests).

7.2 CCPA Rights (California Residents)

If you are a California resident:

Right to Know: Request information about what personal data we collect and use.

Right to Delete: Request deletion of personal data (with exceptions).

Right to Opt-Out: Opt out of sale or sharing of personal data.

Right to Correct: Request correction of inaccurate personal data.

Right to Non-Discrimination: We will not discriminate for exercising CCPA rights.

To submit a verified request, contact: [email protected]

7.3 LGPD Rights (Brazilian Residents)

You have rights similar to GDPR including access, correction, deletion, and data portability.

7.4 PIPEDA Rights (Canadian Residents)

You have the right to access, correct, and delete your personal data.

8. Cookies and Tracking Technologies

8.1 Essential Cookies

Cookie Name | Purpose | Duration
access_token | JWT authentication | 15 minutes
refresh_token | Session refresh | 7 days
csrf_token | CSRF protection | 1 hour

These cookies are httpOnly (not accessible to JavaScript) and secure (HTTPS only).

8.2 Managing Cookies

You can control cookies through browser settings. Blocking essential cookies may impair functionality.

See our Cookie Policy for full details.

9. International Data Transfers

9.1 Data Transfer Mechanisms

SnowCoder is based in the United Kingdom. Your data may cross international borders.

Legal Bases for Transfers:

  • Standard Contractual Clauses (SCCs) for EU transfers
  • Your consent by using SnowCoder
  • Business necessity to provide the Services

9.2 Transfers to Third Parties

Service | Data Transferred | Transfer Mechanism
Anthropic | Conversations, prompts | API call (TLS 1.3)
AWS | User data, files, logs | Private network
Stripe | Payment information | PCI DSS encrypted
Cloudflare | Request data, IP | HTTPS API

10. Children's Privacy (COPPA)

SnowCoder is not intended for users under 13 years old.

We do not knowingly collect personal information from children under 13. If we become aware that a child has provided information, we will delete it immediately.

Parents: If you believe your child has provided information to SnowCoder, contact [email protected] immediately.

11. Changes to This Privacy Policy

We may update this Privacy Policy periodically. Changes will:

  • Update the "Last Updated" date
  • Be communicated via email for major changes
  • Be effective upon posting (continued use constitutes acceptance)

12. Contact Us

Privacy Questions and Requests

Email: [email protected]

Data Protection Officer (EU Residents): [email protected]

Mailing Address: Kumoco Limited (trading as SnowCoder), 180 Strand, London, WC2R 1EA, United Kingdom

Response Times

  • Privacy requests: 30 days
  • Deletion requests: 30 days
  • Data portability requests: 30 days

13. Legal Basis for Processing (GDPR)

We process personal data under the following legal bases:

Purpose | Legal Basis
Service delivery | Contractual Necessity
Security, fraud prevention | Legitimate Interest
Tax, financial compliance | Legal Obligation
Marketing, AI training | Consent (with opt-out)

Document Status: Production Ready
Classification: Customer-Facing
Review Cycle: Annual