Snak — Privacy Policy
Effective Date: 15 April 2026
Last Updated: 15 April 2026
1. Introduction
This Privacy Policy explains how SXDA Pty Ltd (ABN 62 649 069 778), trading as Snak Software(“we”, “us”, “our”), collects, uses, stores, discloses, and protects your personal information when you use the Snak platform (“the Service”) at www.snak.io.
We are an Australian company and comply with the Australian Privacy Act 1988 (Cth) and the Australian Privacy Principles (APPs). We also respect the privacy rights of users worldwide and have designed this policy to align with international privacy standards, including the principles of the EU General Data Protection Regulation (GDPR) and similar frameworks, where applicable.
By using the Service, you consent to the collection and use of your personal information as described in this Privacy Policy. If you do not agree to this policy, please do not use the Service.
2. Information We Collect
2.1 Information You Provide
When you create an account, use the Service, or contact us, we may collect:
- Account information: First name, last name, email address, password (stored as a secure hash — we never store plain text passwords), agency/organisation name, and country.
- Business data:Information you enter into the Service, including client details, contact information, leads, hosting records, service contracts, software licenses, notes, and any other data you choose to store (“Your Data”).
- Payment information: If and when paid plans are introduced, we will collect billing information such as your name, billing address, and payment method details. Payment card details are processed and stored by our third-party payment provider (Stripe) — we do not store full card numbers on our servers.
- Communications: Any messages, feedback, or correspondence you send to us via email or other channels.
- Legal records: Records of your acceptance of our Terms of Service, including your IP address, user agent, terms version, and timestamp at the time of acceptance.
2.2 Information Collected Automatically
When you use the Service, we may automatically collect:
- Usage data: Pages visited, features used, actions taken within the Service, timestamps, and session duration.
- Device and browser information: IP address, browser type and version, operating system, device type, and screen resolution.
- Cookies and similar technologies: We use essential cookies to maintain your authentication session. We do not use third-party tracking cookies or advertising cookies. See Section 8 for more information.
2.3 Information We Do Not Collect
We do not knowingly collect:
- Personal information from children under 16 years of age.
- Sensitive information (as defined by the Australian Privacy Act) such as racial or ethnic origin, political opinions, religious beliefs, health information, sexual orientation, or criminal records, unless you choose to enter such information into free-text fields within the Service.
3. How We Use Your Information
We use your personal information for the following purposes:
| Purpose | Lawful Basis |
|---|---|
| To create and manage your account | Contractual necessity |
| To provide, maintain, and improve the Service | Contractual necessity / Legitimate interest |
| To send transactional emails (verification, password reset, team invitations, renewal reminders) | Contractual necessity |
| To process payments (when paid plans are introduced) | Contractual necessity |
| To respond to your enquiries and provide support | Legitimate interest |
| To detect, prevent, and address security issues, fraud, or technical problems | Legitimate interest |
| To comply with legal obligations | Legal obligation |
| To send product updates and announcements about the Service | Legitimate interest (with opt-out) |
We will not use your personal information for purposes materially different from those described above without your consent.
4. How We Share Your Information
We do not sell, rent, lease, or trade your personal information to third parties.
We may share your personal information with the following categories of recipients, solely for the purposes described in this policy:
4.1 Service Providers
We use trusted third-party service providers to help us operate the Service. These providers process data on our behalf and are contractually obligated to protect your information:
| Provider | Purpose | Data Shared | Location |
|---|---|---|---|
| Supabase (via AWS) | Database hosting, authentication | Account data, Your Data | Sydney, Australia |
| Vercel | Application hosting | Request logs, IP addresses | Global (edge network) |
| Postmark (ActiveCampaign) | Transactional email delivery | Email addresses, email content | United States |
| Stripe (when activated) | Payment processing | Billing name, email, payment details | United States |
4.2 Legal Requirements
We may disclose your information if required to do so by law, or if we believe in good faith that such disclosure is necessary to:
- Comply with a legal obligation, court order, or government request;
- Protect and defend our rights or property;
- Prevent or investigate possible wrongdoing in connection with the Service;
- Protect the personal safety of users of the Service or the public.
4.3 Business Transfers
If SXDA Pty Ltd is involved in a merger, acquisition, asset sale, or bankruptcy, your personal information may be transferred as part of that transaction. We will notify you before your personal information is transferred and becomes subject to a different privacy policy.
5. Data Storage and Security
5.1 Where Your Data Is Stored
Your Data is primarily stored on servers located in Sydney, Australia, operated by Supabase (hosted on Amazon Web Services). Some data may be processed by our service providers in other jurisdictions (see Section 4.1).
5.2 International Data Transfers
If you are located outside of Australia, your personal information will be transferred to and processed in Australia. By using the Service, you consent to this transfer. We ensure that any international data transfer is conducted in accordance with applicable privacy laws and that appropriate safeguards are in place.
For users in the European Economic Area (EEA), the United Kingdom, or other jurisdictions with data transfer restrictions: we rely on the necessity of the transfer for the performance of our contract with you (our Terms of Service) as the lawful basis for transferring your data to Australia.
5.3 Security Measures
We implement reasonable technical and organisational measures to protect your personal information, including:
- Encryption of data in transit (TLS/HTTPS);
- Encryption of data at rest (database-level encryption provided by AWS);
- Secure password hashing (passwords are never stored in plain text);
- Row-Level Security (RLS) policies to enforce multi-tenant data isolation;
- Authentication tokens are cryptographically hashed (SHA-256) before storage;
- Role-based access controls within the application;
- Regular security audits of the application code.
Despite these measures, no method of electronic transmission or storage is completely secure. We cannot guarantee the absolute security of your information and accept no liability for any unauthorised access, loss, or breach that occurs despite our reasonable security efforts.
6. Data Retention
We retain your personal information for as long as your account is active or as needed to provide you with the Service.
| Data Type | Retention Period |
|---|---|
| Account information | Duration of account + 30 days after deletion |
| Your Data (business data) | Duration of account + 30 days after deletion |
| Authentication tokens (verification, password reset) | Automatically expire (1-7 days) and are cleaned up periodically |
| Team invitation tokens | Automatically expire (7 days) |
| Payment records (when applicable) | As required by Australian tax law (up to 7 years) |
| Legal acceptance records | Indefinitely (as required for legal compliance) |
After account deletion, Your Data will be permanently deleted within 30 days. Backups containing Your Data may persist in our backup systems for a reasonable period but will not be actively used or accessible.
7. Your Rights
7.1 Australian Privacy Act Rights
Under the Australian Privacy Principles, you have the right to:
- Access: Request access to the personal information we hold about you.
- Correction: Request correction of any inaccurate, incomplete, or out-of-date personal information.
- Complaint: Lodge a complaint with us or with the Office of the Australian Information Commissioner (OAIC) if you believe we have breached the APPs.
7.2 Additional Rights for International Users
If you are located in the European Economic Area, United Kingdom, or other jurisdictions that grant additional privacy rights, you may also have the right to:
- Erasure: Request deletion of your personal information (subject to legal retention requirements).
- Restriction: Request that we restrict the processing of your personal information in certain circumstances.
- Portability: Request a copy of your personal information in a structured, commonly used, and machine-readable format.
- Objection: Object to the processing of your personal information for direct marketing or other purposes based on legitimate interest.
- Withdraw consent: Where processing is based on your consent, withdraw that consent at any time.
To exercise any of these rights, please contact us at hello@snak.io. We will respond to your request within 30 days.
7.3 Right to Complain
If you are unsatisfied with our response to a privacy concern, you have the right to lodge a complaint with:
Office of the Australian Information Commissioner (OAIC)
Website: www.oaic.gov.au
Phone: 1300 363 992
For EEA residents, you may also lodge a complaint with your local data protection authority.
8. Cookies and Tracking
8.1 Essential Cookies
We use essential cookies that are strictly necessary for the operation of the Service. These cookies are used to:
- Maintain your authenticated session;
- Remember your authentication state across page loads;
- Protect against cross-site request forgery (CSRF).
These cookies are first-party cookies and do not track you across other websites.
8.2 No Tracking or Advertising Cookies
We do not use:
- Third-party tracking cookies;
- Advertising or remarketing cookies;
- Social media tracking pixels;
- Any cookies for the purpose of behavioural advertising or cross-site tracking.
8.3 Analytics
We may, in the future, implement privacy-respecting analytics to understand how the Service is used. If we do, we will update this policy to reflect the specific analytics provider and the data collected. We will never use analytics tools that track individual users across the web.
9. Third-Party Links
The Service may contain links to third-party websites or services (e.g., client websites stored in hosting records, purchase URLs for software). We are not responsible for the privacy practices of these third-party sites. We encourage you to review the privacy policies of any third-party services you visit.
10. Children's Privacy
The Service is not directed to children under the age of 16. We do not knowingly collect personal information from children under 16. If we become aware that we have collected personal information from a child under 16, we will take steps to delete that information promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by:
- Sending an email to the address associated with your account; or
- Posting a prominent notice within the Service.
Your continued use of the Service after the effective date of any update constitutes your acceptance of the updated Privacy Policy.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our handling of your personal information, please contact us at:
SXDA Pty Ltd
Trading as Snak Software
ABN 62 649 069 778
Email: hello@snak.io
Website: www.snak.io
For privacy-specific enquiries, please include “Privacy” in the subject line of your email.
This Privacy Policy was last updated on 15 April 2026.