Znippet and the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a privacy regulation enacted by the European Union (EU) to strengthen the protection of individuals' data. It became enforceable on May 25, 2018, and applies to any company that handles the data of EU citizens, no matter where the company is based.

This page explains how Znippet implements GDPR principles and ensures that your data is handled transparently, securely, and respectfully.

Data Controller

The data controller responsible for your personal data is:

As a small company, Znippet is not required to appoint a Data Protection Officer (DPO) under GDPR Article 37, as we do not carry out large-scale systematic monitoring or process special categories of data as a core activity. For any data protection inquiries, please reach out via our dashboard.

• Who we are and how to contact us
• What types of data we collect
• Why we collect your data and the legal basis for processing
• How long we retain your data
• Third-party services and data processors we use
• Your rights over your data under GDPR
• How you can manage, update, or delete your information
• How to contact us about your data

What is GDPR?

In simple terms, GDPR gives you greater control over your personal information. Service providers (like Znippet) must be transparent about what data they collect, how they use it, and how they share it — and users must have full rights to access, modify, or delete their data.

Although GDPR is an EU regulation, it affects any business that collects or processes the data of EU residents, including Znippet.

How Znippet Implements GDPR

Znippet has always prioritized user data privacy. Our core practices align with GDPR principles, and we continuously improve our processes to ensure full compliance. We process data based on the following legal bases: consent, contractual necessity, and legitimate interest.

Data we collect

• Account Information: Your name, email address, and encrypted authentication credentials during account registration (via email/password or Google OAuth). Passwords are stored as a secure bcrypt hash — we never store plaintext passwords.

• Payment & Order Data: Billing address, payment method details (processed securely by Paddle — we do not store full card numbers), invoices, and subscription status.

• Browsing & Usage Behavior: Pages you visit, features you use within the plugin, time spent on the site, session recordings (via Microsoft Clarity), and interaction with our marketing campaigns.

• Technical Data: IP address, browser type, device information, operating system, and referral source.

• Plugin Usage Analytics: Analytical data about how you use the Znippet plugin, including which features are used, how frequently, session duration, workflow patterns, and device/software environment (OS, Premiere Pro version). Used solely to improve the product.

• AI Processing Data: Transcript text submitted to AI-powered features (Social Media Snippet Maker, YouTube Video Editor, automated B-Roll generation). Processed via OpenRouter and not used to train AI models.

Why we collect your data

• To create and manage your Znippet account and authenticate your identity
• To process subscriptions, generate invoices, and prevent fraudulent transactions via Paddle
• To deliver and license our Adobe Premiere Pro plugin
• To provide AI-powered editing features through secure third-party API processing
• To improve your experience through personalized content and feature recommendations
• To analyze site traffic using Google Analytics 4 (legitimate interest — restricted mode, no consent required) and Microsoft Clarity (consent required for session recordings)
• To analyze plugin feature usage and improve the product based on how users interact with Znippet (legitimate interest)
• To measure advertising effectiveness and build remarketing audiences via Google Ads (conversion tracking and remarketing — consent required)

Data retention

We retain your personal data only for as long as necessary to fulfill the purposes outlined above. Specifically:

• Account data: Retained for the duration of your active account and deleted upon verified request.

• Payment records: Retained as required by tax and financial regulations (typically 7 years).

• Analytics data: Aggregated and anonymized data may be retained indefinitely; identifiable analytics data follows provider-specific retention policies.

• AI prompts: Not stored persistently by Znippet. Processed in real-time and discarded.

Third-party services and data processors

We use the following third-party services to operate Znippet. Each service acts as a data processor under GDPR, and we have ensured appropriate data processing agreements are in place:

• Paddle: Merchant of Record and payment processor for secure subscription billing and transaction management. Paddle is PCI-DSS Level 1 certified. Privacy policy: paddle.com/legal/privacy.

• Google Analytics 4: For traffic analysis and understanding user behavior on our website. Active by default in restricted mode — IP addresses are always anonymized by Google, advertising signals are disabled, and Google Signals is turned off. Legal basis: legitimate interest. No consent required. Data may be transferred to the US under Google's data processing terms.

• Microsoft Clarity: For session recordings, heatmaps, and behavioral analytics to improve user experience. Microsoft processes data under their DPA.

• Google Ads: For conversion tracking to measure the effectiveness of our advertising campaigns, and to build remarketing audiences to show ads to past visitors on Google properties. Only activated with consent. Data may be transferred to the US under Google's data processing terms.

• OpenRouter: AI data processor powering the Social Media Snippet Maker, YouTube Video Editor, and automated B-Roll generation. Data is sent via our Cloudflare proxy and is not retained for model training.

• Supabase: PostgreSQL database hosting for user accounts, license data, and application state. Data is encrypted at rest and in transit.

• Cloudflare: Infrastructure provider for hosting our API (Workers), CDN, DNS, and DDoS protection. Cloudflare processes data in accordance with their DPA.

• NextAuth.js: Authentication framework for secure email/password and Google OAuth sign-in. Session tokens are stored securely as HTTP-only cookies.

International data transfers

Znippet is based in the Netherlands. Your data may be transferred to and processed in jurisdictions where our service providers operate, including the United States. We ensure appropriate safeguards are in place for these transfers, including relying on our processors' Standard Contractual Clauses (SCCs) and Data Processing Agreements (DPAs) as approved by the European Commission.

Your data rights under GDPR

Under the GDPR, you have the following rights regarding your personal data. To exercise any of these rights, contact us via our dashboard:

• Right of Access (Article 15) — request a copy of all personal data we hold about you

• Right to Rectification (Article 16) — correct any inaccurate or incomplete personal data

• Right to Erasure (Article 17) — request deletion of your personal data ("right to be forgotten")

• Right to Restrict Processing (Article 18) — limit how we use your data while a dispute is resolved

• Right to Data Portability (Article 20) — receive your data in a structured, machine-readable format (e.g., JSON or CSV)

• Right to Object (Article 21) — object to processing based on legitimate interests, including direct marketing

• Right to Withdraw Consent (Article 7(3)) — withdraw consent at any time without affecting the lawfulness of prior processing

• Right Regarding Automated Decisions (Article 22) — not be subject to decisions based solely on automated processing that significantly affect you

How to manage or delete your data

• You can update your profile details anytime from your account dashboard at znippet.ai.
• To request a complete data deletion, data export, or to exercise any of your GDPR rights, contact us via our dashboard
• We will respond to all data rights requests within 30 days, as required by GDPR. If we need more time, we will notify you within the initial 30-day period.
• If you are unsatisfied with our response, you have the right to lodge a complaint with your local data protection authority (supervisory authority).

This GDPR compliance page was last updated on March 9, 2026. We may update this page from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated via email or a notice on our website.