1. Introduction
This Privacy Policy explains how Nulook Projects Ltd, trading as SnagDoc, collects, uses, stores, and protects your personal data. We are committed to compliance with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
This policy applies to all users of the SnagDoc application, including subscribers, portal users (clients and assignees), and visitors to our website.
2. Data We Collect
Account data: full name, email address, company name, phone number (optional), and password (encrypted).
Project data: project details (names, references, addresses, clients), floor plans, snag descriptions and metadata, photographs, comments, checklist items, and sharing preferences.
Usage data: login timestamps, pages and features accessed, device type, browser type, operating system, and IP address.
Payment data: subscription plan selection, billing dates, and payment status. Card numbers and bank details are processed and stored exclusively by Stripe, Inc. — we do not have access to or store this information on our servers.
Communication data: email addresses used for invites, support requests, and feedback submissions.
3. How We Use Your Data
- To provide, operate, and maintain the SnagDoc service
- To create and manage your account
- To process payments and manage subscriptions via Stripe
- To send transactional emails (account verification, password resets, invite notifications, welcome messages, removal notices)
- To generate PDF reports containing your project data
- To facilitate project sharing via client and assignee portals
- To improve the Service through anonymised usage analytics
- To communicate important service updates, security notices, or changes to these policies
- To respond to support requests and feedback
- To detect and prevent fraud, abuse, or security threats
4. Legal Basis for Processing
Contract performance (Article 6(1)(b) UK GDPR): processing your data is necessary to provide the service you have registered for or subscribed to, including account management, project storage, and email communications.
Legitimate interests (Article 6(1)(f) UK GDPR): we process usage data and anonymised analytics to improve the Service, maintain security, and detect abuse. We have assessed that these interests do not override your rights and freedoms.
Legal obligation (Article 6(1)(c) UK GDPR): we retain payment records as required by UK tax and accounting regulations.
Consent (Article 6(1)(a) UK GDPR): where applicable, we obtain your consent for optional communications such as product updates or marketing. You may withdraw consent at any time.
5. Data Sharing & Third-Party Processors
We do not sell, rent, or trade your personal data to any third party.
We share data with the following third-party processors, each operating under appropriate data processing agreements:
- Supabase, Inc. — database hosting, authentication, and file storage (servers within EU/UK, AWS infrastructure)
- Vercel, Inc. — application hosting and serverless function execution
- Stripe, Inc. — payment processing and subscription management
- Resend — transactional email delivery (invites, welcome emails, notifications)
When you share a project via a portal link, the recipient(s) can view the project data you have chosen to share. You control what is shared and with whom.
We may also disclose your data if required by law, regulation, or court order, or to protect the rights, property, or safety of Nulook Projects Ltd, our users, or the public.
6. International Data Transfers
Some of our third-party processors (Vercel, Stripe) may process data outside the UK. Where this occurs, we ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the Information Commissioner's Office, or reliance on adequacy decisions where applicable.
7. Data Storage & Security
Your data is primarily stored on servers within the EU/UK via Supabase (AWS infrastructure). We implement the following security measures:
- All data encrypted in transit using TLS 1.2+
- Data encrypted at rest on database servers
- Access controls and role-based permissions
- Secure authentication with hashed passwords
- Regular security reviews and dependency updates
- Photos and plan images stored in access-controlled cloud storage buckets
While we take all reasonable steps to protect your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee absolute security.
8. Data Retention
- Active accounts: data is retained for as long as your account is active and the Service is in use.
- Cancelled subscriptions: your data remains accessible until you close your account. Paid features revert to free-tier limits.
- Closed accounts: data is retained for 30 days after account closure to allow for reactivation or data export, then permanently deleted.
- Payment records: retained for 7 years as required by HMRC tax regulations.
- Anonymised analytics: may be retained indefinitely as they contain no personally identifiable information.
- Invite tokens: retained for 90 days after creation, then automatically expired.
You may request immediate deletion of your data at any time by contacting support@snagdoc.com.
9. Your Rights Under UK GDPR
You have the following rights regarding your personal data:
- Right of access — request a copy of the personal data we hold about you
- Right to rectification — request correction of inaccurate or incomplete data
- Right to erasure — request deletion of your data ("right to be forgotten")
- Right to restrict processing — request that we limit how we use your data
- Right to data portability — request your data in a structured, machine-readable format
- Right to object — object to processing based on legitimate interests
- Right to withdraw consent — where processing is based on consent, withdraw it at any time
- Rights related to automated decision-making — we do not make automated decisions that produce legal effects concerning you
To exercise any of these rights, contact us at support@snagdoc.com. We will respond within 30 days. If your request is complex, we may extend this by a further 60 days with notice.
There is no fee for exercising your rights, unless requests are manifestly unfounded or excessive.
10. Cookies & Tracking
SnagDoc uses only essential cookies required for the Service to function:
- Authentication cookies: maintain your login session
- Security cookies: prevent cross-site request forgery
We do not use advertising cookies, tracking pixels, or third-party analytics cookies. We do not engage in cross-site tracking or behavioural advertising.
11. Children
SnagDoc is not intended for use by individuals under 18 years of age. We do not knowingly collect personal data from children. If we become aware that we have collected data from a person under 18, we will take steps to delete it promptly.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Where we make material changes, we will notify you via email or in-app notification at least 14 days before the changes take effect. The "Last updated" date at the top of this policy indicates the most recent revision.
We encourage you to review this policy periodically.
13. Contact & Complaints
For any privacy-related enquiries, data requests, or concerns:
Nulook Projects Ltd (trading as SnagDoc)
83-89 Phoenix Street, Sutton-In-Ashfield, England, NG17 4HL
Company Number: 13544311 · VAT: GB 395373165
Telephone: 0115 8571322
Email: support@snagdoc.com
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Helpline: 0303 123 1113
Address: Wycliffe House, Water Lane, Wilmslow, Cheshire, SK9 5AF
