1. Introduction
This page outlines SnappArchive's commitment to compliance with the General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) and Belgian data protection law. SnappArchive provides AI-powered document digitization, OCR, classification, and archiving services designed with privacy, security, and regulatory compliance at the core.
By using SnappArchive, you benefit from enterprise-grade data protection practices that align with the strictest European privacy standards.
2. GDPR Compliance Commitment
SnappArchive is fully committed to complying with GDPR and Belgian data protection requirements. We implement comprehensive technical and organizational measures to ensure all personal data is processed lawfully, fairly, transparently, and securely.
Our compliance program includes periodic internal compliance reviews, employee training, data protection impact assessments where required, incident response procedures, and continuous monitoring of regulatory developments. We are working toward ISO 27001 alignment and readiness to further strengthen our information security management systems.
3. Data Controller & Data Processor Roles
Under GDPR Article 4, it is essential to distinguish between the roles of Data Controller and Data Processor:
3.1 SnappArchive as Data Controller
- Account information (name, email, company details)
- Billing and payment information
- Platform usage data, audit logs, and analytics
- Support and communication records
As Data Controller for this information, SnappArchive determines the purposes and means of processing and bears full responsibility for GDPR compliance.
3.2 Customer as Data Controller / SnappArchive as Data Processor
- You remain the Data Controller of all documents and any personal data contained within them.
- SnappArchive acts solely as a Data Processor under GDPR Article 28, processing your documents exclusively in accordance with your instructions and the terms of our Data Processing Agreement (DPA).
- We do not use, disclose, or access the content of your documents for any purpose other than providing the Services.
- We do not use customer documents or extracted text to train AI models unless you explicitly consent.
- A Data Processing Agreement (DPA) is available upon request for enterprise customers. Contact hello@snapparchive.eu to request a signed DPA.
4. Lawful Basis for Processing
All personal data processing activities conducted by SnappArchive are mapped to lawful bases defined under GDPR Article 6(1):
Contract Performance (Art. 6(1)(b)): Processing necessary to deliver the Services and fulfill our contractual obligations to you.
Legitimate Interests (Art. 6(1)(f)): Processing necessary for fraud prevention, system security, service improvement, and business operations, provided these interests do not override your fundamental rights.
Legal Obligation (Art. 6(1)(c)): Processing required to comply with legal obligations, including tax, accounting, and Belgian regulatory requirements.
Consent (Art. 6(1)(a)): Processing based on your explicit consent for specific purposes, such as marketing communications. You may withdraw consent at any time.
Special categories of personal data (GDPR Article 9) are only processed when explicitly authorized by you or where legally required, and additional safeguards are applied.
5. GDPR Data Protection Principles
SnappArchive adheres to the six core data protection principles set forth in GDPR Article 5:
- Lawfulness, Fairness, and Transparency: All data processing is lawful, fair, and transparent.
- Purpose Limitation: Personal data is collected only for specified, explicit, and legitimate purposes.
- Data Minimization: Only the minimum personal data necessary is collected and processed.
- Accuracy: Personal data is kept accurate and up-to-date.
- Storage Limitation: Data is retained only as long as necessary or legally required.
- Integrity and Confidentiality (Security): Data is protected against unauthorized access, loss, destruction, or damage.
6. Data Subject Rights
Under GDPR Articles 15–22, you have the following rights:
- Right of Access (Art. 15)
- Right to Rectification (Art. 16)
- Right to Erasure / "Right to be Forgotten" (Art. 17)
- Right to Restriction of Processing (Art. 18)
- Right to Data Portability (Art. 20)
- Right to Object (Art. 21)
- Rights Related to Automated Decision-Making and Profiling (Art. 22)
- Right to Withdraw Consent
Details:
- Access: Obtain confirmation of processing and a copy of your data.
- Rectification: Correct inaccurate or incomplete personal data.
- Erasure: Request deletion when data is no longer necessary.
- Restriction: Limit processing under certain circumstances.
- Portability: Receive data in a machine-readable format and transmit it to another controller.
- Object: Object to processing for legitimate interests or marketing.
- Automated Decision-Making: Request human review of automated decisions.
7. Data Security Measures
SnappArchive implements state-of-the-art technical and organizational security measures:
7.1 Encryption
- Data in Transit: TLS 1.3 encryption
- Data at Rest: AES-256 encryption
7.2 Access Controls
- Role-based access control (RBAC)
- Multi-factor authentication (MFA) where supported
- Zero-knowledge principles where applicable
- Audit logging of document access where technically feasible
7.3 Infrastructure and Hosting
- All data stored in EU-based, geo-redundant data centers
- EU data residency guaranteed
- Penetration testing and third-party security audits
- Intrusion detection and prevention systems
- Automated backup systems with encrypted storage (30-day retention, EU-only)
7.4 Organizational Measures
- Employee training on data protection and GDPR compliance
- Confidentiality agreements for staff with access to personal data
- Incident response and breach notification procedures
- Regular review and updating of security policies
8. Data Protection Impact Assessments (DPIA)
DPIAs are performed for high-risk processing activities to identify and mitigate privacy risks before implementation.
9. Data Retention Policies
SnappArchive retains personal data only as long as necessary:
Account Data
- Retained for the duration of your active account and deleted within 30 days of account deletion, except where legally required.
Documents
- Retained only as long as you choose to store them. Deleted within 30 days, including backups.
Billing Data
- Retained for 7 years according to Belgian law.
Backup Data
- Retained for a maximum of 30 days.
Audit Logs
- Retained for 12 months, then anonymized or deleted.
10. Sub-Processors
SnappArchive engages trusted third-party sub-processors. All sub-processors are GDPR compliant and bound by Data Processing Agreements. Contact hello@snapparchive.eu for a current list.
11. International Data Transfers
All personal data is stored and processed exclusively within the EU. Transfers outside the EU occur only with adequate safeguards, SCCs, or other GDPR-compliant measures. Notifications are provided for such transfers.
12. Data Breach Procedures
SnappArchive maintains incident response and data breach notification procedures in accordance with GDPR Articles 33 and 34. Relevant authorities and affected individuals are notified without undue delay.
13. Exercising Your Rights
You can exercise your GDPR rights through account settings or by contacting hello@snapparchive.eu. Requests are processed within 30 days or extended up to 90 days if complex.
14. Complaints
If you believe SnappArchive has not handled your data according to GDPR or Belgian law, you can lodge a complaint with the Belgian Data Protection Authority:
Website: www.gegevensbeschermingsautoriteit.be
Email: contact@apd-gba.be
15. Contact Information
Email: hello@snapparchive.eu
Data Protection Officer (DPO): Will be appointed when legally required. Until then, direct inquiries to hello@snapparchive.eu.