Plain-English privacy policy.
We collect the minimum we need to run the product. We don't sell your data, we don't run analytics on you, and we don't share anything with third parties beyond the few processors named below. This page lays out exactly what we do and what we don't.
The 30-second version
- We only collect what we need: your email, your Stripe billing record, the Facebook groups + keywords you tell us to watch, the posts that match those keywords, and (if you connect Facebook) an encrypted copy of your Facebook session cookies.
- We never see your Facebook password — our Chrome extension only reads cookies, and only for facebook.com.
- Facebook session cookies are encrypted at rest with AES-256-GCM. The decryption key lives on our server, not in our database.
- We don't sell, rent, share, or otherwise monetize your data. The companies listed under 'Service providers' below process specific data for us under their own contracts (Supabase for our database, Stripe for billing, Cloudflare for DNS, Vercel for hosting once we deploy).
- We don't run analytics, tracking pixels, ad tech, or third-party telemetry on you. There's no Google Analytics, no Facebook Pixel, no Mixpanel, no fingerprinting.
- You can request deletion of your account and all associated data at any time by emailing hello@snipegroups.com. We'll do it within 30 days, usually within 48 hours.
What we collect
Account information
When you sign up: your email address and a password (hashed via Supabase Auth — we never see your plaintext password). When you subscribe: a Stripe customer ID and subscription record. We store the email so we can send you account-related notifications and so you can sign in. We store the Stripe customer ID so we can show your billing status and let you manage your subscription.
Configuration data you give us
The Facebook group IDs you want monitored, the keywords you want matched, and the destination you want alerts sent to (a Discord webhook URL, Telegram bot token + chat ID, ntfy topic, etc). We need these to do the job you're paying us for.
Facebook session cookies (Personal tier only)
If you're on the Personal tier and connect a Facebook account via our Chrome extension, the extension sends us the cookies your browser already has set for facebook.com (typically c_user, xs, and a few session-scoping values). These let us load Facebook group pages on your behalf, the same way your browser would.
How we protect them: the cookie blob is encrypted at rest with AES-256-GCM. The decryption key (32 bytes) is kept on our server in an environment variable, not in our database. A database dump alone cannot decrypt your cookies. We never log cookies in plaintext, never share them with third parties, and never use them for anything other than reading the groups you've configured.
What we don't get: your Facebook password, your messages, your photos, your friends list, your private posts, groups you didn't tell us to watch, or anything outside the specific group pages we're configured to poll.
Match history
When a Facebook post matches your keywords and we send you an alert, we save a record of it (post author, post text, post URL, which keywords matched, when we sent the notification). This powers the "Recent matches" view in your dashboard. You can clear this history at any time by deleting the relevant group, or request a full wipe by emailing us.
Risk acknowledgment audit
When you accept the risk disclosure to connect a Facebook account, we save a record of your acceptance: the version of the document you saw, the literal text of that version, a SHA-256 hash of the text for tamper-evidence, the timestamp, your IP address, and your browser's User-Agent string. This is purely defensive evidence — if a customer later disputes whether they were told about the risks, we have a clear audit trail.
Server logs
Like every web service, our servers log incoming requests: timestamp, IP address, requested URL, response code, User-Agent. These are kept for up to 30 days and used only for debugging, abuse detection, and security. We don't analyze them for behavioral profiling.
What we explicitly don't collect
- Your Facebook password (we never see it)
- Your Facebook profile information beyond the user ID we infer from the c_user cookie (so we can label your session in the dashboard)
- Any Facebook content from groups you haven't configured us to watch
- Your location, beyond the rough geographic information your IP address implies
- Behavioral analytics — page-by-page tracking, scroll depth, click heatmaps, etc. We don't run any of this.
- Third-party tracking pixels (no Google Analytics, no Facebook Pixel, no LinkedIn Insight Tag, no Mixpanel, no PostHog, no anything)
- Cookies that aren't strictly necessary — we use a session cookie via Supabase Auth to keep you signed in, and that's it
Service providers (the only third parties)
We use a small number of vendors to run the service. Each one only sees the data it needs to do its specific job, governed by their own published privacy policies:
| Vendor | What they see | Their policy |
|---|---|---|
| Supabase | Our database (everything in 'What we collect' above except logs and Stripe data) | supabase.com/privacy |
| Stripe | Email + name + payment method when you subscribe (Stripe is the merchant of record for the charge, we never see your card) | stripe.com/privacy |
| Cloudflare | DNS + edge HTTPS termination — sees IP + URL of every request to snipegroups.com | cloudflare.com/privacypolicy |
| Vercel | Web hosting — receives every HTTP request to snipegroups.com | vercel.com/legal/privacy-policy |
| Zoho Mail | Hosts hello@snipegroups.com (incoming + outgoing). Sends transactional emails (welcome, waitlist confirmation, session-expired alerts). Receives recipient email + message content. Receives any inbound mail you send to hello@snipegroups.com. | zoho.com/privacy.html |
We do not use any other third-party services that touch your data. We don't run a CDN beyond Cloudflare's standard offering, we don't use email-marketing platforms, we don't use customer-success or chat-widget vendors, and we don't use feature-flag services that phone home.
Where alerts go (your choice)
When a post matches your keywords, we POST it to whatever destination you configured: a Discord webhook URL, a Telegram bot chat, an ntfy topic, or (eventually) an email address. Once we send the alert it leaves our infrastructure entirely and is governed by the destination provider's privacy policy. We don't track delivery beyond a success/failure log.
How long we keep your data
- Account + subscription data: for as long as your account exists. Deleted within 30 days of an explicit delete request.
- Facebook session cookies: until you disconnect from the dashboard, Facebook expires the session, you delete the account, or one year passes — whichever comes first. Expired sessions are deleted automatically.
- Match history: 30 days on Personal tier; unlimited on Professional/Enterprise; deleted with the account.
- Risk acknowledgment audit: kept for as long as your account exists, even across document version bumps. Deleted with the account.
- Server logs: 30 days, then deleted.
- Stripe billing records: kept by Stripe per their own retention policy (typically 7 years for tax/audit). We can delete our local references to them; the records on Stripe's side are governed by Stripe.
Your rights
Regardless of where you live, we honor these rights for every customer (yes, even if you're not in the EU or California):
- Access: email us and we'll send you a JSON dump of everything we have on you within 30 days.
- Correction: most fields are editable directly from the dashboard. For anything that isn't, email us.
- Deletion: email us and we'll delete your account and all associated data within 30 days. Most deletions complete within 48 hours.
- Export: same as Access — full JSON dump on request.
- Opt-out of marketing: we don't send marketing email currently. If we ever do, every message will have an unsubscribe link.
Contact: hello@snipegroups.com. We respond within 5 business days.
Cookies we set
We set the minimum cookies required to keep you signed in. As of today that means:
| Cookie | Purpose | Lifetime |
|---|---|---|
| sb-...-auth-token | Supabase session — keeps you signed in | ~1 hour, refreshed silently |
| __cf_bm | Cloudflare bot management — protects against scrapers/abuse | 30 minutes, rolling |
We don't set tracking cookies, advertising cookies, or analytics cookies. There's nothing to opt out of.
International users
If you're in the EU/UK, we process your data based on (a) contract performance for paying customers and (b) legitimate interest for running the service for free-tier users. You have the rights granted under GDPR, including the right to lodge a complaint with your local data protection authority. We use Standard Contractual Clauses for data transfer to our US-based service providers.
If you're in California, you have the rights granted under CCPA / CPRA. We don't sell your personal information (we don't sell it to anyone, ever). You have the right to know what we collect and to request deletion — both already covered above.
Children
snipegroups is intended for users 18 and older. We do not knowingly collect data from anyone under 18. If you believe a minor has created an account, email us and we'll delete it.
Changes to this policy
We'll update this page when our practices change. The "Last updated" date at the top of the page reflects the most recent change. For substantive changes (new categories of data, new third-party processors, materially different uses), we'll email everyone at least 30 days before the change takes effect.
Contact
Questions, requests, complaints, or anything else: hello@snipegroups.com. We read every message. We respond within 5 business days, usually within 24 hours.