Privacy Policy

• Account & Profile Information: name, email address, profile picture, job title, and organization name when you create or update your account.
• Authentication Credentials: hashed passwords or identity-provider tokens (e.g., Google OAuth). We store passwords only in hashed form and do not store OAuth tokens beyond active session management.
• Content You Upload: videos, images, documents (PDFs, Office files), and other materials you create, upload, or record through the Services.
• Interactive Responses: answers to quizzes and knowledge-check questions within learning content.
• Billing Information: our PCI-compliant payment processor collects your payment method and billing details on our behalf. We do not store full card numbers on our servers.
• Communications: information you provide when contacting us for support, submitting feedback, or subscribing to newsletters.

• Device & Browser Data: browser type, operating system, screen resolution, and general device identifiers.
• Log Data: IP address, access times, pages visited, referring URLs, and HTTP request metadata.
• Learning Analytics: video watch progress, quiz responses, completion rates, and mastery scores.
• Diagnostic Data: error details, navigation breadcrumbs, and user agent string collected when application errors occur. This may include your user identifier and organization name.
• Analytics Data: we use first-party behavioral event data to understand route templates, key-action clicks, funnel steps, reload signals, and stuck or error indicators inside the product. We do not use session replay, heatmaps, form values, transcript text, or full URL query strings for this telemetry.

If your organization enables AI-powered features (such as automatic transcription or AI-generated quiz questions), portions of your content, such as video audio and transcript text, are sent to our AI service providers for processing. All AI providers operate under zero-data-retention agreements, meaning they delete submitted content immediately after processing and do not use your content to train their models. See Section 3 for details.

We do not intentionally collect sensitive personal information as defined under applicable privacy laws (such as precise geolocation, biometric identifiers, racial or ethnic origin, health data, or financial account numbers beyond payment processing). If you believe sensitive information has been submitted inadvertently, please contact us at support@snack.io and we will take steps to delete it.

Student personal information, including education records, is subject to enhanced protections described in Section 13.

If you access the Services through an organization (employer, school, or other entity), administrators of that organization may view your profile information, learning progress, and usage analytics. The organization controls data-retention settings for content created within their workspace.

We engage third-party companies solely to help us operate and improve the Services. These providers process data only on our behalf, under contractual obligations that prohibit independent use and require appropriate security. Categories of sub-processors include:

• Cloud Infrastructure & Hosting: application hosting, database management, authentication, and content delivery.
• Video Processing: video encoding, hosting, streaming, and thumbnail generation.
• AI & Transcription: automated transcription and AI-powered content generation. All AI providers operate under zero-data-retention agreements.
• Payment Processing: PCI-compliant payment processor. We do not store full card numbers.
• Email Delivery: transactional email delivery (invitations, notifications, account alerts).
• Error Monitoring & Diagnostics: automated error-reporting tools that include user identifiers and contextual information needed to reproduce and fix issues.
• Behavior Analytics: first-party event analytics stored and reviewed internally by Snack for route templates, key clicks, funnel steps, and error signals. No session replay or advertising features are used.

A current list of sub-processors is available upon request by contacting support@snack.io. We will notify organizational customers of material changes to our sub-processors before such changes take effect.

We may disclose information if we believe in good faith that disclosure is necessary to comply with applicable law, a court order, or a valid government or regulatory request.

In connection with a merger, acquisition, reorganization, or sale of assets, your information may be transferred as part of that transaction. We will provide advance notice of any such change via our website and direct notification where required by law.

We may share information for other purposes when you give us explicit, informed consent to do so.

• Access: request a copy of the personal information we hold about you.
• Correction: request correction of inaccurate or incomplete information.
• Deletion: request deletion of your personal information, subject to legal retention requirements.
• Data Portability: download your content, analytics, and account data in a portable format.
• Opt-Out of Communications: unsubscribe from non-essential communications at any time using the unsubscribe link in our emails.

Depending on the state in which you reside, additional rights may apply. The following rights are available to residents of states with comprehensive privacy laws (including California, Colorado, Connecticut, Texas, Virginia, and others):

• Right to opt out of the sale of personal information: we do not sell personal information, so this right is not triggered.
• Right to opt out of targeted advertising: we do not engage in cross-context behavioral advertising. This right is not triggered.
• Right to opt out of profiling in furtherance of decisions that produce legal or similarly significant effects: contact us at support@snack.io if you believe such profiling applies to you.
• Right to appeal: if we deny your privacy rights request, you may appeal by contacting support@snack.io with the subject line “Privacy Rights Appeal.” We will respond within the timeframe required by your state’s law.
• Authorized Agent: you may designate an authorized agent to submit requests on your behalf. We will verify the agent’s authority before processing the request.
• Universal Opt-Out Signals: where required by applicable state law (including Colorado), we honor recognized universal opt-out mechanisms such as Global Privacy Control (GPC) for non-essential data collection.

To protect your privacy, we will verify your identity before processing access, correction, deletion, or portability requests. Verification may include confirming your email address, account details, or other information we have on file. We will not require you to create an account to submit a request.

The table below describes the categories of personal information we collect, the sources, purposes, and parties to whom it is disclosed. We do not sell or share (as defined under California law) any categories of personal information.

We do not collect sensitive personal information as defined under the CPRA (such as government IDs, precise geolocation, racial or ethnic origin, religious beliefs, union membership, health data, sex life or sexual orientation, or biometric data) except as incidentally submitted by users in uploaded content. We do not use or disclose sensitive personal information for purposes beyond providing the Services.

Retention periods by category are set out in Section 7 above.

We do not sell personal information for monetary consideration. We do not share personal information for cross-context behavioral advertising as defined under California law. Our first-party behavioral analytics do not use advertising features, third-party trackers, or session replay, and do not constitute “sharing” under California law.

California residents have the right to know what personal information is collected and how it is used; correct inaccurate information; delete personal information; opt out of sale or sharing; limit use of sensitive personal information (not applicable here); and not be discriminated against for exercising these rights. To exercise these rights, contact us at support@snack.io or by mail at 2655 N Ocean Drive, STE 405, Singer Island, FL 33404.

Snack acknowledges that Educational Institutions may share “education records” as defined by the Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g. When an Educational Institution provides student education records to Snack, we act as a “school official” with a “legitimate educational interest” as those terms are defined under FERPA, and only where the Educational Institution retains direct control over Snack’s use and maintenance of those education records through its contract and instructions. In this capacity, Snack will:

• Not disclose education records to third parties without the prior written consent of the Educational Institution, except as permitted by FERPA or required by law.
• Use education records solely to provide and support the Services as directed by the Educational Institution.
• Allow the Educational Institution to inspect, review, and request correction of education records in our possession upon written request.
• Return or delete education records upon termination of services, as directed by the Educational Institution.

Snack’s Services may be used by Educational Institutions that serve students under the age of 13. Where this is the case, Snack relies on the school-operator consent model under the Children’s Online Privacy Protection Act (COPPA), 15 U.S.C. § 6501 et seq. Under this model:

• Snack provides Educational Institutions with the operator disclosures required by COPPA so that the institution may provide informed authorization on behalf of parents and guardians.
• Snack collects and uses personal information from children under 13 only for school-authorized educational purposes and only to the extent necessary to provide the Services to the institution.
• Snack does not use children’s personal information for commercial purposes, advertising, or any purpose outside the school-authorized educational context.
• Educational Institutions represent and warrant that they have obtained all necessary parental consents and authorizations before allowing students under 13 to access the Services, and that use of the Services complies with their obligations under COPPA.
• Parents and guardians may request to review, correct, or delete their child’s personal information through the Educational Institution or by contacting us directly at support@snack.io.

Snack will not use any student personal information, including education records, learning analytics, quiz responses, or any other data generated by student users, for the following purposes:

• Targeted advertising or behavioral profiling of students or their families
• Sale or rental to third parties
• Product improvement, product development, or any internal research purpose

This prohibition is absolute and applies regardless of whether the data has been deidentified or aggregated.

Snack is designed to support compliance with applicable state student data privacy laws, including:

• California: Student Online Personal Information Protection Act (SOPIPA) and CCPA/CPRA where applicable.
• New York: Education Law § 2-d and its implementing regulations.
• Other States: we contractually support school- and district-specific requirements under applicable state student privacy laws. If your state has specific requirements not addressed here, contact us at support@snack.io and we will work with you to meet your district’s needs.

To the extent that Snack’s Services are used to administer surveys, evaluations, or assessments to students, Educational Institutions are responsible for ensuring compliance with the Protection of Pupil Rights Amendment (PPRA), 20 U.S.C. § 1232h, including obtaining any required parental consent prior to administering such activities.

In addition to the general security measures described in Section 6, Snack implements the following safeguards specifically for student data:

• Access to student information is restricted to authorized personnel who require it to perform their job functions.
• Student data is logically separated from non-educational customer data.
• We will notify affected Educational Institutions of any confirmed breach involving student personal information without undue delay and within the timeframe specified in your contract or DPA.

Educational Institutions with questions, concerns, or data requests regarding student privacy may contact us directly: