Privacy Policy
Last updated: March 2026 · Effective date: March 2026
This Privacy Policy explains how Rekabytes Enterprise (“we”, “us”, or “our”), the operator of Snap-It (snapit.rekabytes.com), collects, uses, stores, and protects information when you use the service. We are committed to complying with the Personal Data Protection Act 2010 (Akta 709) and its 2024 amendments.
1. Data Controller
The data controller responsible for your personal data is:
You may contact us at any time to exercise your rights or ask questions about this policy.
2. Scope of This Policy
This policy applies to all visitors of Snap-It. Snap-It is a free, browser-based screenshot beautifier that requires no account or login. All image processing occurs locally in your browser — your image files are never uploaded to our servers.
The only data we collect is anonymous usage analytics, described below, and only when you have given consent.
3. Data We Collect
Subject to your consent, we may record the following anonymous data points when you interact with Snap-It:
| Data point | Example | Source |
|---|---|---|
| Event type | image_uploaded, exported | Your action in the editor |
| Country / Region | Malaysia / Selangor | IP address lookup — IP is never stored |
| Browser name | Chrome, Firefox | User-Agent header |
| Operating system | macOS, Windows | User-Agent header |
| Device type | desktop, mobile | User-Agent header |
| Anonymous visitor ID | a3f8…c21d (UUID) | Generated in your browser on first consent |
Sensitive personal data as defined under the PDPA (e.g., health information, biometric data, political opinions, religious beliefs) is never collected.
Your image files are never sent to our servers. All editing and rendering happens entirely within your browser using the HTML Canvas API.
4. What We Never Collect
- Your name, email address, or any account credentials
- Your IP address (used transiently for geo-lookup only — immediately discarded and never written to our database)
- The content or pixels of your screenshots or uploaded images
- Payment or billing information
- Precise location (only country and region are inferred, never GPS coordinates)
- Sensitive personal data (health, biometric, political, or religious information)
- Cross-site tracking identifiers
- Cookies (we use localStorage — see our Cookie Policy)
5. Legal Basis for Processing
Under the PDPA 2010 (General Principle, Section 6), personal data may only be processed with the consent of the data subject or under a permitted exception. We rely exclusively on your freely given, explicit consent as our legal basis.
When you first visit Snap-It you are shown a cookie/consent banner. No analytics data is recorded until you actively choose “Allow All” or “Necessary Only”. If you close the banner without choosing, no data is collected.
You may withdraw consent at any time by clearing your browser's localStorage (the banner will re-appear and all future analytics will be suppressed). See also the Cookie Policy for full details on consent levels.
6. The Seven PDPA Principles — Our Compliance
The PDPA 2010 requires data users to comply with seven data protection principles. Here is how Snap-It addresses each one:
General Principle (Consent)
Analytics data is collected only after you grant explicit consent via the cookie banner. No analytics are fired before a consent decision is made.
Notice and Choice Principle
We notify you of the purposes of collection (improving Snap-It) via the cookie banner, this Privacy Policy, and our Cookie Policy. You have a clear choice between “Necessary Only” and “Allow All”.
Disclosure Principle
Your data is never disclosed to third parties. We use no third-party analytics, advertising, or tracking services. All data stays on our own servers.
Security Principle
We take practical steps to protect data: IP addresses are discarded immediately after geo-lookup, data is stored on server-side infrastructure accessible only to us, and our codebase undergoes regular review. Data processors (if any) are contractually required to comply with this principle.
Retention Principle
Data is automatically deleted on a rolling basis: general events after 3 months, core events and consent records after 12 months. An automated cleanup job runs every 24 hours.
Data Integrity Principle
We collect only what is necessary for our stated purpose. No editing, linking, or enrichment of the anonymous data is performed.
Access Principle
You have the right to access and correct data associated with your anonymous visitor ID. Contact us at support@rekabytes.com.
7. Purposes of Processing
We use anonymous analytics data solely to:
- Understand which features and export formats are most used
- Detect drops in upload or export success rates that may indicate bugs
- Make informed decisions about which features to build or improve
- Share anonymised aggregate statistics publicly (e.g. “10,000 exports this month” — these totals cannot identify any individual)
We do not use the data for advertising, profiling, direct marketing, or any automated decision-making.
8. Third-Party Sharing
None. We do not sell, rent, share, or transfer your data to any third party for any purpose. We use no third-party analytics tools (no Google Analytics, Meta Pixel, Hotjar, Mixpanel, or similar services). All data goes directly to our own servers and stays there.
9. Cross-Border Data Transfer
No cross-border transfer of your data takes place. Our servers are operated by Rekabytes Enterprise and are not located in jurisdictions outside Malaysia, nor is your data transferred to any. Accordingly, the cross-border transfer provisions of the PDPA 2010 and the 2024 Amending Act (effective April 1, 2025) do not apply.
10. Data Retention
| Data type | Retained for | Deleted automatically |
|---|---|---|
| General events (bg_changed, copied, shadow_toggled) | 3 months | Yes — daily cleanup job |
| Core events (image_uploaded, exported) | 12 months | Yes — daily cleanup job |
| Consent records (visitor ID + consent level) | 12 months | Yes — daily cleanup job |
Upon the expiry of the retention period, data is permanently deleted from our database. You may also request early deletion — see Section 11 below.
11. Your Rights Under PDPA 2010
Under the Personal Data Protection Act 2010 (Akta 709) and its 2024 amendments, you have the following rights:
Right of Access (Section 30, PDPA 2010)
You may request a copy of any data we hold that is associated with your anonymous visitor ID.
Right of Correction (Section 34, PDPA 2010)
You may request that inaccurate data associated with your visitor ID be corrected.
Right to Withdraw Consent (Section 38, PDPA 2010)
You may withdraw consent at any time. Clearing your browser's localStorage removes your consent preference — the cookie banner will re-appear and no further analytics will be recorded.
Right to Object / Restrict Processing
You may object to the processing of your data for any of the stated purposes by contacting us at the email address below.
Right to Data Portability (Amending Act, effective June 1, 2025)
Upon request, we will provide a copy of data linked to your visitor ID in a machine-readable format.
Right to Erasure
You may request deletion of your data at any time prior to the automatic retention cutoff. We will process your request within 30 calendar days.
To exercise any of these rights, email support@rekabytes.com with the subject line Data Request — Snap-It. Include your anonymous visitor ID if available (found in your browser's localStorage under the key snap_visitor_id). We aim to respond within 30 calendar days.
12. Data Breach Notification
In the event of a personal data breach, we will comply with the mandatory breach notification obligations under the Personal Data Protection (Amendment) Act 2024, which comes into force on June 1, 2025:
- Notify the Personal Data Protection Commissioner as soon as reasonably possible after becoming aware of the breach
- Notify affected data subjects without unnecessary delay where the breach causes or is likely to cause significant harm
Given that we collect only anonymous, non-sensitive data with no PII, the risk of harm from any breach is minimal. However, we maintain this obligation in good faith.
13. Security Measures
In accordance with the Security Principle under the PDPA 2010, we take the following practical steps to protect your data:
- IP addresses are discarded immediately after geo-lookup and are never written to our database
- All data is stored on servers operated and controlled solely by Rekabytes Enterprise
- Access to admin dashboards and backend systems is protected by authentication
- Automated retention jobs ensure data is not kept beyond the stated periods
- No sensitive or personally identifiable information is collected
14. Children and Minors
Snap-It is intended for users aged 13 and above. We do not knowingly collect data from children under 13. If you are a parent or guardian and believe your child under 13 has used Snap-It, please contact us at support@rekabytes.com and we will take appropriate steps.
Under the PDPA 2010, where consent is required from a data subject under the age of 18, consent must be obtained from the parent, guardian, or person with parental responsibility.
15. Governing Law
This Privacy Policy and any data processing carried out by Rekabytes Enterprise are governed by the laws of Malaysia, specifically the Personal Data Protection Act 2010 (Akta 709) and the Personal Data Protection (Amendment) Act 2024. Any dispute arising in connection with this policy shall be subject to the jurisdiction of the courts of Malaysia.
16. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be reflected by an updated date at the top of this page. Continued use of Snap-It after changes are posted constitutes acceptance of the revised policy. For significant changes, we may also reset the consent banner so you can review and reconfirm your preferences.