Privacy Policy

Last updated: December 2024 · Version 1.0

Privacy at a Glance

  • Your SMS messages and OTP codes are NEVER sent to our servers
  • OTP codes travel only within your local network (LAN)
  • We collect only email, license key, and hashed device ID for licensing
  • SMS content is processed locally and immediately discarded
  • We do not sell, share, or monetize your data
  • No advertising, no tracking, no analytics on your SMS data

SMS Permission & Data Handling

Why SnapCode Requires SMS Permission

The Android app requires the RECEIVE_SMS permission as its core functionality. Without this permission, SnapCode cannot detect incoming verification codes and therefore cannot function. This permission is essential, not optional.

What SMS Data We Access

When you receive an SMS, the SnapCode Android app:

  • Scans the message for OTP/verification code patterns only (typically 4-8 digit codes)
  • Extracts the numeric code from the message and immediately discards the message content after extraction
  • Identifies the sender name for display purposes (e.g., "Google", "Bank")

What Happens to SMS Data

  • Transmitted locally only: The extracted code is sent directly to your Windows PC over your local network (Wi-Fi/LAN)
  • Never transmitted externally: OTP codes are NEVER sent to our servers, any cloud service, or any third party
  • Ephemeral processing: Codes are held in memory only long enough to transmit to your PC (typically under 1 second), then immediately discarded
  • No persistent storage: We do not store, log, or retain any SMS content or OTP codes

Our SMS Data Commitments

  • • SMS data is never uploaded to any server
  • • SMS data is never shared with third parties
  • • SMS data is never used for advertising or marketing
  • • SMS data is never sold or monetized in any way
  • • SMS data is never analyzed for profiling or analytics
  • • Full SMS message content is never stored or logged. It's processed locally only to extract the OTP, then immediately discarded

Responsible SMS Handling

The SMS permission is used exclusively for the app's core functionality: extracting OTP codes and transmitting them to your paired Windows PC. We do not use SMS data for any other purpose.

Why We Use RECEIVE_SMS Permission

Google provides an SMS Retriever API that doesn't require SMS permissions. However, this API only works with specially formatted messages from Google-verified senders. Most banks, financial services, and other institutions do not use this format.

To provide a universal solution that works with all SMS-based verification codes (banks, government services, social media, etc.), SnapCode requires the RECEIVE_SMS permission. This is the only way to ensure compatibility with the wide variety of 2FA implementations used globally.

No Logging Policy

OTP codes are never logged anywhere:

  • Not written to any log files
  • Not included in crash reports or diagnostics
  • Not stored in app databases or caches
  • Not visible in system logs

Android App Permissions

The SnapCode Android app requests only the permissions strictly necessary for its functionality. Here is a complete list:

PermissionWhy It's Needed
RECEIVE_SMSDetect incoming SMS messages containing OTP codes (core functionality)
INTERNETLocal network communication with your Windows PC (LAN only, not used for internet access)
FOREGROUND_SERVICEKeep the app running in background to monitor for incoming codes
POST_NOTIFICATIONSShow persistent notification when service is active (required by Android)
WAKE_LOCKEnsure reliable delivery when phone screen is off

Permissions We Do NOT Request

  • READ_SMS — We only receive new messages, not read existing ones
  • READ_CONTACTS — No access to your contacts
  • ACCESS_FINE_LOCATION — No location tracking
  • CAMERA / MICROPHONE — No media access
  • READ_CALL_LOG — No access to call history

Background Service Disclosure

SnapCode runs a foreground service to monitor incoming SMS messages. This is necessary because:

  • OTP codes can arrive at any time, even when you're not actively using your phone
  • Android requires a visible notification for apps running in the background
  • You will see a persistent "SnapCode is active" notification when the service is running

The background service only processes incoming SMS — it does not access your existing messages, and all processing happens locally on your device.

In-App Permission Disclosure

Before requesting any permissions, the SnapCode app displays a clear explanation of:

  • What permission is being requested
  • Why the permission is necessary
  • How your data will be handled
  • That you can deny or revoke permission at any time

You must explicitly grant permission before SnapCode can access any SMS data.

Data Safety Summary

Here's a summary of our data practices:

  • Data not collected: SMS content, OTP codes
  • Data not shared: No data shared with third parties
  • Data encrypted in transit: HMAC-SHA256 signed
  • Data deletion available: Uninstall removes all local data

User Control & Opt-Out

You have complete control over SnapCode's SMS access at all times:

How to Disable SMS Monitoring

Option 1: In-App Toggle

Open the SnapCode app and tap the "Pause" or "Stop" button. This immediately stops all SMS monitoring while keeping your pairing intact.

Option 2: Android Settings

Go to Settings → Apps → SnapCode → Permissions → SMS → Deny. This revokes permission at the system level.

Option 3: Uninstall

Uninstalling SnapCode removes all app data and immediately stops all SMS access. No data remains on your device.

What Happens When You Opt Out

  • SMS monitoring stops immediately
  • No OTP codes will be sent to your PC
  • Your pairing configuration is preserved (unless you uninstall)
  • You can re-enable at any time
  • No data is retained after opting out

Your Choice, Your Control

SnapCode will never re-enable itself without your explicit action. If you pause or disable SMS monitoring, it stays disabled until you choose to turn it back on.

How SnapCode Works

SnapCode consists of two components that communicate directly with each other:

Android App (Free)

Runs in the background, monitors incoming SMS for OTP patterns, and sends extracted codes to your paired Windows PC over your local network.

Windows App (Licensed)

Receives OTP codes from your phone and automatically copies them to your clipboard, ready to paste.

Data Flow Architecture

All communication occurs exclusively within your local network:

  1. SMS arrives on your Android phone
  2. SnapCode Android app detects an OTP pattern
  3. Code is extracted and signed with your unique pairing key
  4. Code is transmitted over your local Wi-Fi/LAN to your PC
  5. SnapCode Windows app verifies the signature and copies to clipboard
  6. Code is immediately discarded from both devices' memory

At no point does any data leave your local network or touch our servers.

Data We Collect

We collect minimal data necessary for licensing and support:

DataPurposeRetention
Email addressLicense delivery, supportUntil deletion request
License keySoftware activationUntil deletion request
Machine ID (hashed)Device limit enforcementUntil deactivation
Stripe customer IDPayment, refundsAs required by law

Machine IDs are one-way hashed (SHA-256) before transmission. We cannot reverse this to identify your actual device.

Data We Do NOT Collect

We want to be explicit about what we never collect:

SMS content or OTP codesNever leaves your local network
Phone numberNot required, not collected
Contact listNo access requested
Location dataNo access requested
Browsing historyNo tracking whatsoever
App usage patternsNo analytics on app behavior
Device identifiersOnly hashed machine ID for licensing
Credit card detailsHandled entirely by Stripe

Local Device Storage & Security

SnapCode stores minimal configuration data locally on your devices, using platform-native encryption:

Windows

  • • License key and email (for activation)
  • • Pairing secret (for secure communication)
  • • Encrypted using Windows Data Protection API (DPAPI)

Android

  • • Pairing secret (for secure communication)
  • • Target PC network address
  • • Encrypted with AES-256-GCM via EncryptedSharedPreferences (Android Keystore)

Communication Security

  • 256-bit shared secret established during QR pairing
  • All codes are signed with HMAC-SHA256 using your unique pairing key
  • Signatures are verified on receipt to prevent tampering
  • Timestamps and unique request IDs prevent replay attacks
  • Communication occurs only between paired devices on your LAN
  • No data is transmitted over the internet

Third-Party Services

We use the following third-party services:

Stripe (Payment Processing)

Handles all payment processing. We never see or store your credit card details.

Stripe Privacy Policy →

Android App Distribution

The Android app is distributed directly from our website as an APK file. We provide SHA-256 checksums for verification. No third-party app stores are involved in the distribution process.

Resend (Email Delivery)

Used to send your license key and purchase confirmation email.

Resend Privacy Policy →

We do not share your SMS data or OTP codes with any third party. Only licensing data (email, license key) is processed by these services.

Data Retention & Deletion

We retain different types of data for different periods:

  • License data: Retained while your license is active. Deleted within 30 days of a deletion request.
  • Activation records: Retained until you deactivate a device or request deletion.
  • Payment records: Retained as required by law and for refund processing (typically 7 years for tax purposes).
  • SMS/OTP data: Never stored. Processed ephemerally and immediately discarded.

Requesting Data Deletion

To delete your data, email support@snapcode.run with your registered email address. Note that deleting your license data will deactivate your software.

Your Rights

Depending on your location, you may have the following rights:

All Users

  • Access the personal data we hold about you
  • Request correction of inaccurate data
  • Request deletion of your data
  • Export your data in a portable format

EU/EEA Residents (GDPR)

  • Right to object to processing
  • Right to restrict processing
  • Right to withdraw consent
  • Right to lodge a complaint with a supervisory authority

California Residents (CCPA)

  • Right to know what personal information is collected
  • Right to delete personal information
  • Right to opt-out of sale of personal information (we do not sell data)
  • Right to non-discrimination for exercising your rights

To exercise any of these rights, contact us at support@snapcode.run. We will respond within 30 days.

Children's Privacy

SnapCode is not intended for use by children under 13 years of age. We do not knowingly collect personal information from children under 13. If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@snapcode.run.

International Users

SnapCode is available to users worldwide. By using SnapCode, you understand that:

  • SMS data stays local: Your OTP codes never leave your device or local network, regardless of your location
  • License data processing: License and payment data may be processed in the United States through our service providers
  • Applicable law: This policy is governed by applicable data protection laws in your jurisdiction

If you are located in the European Economic Area (EEA), United Kingdom, or other regions with data protection laws, you have specific rights detailed in the "Your Rights" section above.

Changes to This Policy

We may update this privacy policy from time to time. When we make changes:

  • We will update the "Last updated" date at the top of this page
  • For significant changes, we will notify you via email
  • Continued use of SnapCode after changes constitutes acceptance

We encourage you to review this policy periodically.

Contact Us

If you have any questions about this privacy policy, our data practices, or your rights, please contact us:

SnapCode Support

Email: support@snapcode.run

Website: https://www.snapcode.run

We typically respond to inquiries within 1-2 business days.

This privacy policy is effective as of December 2024 and applies to SnapCode for Windows and SnapCode for Android.