Security & data handling

Screenshots.live is a German-operated service. This page describes how your account data, templates, and rendered screenshots are stored, processed, and protected. Last updated: 2026-05-05.

Where is data hosted?

Application servers and the rendering pipeline run on EU-based cloud infrastructure (primarily Hetzner, Frankfurt and Helsinki regions). The PostgreSQL primary, Redis cache, and S3-compatible object storage all reside in the EU. No customer data leaves the EU under normal operation.

How is data encrypted?

All traffic between your client and Screenshots.live is TLS 1.3. Database connections from application servers to PostgreSQL use TLS. Object storage uses HTTPS. Backups are encrypted at rest. API keys are stored as bcrypt hashes — only the prefix (e.g. sa_live_…) is kept in cleartext for display.

Where are rendered screenshots stored?

Renders are written to an S3-compatible bucket on Hetzner under a per-user prefix. Each render has a unique signed URL valid for 24 hours by default. Trial-tier renders are deleted after 24 hours. Standard- and Pro-tier renders are retained for 30 days. You can delete any render manually via the API or dashboard.

What happens when I delete an account?

Account deletion removes all account data (user record, templates, items, renders, fonts, API keys) within 24 hours. A nightly orphan-cleanup job removes any storage objects no longer referenced by an active record. Backup retention is 30 days; data inside backups is purged on the standard rotation.

What is your GDPR posture?

Screenshots.live processes account data under GDPR Article 6(1)(b) (contract necessity). We sign Data Processing Agreements (DPAs) on request — contact eric.isensee@icloud.com. Data subject rights (access, rectification, erasure, portability) can be exercised via the dashboard or by emailing the same address.

Do you collect analytics?

Marketing-site analytics (Microsoft Clarity, optional GA4) are loaded only after explicit cookie consent and respect prefers-reduced-motion and Do-Not-Track signals. Application-side telemetry is limited to operational metrics (request rate, render duration, error counts) and does not track individual user behavior.

How do you handle incidents?

Production incidents are tracked internally; significant outages and any data-related incidents are communicated to affected users via email within 72 hours of confirmed impact. We do not currently maintain a public status page; reach out via the contact email if you observe degraded behavior.

Are there third-party processors?

Sub-processors include Hetzner (hosting), Stripe (payments), and Microsoft Clarity (optional analytics). Stripe receives only the billing email and payment-method token; payment-card details never touch Screenshots.live servers. The full sub-processor list is available on request.

What about SOC 2 / ISO 27001?

Screenshots.live is not currently SOC 2 or ISO 27001 certified. For enterprise customers requiring formal assurance, we're happy to walk through our internal controls and sign a custom security questionnaire. Email eric.isensee@icloud.com to start that conversation.

How do I report a vulnerability?

Email eric.isensee@icloud.com with details. We commit to acknowledging within 48 hours and to working with reporters in good faith. We do not currently run a paid bug bounty program but will publicly credit reporters with permission.