Privacy policy
Shotbot · Last updated: 12 May 2026
1. Data controller
The controller of data collected on www.shotbot.net and www.shotbot.fr is:
| Controller | Valentin Beck, sole trader, RCS Strasbourg 443 543 152 |
|---|---|
| Address | Strasbourg, Grand-Est, France |
| Contact | Contact form |
| Supervisory authority | CNIL (France), www.cnil.fr |
The service is intended for professional use and for persons aged 16 or older. It is not directed at children.
2. Data collected
Depending on how you use the service, we collect the following categories of data:
| Account data | Email address, hashed password (bcrypt), registered websites, registration date |
|---|---|
| Login data | IP address, session timestamps, session identifier |
| Usage data | Captured URLs, screenshot count, submission dates and options. Note: avoid submitting URLs that contain authentication tokens, passwords, or personal data in plain-text query parameters. |
| Payment data | Processed exclusively by Stripe (PCI-DSS certified). No payment card data passes through our servers. |
| Geolocation data | Country and city derived from IP address, displayed on the sessions page. Resolution is performed locally from a local IP database (DB-IP City Lite) - no external API. |
| HTTP credentials (Pro option) | HTTP basic username and password provided for capturing a password-protected page. Deleted after the capture completes. |
3. Purposes of processing
Your data is processed for the following purposes:
- Providing the automated screenshot service
- Managing accounts and API keys
- Processing payments and managing credits
- Preventing abuse and enforcing quotas
- Improving the service and anonymized statistical analysis
- Sending service-related notifications (quota reached, payment confirmation)
4. Legal basis
| Contract performance | Providing the service, account management, payment processing |
|---|---|
| Legitimate interest | Service security, abuse prevention, quota enforcement |
| Consent | Optional service updates (maintenance windows, API changes, pricing) |
| Legal obligation | Log retention (French decree 2011-219), accounting data |
5. Retention periods
| Account data | Until account deletion + 30 days. Accounts inactive for more than 2 years (no login, payment, or activity) are deleted automatically, with a 90-day email notice beforehand; signing in cancels the deletion. Accounts that have ever paid or hold credit are excluded. |
|---|---|
| Login sessions | 30 days rolling |
| Signup logs | 90 days (IP address and timestamp recorded at account creation) |
| Login logs (nginx access logs) | 12 months (as required by French decree 2011-219) | fields logged: IP address, HTTP method, request path, response code, bytes transferred, User-Agent, referrer |
| Screenshot history | Duration of account activity. Screenshots from accounts inactive for more than one year (no login, payment, or view) may be deleted. |
| Screenshot execution logs | 30 days rolling | browser messages, error code, captured URL, timestamps |
| Inactive scheduled captures | Deleted after 1 year of scheduling inactivity |
| Anonymous quota files | 24 hours |
| Geolocation cache | 90 days |
| Application error logs | 90 days |
| Abuse-prevention files (rate limiting) | 6 hours |
| Authentication tokens (password reset, email verification, magic link) | Deleted on expiry |
| HTTP credentials (Pro option) | Deleted after capture completes (2 hours maximum) |
| Payment data | 10 years (legal accounting obligation | French Commercial Code, Art. L123-22) |
6. Your rights (GDPR)
Under EU Regulation 2016/679 (GDPR), you have the following rights:
| Right of access | Obtain a copy of your personal data |
|---|---|
| Right to rectification | Correct inaccurate or incomplete data |
| Right to erasure | Request deletion of your data ("right to be forgotten"). Deleting your account immediately removes account data, preferences and sessions. Completed capture records and payment data are retained separately (10-year accounting obligation for payments; captures purged automatically after 1 year of account inactivity). Screenshot image files on the CDN are deleted within 30 days upon explicit erasure request. |
| Right to portability | Export my data (JSON) | account, preferences, capture history, scheduled captures, payments |
| Right to object | Object to processing based on legitimate interest |
| Right to restriction | Temporarily suspend a processing activity |
To exercise these rights, use our contact form. We commit to responding within 30 days.
7. Cookies and local storage
Shotbot uses only cookies and local storage entries that are strictly necessary for the service or tied to your interface preferences. No consent banner is required: no analytics, advertising, or third-party tracking cookies are set.
| Type | Name | Duration | Purpose |
|---|---|---|---|
| Cookie | PHPSESSID | Session | PHP session: site operation, CSRF protection, antispam, capture form preferences |
| Cookie | sb_auth | 30 days | Keeps you logged in after authentication |
| Cookie | sb_status_lang | 1 year | Language preference on the service status page |
| localStorage | sb-theme | Persistent | Visual theme preference (dark / light / CDE) |
| localStorage | sb-tester-lang | Persistent | Language setting in the online API tester |
| localStorage | sb-form-opts | Persistent | Capture form preferences (preset, format, viewport, options) | restored across captures |
These entries remain on your device or within the shotbot.fr / shotbot.net domain and are never shared with third parties.
8. Sub-processors & hosting
Your personal data (account, sessions, logs, final captures) is hosted on servers located in France (European Union), managed by Permalink. Transactional emails are routed via Permalink's relay, which uses Amazon SES region eu-west-3 (Paris) | no transfer outside the EU. Payments are processed by Stripe Technology Europe Ltd (Irish entity, EU).
Geolocated rendering (Pro option, opt-in).
The APIv2 render_region parameter lets you route a capture's
render via a non-French egress point:
fr-paris | Paris, France (EU) | Scaleway | default, no transfer |
|---|---|
ca-montreal | Montreal, Canada | OVH Beauharnois | partial adequacy decision (commercial) |
sg-singapore beta | Singapore | OVH Singapore | no adequacy |
au-sydney beta | Sydney, Australia | OVH Sydney | no adequacy |
vn-hanoi beta | Hanoi, Vietnam | FPT residential FTTH | no adequacy |
An API call with render_region is a documented instruction from the customer (controller).
The target page content may transit the chosen egress point.
Selecting sg-singapore, au-sydney or vn-hanoi is your responsibility as
controller [GDPR]: consent, legitimate interest or contractual clauses are on you.
See geolocated screenshots for details.
9. Security
Technical and organizational measures implemented:
- Encrypted communications (HTTPS/TLS)
- Password hashing (bcrypt)
- Sessions identified by cryptographic random token
- Restricted access to personal data
- Payments delegated to Stripe (PCI-DSS Level 1 certified)
10. Contact and complaints
For any question about your personal data or to exercise your rights, use our contact form.
You may also lodge a complaint with the CNIL (French data protection authority):
| Website | www.cnil.fr |
|---|---|
| Address | 3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France |
| Phone | +33 (0)1 53 73 22 22 |
Questions about this document?
Contact us