Privacy policy

Shotbot · Last updated: 23 June 2026

1. Data controller

The controller of data collected on www.shotbot.net and www.shotbot.fr is:

ControllerValentin Beck, sole trader, RCS Strasbourg 443 543 152
Address67200 Strasbourg, Grand-Est, France
ContactContact form
Supervisory authorityCNIL (France), www.cnil.fr

The service is intended for professional use and for persons aged 16 or older. It is not directed at children.

2. Data collected

Depending on how you use the service, we collect the following categories of data:

Account dataEmail address, hashed password (bcrypt), registered websites, registration date
Login dataIP address, session timestamps, session identifier
Usage dataCaptured URLs, screenshot count, submission dates and options. Note: avoid submitting URLs that contain authentication tokens, passwords, or personal data in plain-text query parameters.
Payment dataProcessed exclusively by Stripe (PCI-DSS certified). No payment card data passes through our servers.
Geolocation dataCountry and city derived from IP address, displayed on the sessions page. Resolution is performed locally from a local IP database (DB-IP City Lite) - no external API.
HTTP credentials (Pro option)HTTP basic username and password provided for capturing a password-protected page. Deleted after the capture completes.

3. Purposes of processing

Your data is processed for the following purposes:

  • Providing the automated screenshot service
  • Managing accounts and API keys
  • Processing payments and managing credits
  • Preventing abuse and enforcing quotas
  • Improving the service and anonymized statistical analysis
  • Sending service-related notifications (quota reached, payment confirmation)

4. Legal basis

Contract performanceProviding the service, account management, payment processing
Legitimate interestService security, abuse prevention, quota enforcement, access logs
ConsentOptional service updates (maintenance windows, API changes, pricing)
Legal obligationLCEN deposit journal (identifying a content author, decree 2021-1362 of 20 October 2021), accounting records

5. Retention periods

Account dataUntil account deletion + 30 days. Accounts inactive for more than 2 years (no login, payment, or activity) are deleted automatically, with a minimum 90-day email notice beforehand; signing in cancels the deletion. Accounts that have ever paid or hold credit are excluded.
Login sessions30 days rolling
Signup logs90 days (IP address and timestamp recorded at account creation)
Access logs (nginx)90 days (security and abuse prevention, legitimate interest) | fields: IP address, HTTP method, request path, response code, bytes transferred, User-Agent, referrer
Deposit journal (LCEN identification)12 months from each operation on the content (creation, update or removal), not from account deletion | author email and IP address at the time of the operation, date, type and reference of the content. Kept even if the account is deleted; disclosed upon judicial request.
Screenshot historyDuration of account activity. Screenshots from accounts inactive for more than one year (no login, payment, or view) may be deleted.
Private captures (CLI / MCP default)Stored off-CDN and deleted automatically after 24 hours (re-usable download link until then, then 410 Gone). Public CDN mode (opt-in via --cdn / cdn:true) follows the "Screenshot history" retention above.
Screenshot execution logs30 days rolling | browser messages, error code, captured URL, timestamps
Inactive scheduled capturesDeleted after 1 year of scheduling inactivity
Anonymous quota files24 hours
Geolocation cache90 days
Application error logs90 days
Abuse-prevention files (rate limiting)6 hours
Authentication tokens (password reset, email verification, magic link)Deleted on expiry
HTTP credentials (Pro option)Deleted after capture completes (2 hours maximum)
Payment data10 years (legal accounting obligation | French Commercial Code, Art. L123-22)

6. Your rights (GDPR)

Under EU Regulation 2016/679 (GDPR), you have the following rights:

Right of accessObtain a copy of your personal data
Right to rectificationCorrect inaccurate or incomplete data
Right to erasureRequest deletion of your data ("right to be forgotten"). Deleting your account immediately removes account data, preferences and sessions. Completed capture records and payment data are retained separately (10-year accounting obligation for payments; captures purged automatically after 1 year of account inactivity). Private captures (CLI / MCP default) auto-delete within 24 hours; image files published to the CDN are deleted within 30 days upon explicit erasure request.
Right to portabilityExport my data (JSON) | account, preferences, capture history, scheduled captures, payments
Right to objectObject to processing based on legitimate interest
Right to restrictionTemporarily suspend a processing activity

To exercise these rights, use our contact form. We commit to responding within 30 days.

7. Cookies and local storage

Shotbot uses only cookies and local storage entries that are strictly necessary for the service or tied to your interface preferences. No consent banner is required: no analytics, advertising, or third-party tracking cookies are set.

TypeNameDurationPurpose
CookiePHPSESSIDSessionPHP session: site operation, CSRF protection, antispam, capture form preferences
Cookiesb_auth30 daysKeeps you logged in after authentication
Cookiesb_status_lang1 yearLanguage preference on the service status page
localStoragesb-themePersistentVisual theme preference (dark / light / CDE)
localStoragesb-tester-langPersistentLanguage setting in the online API tester
localStoragesb-form-optsPersistentCapture form preferences (preset, format, viewport, options) | restored across captures

These entries remain on your device or within the shotbot.fr / shotbot.net domain and are never shared with third parties.

8. Sub-processors & hosting

Your personal data (account, sessions, logs, final captures) is hosted on servers leased from Oneprovider (BrainStorm Network Inc.), a reseller of Scaleway infrastructure, at the Scaleway DC5 (PAR-2) datacenter in the Paris region (France). Backups are kept within the European Union, at OVH's Warsaw datacenter (Poland). Administration and infrastructure management (CDN, email) are handled by Permalink (Valentin Beck), which is not a third-party host.

Transactional emails rely on Amazon SES (region eu-west-3, Paris). As Amazon Web Services is a US company, this sub-processor may involve processing outside the EU, covered by appropriate safeguards (standard contractual clauses / EU-US Data Privacy Framework); a migration to email hosted in France is planned. Payments are processed by Stripe Technology Europe Ltd (Irish entity); as Stripe belongs to a US group, any transfers are covered by the same safeguards (SCCs / EU-US DPF). No payment card data passes through our servers.

By default, rendering and storage of your captures stay within the EU; only the geolocated captures below (Pro option, opt-in) can route content outside the EU, at your request.

Geolocated rendering (Pro option, opt-in). The APIv2 render_region parameter lets you route a capture's render via a non-French egress point:

fr-parisParis, France (EU) | Scaleway | default, no transfer
ca-montrealMontreal, Canada | OVH Beauharnois | partial adequacy decision (commercial)
sg-singapore betaSingapore | OVH Singapore | no adequacy
au-sydney betaSydney, Australia | OVH Sydney | no adequacy
vn-hanoi betaHanoi, Vietnam | FPT residential FTTH | no adequacy

An API call with render_region is a documented instruction from the customer (controller). The target page content may transit the chosen egress point. Selecting sg-singapore, au-sydney or vn-hanoi is your responsibility as controller [GDPR]: consent, legitimate interest or contractual clauses are on you. See geolocated screenshots for details.

9. Security

Technical and organizational measures implemented:

  • Encrypted communications (HTTPS/TLS)
  • Password hashing (bcrypt)
  • Sessions identified by cryptographic random token
  • Restricted access to personal data
  • Payments delegated to Stripe (PCI-DSS Level 1 certified)

10. Contact and complaints

For any question about your personal data or to exercise your rights, use our contact form.

You may also lodge a complaint with the CNIL (French data protection authority):

Websitewww.cnil.fr
Address3 Place de Fontenoy, TSA 80715, 75334 Paris Cedex 07, France
Phone+33 (0)1 53 73 22 22

Questions about this document?

Contact us