Privacy Policy

Last updated: March 2026

1. Introduction

Snolly ("we", "us", "our") is a web application that provides AI-powered assistance for ServiceNow development. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our service at snolly-ai.com.

We are committed to protecting your privacy in compliance with the General Data Protection Regulation (GDPR), the ePrivacy Directive, and applicable data protection laws.

2. Data Controller

The data controller responsible for your personal data is:

We have not appointed a Data Protection Officer (DPO) as we are a small-scale operation that does not engage in large-scale processing of special categories of data. For all privacy inquiries, contact support@snolly-ai.com.

3. Data We Collect

Authentication Data

  • Email address
  • User ID (randomly generated UUID)
  • Authentication tokens

Storage: Supabase (encrypted at rest, US region)
Retention: Until account deletion

API Credentials (Your Keys)

  • OpenRouter / Anthropic / OpenAI API keys
  • ServiceNow instance credentials (username and password)

Storage: Encrypted with AES-256-GCM in your browser's localStorage. Credential tokens (encrypted JWTs) are sent to our backend per-request but never persisted server-side.
Retention: Client-side only, until you remove them or clear browser data.
Important: We never log or permanently store your credentials on our servers.

Usage Analytics (Pseudonymized)

  • Request counts and tool usage statistics
  • AI model used and token counts
  • Error events (no personal data in error content)

Storage: PostgreSQL via Supabase
Retention: 90 days (automatically purged)
Note: Analytics events are linked to your user ID (pseudonymized, not anonymous). No message content, ServiceNow data, or conversation history is stored server-side. You can opt out of analytics collection in your Settings page.

Conversation History

Chat messages and conversation history are stored exclusively in your browser's localStorage. They are never sent to or stored on our servers. You can export or delete them at any time from the Settings page.

4. Legal Basis for Processing (GDPR Art. 6)

  • Contract performance (Art. 6(1)(b)): Processing your email and authentication data is necessary to provide the Snolly service you signed up for.
  • Legitimate interest (Art. 6(1)(f)): Pseudonymized usage analytics help us improve service reliability, detect abuse, and monitor performance. You can opt out in Settings.
  • Consent (Art. 6(1)(a)): Non-essential cookies (sidebar preference) are set only after you accept via the cookie consent banner. You may withdraw consent at any time.

5. Data We Do Not Collect

  • ServiceNow record content (we proxy requests but do not store responses)
  • Your ServiceNow credentials in plaintext on our servers
  • Conversation content or chat history (stored only in your browser)
  • Personal information beyond your email address
  • Tracking cookies or advertising data

6. Sub-Processors and Third-Party Services

We use the following sub-processors to deliver our service. Your data may be transferred to and processed in the United States by these providers:

Provider | Purpose | Data Processed | Location
Supabase | Authentication, analytics database | Email, user ID, analytics events | US
Anthropic | AI model provider (Claude) | Prompts and responses (via your API key) | US
OpenAI | AI model provider (optional) | Prompts and responses (via your API key) | US
OpenRouter | AI model routing | Prompts and responses (via your API key) | US
Vercel | Frontend hosting | IP address, request logs | US
Railway | Backend hosting | API requests, application logs | US

AI Providers Note: When you use Snolly, your prompts are sent to AI providers using your own API key (BYOK model). Snolly acts as an intermediary but does not control these providers' data practices. Review their privacy policies:

Google Fonts

We use Google Fonts (Geist family), which are self-hosted via Next.js optimization. No requests are made to Google servers at runtime.

7. International Data Transfers

Your data may be transferred to and processed in the United States by our sub-processors listed above. These transfers are protected by:

  • EU-US Data Privacy Framework (DPF): Where applicable, our US-based sub-processors are certified under the EU-US Data Privacy Framework.
  • Standard Contractual Clauses (SCCs): Where DPF certification is not available, we rely on the European Commission's Standard Contractual Clauses as the legal mechanism for transfers.

8. Your Rights (GDPR)

Under the GDPR, you have the following rights:

  • Right to Access (Art. 15): Request a copy of all personal data we hold about you. Use the "Export My Data" button in Settings.
  • Right to Rectification (Art. 16): Update or correct your personal information.
  • Right to Erasure (Art. 17): Delete your account and all associated data. Use the "Delete Account" button in Settings.
  • Right to Data Portability (Art. 20): Download your data in a structured, machine-readable JSON format.
  • Right to Restrict Processing (Art. 18): Request limitation of processing in certain circumstances.
  • Right to Object (Art. 21): Object to processing based on legitimate interest (e.g., opt out of analytics).
  • Right to Withdraw Consent: Withdraw cookie consent at any time by clearing your cookies or using the consent management in Settings.

To exercise any of these rights, use the self-service options in your Settings page or contact us at support@snolly-ai.com. We will respond within 30 days.

9. Right to Lodge a Complaint

If you believe your data protection rights have been violated, you have the right to lodge a complaint with a supervisory authority in the EU/EEA member state of your habitual residence, place of work, or where the alleged infringement occurred. A list of supervisory authorities is available at edpb.europa.eu.

10. User Responsibility

Important: When using Snolly, you must not include third-party personal data (names, emails, employee IDs, etc.) in your prompts or queries unless you have a legal basis to process that data. Snolly is a developer tool — if you query ServiceNow records containing personal data, your organization's data protection policies and legal basis apply.

11. Security

  • All connections use HTTPS/TLS 1.3 encryption
  • Credentials are encrypted client-side with AES-256-GCM
  • JWT-based authentication with Supabase
  • Rate limiting (100 requests/minute per IP)
  • Security headers (CSP, X-Frame-Options, HSTS)
  • Non-root Docker containers in production
  • No long-term storage of sensitive credentials on our servers

12. Data Retention

Data Type | Retention Period | Location
Account data (email, user ID) | Until account deletion | Supabase (server)
API credentials | Until you remove them | Browser localStorage (client)
Conversation history | Until you delete it | Browser localStorage (client)
Usage analytics | 90 days (auto-purged) | PostgreSQL via Supabase (server)
ServiceNow data | Not stored (proxied only) | N/A

13. Cookies

We use a minimal number of cookies for authentication and preferences. No tracking or advertising cookies are used. Non-essential cookies (sidebar preference) are only set after you consent via the cookie banner. For full details, see our Cookie Policy.

14. Automated Decision-Making (GDPR Art. 22)

Snolly uses AI models to generate responses based on your prompts. These AI-generated outputs are informational and advisory only. No automated decisions with legal or significant effects are made about you. All code execution on your ServiceNow instance requires your explicit approval unless you manually enable skip-confirmations mode.

15. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users of material changes via email. The "Last updated" date at the top of this page indicates the most recent revision.

16. Contact Us

If you have any questions about this Privacy Policy or wish to exercise your data protection rights: