Privacy Policy
Effective May 8, 2026
This Privacy Policy explains how Sunset Point Software, Inc. ("we," "us," or "our") collects, uses, and safeguards information in connection with Snapshot and the Snapshot Insights browser extension (together, the "Service"). It applies to information about authorized users of the Service and the data those users submit while using it.
Information We Collect
Account information
When you sign in to Snapshot through Microsoft Entra ID, we receive standard profile information from your organization's directory: your name, email address, user identifier, tenant identifier, and group memberships used to determine your access within the Service. Multi-factor authentication for these accounts is handled by Microsoft Entra ID in your home tenant; we do not store MFA state for accounts that sign in this way.
If your account is managed directly within Snapshot rather than through Microsoft Entra ID, we store a hashed password. If two-factor authentication is enabled on a Snapshot-managed account, we store the state of that configuration along with one-way hashes of your recovery codes; we cannot recover these for you if you lose them.
Customer Content
The Service stores the documents, snapshots, metadata, notes, and other data you submit. This content is uploaded to Microsoft Azure infrastructure that supports the Service. Access to your organization's data is restricted to authenticated, authorized users of your organization, enforced through role-based access control.
Diagnostic and usage data
We collect operational telemetry through Azure Application Insights — including HTTP request paths, response status, latency, error traces, and the IP address of the client making the request — to monitor service health and troubleshoot issues. We do not use this data for advertising or third-party analytics.
How We Use Information
We use the information described above to:
- Provide, operate, and improve the Service;
- Authenticate you and enforce role-based access;
- Process Customer Content according to your instructions (for example, to extract text from images, run search queries, or generate AI-assisted responses);
- Send transactional emails such as account confirmation and password reset messages;
- Monitor for security incidents, abuse, and operational failures;
- Comply with legal obligations.
We do not sell your information, and we do not use Customer Content for advertising or marketing.
Subprocessors
We rely on the following third-party services to operate the Service. Each is bound by its own data protection commitments to Microsoft or to us.
| Subprocessor | Role |
|---|---|
| Microsoft Entra ID | Authentication and directory services |
| Microsoft Azure | Application hosting, database, and storage infrastructure |
| Azure OpenAI Service | AI-assisted analysis of Customer Content when you invoke AI features |
| Azure AI Document Intelligence | Optical character recognition (OCR) on uploaded images and documents |
| Azure AI Search | Full-text search indexing of Customer Content |
| Azure Application Insights | Diagnostic telemetry and operational monitoring |
| SendGrid (Twilio) | Transactional email delivery (account confirmation, password reset) |
AI Processing
When you use AI-assisted features, your prompts and the relevant Customer Content are sent to the Azure OpenAI Service for processing. Microsoft's published commitments for the Azure OpenAI Service state that customer prompts, completions, embeddings, and training data:
- Are not available to OpenAI or other model providers;
- Are not used by Microsoft or model providers to improve their models or services;
- Are not used to train any generative AI foundation models without your permission;
- Are not used to improve Microsoft or third-party products or services without your explicit instruction.
We do not train AI models on your data, and we do not authorize our subprocessors to do so.
Data Retention
We retain Customer Content and account information for as long as your organization maintains an active account with the Service or until you request deletion. To request deletion of your data, contact info@sunsetpointsoftware.com. We will act on verified deletion requests within a reasonable time, subject to any legal obligation we have to retain specific information.
Security
We follow defense-in-depth security practices:
- Identity and access: Authentication to Azure services — including Storage, Key Vault, AI Search, Azure OpenAI, Document Intelligence, and SQL — uses identity-based authentication rather than shared keys or static credentials. Each service is granted only the permissions it needs (principle of least privilege).
- Network: Storage, Key Vault, SQL, and AI Search are reachable only through private endpoints; public network access is disabled. Application compute runs inside a Virtual Network with restricted egress rules.
- Encryption: All data in transit uses TLS 1.2 or higher. Data at rest is encrypted using Azure-managed keys.
- Authentication: User accounts support TOTP-based two-factor authentication. Recovery codes are hashed before storage.
- Secrets: All sensitive configuration values are stored in Azure Key Vault.
- Logging: Database security events, platform activity, and resource diagnostics stream continuously to Azure Log Analytics and are retained for 365 days.
Your Choices and Rights
You may:
- Access or correct your account information through your organization's Microsoft Entra ID administrator;
- Request a copy of Customer Content associated with your account;
- Request deletion of your account and associated Customer Content;
- Withdraw consent and stop using the Service at any time.
To exercise any of these rights, contact info@sunsetpointsoftware.com. We may need to verify your identity before acting on a request.
Cookies and Local Storage
Snapshot uses cookies and browser storage strictly to operate the Service:
- Authentication cookies maintain your sign-in session;
- Anti-forgery cookies protect against cross-site request forgery;
- Browser local storage preserves non-sensitive UI state, such as your last-selected project or snapshot type.
We do not use third-party advertising cookies or cross-site tracking.
Data Location
Your data is currently stored in Microsoft Azure data centers in the United States. As our customer base grows, we may expand to additional regions and will update this notice if we do.
International Users
The Service is operated from the United States. If you access the Service from outside the United States, you understand that your information may be processed in the United States, where data protection laws may differ from those of your country. For data subject requests under laws applicable to your jurisdiction, contact us at info@sunsetpointsoftware.com.
Children's Privacy
The Service is intended for use by organizations and their authorized employees and contractors. It is not directed to anyone under 18, and we do not knowingly collect personal information from anyone under 18.
Security Incidents
If we become aware of a security incident affecting your data, we will notify affected customers without undue delay following discovery, in accordance with applicable law.
Changes to This Policy
We may update this Privacy Policy from time to time. If we make material changes, we will provide reasonable notice — for example, by posting the updated policy here with a new effective date or by emailing the contact on file with your organization. Your continued use of the Service after the updated policy takes effect constitutes acceptance of the changes.
Contact
Questions about this Privacy Policy or our data practices? Contact us at info@sunsetpointsoftware.com.