Privacy Policy

1. Overview

The Singularity Marketplace ("Marketplace") is operated by Snippai LLC ("Company", "we", "us", "our"). This Privacy Policy explains what data we collect, how we use it, and your rights regarding that data. This policy applies to the Marketplace website, publisher accounts, and related services. It does not apply to the Snippbot desktop application (see snippbot.com/privacy for that policy).

2. Data We Collect

2.1 Account Information

When you create a Publisher account, we collect:

• Publisher name — Your chosen public username (publicly visible)
• Display name — Optional display name (publicly visible)
• Email address — Used for account verification, security notifications, and essential communications
• Password — Stored as an argon2id hash (legacy bcrypt hashes from earlier in the Marketplace's history are transparently re-hashed to argon2id on next login); we never store or have access to your plaintext password. See Section 9 for the OWASP-aligned hashing parameters.

2.2 Package Data

When you publish a Package, we store:

• Package metadata (name, description, version, category, tags, license)
• Package source code and assets (the files you upload)
• Download and install counts (aggregate, non-personally-identifiable)
• Publication timestamps and version history

2.3 Bounty Data

When you create or participate in Bounties, we store:

• Bounty details (title, description, reward amount, category, status)
• Claim and submission records
• Submission URLs you provide

2.4 Automatically Collected Data

When you access the Marketplace website, our servers may automatically log:

• IP address (for security, rate limiting, and abuse prevention)
• Request timestamps
• User agent string (browser/client identification)
• Requested URLs

These server logs are retained for a maximum of 30 days and are used solely for security monitoring, abuse prevention, and debugging. They are not used for tracking, profiling, or advertising.

3. What We Do NOT Collect

• No third-party analytics — We do not use Google Analytics, Mixpanel, Amplitude, or any third-party analytics service
• No advertising trackers — We do not use advertising pixels, retargeting, or ad networks
• No behavioral tracking — We do not build user profiles, track browsing patterns, or perform cross-site tracking
• No cookie-based tracking — We use cookies only for essential authentication (session management)
• No data sales — We do not sell, rent, lease, or trade your personal data to any third party, ever

4. How We Use Your Data

We use your data exclusively for:

• Operating the Marketplace — Account management, Package hosting and distribution, search and discovery
• Security — Abuse prevention, rate limiting, fraud detection, and security scanning of Packages
• Communications — Account verification, security alerts, and essential service notifications (we do not send marketing emails unless you opt in)
• Aggregate analytics — Understanding Marketplace usage patterns in aggregate (e.g., total Packages published, download trends) without identifying individual users
• Legal compliance — Responding to valid legal requests and enforcing our Terms of Service

5. Package Privacy

Packages published to the Marketplace are public by default. Package metadata, source code, and documentation are visible to all Marketplace users and may be indexed by search engines.

Important: When you install and run a Package from the Marketplace, that Package executes on your local machine (or your self-hosted Snippbot server). Snippai LLC does not have access to, control over, or visibility into how Packages behave on your system. Individual Packages may collect data, make network requests, or interact with external services according to their own logic. Review each Package's description and source code before installation.

6. Data Sharing

We do not sell your data. We may share limited data in these circumstances:

• Public profile — Your Publisher name, display name, and published Packages are publicly visible
• Legal requirements — If required by valid legal process (subpoena, court order, or applicable law)
• Security incidents — If necessary to investigate or prevent security threats, fraud, or abuse
• Business transfers — In the event of a merger, acquisition, or sale of assets, your data may be transferred to the successor entity

6.1 Sign in with Google or Facebook (OAuth)

When you sign in to the Marketplace using Google or Facebook, we receive your email address and (where available) your display name and profile picture URL from the provider. We use this data only to:

• Identify your account across logins so your Packages, purchases, and license history persist;
• Send you transactional emails (license confirmations, package update notifications, security alerts) that are critical to operating your account;
• Prevent duplicate account creation when an account with the same email address already exists.

We do not use this data for marketing, do not share it with third parties for advertising purposes, and do not retain a real-time link to your Google or Facebook account beyond the access token we use at sign-in time. You may disconnect a provider at any time from Settings → Connected accounts. Disconnecting calls the provider's permissions-revocation endpoint (best-effort) and removes the link from our database.

Per Facebook Platform Terms and Google's privacy policy, the use of information received from these providers will adhere to their respective platform policies, including the limited use requirements. We retain your provider-linked email address until you delete your account; see Section 7 for the retention schedule.

7. Data Retention

• Account data — Retained for as long as your account is active
• Package data — Retained while published; unpublished Packages are soft-deleted and may be fully purged after 90 days
• Server logs — Retained for a maximum of 30 days
• Deleted accounts — Account data is deleted within 30 days of account deletion request, except as required for legal compliance

7.1 Data Deletion

To request deletion of all data we have stored about your account — including any data received from Google or Facebook — email [email protected] from the email address on file. We will confirm receipt within one business day and complete deletion within 30 days. Deletion is irreversible; once it completes, your Publisher name, Packages, license history, and provider links cannot be restored.

Alternatively, if you want to remove a connected social account (Google or Facebook) without deleting your Snippbot account, go to Settings → Connected accounts and click Disconnect. This revokes our access token through the provider's permissions API and removes the link from our database, but keeps your Publisher account, Packages, and license history intact.

8. Your Rights

You have the following general rights regarding your data. Residents of certain U.S. states and jurisdictions outside the United States have additional rights described in Sections 8.1 through 8.4.

• Access — Request a copy of the personal data we hold about you.
• Correction — Update or correct inaccurate account information through your dashboard settings, or request correction by contacting us.
• Deletion — Request deletion of your account and associated personal data.
• Export / Portability — Request an export of your data in a portable, machine-readable format.
• Objection — Object to specific data processing activities.

To exercise these rights, contact [email protected]. We will respond within the timeframes required by applicable law (generally 45 days for U.S. state privacy laws and 30 days for the GDPR/UK GDPR). We do not discriminate against you for exercising these rights.

8.1 Minnesota Residents (MCDPA)

If you are a Minnesota resident, the Minnesota Consumer Data Privacy Act (Minn. Stat. ch. 325O, "MCDPA"), effective July 31, 2025, may grant you additional rights with respect to personal data we control or process about you. Subject to the MCDPA's eligibility thresholds and exemptions, those rights include:

• The right to confirm whether we are processing your personal data and to access that data;
• The right to correct inaccurate personal data;
• The right to delete personal data we have collected from or about you;
• The right to obtain a portable copy of your personal data in a usable format;
• The right to opt out of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of decisions that produce legal or similarly significant effects;
• The right to obtain a list of the specific third parties to which we have disclosed your personal data;
• The right to question the result of profiling, including the right to be informed of the reason that the profiling resulted in the decision and, where feasible, to be informed of what actions you might have taken to secure a different decision and what actions you can take to secure a different decision in the future.

Snippai LLC does not sell personal data and does not use personal data for targeted advertising as those terms are defined in the MCDPA. Minnesota residents may submit MCDPA requests via [email protected]. If we deny a request, you may appeal that denial by replying to the denial email; we will respond to appeals within 45 days. If your appeal is denied, you may also submit a complaint to the Minnesota Attorney General at ag.state.mn.us.

8.2 California Residents (CCPA / CPRA)

If you are a California resident, the California Consumer Privacy Act as amended by the California Privacy Rights Act (Cal. Civ. Code §1798.100 et seq., "CCPA") may grant you the rights to know, access, correct, delete, and port your personal information, the right to opt out of the sale or sharing of personal information, the right to limit the use of sensitive personal information, and the right not to be discriminated against for exercising any of these rights. Snippai LLC does not sell or share personal information for cross-context behavioral advertising as defined under the CCPA. Submit CCPA requests via [email protected] or by calling our privacy line listed in Section 13.

8.3 Other U.S. States with Comprehensive Privacy Laws

Residents of Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), Utah (UCPA), Texas (TDPSA), Oregon (OCPA), Montana (MTCDPA), Iowa (ICDPA), Tennessee (TIPA), Indiana (ICDPA), New Hampshire, New Jersey, Delaware, Nebraska, Maryland, and Rhode Island have comparable rights to those described above for Minnesota and California residents, subject to each state law's own eligibility thresholds, exemptions, and procedures. Snippai LLC honors verifiable rights requests from residents of these states in accordance with the applicable state law. Submit requests via [email protected].

8.4 European Union, United Kingdom, and Other GDPR-Equivalent Jurisdictions

If you are located in the European Economic Area, the United Kingdom, or another jurisdiction with a data-protection regime modeled on the EU General Data Protection Regulation, you have rights to access, rectification, erasure, restriction of processing, data portability, and to object to processing. You also have the right to lodge a complaint with your local supervisory authority. The legal basis on which we process your personal data is (a) the performance of a contract with you under GDPR Article 6(1)(b) (for account, authentication, billing, and Marketplace operations), (b) our legitimate interests under GDPR Article 6(1)(f) (for security, fraud-prevention, and improving the Marketplace), and (c) where applicable, your consent under GDPR Article 6(1)(a) (which you may withdraw at any time). We do not have an EU establishment; data subjects in the EU and UK may exercise their rights and lodge complaints by contacting [email protected]. If you would like to learn how international transfers of your personal data are protected, see Section 11.

9. Security

We implement reasonable administrative, technical, and physical safeguards designed to protect your personal data, including:

• Passwords are hashed using argon2id with parameters (time_cost=3, memory_cost=64 MiB, parallelism=4) consistent with OWASP recommendations. Pre-existing bcrypt-hashed passwords from earlier in the Marketplace's history are transparently re-hashed to argon2id on next login.
• API tokens and session tokens are stored as SHA-256 hashes; plaintext tokens are never persisted.
• Multi-factor authentication is available for publisher accounts and recommended for organization owners and admins.
• HTTPS / TLS 1.2+ encryption is required for all data in transit; HTTP requests are redirected to HTTPS.
• Database backups are encrypted at rest.
• Access controls limit employee access to user data on a least-privilege basis; access is logged and reviewed.
• We perform periodic security reviews of our infrastructure and engage independent security scanning of submitted Packages (see ToS §6).

No system is 100% secure. If you discover a security vulnerability, please report it to [email protected]. We do not currently operate a paid bug-bounty program, but we will acknowledge good-faith reports and credit reporters in our changelog where appropriate.

9.1 Notification of Data Breach

If a confirmed security incident results in the unauthorized acquisition of unencrypted personal data of users, we will notify affected users without unreasonable delay and in accordance with applicable breach-notification laws (including Minn. Stat. §325E.61, Cal. Civ. Code §1798.82, and other state breach-notification statutes), and will notify the Minnesota Attorney General and other regulators where required by law.

10. Children

The Marketplace is not directed at children under 13. We do not knowingly collect personal data from children under 13. If we become aware that we have collected such data, we will delete it promptly.

11. International Users and Cross-Border Data Transfers

The Marketplace is operated from the United States, and our primary data processors (including our hosting, payment, and email providers) are likewise located in the United States or other jurisdictions outside the EEA, UK, and Switzerland. If you access the Marketplace from outside the United States, your data will be transferred to, processed in, and stored in the United States, which may not provide the same level of data-protection rights as your country of residence.

For transfers of personal data originating in the European Economic Area, the United Kingdom, or Switzerland, Snippai LLC relies on the following safeguards under GDPR Chapter V:

• Standard Contractual Clauses (Module 1 or Module 2, as applicable) under European Commission Implementing Decision (EU) 2021/914 of 4 June 2021;
• The United Kingdom International Data Transfer Addendum issued by the UK Information Commissioner's Office, version B1.0 (effective 21 March 2022), where personal data originates in the United Kingdom; and
• Where Snippai LLC processors are self-certified under the EU–U.S. Data Privacy Framework (DPF), the protections of the DPF apply to transfers to those processors.

A copy of the safeguards we rely on for a particular transfer is available on request via [email protected]. By creating an account or otherwise using the Marketplace from outside the United States, you acknowledge these cross-border transfers and the safeguards described above.

12. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated through the Marketplace or via email to registered Publishers. The "Last updated" date at the top of this page reflects the most recent revision. Continued use of the Marketplace after changes constitutes acceptance of the updated policy.

13. Contact

Privacy questions or data requests:
Snippai LLC
Email: [email protected]
General inquiries: [email protected]