SnowFairy AI Labs — SnowFairy AI IntelliRecover (Windows Desktop Software)
Last updated: June 26, 2026 · Governing law: India · Designed to support GDPR, UK GDPR, CCPA/CPRA & DPDP Act 2023 rights
SnowFairy AI Labs ("SnowFairy", "we", "us") is committed to transparency about data collection. This Privacy Policy explains exactly what data our Software collects, why, how long it is kept, who sees it, and the rights you have. We have designed the Software with a clear two-stream architecture — one stream is mandatory for the Software to function lawfully and securely, and one is fully optional.
The Software's data collection is divided into two clearly defined, separately described streams with different purposes, scopes, and legal bases:
Required for the Software to function. Cannot be disabled without disabling the Software entirely. Covers identity, license, device fingerprint, session data, and recovery evidence (including up to 100 file names per session for chargeback defence). Legal basis: contract performance + legitimate interest in fraud prevention. GDPR Art. 6(1)(b)(f) DPDP Act 2023 §4
Disabled by default. Zero file names · Zero file paths · Zero file contents · Zero personal identifiers. Enable via Settings → Privacy → Analytics. Auto-deleted after 30 days. Legal basis: explicit consent. GDPR Art. 6(1)(a) DPDP Act 2023 §5
The following data is collected during every session as a condition of using the Software. You consent to this collection by installing and using the Software, as disclosed in the in-app Terms of Service.
When you create an account: your email address. If you use OAuth (e.g., Google Sign-In): your display name and profile photo URL as provided by that service. Passwords are managed entirely by Firebase Authentication — we never see or store raw passwords.
Your License Key, product tier (e.g., Pro, Elite), activation date, expiry date (annual plans), region (India / UK / Global), and a one-way SHA-256 hashed machine identifier derived from hardware properties of your PC. The hash is mathematically irreversible — it cannot be used to identify your PC to anyone other than SnowFairy for the specific purpose of per-device license enforcement.
Collected at activation: Windows OS edition and build number, CPU model and core count, RAM capacity, GPU model, screen resolution, and connected storage drive labels and capacities. This profile is used to enforce license limits, assist support diagnosis, and provide context in dispute evidence.
IP address at session start (used for geolocation — see Section 6 — and logged once per session under your license record), session start and end timestamps, cumulative launch count, and features used during each session.
Per scan session, we record: number of files found and recovered, recovered file types (e.g., .jpg, .docx), recovered total size in MB, drive type and scan mode, scan duration — and up to 100 recovered file names per session. File names (not contents) are captured as evidence of successful recovery for the purpose of defending against fraudulent chargeback and refund claims. The recovery engine never transmits file contents to SnowFairy servers under any circumstances. If you voluntarily paste or share file content via the AI chat assistant or a support request, that content is processed solely as a support communication and is not linked to your recovery session data. We recommend not sharing sensitive personal data via support or chat channels.
This evidence is stored in Firebase Firestore under your license record, accessible only to SnowFairy administrators, and automatically deleted after 90 days via Firestore TTL policy. It may be disclosed to the payment processor or Merchant of Record, acquiring banks, or card network dispute resolution bodies in the event of a chargeback or fraud claim. GDPR Art. 6(1)(f) DPDP Act 2023 §4(1)(b)
We receive from the payment processor or Merchant of Record (shown at checkout): your purchase email, order reference, product tier purchased, and transaction amount — solely for license delivery and support. We do not receive, process, or store your payment card number, CVV, bank details, or billing address.
Stream B is disabled by default and requires your explicit opt-in action in Settings → Privacy → Analytics. You may withdraw consent at any time by returning to that setting.
When enabled, Stream B collects: scan duration, files-found and files-recovered counts by category, recovery rate percentages, drive type and scan mode, phase timings, and hardware profile (RAM, OS version). This data is:
Crash reports are automatically generated if the Software terminates unexpectedly. Before transmission, the report is processed by our SafeLogSanitizer component, which strips file system paths and any strings that may contain user-identifiable data. The sanitised report contains: application version, Windows OS version, error type, and a truncated stack trace. Crash reports are linked to an anonymous session fingerprint, not your email or account. Retained for 90 days, then permanently deleted.
Support logs are generated on your explicit request when you contact support. They use the same sanitisation pipeline. Sharing a log is always your choice — it is never transmitted automatically. Support logs may be reviewed by our support team to diagnose your issue and are retained for the duration of your support case plus 12 months.
When the Software launches, it makes a single HTTP request to ipapi.co (a third-party geolocation service) to determine your approximate country, region, and city based on your IP address. This is used to: (a) display the correct currency for your region, and (b) show regionally relevant promotional campaigns via our Campaign system.
The result is cached locally on your device for 24 hours. We do not store your IP address in our own databases beyond the single session-start log entry described in Section 2(d). The session-start IP is subject to the 90-day Stream A retention window.
If you prefer not to share geolocation data, block outbound requests to ipapi.co in your firewall; the Software will default to global (USD) pricing. DPDP Act 2023 §5 GDPR Recital 26
Our website and web portals (snowfairy.ai and subdomains) use:
.snowfairy.ai upon login. Enables single sign-on across all SnowFairy subdomains. Expires after 1 hour of inactivity. The web portal enforces automatic logout after 5 minutes of inactivity (tracked by mouse, keyboard, and scroll events within the portal tab only) for security. Cookie flags: Secure; SameSite=Lax.We do not use advertising cookies, cross-site tracking, retargeting pixels, or third-party analytics scripts on our website.
| Data | Purpose | Stream | Legal Basis |
|---|---|---|---|
| Email address | License key delivery; renewal reminders; critical security notices | A | Contract performance |
| License key & tier | Validate license; enforce feature gates | A | Contract performance |
| Hashed machine ID | Enforce per-device limits; detect concurrent misuse | A | Contract performance |
| Device & system profile | License enforcement; support diagnosis; dispute context | A | Contract / Legitimate interest |
| Session IP + location | Fraud detection; geolocation for pricing; dispute evidence | A | Legitimate interest |
| Recovery file names (≤100) | Chargeback defence; fraud prevention | A | Legitimate interest (fraud prevention) |
| Crash reports (sanitised) | Bug diagnosis; product stability | A | Legitimate interest |
| Support logs (sanitised) | Resolve support tickets (your choice to share) | A | Contract performance |
| Usage analytics (anonymous) | Feature adoption; product development | B | Explicit consent |
| Benchmark telemetry (anonymous) | Public performance benchmarks | B | Explicit consent |
We do not sell your personal data. We do not use your data for advertising profiling. We do not share data with data brokers.
Stream A Recovery Evidence (Section 2(e)) exists to protect both parties. From your perspective, it proves what was recovered from your device — useful if your recovery is disputed. From our perspective, it allows us to defend against fraudulent chargeback claims by users who recovered data successfully and then filed a false payment reversal.
In the event of a chargeback, refund dispute, or fraud allegation, Stream A data — including recovered file names, device fingerprint, session timestamps, and license records — may be disclosed to:
This disclosure is lawful under GDPR Article 6(1)(f) (legitimate interests), DPDP Act 2023 Section 4(1)(b) (legal purposes), and equivalent provisions in other jurisdictions. Records are retained for 90 days and then permanently deleted. GDPR Art. 6(1)(f) DPDP Act 2023 §4(1)(b) IT Act 2000 §79
All account, license, and telemetry data is stored in Google Firebase (Firestore + Firebase Authentication), hosted on Google Cloud infrastructure in the United States. Google's data processing terms (including Standard Contractual Clauses for EU data transfers) apply.
Security measures:
In the event of a personal data breach that poses a risk to your rights, we will notify you as required by applicable law. GDPR Art. 33–34 IT Act 2000 §43A DPDP Act 2023 §8(6)
| Data Type | Retention Period | Deletion Method | Stream |
|---|---|---|---|
| Account data (email, auth) | Until you request account deletion | Manual on request | A |
| License records | 7 years (tax & audit compliance) | Manual after legal hold | A |
| Device profile + activation logs | Life of license + 1 year | Manual on account deletion | A |
| Recovery evidence (file names, session data) | 90 days from session date | Firestore TTL — automatic | A |
| Session IP address | 90 days (part of session record) | Firestore TTL — automatic | A |
| Crash reports (sanitised) | 90 days | Firestore TTL — automatic | A |
| Support correspondence | 3 years from last correspondence | Manual on request | A |
| Geolocation cache | 24 hours — local device only | Automatic (local cache expiry) | A |
| Web session cookie (sf_session) | 1 hour from last activity | Automatic expiry | A |
| Usage analytics (raw, Stream B) | 30 days, then permanently deleted | Firestore TTL — automatic | B |
| Benchmark telemetry runs (Stream B) | 30 days | Firestore TTL — automatic | B |
| Aggregated benchmark statistics | Indefinite (no personal data) | N/A | B |
| Service | Purpose | Data Shared | Privacy Policy |
|---|---|---|---|
| Google Firebase | Authentication, database, hosting, cloud functions | Email, license data (Stream A); anonymous telemetry (Stream B) | firebase.google.com/support/privacy |
| Payment processor / MoR | Payment processing — Merchant of Record; dispute handling | Email, order reference (processed independently by the payment processor / MoR) | paddle.com/legal/privacy |
| Google (OAuth) | Optional sign-in method | Display name, email, profile photo (only if you use Google sign-in) | policies.google.com/privacy |
| Groq | AI recovery assistant (in-app chat) | Query text you submit to the AI assistant. We recommend not including personal data, file names, or sensitive information in chat queries; if included, it is processed as support/query data only under Groq's privacy policy. | groq.com/privacy-policy |
| ipapi.co | IP-based geolocation for pricing and regional campaigns | Your IP address (one request per 24-hour window per device) | ipapi.co/privacy |
We do not share your data with any other third parties, except as required by applicable law or as part of a legitimate dispute resolution process as described in Section 9.
We honour data subject rights for all users regardless of location. The specific rights available to you depend on your jurisdiction:
| Jurisdiction | Applicable Law | Your Rights |
|---|---|---|
| India | DPDP Act 2023 · IT Act 2000 · Consumer Protection Act 2019 | Access, correction, erasure, grievance redressal (within 30 days), nomination of representative, right to withdraw consent for Stream B, right to file a complaint with the Data Protection Board of India |
| EU / EEA | GDPR 2016/679 | Access (Art.15), rectification (Art.16), erasure (Art.17), restriction (Art.18), portability (Art.20), objection (Art.21), right not to be subject to automated decision-making (Art.22), right to lodge complaint with your national supervisory authority |
| United Kingdom | UK GDPR · Data Protection Act 2018 | Same as EU GDPR above; right to complain to the Information Commissioner's Office (ICO) |
| United States (California) | CCPA / CPRA | No Sale / No Sharing: We do not sell or share your personal information with third parties for cross-context behavioural advertising. Rights: right to know, right to delete, right to correct, right to opt out of sale/sharing, right to limit use of sensitive personal information (none collected beyond what is disclosed), right to non-discrimination. GPC: We honour Global Privacy Control (GPC) signals where technically feasible. Response timeline: 45 days (extendable by a further 45 days where reasonably necessary, with notice). CCPA/CPRA |
| All other locations | Local applicable law | We will honour reasonable data requests under principles of transparency and fairness even where local law may not mandate it |
To exercise any right: email support@snowfairy.ai with your registered email address and the specific right you wish to exercise. We will respond within 30 days for most jurisdictions, or within 45 days for California residents under CCPA/CPRA (extendable by a further 45 days with notice). We may verify your identity before acting on your request and will not discriminate against you for exercising your rights.
Note on deletion of Stream A data: License records must be retained for up to 7 years for tax compliance. Recovery evidence is deleted after 90 days automatically. We cannot delete records that are subject to an active legal dispute or investigation.
The Software is not directed at children under the age of 18, or under the higher age threshold required by local law (e.g., under 18 under India's DPDP Act 2023 §9; under 16 in the EU under GDPR Art. 8; under 13 in the US under COPPA). We do not knowingly collect personal data from children. If you believe we have inadvertently collected data from a child, contact support@snowfairy.ai immediately and we will delete it without undue delay. DPDP Act 2023 §9 GDPR Art. 8 COPPA (US)
Our data is stored on Google Firebase infrastructure in the United States. Transfers from the EU/EEA are made pursuant to Google's Standard Contractual Clauses (SCCs) approved by the European Commission under GDPR Art. 46(2)(c). Transfers from the United Kingdom are made pursuant to Google's UK International Data Transfer Agreement (IDTA) or the UK Addendum to EU SCCs, as approved by the UK Information Commissioner's Office (ICO) under UK GDPR Art. 46. For Indian users, cross-border data transfers are conducted in accordance with DPDP Act 2023 §16 and applicable rules. We do not transfer data to jurisdictions lacking adequate protection without appropriate safeguards. GDPR Art. 46 UK GDPR Art. 46 DPDP Act 2023 §16
We may update this Privacy Policy from time to time. We will post the updated Policy on our website with a new "Last updated" date and notify you of material changes by email or in-app notification at least 14 days before they take effect. Continued use of the Software after the effective date constitutes acceptance of the revised Policy.
For any privacy question, data subject request, or grievance, contact our designated Privacy & Grievance Officer:
India DPDP Act grievance: If your grievance is not resolved within 30 days, you have the right to escalate your complaint to the Data Protection Board of India once the Board is operationally established under the DPDP Act 2023. DPDP Act 2023 §13
Language of notice (India): In accordance with the DPDP Act 2023, this Privacy Policy is provided in English. Upon request, we will endeavour to provide a summary of this notice in any language listed in the Eighth Schedule of the Indian Constitution. Contact us at support@snowfairy.ai to request a translated summary. DPDP Act 2023 §5(1)
EU/UK: If you are not satisfied with our response, you have the right to lodge a complaint with your national data protection supervisory authority (e.g., the ICO in the UK; your national DPA in the EU). GDPR Art. 77