Security

Last updated: February 2025

Our Commitment

Snooch handles access to your email accounts and stores extracted order data on your behalf. We take that responsibility seriously. Security is not an afterthought — it is built into how the service works at every level.

This page describes the specific technical and operational measures we use to protect your data. If you have questions not covered here, contact us at snoochllc@gmail.com.

Data Encryption

All data transmitted between your browser and Snooch is encrypted using TLS (HTTPS). We do not support unencrypted HTTP connections.

Data at rest — including your extracted order data, account information, and email access tokens — is encrypted using AES-256 encryption in our database (MongoDB Atlas).

Email OAuth tokens and IMAP credentials are stored encrypted and are never logged in plain text.

Access Controls

Access to production systems and customer data is restricted to authorized personnel only. All internal access is logged and audited.

Authentication to the Snooch application uses secure session tokens managed by NextAuth v5 (Auth.js). Sessions are cryptographically signed and expire after inactivity.

Team accounts with multiple users have role-based access. Team members can only access data within their organization.

Email Permission Scope

This is important. When you connect a Gmail account to Snooch using Google OAuth, we request read-only access. We cannot send emails, delete emails, or modify anything in your inbox.

Within that read-only access, Snooch only searches for and reads emails that match receipt and order confirmation patterns — specific subject lines and sender addresses associated with retailers. We do not scan your entire inbox indiscriminately.

For IMAP connections (non-Gmail), we use app passwords rather than your real account password where supported. App passwords can be revoked independently of your main account password.

You can revoke Snooch's access to any connected email account at any time from your account settings, or directly from your email provider's security settings.

Incident Response

In the event of a security incident that affects your data, we will notify affected users within 72 hours of becoming aware of the incident. Notifications will be sent to the email address on your account.

Our incident response process includes: immediate containment, root cause analysis, remediation, and a post-incident review to prevent recurrence.

Responsible Disclosure

If you discover a security vulnerability in Snooch, please report it to us at snoochllc@gmail.com before disclosing it publicly. We will acknowledge your report within 2 business days and keep you updated on our progress.

We ask that you:

  • Give us reasonable time to investigate and fix the issue before public disclosure
  • Not access or modify data that does not belong to you
  • Not perform denial-of-service attacks or social engineering

We appreciate responsible security researchers and will credit you (if desired) in our acknowledgments when the issue is resolved.

Security concerns? Contact our security team.