Privacy Policy

Last updated: April 9, 2026

sndev LLC (“sndev”, “we”) operates sndev.io and the sn-skills toolkit. This Privacy Policy explains what personal information we collect, why we collect it, who we share it with, and the choices you have. It is intentionally short because we intentionally collect very little.

1. What we collect

Account & billing data. When you subscribe we receive your email address, name (if provided), billing address, VAT or tax ID (if provided), and the last four digits of your payment card from Stripe. We store the email, your Stripe customer ID, your subscription ID, and your license JWT in a Cloudflare D1 database. We do not receive or store your full card number, CVC, or card expiration — those live only with Stripe.

Sign-in cookies. When you sign in at sndev.io/account we set a single HTTP-only, signed session cookie named sndev_session with a 7-day expiry. It is not shared with any third party and is not used for tracking across sites.

Magic-link tokens. Sign-in emails contain a short-lived token tied to your email address. Tokens are single-use and pruned by a daily cron job.

API usage telemetry. When an authenticated MCP request is made to /mcp or /live we log the tool name, the first 256 characters of the JavaScript query expression, the auth method (bearer or x402), the response status and latency, and an 8-character non-reversible fingerprint of the bearer token (SHA-256 prefix) — never the raw API key. For x402 payments we log the on-chain payer address. These are written to Cloudflare Analytics Engine and used to monitor service health and spot abuse.

IP addresses. Your IP is seen by Cloudflare as part of normal request routing and is used to rate-limit magic-link requests. We do not persist IP addresses in our own database.

2. What we do NOT collect or store

• ServiceNow credentials. When you use the /live proxy to query a real ServiceNow instance, your instance URL, username, and password (or bearer token) are passed through per-request and are never stored, logged, or written to any database. They exist only in the memory of a single Cloudflare Worker invocation.
• Your manifests or outputs. We do not receive copies of the ServiceNow configurations, manifests, or code you author with the sn CLI. The CLI runs on your own machine and connects directly to your ServiceNow instance.
• Full API keys. Analytics store an 8-character hash prefix only — it cannot be reversed into the original key.
• AI training data. Nothing you send through the Service is used to train AI models, ours or anyone else’s.

3. Who we share data with (sub-processors)

We use a small number of third-party services to operate sndev.io. Each processes personal data only as needed to deliver its function:

• Stripe, Inc. — payments, subscription management, tax calculation, Customer Portal. Stripe receives your billing details directly and is the source of truth for payment data. See stripe.com/privacy.
• Cloudflare, Inc. — hosting, Workers runtime, KV storage, D1 database, Analytics Engine, rate limiting. All sndev.io requests transit Cloudflare. See cloudflare.com/privacypolicy.
• Resend (Resend.com, Inc.) — sends transactional emails (welcome, renewal, magic sign-in link). Receives your email address and the email body. See resend.com/legal/privacy-policy.
• Discord Inc. — receives operator notifications via webhook when a payment event occurs. The payload contains your Stripe customer ID, subscription ID, amount, and (for x402) the on-chain payer address. Your email is included in these operator alerts so we can contact you about payment issues.

We do not sell personal data to anyone, and we do not use it for advertising or cross-site tracking.

4. Where your data lives

sndev.io runs on Cloudflare’s global network. Personal data is stored in Cloudflare D1 (account + license records) and Cloudflare KV (reference data). Cloudflare may replicate data across regions for availability. Stripe and Resend operate their own data infrastructure.

5. How long we keep it

• Active subscription data: for as long as your subscription is active.
• After cancellation: your account and license records are retained for up to 12 months for accounting, tax, and audit obligations, then purged.
• Session cookies: 7 days from issue.
• Magic-link tokens: expire on first use, or after a short TTL; pruned by a daily cron.
• Analytics events: retained according to Cloudflare Analytics Engine’s default retention.

6. Your rights

Depending on where you live you may have rights under the GDPR, the UK GDPR, the California Consumer Privacy Act (CCPA), or similar laws. These typically include:

• The right to access the personal data we hold about you
• The right to correct inaccurate data
• The right to deletion (“right to be forgotten”)
• The right to export your data in a portable format
• The right to object to processing or withdraw consent

To exercise any of these rights, email support@sndev.io from the address associated with your account. We will respond within 30 days. We will not charge you or retaliate for making a request.

7. Children

sndev.io is a developer tool sold to businesses. It is not directed to children and we do not knowingly collect data from anyone under 16. If you believe we have, contact us and we will delete it.

8. Security

We use HTTPS everywhere, store secrets in Cloudflare’s secret store, sign session cookies, use HttpOnly + Secure + SameSite=Lax flags, hash API keys before writing them to analytics, and rotate Stripe webhook secrets without downtime. No system is perfect, but we try. If you discover a security issue, email security@sndev.io.

9. Changes to this policy

If we change this policy materially we will update the “Last updated” date and, for material changes affecting existing subscribers, notify you by email.

10. Contact

Privacy questions or data requests: support@sndev.io. For security reports: security@sndev.io.