Privacy Policy
Effective date: 30 June 2026
This Privacy Policy explains how Screencap.site (“Screencap”, “we”, “us”) — a website screenshot and thumbnail API operated by Website Holding — collects, uses, shares and protects personal data when you visit this site, create an account, or call the API. We aim to collect as little as possible and to be specific about what we do collect.
1. Data we collect
- Account data. Your email address and a securely hashed password (we never store your password in plain text).
- API keys. A key name and a one-way hash of each key, plus the time it was last used. The full key is shown to you once at creation and is not recoverable from us.
- Target URLs. The URLs you submit to the
/api/captureendpoint, used solely to render the screenshot you requested. - Generated screenshots. The image we return to you. Images are streamed back on each request and are not retained as a long-term archive; they may be cached transiently to speed up identical repeat requests.
- Usage metadata. For each capture we record the target URL, the output format, the response status code and a timestamp, so your dashboard can show usage and recent captures and we can monitor usage against your plan.
- Support messages. If you use our contact form, we store the name, email, subject and message you send so we can respond and keep a record of the request.
- Technical data. Standard server logs (IP address, user agent, request time) generated when you use the site or API, retained for security and abuse prevention.
2. Cookies
We use a single essential, http-only session cookie (sc_session) to keep you signed in. It is not used for advertising and we do not embed third-party advertising or cross-site tracking pixels. A separate local preference stores your light/dark theme choice in your browser only.
3. How we use your data
- To provide the screenshot API and your developer dashboard.
- To authenticate requests and track your usage against your plan.
- To take payment for any paid plan and manage your subscription, through Website Holding as merchant of record.
- To respond to support requests you send us.
- To keep the service secure — including blocking attempts to capture private or internal addresses (SSRF protection) and preventing abuse.
4. Legal bases (GDPR)
Where the GDPR applies, we rely on: performance of a contract (running your account and the API), legitimate interests (securing the service, preventing abuse, basic product analytics from server logs), legal obligation (tax and accounting records for payments), and your consent where specifically requested.
5. Who we share data with
We do not sell your personal data. We share it only with processors that help us run the service:
- Website Holding — our parent operator and merchant of record, which handles billing and subscriptions for paid plans, and account administration.
- Rendering provider. To render a screenshot, the target URL you submit is sent to a third-party rendering service (Automattic's WordPress.com mShots service). It receives the URL in order to produce the image.
- Cloud hosting (AWS). The application and database run on Amazon Web Services infrastructure.
- Payment processing. If you buy a paid plan, card payments are processed by Website Holding's payment provider as merchant of record; we never see or store full card numbers.
6. Data retention
We keep account data for as long as your account is active. Capture usage metadata is kept to power your usage history and is then periodically pruned (generally within about 12 months). Generated images are not retained long-term. Support messages are kept while we handle them and for a reasonable period afterwards as a record. Server logs are rotated on a short cycle. When you delete your account, we delete or anonymise associated personal data except where we must keep records for legal or accounting reasons.
7. International transfers
We and our processors may process data in the United States and the European Union. Where data is transferred across borders, we rely on appropriate safeguards such as Standard Contractual Clauses.
8. Your rights
Depending on where you live, you may have the right to access, correct, delete, export, restrict or object to our processing of your personal data (GDPR), and the right to know, delete and opt out of the “sale” of personal information (CCPA) — though we do not sell personal information. To exercise any of these, contact us via our contact page. You also have the right to lodge a complaint with your local data protection authority.
9. Security
Passwords are hashed with a salted scrypt function, API keys are stored only as hashes, traffic is served over TLS, and the capture endpoint blocks requests to private and loopback addresses. No system is perfectly secure, but we work to protect your data in transit and at rest.
10. Children
Screencap.site is a developer tool intended for adults and is not directed at children under 16. We do not knowingly collect data from children.
11. Changes to this policy
We may update this policy as the service evolves. When we make material changes we will update the effective date above and, where appropriate, notify you by email.
12. Contact
Questions about privacy or a data request? Reach us through our contact & support page, operated by Website Holding.