Privacy Policy
How Reshot collects, uses, retains, transfers, and protects personal data.
Effective: May 10, 2026
Summary
Reshot collects the information needed to provide documentation screenshot automation, run accounts and billing, secure the Service, provide support, and improve reliability. We do not sell personal data. We do not share personal data for cross-context behavioral advertising. We do not use Customer Content to train AI models.
When we process personal data that you put into Reshot or that appears in screenshots, capture configurations, or published assets, we usually act as your processor under our Data Processing Agreement. When we process account, billing, support, security, and product-usage information for our own business operations, we act as an independent controller.
This summary is for convenience only. The full policy below controls.
1. Who we are
Reshot is operated by The Plain Works Co., Ltd. (주식회사 더플레인웍스), a Korean company. This Privacy Policy applies to reshot.dev, the Reshot application, the Reshot CLI and API, support communications, and related services (the "Service").
This Privacy Policy is incorporated into the Terms of Service. If we process Customer Personal Data on your behalf, the Data Processing Agreement applies and controls over this Privacy Policy to the extent of any conflict.
2. Our roles
We are a controller for personal data we process for our own business purposes, including account administration, security, billing metadata, support, product analytics, legal compliance, and communications.
We are a processor for Customer Personal Data contained in or derived from Customer Content, such as screenshots, capture configurations, webhook payloads, documentation references, published assets, or other materials you submit to the Service.
Paddle acts as an independent controller for payment information it collects as merchant of record; Paddle’s privacy notice governs that processing. Customer-selected integrations may also act as independent controllers or processors under their own terms.
3. Information we collect
Account data
We collect account and workspace information such as name, email address, organization name, role, workspace name, authentication information, session information, plan, seat role, and account settings.
Passwords, where used, are stored as hashes. API keys and CLI tokens are stored using protective controls appropriate to their purpose, such as hashing, encryption, or restricted access.
Customer Content
Customer Content may include capture configurations, screenshot images, baselines, diffs, version history, approval decisions, project names, repository metadata, documentation references, published asset metadata, webhook configuration, exports, and files or metadata you submit through the Service.
Screenshots may contain personal data or confidential information depending on what you choose to capture. We do not decide what appears in your screenshots or capture scenarios.
CLI, API, and technical data
When you use the CLI, API, or integrations, we may collect technical information such as API request metadata, IP address, user agent, CLI version, command result metadata, project identifiers, workspace identifiers, error messages, performance metrics, rate-limit counters, and security logs.
Usage data
We collect information about how account users interact with the Service, such as pages visited, features used, capture workflows run, errors encountered, approximate location derived from IP address, browser and device information, and performance metrics.
Payment data
Paddle collects and processes payment information as merchant of record. We receive limited transaction metadata, such as customer email, plan, subscription status, billing period, invoice identifiers, tax jurisdiction, and limited payment metadata. We do not receive complete card numbers or bank account details.
Support and communications
If you contact us, we collect the information in your message, contact details, attachments, support history, and related metadata. Please avoid sending secrets, credentials, or sensitive personal data in support requests.
Cookies and similar technologies
We use cookies and similar technologies as described in the Cookie Policy.
4. Information we do not intentionally collect
Reshot is not designed to collect government identifiers, payment card numbers, bank account numbers, precise geolocation, biometric data, protected health information, children’s data, or GDPR Article 9 special-category data.
Because screenshots reflect the environment and application state you choose to capture, Customer Content may still contain these categories if you capture or upload them. You are responsible for avoiding or lawfully safeguarding sensitive information in Customer Content.
5. How we use information
We use information to:
- provide, operate, maintain, and secure the Service;
- create and manage accounts, workspaces, plans, roles, and access controls;
- process captures, screenshots, diffs, approvals, exports, and published assets;
- run APIs, CLI workflows, webhooks, and integrations you configure;
- send transactional communications, security alerts, product notices, and support responses;
- process billing metadata and subscription status through Paddle;
- debug errors, measure reliability, prevent abuse, and protect the Service;
- improve product functionality, usability, and performance using aggregated or de-identified data;
- comply with law, enforce agreements, and defend legal claims; and
- send marketing communications where permitted by law or with consent.
We do not use Customer Content to train AI models. We do not sell personal data. We do not share personal data for cross-context behavioral advertising.
6. Legal bases for EEA, UK, and Swiss users
Where GDPR, UK GDPR, or Swiss data protection law applies, our legal bases include:
- Contract performance: to provide the Service, manage accounts, process subscriptions, and send transactional notices.
- Legitimate interests: to secure the Service, prevent abuse, debug errors, improve functionality, analyze aggregate usage, communicate product updates, and protect legal rights.
- Consent: for optional marketing, non-essential cookies where required, or other processing where consent is required.
- Legal obligation: for tax, accounting, regulatory, sanctions, and compliance obligations.
You may object to processing based on legitimate interests by contacting privacy@reshot.dev.
7. How we share information
We share information only as needed for the purposes in this Privacy Policy:
- Subprocessors and service providers. We use vendors to host, secure, support, analyze, email, and operate the Service. The current list is maintained at reshot.dev/legal/subprocessors.
- Paddle. Paddle handles checkout, billing, tax, invoicing, and payment operations as merchant of record and independent controller.
- Customer-selected integrations. If you connect a third-party service, we share information as instructed by your configuration.
- Workspace administrators. Workspace owners and administrators may access Customer Content, usage, billing status, and user information within the workspace.
- Legal and safety recipients. We may disclose information to comply with law, enforce agreements, prevent fraud or abuse, protect rights and safety, or respond to lawful requests.
- Business transfers. Information may be transferred in connection with a merger, acquisition, financing, reorganization, or sale of assets, subject to appropriate protections.
We do not sell personal data or rent personal data to third parties.
8. International transfers
We are based in Korea and use service providers in Korea, the United States, the European Union, and other countries. The primary managed application infrastructure may process data in the United States unless your plan or written agreement provides a different storage boundary.
For transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, we rely on appropriate safeguards such as the EU Standard Contractual Clauses, the UK International Data Transfer Addendum or IDTA, Swiss adaptations, and contractual safeguards described in the DPA.
For Korean users, cross-border transfer details are described in this Privacy Policy and the Subprocessor List.
9. Retention
We retain information only for as long as reasonably necessary for the purposes described above, unless law requires or permits a longer period.
| Category | Typical retention |
|---|---|
| Account data | While the account is active, plus up to 30 days after deletion, unless needed for legal, security, or billing records |
| Customer Content | While the workspace is active, plus the export window described in the Terms, then deleted or anonymized |
| Published assets | Until unpublished, deleted, or the workspace is terminated, plus applicable cache, backup, and export windows |
| CLI/API/security logs | Typically up to 90 days, longer where needed for security, abuse prevention, or legal claims |
| Usage analytics | Up to 24 months in identifiable or pseudonymous form, then aggregated or deleted |
| Support communications | Typically up to 36 months after the last interaction |
| Billing and tax records | For the period required by applicable tax and accounting law, typically 5–7 years |
| Backups | Encrypted backups are typically purged within 35 days of deletion from live systems |
Aggregated or de-identified information that does not identify you, your organization, or an individual may be retained longer.
10. Your privacy rights
Depending on where you live, you may have rights to access, correct, delete, restrict, object to, or export personal data, and to withdraw consent where processing is based on consent.
To exercise rights, email privacy@reshot.dev. We may need to verify your identity and may route processor-side requests to the relevant customer if your data is in Customer Content controlled by that customer.
We generally respond within 30 days, unless applicable law provides a different timeline. California requests may take up to 45 days where permitted. Korean PIPA requests are handled within applicable PIPA timelines.
You may also have the right to complain to a data protection authority.
11. California privacy notice
We do not sell personal information. We do not share personal information for cross-context behavioral advertising. We honor Global Privacy Control signals as opt-out signals where required by law.
California residents may request access, deletion, correction, portability, and information about categories of personal information collected, sources, purposes, and disclosures. We will not discriminate against you for exercising these rights.
We do not use or disclose sensitive personal information for purposes requiring a right to limit under the CCPA/CPRA unless we provide the required notice and choice.
12. Cookies and Global Privacy Control
Our Cookie Policy explains the cookies and similar technologies we use. We do not use third-party advertising cookies or cross-site behavioral advertising pixels.
We honor Global Privacy Control (GPC) signals where required. We do not respond to browser Do Not Track signals because there is no consistent legal or technical standard for them.
13. Security
We use technical and organizational measures designed to protect personal data and Customer Content, including encryption in transit, encryption at rest where supported by our infrastructure providers, access controls, administrative MFA, logging, monitoring, incident response, and vendor review.
No system is perfectly secure. You are responsible for securing your accounts, access tokens, CLI environments, CI/CD systems, capture targets, and integrations.
Report vulnerabilities to security@reshot.dev.
14. Children
The Service is intended for business use by adults. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided personal data to us, contact privacy@reshot.dev.
15. Korean PIPA notices
For Korean privacy-law purposes:
- Personal Information Protection Manager (개인정보 보호책임자): Jake Kim (김진용), CEO
- Contact: privacy@reshot.dev
- Categories, purposes, and retention: Sections 3, 5, and 9
- Cross-border transfers: Section 8 and Subprocessors
- Rights requests: Section 10
Korean residents may also contact the Personal Information Protection Commission or the KISA Personal Information Infringement Report Center.
16. EEA, UK, and Swiss notices
Our privacy contact for EEA, UK, and Swiss matters is privacy@reshot.dev. If we are legally required to appoint an EU or UK representative, we will publish the representative’s contact information on this page or in a linked notice.
17. Changes
We may update this Privacy Policy. We will post the updated version and provide at least 30 days’ notice of material changes by email or in-product notice, unless legal, security, or operational urgency requires faster action.
18. Contact
The Plain Works Co., Ltd. (주식회사 더플레인웍스)
Cheonan, Chungcheongnam-do, Republic of Korea
Privacy and DPA inquiries: privacy@reshot.dev
General and billing support: support@reshot.dev
Security reports: security@reshot.dev

