Legal
Privacy Policy
How Shield Management Inc handles personal data in and around SnitchOS — what we collect, what we deliberately never collect, why, and the rights that go with it.
1. Who we are
SnitchOS is a multi-tenant employee-monitoring and workforce-analytics product operated by Shield Management Inc (“Shield”, “we”, “us”). Shield self-hosts SnitchOS on infrastructure it controls and licenses it to managed service providers, who deploy the SnitchOS agent to company-owned Windows endpoints and view the resulting data through the SnitchOS dashboard.
This policy explains how personal data flows through SnitchOS, the roles each party plays, and how the people whose data is processed can exercise their rights. For questions about this policy, contact privacy@snitchos.com.
1.1 Key terms
- Customer — the managed service provider that licenses SnitchOS from Shield.
- Client Tenant — a downstream client organization of the Customer whose workforce is monitored within an isolated tenant in SnitchOS.
- Monitored User — an individual employee or worker whose company-owned, managed device is monitored by the SnitchOS agent.
- Administrator — a person the Customer authorizes to sign in to the SnitchOS dashboard to view or manage data.
- Endpoint data — the monitoring data the agent collects from a managed device, described in Section 4.
2. Controller and processor roles
The parties’ roles depend on the category of data.
2.1 Endpoint data (Shield as processor)
For endpoint data collected from Monitored Users, the Customer and/or its Client Tenant is the data controller and Shield acts as a data processor on the Customer’s documented instructions. The Customer decides which devices are monitored, configures categorization and retention within available settings, and is responsible for the lawfulness of the monitoring. Shield processes endpoint data only to provide and support the service, as set out in the Data Processing Addendum (see the DPA & sub-processors page) and consistent with Article 28 GDPR where applicable.
2.2 Account and billing data (Shield as controller)
For a limited set of data — Administrator identities used to authenticate, account and support records, and billing information — Shield acts as an independent controller. We use this data to operate the Customer relationship, secure the platform, and bill for the service. This policy governs that processing directly.
3. What data is collected
The SnitchOS agent samples a defined set of workplace-activity signals from managed devices, and the platform records the data needed to run multi-tenant accounts.
3.1 Endpoint data collected by the agent
- Active window — foreground process name and window title.
- Idle and active state, and idle duration.
- Application usage — which applications ran and for how long.
- Website activity — scheme, host, and path only. Query strings and fragments are removed on the endpoint and again on ingest.
- Input counts only — keystroke count, mouse-click count, and mouse-distance totals. The content of what is typed is never recorded.
- Screenshots — one deduplicated frame per minute, skipped while the device is idle.
- Device and operating-system metadata — hostname, OS version, agent version, and the session or user the sample belongs to.
- Administrator identity — name, email, and the immutable object identifier returned by Microsoft Entra ID at sign-in.
- Microsoft 365 usage — only if the Customer connects its Microsoft 365 tenant: Entra sign-in activity and Teams and Outlook usage signals retrieved through the Microsoft Graph API.
3.2 What is explicitly not collected
SnitchOS is not a keylogger and does not read content. It never collects:
- Keystroke content — the keys or text typed.
- Clipboard contents.
- File contents.
- Message, email, or chat bodies.
- Audio or microphone input.
- Webcam or camera images.
- Saved passwords or credentials.
- URL query strings and fragments — so SSO tokens, magic-link credentials, and OAuth state are never stored.
4. Why we process this data
Endpoint data is processed for the workforce-monitoring purposes the Customer configures, including:
- Showing real-time and historical activity, idle time, and application and website usage.
- Classifying activity as productive, neutral, or unproductive and producing management reports.
- Raising per-tenant alerts and recording admin actions in an audit trail.
- Providing evidence for the Customer’s own compliance, workforce-management, and security needs.
Account and billing data is processed to authenticate Administrators, operate and secure the platform, provide support, and invoice for the service.
5. Legal bases
Where the GDPR or comparable law applies, processing relies on the following bases.
5.1 Where the Customer is controller
For endpoint data, the Customer (and/or its Client Tenant) determines and documents the legal basis for monitoring its own workforce. This is commonly the controller’s legitimate interests in managing and securing its business, performance of the employment relationship, or compliance with a legal obligation, and — where local law requires it — the informed consent of Monitored Users. The Customer is responsible for identifying and meeting the correct basis in each jurisdiction. Shield processes this data only on the Customer’s instructions.
5.2 Where Shield is controller
For account, support, and billing data, Shield relies on performance of its contract with the Customer, its legitimate interests in operating and securing the service, and compliance with legal obligations such as tax and accounting requirements.
6. How data is shared
Shield does not sell personal data and does not share it for cross-context behavioral advertising. Endpoint data stays within the Customer’s isolated tenants and is accessible only to the Administrators the Customer authorizes. We disclose personal data only to the sub-processors below, to the Customer that controls it, and where required by law or to protect the security and integrity of the service.
6.1 Sub-processors
We engage a small number of vendors to run the service. Each is bound by contractual data-protection terms. The current list is maintained on the DPA & sub-processors page; a summary is below.
| Sub-processor | Purpose | Data involved |
|---|---|---|
| Stripe | Payment processing and billing | Customer billing and payment details |
| Microsoft | Entra ID authentication, and Microsoft 365 Graph usage only when the Customer connects it | Administrator identity; connected Microsoft 365 usage signals |
| NotifyBell | Operational and alert notifications | Alert metadata routed to the Customer |
| Hosting / data-center provider | Underlying compute, storage, and network for the self-hosted deployment | All service data at rest on the dedicated infrastructure |
7. International transfers
SnitchOS is self-hosted by Shield on a single dedicated server under Shield’s control. Where personal data is transferred across borders — for example to a sub-processor or where the Customer or its Monitored Users are located outside the hosting region — such transfers are made under an appropriate safeguard, including the European Commission’s Standard Contractual Clauses (SCCs) and, where relevant, the UK International Data Transfer Addendum, together with any supplementary measures required by law. Details of the hosting location are available to Customers on request.
8. Retention
We keep personal data only as long as needed for the purposes above, then delete it on the following schedule.
| Data | Retention |
|---|---|
| Screenshots | Hot storage for 30 days, then cold storage through day 365, then hard-deleted. |
| Audit log | Retained 3 years in an append-only store. |
| Other endpoint data | Retained per the Customer’s configuration and purged when a tenant is offboarded. |
| Account and billing records | Retained for the life of the account and as required by legal and accounting obligations. |
When a Client Tenant is offboarded, its endpoint data is purged from the platform. On termination of the Customer relationship, data is disposed of in line with the DPA.
9. Security measures
Shield protects personal data with technical and organizational controls, including:
- TLS 1.3 encryption for data in transit between the agent, dashboard, and API.
- Tenant isolation enforced at the database row, object-store key, and API scope layers, so cross-tenant access is refused.
- A code-signed agent and MSI (Azure Trusted Signing, CN=Shield Management Inc), with signed-manifest verification before updates apply.
- Microsoft Entra single sign-on for Administrators, with no local passwords.
- An append-only audit log recording actor, IP, target, and outcome for every authenticated change.
Off-site backup copies are encrypted in transit. They are not additionally encrypted at rest; access to the backup target is restricted to authorized Shield operators. No system can guarantee absolute security, and the Customer remains responsible for securing its own Administrator accounts and devices.
10. Your rights
Depending on where they live, Monitored Users and other individuals may have rights to access, correct, delete, or restrict personal data, to object to or limit certain processing, to data portability, and — under US state laws such as the California Consumer Privacy Act as amended by the CPRA — to know what is collected, to request deletion or correction, and to opt out of any “sale” or “sharing” (SnitchOS does neither). Exercising a right will not lead to discriminatory treatment.
10.1 How to exercise a right
For endpoint data, the Customer or Client Tenant is the controller. If you are a Monitored User, direct your request to your employer or the organization that manages your device; they decide how data about you is handled. If a Customer receives a request it needs help fulfilling, or if you are unsure who to contact, email privacy@snitchos.com and we will route or support the request and assist the responsible controller. We may need to verify identity before acting, and we respond within the timeframes applicable law requires.
11. Customer responsibility for employee notice
The Customer (and, where relevant, its Client Tenant) is responsible for providing Monitored Users with lawful notice of monitoring and for obtaining any consent required in the applicable jurisdiction. Several US states — including New York, Connecticut, and Delaware — require advance written notice of electronic monitoring, and other jurisdictions impose their own notice or consent rules. SnitchOS is intended only for company-owned, MSP-managed devices used with appropriate notice; it is not designed for personal devices and is not designed to be undetectable.
12. Children’s data
SnitchOS is a workplace product for company-owned devices used by adult workers. It is not directed to children and is not intended to collect data from anyone under the age of majority. We do not knowingly process children’s personal data.
13. Changes to this policy
We may update this policy to reflect changes in the service, our sub-processors, or the law. When we make a material change, we will update the effective date above and, where appropriate, notify the Customer. Continued use of SnitchOS after an update means the revised policy applies.
14. Contact us
For privacy questions or to exercise a right, contact privacy@snitchos.com. For legal notices, contact legal@snitchos.com. For general product support, contact support@snitchos.com. Postal contact for Shield Management Inc is available on request.
Data processing
Reselling SnitchOS to your clients?
The Data Processing Addendum sets out the Article 28 terms, the sub-processor list, and how endpoint data is handled on your instructions.