subThis

Privacy Policy

Effective 2026-04-21 · v1.0.0

Effective: 2026-04-21 · Version: 1.0.0

subThis is a personal-utility app that helps you track your subscriptions by forwarding confirmation emails to a single address. This policy explains what data we hold, how long, and what we deliberately do not do.

Status: v1 placeholder. Content will be reviewed by counsel prior to Phase 3 public launch (per PRD §10.4). Pre-public-launch users (Phase 1 / Phase 2) operate under the terms below.

What we collect

  • Your email address — used as your account identifier and as the sender we recognize when you forward.
  • Parsed subscription records — vendor, amount, frequency, next renewal date, plan name if present — extracted from your forwarded emails.
  • Forwarded email content — temporarily, for the parsing step only. Deleted within 24 hours of receipt. A log row confirming deletion persists indefinitely (we keep the record of that we deleted, not the content itself).
  • Basic auth / support logs — IP address, user agent, timestamps around sign-in events, support tickets. Used for security and support.

What we do NOT do

  • We do NOT connect to your bank. No Plaid, no credential access.
  • We do NOT read your inbox. We only receive what you forward.
  • We do NOT sell your data. Ever.
  • We do NOT use your data to train AI. Vendor templates are built from anonymized aggregate parse failures, never from specific user content.
  • We do NOT retain forwarded email content beyond 24 hours — except a narrow operator-review case (max 30 days, with explicit user consent per message).

How long we keep things

DataRetention
Forwarded email content (raw)24 hours, then purged
Parsed subscription recordsUntil you delete them or close your account
Account + profile90 days after account closure, then permanently deleted
Login audit events365 days
AI usage logs (paid tier only)730 days (cost analytics)
Error logs180 days

Your rights

You can at any time:

  • Export your data — full JSON dump from settings.
  • Delete individual subscription records.
  • Close your account (full data deletion 90 days later).
  • Request a data subject access report — email support@subthis.app.

Sub-processors

  • Supabase — database + auth + file storage
  • Resend — transactional email + inbound webhook
  • Google (Gemini API) — AI parsing fallback + monthly insights (paid tier only)
  • Stripe — payments (paid tier only)
  • Vercel — hosting
  • Upstash — rate limiting

Each processor holds only the minimum data required to perform their role.

Contact

support@subthis.app