Privacy Policy

Last updated: May 16, 2026

Effective for users in the United States today. UK availability is rolling out — UK residents should read §7 (UK GDPR) which will apply from the date SubTidy is made available in the UK.

1. Information We Collect

Account information: email address, name, company name, and password (hashed, never stored in plaintext).

Subscription tracking data: the SaaS tools, prices, renewal dates, seats, departments, and notes you choose to enter.

Billing information: when you subscribe to a paid plan, our payment processor (Dodo Payments) collects your name, billing address, and card details on a PCI-compliant hosted checkout page. We never see or store full card numbers. We receive only the last four digits, card network, billing country, and a customer/subscription identifier.

Usage data: pages visited, features used, request IP, and approximate country (derived from IP at the edge). Used to operate, secure, and improve the service.

2. How We Use Your Information

  • Provide and operate SubTidy.
  • Process payments, send receipts, and recover failed renewals.
  • Send renewal reminders and lifecycle emails you have opted into.
  • Generate AI-powered savings recommendations. We send only subscription names and category tags to our AI provider — never prices, card numbers, employee names, or notes.
  • Detect and prevent abuse and fraud.
  • Comply with legal obligations (e.g. tax records).

We do not sell your data, share it for cross-context behavioural advertising, or use it to train AI models.

3. Service Providers (Subprocessors)

We share limited data with the providers below, each under a data-processing agreement that prohibits unauthorized use:

Provider        Purpose                          Data shared
Supabase        Database + auth                  All account & app data
Vercel          Hosting + CDN + logs             Request metadata, IP, error logs
Dodo Payments   Payment processing               Name, email, billing address, card
OpenRouter      AI recommendations               Tool names + category tags only
ZeptoMail       Transactional & lifecycle email  Email address, name, message body

4. Data Storage & Security

Data is stored in Supabase (PostgreSQL, US region) with row-level security enforcing strict per-user isolation. All traffic is encrypted with TLS 1.2 or higher; data is encrypted at rest. Passwords are hashed using industry-standard algorithms. Access to production systems is restricted to authorized personnel and audit-logged.

5. Data Retention

Data type            Retention period
Account + app data   Until you delete your account
Payment records      7 years after each charge (US tax / IRS requirement, 26 U.S.C. § 6501). Linked to a name + email snapshot, not to a live account.
Backups              Up to 30 days
Server logs          90 days

When you delete your account, all personal data is removed within 30 days except payment records, which we are legally required to retain. Those records are anonymized to the maximum extent we can while preserving the ability to respond to chargebacks, refunds, and tax audits.

6. Your California Privacy Rights (CCPA / CPRA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act and the California Privacy Rights Act:

  • Right to know what personal information we collect, use, and share.
  • Right to delete your personal information (subject to retention exceptions listed in §5).
  • Right to correct inaccurate information.
  • Right to opt out of sale or sharing of personal information. We do not sell or share your information for cross-context behavioural advertising, so there is nothing to opt out of — this right is honoured by default.
  • Right to limit use of sensitive personal information. We do not use sensitive personal information for purposes beyond what is necessary to provide the service.
  • Right to non-discrimination for exercising any of the above.

To exercise any of these rights, email contact.iodevz@gmail.com from the address on your account. We will respond within 45 days. We may request additional information to verify your identity before fulfilling a request.

7. Your UK Privacy Rights (UK GDPR / Data Protection Act 2018)

This section applies to users in the United Kingdom from the date SubTidy is made available in the UK. It supplements (and where conflicting, overrides for UK residents) the rest of this policy.

Controller

SubTidy operates as the data controller for personal data processed about UK users. Contact: contact.iodevz@gmail.com. We will appoint a UK representative under Art. 27 UK GDPR before commencing UK service if our processing meets the monitoring/large-scale threshold; until then, the controller email above is the primary contact.

Lawful bases for processing (Art. 6)

  • Contract (Art. 6(1)(b)) — to provide the account, subscription tracking, and billing features you signed up for.
  • Legitimate interests (Art. 6(1)(f)) — to secure the service against abuse, debug errors, and send essential operational emails (renewal reminders, price alerts). You may object at any time.
  • Legal obligation (Art. 6(1)(c)) — to retain payment records for tax/audit purposes (see §5).
  • Consent (Art. 6(1)(a)) — only where we ask for it explicitly, e.g. optional product announcements. Withdrawable any time without affecting prior processing.

Your rights (Art. 13, 15–22)

  • Right of access — a copy of the personal data we hold about you.
  • Right to rectification — correct inaccurate or incomplete data.
  • Right to erasure (“right to be forgotten”) — subject to the retention exceptions listed in §5 (e.g. payment records held for UK tax-record obligations under the Finance Act).
  • Right to restrict processing — pause use of your data while a query is resolved.
  • Right to data portability — receive your account + subscription data in a machine-readable JSON or CSV export.
  • Right to object — to processing based on legitimate interests, including direct marketing (we honour this absolutely).
  • Rights relating to automated decision-making — we do not make decisions that produce legal or significant effects about you using solely automated means.

Email contact.iodevz@gmail.com from the address on your account. We will respond within one calendar month (the UK GDPR default), extensible by two further months for complex requests with notice.

International transfers

Our infrastructure (Supabase, Vercel) and subprocessors are primarily based in the United States. Where we transfer UK personal data outside the UK, we rely on the UK International Data Transfer Agreement (IDTA) or the EU Standard Contractual Clauses with the UK Addendum, in each case combined with the safeguards required by the ICO. A copy of the relevant transfer mechanism is available on request.

Right to complain

You have the right to lodge a complaint with the UK supervisory authority, the Information Commissioner's Office (ICO). We'd appreciate the chance to address your concern first — email contact.iodevz@gmail.com and we'll respond before you escalate.

8. Cookies

We use only essential cookies for authentication and session management. We do not use tracking cookies, advertising cookies, or third-party analytics that profile you across sites.

9. Children

SubTidy is a B2B service not directed to children under 13. We do not knowingly collect information from children. If you believe we have, contact us and we will delete it.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be notified by email or in-app banner at least 14 days before they take effect.

11. Contact

Privacy questions, CCPA requests, UK GDPR requests, or data-deletion requests: contact.iodevz@gmail.com.