Privacy Policy
Last updated: June 2026
1. What we collect
- Anonymous sessions: a session ID stored in your browser, plus detected subscription results (merchant names, amounts, dates) retained for 7 days.
- Registered accounts: your email address, linked to the session data described above.
- We never store raw bank transaction descriptions, account numbers, card numbers, or bank credentials.
2. How we process your data
Your bank statement CSV is parsed in memory on our servers. Raw transaction data is never written to disk or database. Only the detected subscription results (merchant name, amount, date) are stored.
3. Data storage and security
Data is stored in Supabase (PostgreSQL on AWS). All connections are encrypted in transit using HTTPS/TLS. Supabase encrypts data at rest using AES-256.
4. Data retention
Anonymous session data is automatically deleted after 7 days. Account data is retained until you delete your account.
5. Third parties
We use Supabase for database and authentication, Vercel for frontend hosting, and Railway for API hosting. We use PostHog for anonymous product analytics. No financial data is shared with any third party.
6. Your rights
You can delete your account and all associated data at any time by emailing privacy@sub-audit.com. Anonymous sessions expire automatically after 7 days.