Privacy Policy

Effective Date: February 12, 2026
Last Updated: February 12, 2026

SubSleuth ("we", "us", "our") respects your privacy. This Privacy Policy explains what information we collect, how we use it, and your rights. By using SubSleuth, you agree to the practices described below.

1. Information We Collect

a) Account Information. When you create a SubSleuth account, we collect your name, email address, and a securely hashed password.

b) Email Receipt Data (via Nylas). When you connect Gmail, Outlook, or Yahoo, we use Nylas (a third-party email provider) to access your inbox in READ-ONLY mode. We extract only subscription receipts and billing emails — we never read, send, modify, or delete personal correspondence. The OAuth tokens granting this access are stored encrypted on our servers.

c) Subscription Information. Subscription names, amounts, billing cycles, renewal dates, and provider names extracted from your receipts or entered manually.

d) Payment Information. Payments are processed by Stripe. SubSleuth never sees or stores your card number, CVV, or full bank details. We retain only the Stripe customer ID, the last 4 digits, and the brand of the card.

e) Device & Usage Information. IP address, browser/device type, app version, crash logs, and basic usage analytics (button clicks, page views) used solely to improve the product.

2. How We Use Your Information

  • Detect, classify, and display your subscriptions.
  • Send renewal reminders, weekly digests, and price-change alerts (you can disable any of these in Settings).
  • Process subscription payments to SubSleuth via Stripe.
  • Provide customer support when you contact us.
  • Improve and secure the product (debugging, analytics, fraud prevention).
  • Comply with applicable laws and respond to lawful requests.

3. AI Processing (Google Gemini)

SubSleuth uses Google Gemini AI to analyze subscription receipts and classify usage patterns (e.g., active vs. unused). Receipt content is sent to Gemini's API on a per-request basis. Per Google's API terms, Gemini does NOT use your data to train its models. Receipt data is processed transiently and is not retained by Google.

4. Data Sharing — Limited and Defined

We do NOT sell your data. Period. We have no advertising business model.

We share data only with the following service providers, strictly to operate SubSleuth:

  • Nylas — Email OAuth provider (Gmail, Outlook, Yahoo connections).
  • Google Gemini — AI receipt analysis (transient, no model training).
  • Stripe — Payment processing for SubSleuth subscriptions.
  • Resend — Transactional email delivery (renewal alerts, password resets, etc.).
  • MongoDB Atlas — Encrypted database hosting.

We may disclose information when legally required (e.g., subpoena, court order) or to protect the rights, safety, or property of SubSleuth or its users.

5. Google API Services User Data Policy

SubSleuth's use of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements:

  • Gmail data is used only to provide the subscription-detection features visible in SubSleuth's user interface.
  • We do not transfer Gmail data to third parties unless necessary to provide or improve user-facing features, comply with applicable law, or as part of a merger/acquisition with user consent.
  • We do not use Gmail data to serve advertisements.
  • We do not allow humans to read Gmail data unless we have your explicit consent for specific messages, it is necessary for security purposes (such as investigating abuse), or as required by law.

6. Data Retention

  • Account data: retained for as long as your account is active.
  • Subscription records: retained while your account is active. You can request deletion at any time via Settings → Profile → Delete Account.
  • Email OAuth tokens: retained until you disconnect the inbox or delete your account, then permanently deleted within 30 days.
  • Crash logs / analytics: 90 days.

7. Your Rights

You have the right to:

  • Access a copy of your data — email admin@subsleuth.online.
  • Correct inaccurate data — update via Settings → Profile.
  • Delete your account and all associated data — Settings → Profile → Delete Account.
  • Disconnect any connected inbox at any time — Connections tab.
  • Opt out of notifications — Settings → Notifications.
  • Export your subscription data — email admin@subsleuth.online for a CSV export.

If you are in the EEA, UK, or California, you have additional rights under GDPR / UK GDPR / CCPA respectively. Contact us to exercise them.

8. Security

We implement industry-standard security measures including TLS 1.3 encryption in transit, encryption at rest (AES-256), hashed passwords (bcrypt), two-factor authentication (optional), and least-privilege access controls. No system is 100% secure, but we treat your data with the same care we'd want for our own.

9. Children's Privacy

SubSleuth is not intended for users under 13 (or 16 in the EU). We do not knowingly collect data from children. If you believe a child has provided us information, please contact us and we will delete it.

10. International Users

SubSleuth is operated from Canada. By using SubSleuth, you consent to your data being processed in Canada and the United States (where some of our service providers operate).

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or in-app banner at least 30 days before they take effect. The "Last Updated" date above always reflects the most recent revision.

12. Contact Us

Questions, requests, or concerns? Email admin@subsleuth.online.

© 2026 SubSleuth. All rights reserved.
