Contents

  1. Overview
  2. Data We Collect
  3. Email Access & Processing
  4. How We Use Your Data
  5. Data Sharing
  6. Data Retention
  7. Security
  8. Your Rights
  9. Children's Privacy
  10. Changes to This Policy
  11. Contact Us

1. Overview

SubTrack ("we", "us", or "our") is a subscription tracking application that helps you automatically detect and manage your recurring charges by reading email receipts from your connected email account.

This Privacy Policy explains what data we collect, how we use it, and the controls you have. We are committed to data minimisation — we collect only what is strictly necessary and discard email content immediately after processing.

Key principle: We never store the body of your emails. We extract only structured data (merchant name, amount, date) and delete the raw content immediately after parsing.

2. Data We Collect

Account Information

  • Email address (used as your account identifier)
  • Display name (optional, from your OAuth provider profile)
  • Account creation date and last login timestamp

Email Account Connection

  • OAuth access token and refresh token (encrypted at rest with AES-256)
  • Connected email address
  • Provider name (Gmail or Outlook)
  • Token expiry and last sync timestamp

Extracted Subscription Data

We store only the structured output of our parsing — never the raw email content:

  • Merchant name, domain, and category
  • Subscription amount and currency
  • Billing frequency (monthly, annual, etc.)
  • Billing date and next renewal date
  • Trial status and trial end date
  • Subscription status (Active, Trial, Cancelled)
  • Source email message ID (for deduplication only)

Device & Usage Data

  • Device token (for push notifications, if enabled)
  • Notification preferences
  • App version and platform (iOS or Android)

3. Email Access & Processing

SubTrack connects to your email account using OAuth 2.0 — the same standard used by apps like Notion, Zapier, and Calendly. We request read-only access scoped to receipt and payment-related emails.

What we read

We search for emails matching receipt and subscription-related patterns (e.g., sender domains like billing@netflix.com, subjects containing "receipt", "invoice", "subscription"). We do not read personal correspondence, drafts, sent mail, or any email outside these filters.

How we process email content

  1. The email body is fetched temporarily into server memory
  2. Our parsing engine extracts structured fields (merchant, amount, date)
  3. The raw email body is immediately discarded — it is never written to disk or database
  4. Only the extracted structured data is stored

What we never do

  • Store full email bodies or subject lines long-term
  • Read emails outside receipt/payment categories
  • Share email content with third parties
  • Use email content to train external AI models
  • Access contacts, calendar, or any other account data

You can revoke email access at any time — from within the app under Settings → Connected Accounts, or directly through Google Account Permissions or your Microsoft account settings.

4. How We Use Your Data

  • Subscription tracking: To create, update, and display your subscription list
  • Notifications: To send trial expiration and billing reminders
  • Analytics: To generate your personal spending insights (processed locally, not shared)
  • Sync: To keep your subscription list up to date as new receipts arrive
  • Security: To detect and prevent unauthorised account access
  • Product improvement: Aggregated, anonymised usage statistics only (e.g., how many users have active subscriptions — never individual data)

We do not use your data for advertising, sell it to data brokers, or share it with marketing platforms.

5. Data Sharing

We do not sell, rent, or trade your personal data. We share data only in the following limited circumstances:

Infrastructure providers

We use third-party cloud infrastructure to host the application. These providers process data on our behalf and are bound by data processing agreements:

  • Cloud hosting and database (servers located in Canada)
  • Push notification delivery (Apple APNs, Google FCM)
  • Error monitoring (aggregated, anonymised crash reports)

Legal requirements

We may disclose data if required by law, court order, or to protect the rights and safety of SubTrack users.

Business transfers

In the event of a merger or acquisition, user data may transfer to the new entity. You will be notified before any such transfer and given the option to delete your account.

6. Data Retention

  • Email content: Never retained — discarded immediately after parsing
  • OAuth tokens: Retained until you disconnect the account; deleted within 24 hours of disconnection
  • Subscription data: Retained for the lifetime of your account; deleted within 30 days of account deletion
  • Account data: Deleted within 30 days of account deletion request
  • Backups: Purged within 90 days of account deletion

7. Security

  • OAuth tokens encrypted at rest using AES-256
  • All data transmitted over HTTPS/TLS 1.3
  • API authentication via short-lived JWTs
  • Rate limiting and request validation on all endpoints
  • Secure credential storage on device using iOS Keychain / Android Keystore
  • Regular security reviews and dependency audits

No system is 100% secure. If you discover a security vulnerability, please report it to support@1618digital.ca.

8. Your Rights

Depending on your location, you may have rights under GDPR, CCPA, or other applicable privacy laws:

  • Access: Request a copy of all data we hold about you
  • Correction: Request correction of inaccurate data
  • Deletion: Request deletion of your account and all associated data — see our Account Deletion page
  • Portability: Export your subscription data as CSV from the app
  • Restriction: Pause email syncing at any time from Settings
  • Objection: Opt out of any analytics data collection

To exercise any of these rights, contact us at support@1618digital.ca. We will respond within 30 days.

9. Children's Privacy

SubTrack is not directed at children under the age of 13 (or 16 in the EU). We do not knowingly collect personal information from children. If you believe a child has provided us with personal data, contact us at support@1618digital.ca and we will delete it promptly.

10. Changes to This Policy

We may update this policy from time to time. When we make material changes, we will notify you via in-app notification and update the "Last updated" date at the top of this page. Continued use of SubTrack after changes take effect constitutes acceptance of the revised policy.

11. Contact Us

For privacy-related questions, data requests, or concerns:

We aim to respond to all privacy requests within 30 days.