Privacy Policy

Last updated: November 2025

Introduction

At Substash, we're committed to protecting your privacy. This privacy policy explains how we collect, use, and safeguard your information when you use our subscription tracking browser extension, available for Chrome, Firefox, Brave, Edge, Opera, Vivaldi, and other Chromium-based browsers.

Data controller information

Substash is operated by Chris Lim (chrisl.im), who is the data controller responsible for your personal information. Substash is developed as an independent project.

Types of personal data we collect

Identity data:

  • Email address for OTP authentication
  • Unique user identifier for account management

Subscription data:

  • Subscription names, costs, and billing cycles you choose to track
  • Trial periods and renewal dates you enter
  • Notes and categories you assign to subscriptions

Technical data:

  • Anonymous pageview events (via PostHog analytics)
  • Campaign attribution parameters (UTM tracking in email links)
  • Browser local storage for preferences (theme, currency selection)
  • Cached exchange rates for currency conversion

Email alert data:

  • Email alert preferences (notification timing for renewals and trial expirations)
  • Alert scheduling information and delivery tracking
  • Send timestamps and delivery status

Legal basis for data processing

We process your personal data based on:

  • Consent: You provide explicit consent when signing up and using our service
  • Contractual obligations: Processing necessary to provide the subscription tracking service
  • Legitimate interest: Improving our service through anonymous analytics

How we use your data

  • Provide and maintain the subscription tracking service
  • Sync your subscription data across devices via cloud database
  • Send automated email alerts about upcoming renewals and trial expirations (if enabled)
  • Convert subscription costs between 30+ currencies using real-time exchange rates
  • Improve the extension based on anonymous usage patterns
  • Measure campaign effectiveness through UTM tracking (GDPR-compliant, no personal identifiers)
  • Provide customer support and respond to inquiries

Email communications

We send the following types of emails:

  • Authentication emails: One-time password (OTP) codes for secure login (6-digit codes, expire in 5 minutes)
  • Welcome emails: Onboarding message sent once when you create your account
  • Subscription alert emails: Automated notifications for upcoming renewals and trial expirations, sent daily at 9:00 AM UTC based on your configured alert preferences (1, 3, or 7 days before events)

All emails include campaign tracking links (UTM parameters) to help us understand which communications are most helpful. These parameters do not contain personal information and are GDPR-compliant.

You can control email alert frequency through your subscription settings. Authentication and welcome emails are essential for service operation and cannot be disabled.

Data sharing and third parties

We only share your data with essential service providers:

  • Supabase: Backend infrastructure for authentication, PostgreSQL database storage, and serverless Edge Functions. All subscription data and user authentication data is stored on Supabase cloud infrastructure.
  • Amazon SES (Simple Email Service): Email delivery service for OTP codes, welcome messages, and subscription alerts. We share your email address, subscription names, and billing dates for alert notifications.
  • Frankfurter API: Currency conversion service. We only share currency codes (USD, EUR, etc.) with this service—no personal data is transmitted.
  • PostHog: Product analytics platform (EU region). Configured for minimal tracking with anonymous pageview events only. No user identification or personal data is sent.
  • DuckDuckGo: For fetching subscription logos via their public icon API using user-provided website URLs.

We do not sell, rent, or share your personal data with any other third parties for marketing or commercial purposes.

Your rights

You have the following rights regarding your personal data:

  • Right to access: View all your subscription data through the extension UI
  • Right to rectification: Update subscription information at any time through the extension
  • Right to erasure: Delete individual subscriptions or your entire account. Account deletion triggers immediate cascade deletion of all subscriptions and email alerts from our database.
  • Right to object: Control email alert preferences or disable alerts entirely
  • Data portability: Access your subscription data through the extension UI (no built-in export feature currently available)
  • Right to withdraw consent: Delete your account at any time to withdraw all consent

Data security

We implement appropriate security measures to protect your data:

  • HTTPS-only communication enforced across all services
  • Passwordless authentication using one-time passwords (6-digit codes, 5-minute expiry)
  • Row Level Security (RLS) at the PostgreSQL database level ensures complete data isolation between users
  • Browser session tokens encrypted by your browser's local storage
  • No plaintext storage of sensitive data
  • Host permissions restricted to essential domains only (Supabase, Frankfurter API)

Data retention

We retain your data only as long as necessary to provide our service. You can delete your account and all associated data at any time through the extension settings. Deleted data is permanently removed immediately through cascade deletion—when you delete your account, all subscriptions and email alerts are automatically and instantly removed from our database.

Cached data (such as exchange rates and form drafts) stored in your browser local storage expires automatically: exchange rates after 1 hour, OTP flow data after 5 minutes.

Service evolution

Substash is 100% free with no paid plans, premium tiers, in-app purchases, or advertisements. The service is provided at no cost for both personal and work subscription tracking.

Any significant changes to our service model will be communicated well in advance with existing users through the extension or our website.

Children's privacy

Substash is intended for users aged 18 and older. We do not knowingly collect personal data from individuals under 18. If you are under 18, please obtain parental consent before using our service. If we become aware that we have collected data from someone under 18 without parental consent, we will delete it promptly.

Changes to this privacy policy

We may update this Privacy Policy from time to time. We'll notify users of any significant changes through the extension or our website. We encourage you to review this policy periodically.

Contact us

If you have questions about this Privacy Policy or want to exercise your rights, please email us.