Legal

Privacy Policy

Last updated: January 1, 2025 · Effective date: January 1, 2025 · Version 1.0

Subsaver is a subscription tracking app that connects to your bank via Plaid to detect recurring charges. To use Subsaver, you create an account with your email address and verify it with a one-time code. This policy explains exactly what data we collect, how we use it, and what rights you have over it.

1. Who We Are

"Subsaver", "we", "our", "us" refers to the team that operates the Subsaver mobile application. Our service helps you identify and manage recurring subscription charges by reading your bank transaction data through Plaid, a regulated third-party financial data platform.

Contact: Subsaver_feedback@outlook.com

2. Account Registration & Authentication

To use Subsaver, you create an account using your email address. Account registration involves two steps:

Email and password: You provide your email address and set a password. Passwords are stored as a one-way bcrypt hash — we never store your password in plain text.
Email verification (MFA): After submitting your email and password, we send a 6-digit one-time code (OTP) to your email address. You must enter this code to complete registration and sign in. This constitutes multi-factor authentication (MFA): something you know (password) plus something you have (access to your email).

Your account email is the primary identifier we use to associate your subscription data and bank connections with your account. If you delete your account, all associated data is permanently removed from our systems within 30 days.

If you delete the Subsaver app without first deleting your account, your Plaid bank connections may remain active. We recommend disconnecting your bank accounts in-app before uninstalling. You can also manage all Plaid connections at my.plaid.com.

3. Information We Collect

3.1 Financial Data — Accessed Through Plaid

When you connect a bank account, Subsaver receives the following data from Plaid's API on your behalf. This is the complete list:

Data Type	Accessed?	Why	Where Stored
Transaction records Merchant name, amount, date, category	✓ Yes	Core function: identify recurring subscription charges	Subscription metadata stored locally on device only
Account display name & type e.g. "Chase Checking"	✓ Yes	Show which account each subscription is billed to	Locally on device
Account balance	✓ Yes	Show upcoming subscription cost in context of available balance	Not persisted — fetched on demand only
Bank login credentials	✗ Never	You authenticate on Plaid's screen — credentials never reach Subsaver	Never
Full account / routing numbers	✗ Never	Not needed for subscription detection	Never
Investment, loan, or mortgage data	✗ Never	Outside scope of subscription management	Never
SSN, government ID, personal identity	✗ Never	Not required for our service	Never
Data sold to third parties	✗ Never	Your financial data is yours. We do not sell, share, or monetize it.	—

By linking a bank account, you also agree to Plaid's End User Privacy Policy. You can review and revoke all Plaid-connected apps at my.plaid.com.

3.2 Account & Authentication Data

Email address: Used to identify your account, send email OTP verification codes, and deliver renewal alerts and service notifications.
Password hash: Your password is stored as a bcrypt hash only. We cannot reverse or read your password.
Email OTP codes: One-time verification codes sent to your email at login. Codes are stored temporarily in our system and expire automatically after 10 minutes or upon first use.
Authentication logs: Records of successful and failed login attempts, including timestamp and device type. Retained for 90 days for security monitoring purposes.

3.3 Device & App Usage Data

App usage analytics: Features used, screen views, session duration — collected in aggregated, anonymized form only.
Crash reports and error logs: Technical data about app failures, used solely for debugging.
Device type and OS version: Used for compatibility and support purposes.

3.4 Waitlist & Support Communications

Waitlist: If you joined our pre-launch waitlist, we have your email address, used only to notify you about the Subsaver launch. This is separate from your in-app account and can be unsubscribed at any time.
Support inquiries: If you email us, we retain your email address and the content of your message to resolve your issue.

4. How We Use Your Information

Account authentication: Verify your identity at login using email and OTP to protect access to your financial data.
Subscription detection: Analyze transaction data to identify and categorize recurring charges.
Renewal alerts: Send push notifications and email reminders before upcoming subscription renewals.
Price change detection: Identify when a recurring charge amount changes and alert you.
Spend summaries: Generate breakdowns of your recurring subscription costs.
App stability & improvement: Use crash reports and anonymous usage data to fix bugs and improve features.

We do not use your financial data for advertising, profiling, credit scoring, or any purpose unrelated to providing you with the Subsaver service.

5. Plaid — Third-Party Financial Data Access

Subsaver uses Plaid, Inc. to connect to your bank accounts. When you tap "Connect Bank", you are presented with Plaid Link — Plaid's own secure interface. Your bank credentials are entered directly on Plaid's interface and are never transmitted to or stored by Subsaver.

Plaid exchanges your credentials for a secure access token, which is stored locally on your device. Subsaver uses this token to request only the transaction data described in Section 3.1 above.

In accordance with Plaid's requirements, by using Subsaver you grant Plaid the right, power, and authority to act on your behalf to access and transmit your personal and financial information from your financial institution according to Plaid's End User Privacy Policy.

6. Data Sharing

We do not sell, rent, or trade your data. We share data only in the following limited circumstances:

Plaid: To retrieve your transaction data as described above, under Plaid's own privacy policy.
Cloud infrastructure providers: Backend hosting services process data on our behalf under strict data processing agreements and may not use your data for any other purpose.
Analytics providers: Only aggregated, anonymized, non-financial usage statistics.
Legal requirements: If required by law, court order, or to prevent fraud or security threats.
Business transfer: In the event of an acquisition or merger, we will notify you before any transfer of personal data occurs.

7. Data Storage, Retention & Security

Most of your data — including the Plaid access token and detected subscription details — is stored locally on your device. For any data that passes through our backend, we implement:

AES-256 encryption for data at rest
TLS 1.2+ encryption for all data in transit
Access controls limiting data access to authorized personnel only
Regular security monitoring and vulnerability management

We retain your account data and subscription metadata only as long as your account is active. If your account has not been used for 12 months, we will notify you before purging associated data. Data you delete in-app is removed immediately, and account deletion requests are completed within 30 days.

Key retention periods at a glance: Plaid access tokens are held only for the duration of your active bank connection. Transaction metadata is retained for the life of the linked account plus 30 days. Email OTP codes expire after 10 minutes. Auth logs are purged after 90 days. Backup copies are rotated and deleted within 30 days.

For full details on data categories, retention schedules, disposal methods, and the step-by-step deletion process, see our Data Retention and Disposal Policy.

8. Your Rights & Controls

Delete your account: Go to Settings → Account → Delete Account. This permanently deletes your email address, password hash, and all associated subscription data from our systems within 30 days.
Disconnect bank account: Tap Settings → Connected Accounts → Disconnect. This immediately revokes the Plaid access token and stops all transaction data collection, without deleting your account.
Manage via Plaid Portal: Review and revoke all Plaid-connected apps at my.plaid.com.
Update or correct your email: Contact Subsaver_feedback@outlook.com to request a correction to your account information.
Request a data export: Email Subsaver_feedback@outlook.com to request a copy of all personal data we hold associated with your account.
Opt out of analytics: Toggle off analytics in Settings → Privacy.
Waitlist unsubscribe: Use the unsubscribe link in any waitlist email we send.

9. California Privacy Rights (CCPA)

If you are a California resident, you have the following rights under the California Consumer Privacy Act:

The right to know what personal information we collect, use, and disclose
The right to request deletion of your personal information
The right to opt out of the sale of personal information — we do not sell personal information
The right to non-discrimination for exercising your CCPA rights

To exercise any of these rights, email Subsaver_feedback@outlook.com from the email address associated with your Subsaver account so we can verify your identity and locate your data.

10. Children's Privacy

Subsaver is not directed at children under 13. We do not knowingly collect personal information from children under 13. If you believe a child has provided financial data through the app, please contact us at Subsaver_feedback@outlook.com and we will promptly delete it.

11. Changes to This Policy

We may update this Privacy Policy. We will notify you of material changes via in-app notification or, if you are on our waitlist, by email, at least 30 days before changes take effect. Continued use of the app after the effective date constitutes acceptance.

12. Contact

Privacy inquiries & data requests

For all privacy questions, data requests, or concerns about this policy:

📧 Subsaver_feedback@outlook.com

We respond to all privacy requests within 30 days.