Privacy Policy

1. Who We Are

SubSavvy ("we", "us", "our") operates subsavvy.ca, a service that helps Canadians identify and cancel forgotten subscriptions. This Privacy Policy explains how we collect, use, and protect your personal information in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy laws.

2. Information We Collect

Bank Statement Content: When you upload a PDF or CSV file, we extract transaction text solely to identify subscription charges. We do not store, transmit, or retain the original file or any raw transaction data.

Detected Subscription Data: The subscription names, amounts, and frequencies identified by our AI are stored temporarily (up to 24 hours) to display your results.

Email Address: If you choose to set reminders, we collect your email address to send reminder notifications.

Session Identifier: We use a cookie-based session ID to associate your scan results with your browser session without requiring account registration.

Payment Information: Stripe processes all payments. We receive only a confirmation token; no card numbers or banking details are stored on our servers.

3. How We Use Your Information

To analyze your bank statement and identify recurring subscriptions.

To display your results and provide cancel guides.

To send reminder emails if you opt in.

To process payments via our payment processor, Stripe.

We do not use your information for marketing, advertising, or profiling. We do not sell your data to third parties.

4. Data Retention

Uploaded files are deleted immediately after text extraction — they are never written to disk.

Scan results (detected subscriptions) are automatically deleted 24 hours after creation.

Email addresses for reminders are retained until you unsubscribe using the link in any reminder email.

Payment records are retained for 7 years as required by Canadian tax law.

5. Data Security

All data is transmitted over HTTPS (TLS 1.3). Data at rest is stored in Supabase (hosted in North America) with encryption enabled. We apply the principle of least privilege — only the minimum data required to provide the service is retained.

6. Third-Party Service Providers

Anthropic (Claude API): Transaction text is sent to Anthropic's API for analysis. Anthropic does not use API data for model training.

Stripe: Handles all payment processing. Stripe is PCI-DSS compliant.

Resend: Sends transactional emails. Email content is limited to reminder details.

Supabase: Hosts our database in North America.

Vercel: Hosts our application on edge infrastructure.

7. Your Rights Under PIPEDA

You have the right to access the personal information we hold about you.

You have the right to request correction of inaccurate information.

You have the right to withdraw consent and request deletion of your data.

To exercise any of these rights, contact us at privacy@subsavvy.ca.

8. Cookies

We use a single session cookie (subsavvy-session) to associate your scan with your browser. This cookie is essential for the service to function and does not track you across other websites. It expires at the end of your browser session.

9. Children's Privacy

SubSavvy is not directed to individuals under the age of 18. We do not knowingly collect personal information from minors.

10. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by updating the effective date at the top of this page. Your continued use of the service after any changes constitutes acceptance of the updated policy.