Privacy Policy

Last updated: April 2026 · Innopulse Consulting GmbH, Zug, Switzerland

1. Controller & Contact

The controller responsible for processing your personal data is:

Innopulse Consulting GmbH
Zug, Switzerland
Commercial Register: CH-170.4.021.748-3
UID/VAT: CHE-219.727.921
Email: datenschutz@subtracker.io

For all data protection matters, please contact: datenschutz@subtracker.io

2. Data We Collect

2.1 Account Data

When you register, we collect: your email address and display name. If you sign in with Google, we receive your name and email from Google.

2.2 Subscription Data

You manually enter subscription information: service names, amounts, billing dates, categories and notes. We do not connect to banks, payment accounts or any third-party financial services.

2.3 Usage Data

We collect minimal technical logs for security and debugging: IP address (anonymised after 24 hours), browser type, and page requests. We do not build user profiles or track behaviour across sessions.

2.4 Payment Data

Payments are processed by Stripe. We never store credit card numbers, bank details or payment credentials. Stripe's privacy policy applies to payment processing.

3. Legal Basis for Processing

We process your data on the following legal bases (GDPR Art. 6):

• Contract performance (Art. 6(1)(b)): Account management, providing the subscription tracking service, sending transactional emails (confirmations, renewal reminders).
• Legitimate interests (Art. 6(1)(f)): Security, fraud prevention, service improvement, minimal analytics.
• Legal obligation (Art. 6(1)(c)): Compliance with Swiss and EU law, accounting and tax obligations.
• Consent (Art. 6(1)(a)): Only for optional features such as marketing emails (which we do not currently send).

4. Infrastructure & Data Storage

4.1 Hosting

SubTracker is hosted on Vercel (Vercel Inc., USA). Vercel acts as a processor under a Data Processing Agreement. Traffic is routed through Vercel's global edge network; however, application data does not persist on edge nodes.

4.2 Database

Your subscription data, profile and account information is stored in a database operated by Supabase (Supabase Inc., USA). Our database instance is located in the EU West (London, United Kingdom) region, within the European Economic Area. Supabase acts as a processor under a Data Processing Agreement.

4.3 Email

Transactional emails (welcome email, renewal reminders, workspace invitations) are sent via Resend (Resend Inc.). Resend acts as a processor under a Data Processing Agreement.

4.4 Payments

Payment processing is handled by Stripe (Stripe Inc., USA / Stripe Payments Europe Ltd., Ireland). Stripe is an independent controller for payment data and is PCI DSS Level 1 certified.

4.5 Data Transfer Outside the EEA

Some of our processors are based in the USA (Vercel, Supabase Inc., Resend). All transfers are protected by EU Standard Contractual Clauses (SCCs) or other adequate transfer mechanisms as defined under GDPR Chapter V.

5. Data Retention

Account and subscription data is retained for as long as your account is active. If you delete your account, all personal data is permanently deleted within 30 days, except where retention is required by law (e.g., accounting records for 10 years under Swiss law). Server logs are retained for a maximum of 30 days and then deleted.

6. Your Rights (GDPR)

You have the following rights regarding your personal data:

• Right of access (Art. 15): Request a copy of all data we hold about you.
• Right to rectification (Art. 16): Correct inaccurate data.
• Right to erasure (Art. 17): Delete your account and all associated data — available directly via Settings → Delete Account.
• Right to restriction (Art. 18): Restrict processing in certain circumstances.
• Right to data portability (Art. 20): Export your data as CSV or JSON — available via Settings → Export.
• Right to object (Art. 21): Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw at any time.

To exercise these rights, contact: datenschutz@subtracker.io

You also have the right to lodge a complaint with your national data protection authority. In Switzerland: Federal Data Protection and Information Commissioner (FDPIC). In the EU: your local supervisory authority.

7. Cookies

We use only technically necessary cookies:

• Session cookie: A Supabase authentication token (sb-[project]-auth-token) to keep you signed in. This cookie expires after 30 days of inactivity and is essential for the service to function.

We do not use advertising cookies, tracking cookies, or third-party analytics cookies. We do not use Google Analytics or similar tools.

8. Security

We implement appropriate technical and organisational measures to protect your data:

• All data is encrypted in transit using TLS 1.2 or higher
• Database data is encrypted at rest (AES-256)
• Access to production systems is restricted to authorised personnel
• Passwords are never stored in plain text
• We conduct regular security reviews

Despite these measures, no internet transmission is 100% secure. If you discover a security issue, please contact us at hello@subtracker.io.

9. Children

SubTracker is not directed at children under 16 years of age. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

10. Changes to this Policy

We may update this Privacy Policy from time to time. Material changes will be communicated by email or in-app notification. The date at the top of this page indicates when this policy was last updated. Continued use of SubTracker after changes constitutes acceptance of the updated policy.

11. Contact

For privacy questions or data requests:

Innopulse Consulting GmbH
Zug, Switzerland
Email: datenschutz@subtracker.io
Commercial Register: CH-170.4.021.748-3