Privacy Policy
SubScan helps you track your subscriptions by parsing billing receipts from your connected Gmail account. This policy explains what we access, where it goes, how long we keep it, and what we never do.
SubScan is operated by an independent developer resident in Belgrade, Serbia. For any privacy-related request, contact evgeny.shestakov.0x@gmail.com.
1. What we access
When you connect Gmail, SubScan requests the https://www.googleapis.com/auth/gmail.readonly scope. This is the narrowest Google scope that lets an application search and read Gmail messages. SubScan uses it only to find subscription-billing receipts (Netflix, Spotify, JetBrains, DigitalOcean, and similar services). SubScan does not, and cannot, send, modify, delete, or archive any Gmail message.
When you sign in with Google or Apple, we receive a verified identity token containing your stable user ID and email address. We use those to create your SubScan account.
2. What we store and where
- Your user ID, email address, timezone, and account-creation timestamp — on our server so you can sign in from multiple devices.
- The list of subscriptions SubScan has detected for you (service name, amount, currency, billing cadence, next billing date, category, source) — on our server and on your device.
- The list of Gmail addresses you have connected — on our server and on your device.
- Session tokens — on our server (hashed with Argon2id) and on your device (in the iOS Keychain).
- The scan cursor (Gmail message ID of the last scanned message) — on your device only, so scans stay incremental.
- Operational request logs (timestamps, request IDs, status codes, IP, user agent) on our server for debugging and abuse detection.
The full text of your Gmail messages is never stored on our servers. Parsing happens on your device. Attachments (invoice PDFs) are fetched on-device, parsed on-device, and discarded.
2.1 How long we keep it
- Account data (user row, subscriptions, mailbox connections, sessions): kept while your account is active; deleted immediately on account deletion.
- Request logs: 30 days, then auto-rotated.
- Database backups: none — the Postgres volume is the only copy. Deletions are permanent and cannot be restored from a backup.
3. Google API Services Limited Use disclosure
SubScan's use and transfer to any other app of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements. Specifically:
- SubScan's use of information received from Google APIs is limited to providing or improving user-facing features that are prominent in the SubScan user interface.
- SubScan will not transfer Google user data to third parties except: (a) as necessary to provide or improve user-facing features that are visible and prominent in the app, with user consent; (b) for security purposes such as investigating abuse; (c) to comply with applicable law; or (d) as part of a merger, acquisition, or sale of assets after obtaining explicit prior user consent.
- SubScan will not transfer or sell Google user data to third parties, advertising platforms, data brokers, or information resellers.
- SubScan will not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
- SubScan will not allow humans to read Google user data unless: (a) the user has given affirmative agreement to view specific messages; (b) it is necessary for security purposes such as investigating abuse; (c) it is required to comply with applicable law; or (d) the data is aggregated and anonymized for internal operations.
- SubScan will not use Google user data to develop, improve, or train generalized AI or machine-learning models.
4. Security
We use standard industry practices to protect your data:
- All traffic between the app and our server is encrypted in transit with TLS 1.2 or higher.
- Session refresh tokens are hashed with Argon2id before storage; raw tokens never touch disk on the server.
- Access tokens are short-lived JWTs bound to a specific session, revocable individually.
- Passwords are never stored because SubScan does not use password authentication — sign-in is delegated to Google or Apple.
- The server runs inside Docker on a dedicated Hetzner VPS in Germany; the Postgres database is reachable only from the server container over a private network.
No system is perfectly secure, and we cannot guarantee absolute security. If we learn of a breach that affects you, we will notify you at your account email within 72 hours of discovery, consistent with GDPR Art. 33.
5. Subprocessors
SubScan relies on the following service providers. Each operates under its own privacy terms and, where applicable, a data processing agreement (DPA):
- Hetzner Online GmbH (Germany, EU) — hosts our server and Postgres database.
- Google LLC — provides Gmail API access (on-device only) and Google Sign-In identity verification.
- Apple Inc. — provides Sign in with Apple identity verification, when you choose it.
- open.er-api.com — fetches daily currency exchange rates for display-currency conversion. No personal data is sent.
6. Legal bases for processing (GDPR Art. 6)
- Performance of a contract (Art. 6(1)(b)): creating your account, storing your subscription list, syncing between your devices.
- Consent (Art. 6(1)(a)): connecting a Gmail mailbox and scanning it for subscriptions. Withdraw anytime by disconnecting in Settings or revoking at Google Account Permissions.
- Legitimate interests (Art. 6(1)(f)): operational logging and abuse detection, balanced against your rights via short log retention and minimal fields.
- Legal obligation (Art. 6(1)(c)): responding to lawful requests from courts or regulators.
7. Your rights
Under the EU General Data Protection Regulation (GDPR) and Serbia's Law on Personal Data Protection (ZZPL), you have the right to:
- Access — request a copy of the data we hold about you.
- Rectification — correct inaccurate or incomplete data.
- Erasure ("right to be forgotten") — delete your account and all associated data from Settings → Account → Delete account. Deletion is immediate, cascading to every session, mailbox, and subscription tied to your user row. There is no grace period and no backup copy.
- Restriction — ask us to pause processing while a dispute is resolved.
- Portability — receive your data in a structured, machine-readable format.
- Objection — object to processing based on legitimate interests.
- Withdraw consent — for any consent-based processing, at any time.
- Lodge a complaint — with your local data protection authority. For EU residents this is your member-state authority (e.g., the EDPB members list). For Serbian residents this is the Commissioner for Information of Public Importance and Personal Data Protection.
To exercise any of these rights, email evgeny.shestakov.0x@gmail.com. We will respond within 30 days, as required by GDPR Art. 12.
8. International data transfers
Our server and database are hosted by Hetzner in Germany (EU). Data about users in the European Economic Area is therefore stored within the EEA and does not cross a transfer boundary for storage.
The developer is resident in Serbia. Administrative and debugging access to the server from Serbia constitutes a transfer of personal data outside the EEA. Serbia's Law on Personal Data Protection is closely aligned with the GDPR, but Serbia does not currently hold an EU adequacy decision. Where such access involves personal data of users in the EEA, we rely on the derogations in GDPR Art. 49(1)(b) (necessary for the performance of a contract with you) and Art. 49(1)(a) (your explicit consent when you create your account), and we minimize such access to what is necessary for operating the service.
When you use Google Sign-In, Sign in with Apple, or the currency-rate API, your interaction with those providers is governed by their own privacy terms and may involve transfers outside the EEA.
9. Cookies and local storage
SubScan has no website login and sets no cookies. The iOS app stores: session tokens in the iOS Keychain, the display-currency preference in UserDefaults, the scan cursor in UserDefaults, and a local copy of your subscription list in Core Data. No analytics or tracking SDKs are embedded.
10. Children
SubScan is not directed at children. We do not knowingly collect personal data from anyone under 16. If you believe a child has created an account, email us and we will delete the account and associated data on confirmation.
11. Changes to this policy
We may update this page as the service evolves. The "Last updated" date above reflects the most recent change. For material changes (new data types, new subprocessors, new scopes, ownership change) we will notify signed-in users at least 30 days before the change takes effect and will require in-app re-consent.
12. Revoking Gmail access directly
In addition to disconnecting inside SubScan, you can revoke SubScan's access to your Gmail at any time from your Google account permissions page.
13. Contact
Questions, requests, or complaints: evgeny.shestakov.0x@gmail.com.