Privacy Policy

Last updated: February 5, 2026

Introduction

Subcut ("we," "our," or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our iOS application ("App").

Please read this privacy policy carefully. By downloading, installing, or using the App, you agree to the collection and use of information in accordance with this policy. If you do not agree with the terms of this privacy policy, please do not access or use the App.

Our Privacy-First Approach

Subcut is designed with privacy as a core principle. We believe your financial data belongs to you, and we've built our app to minimize data collection while maximizing functionality.

Key Privacy Features:

  • Your subscription data is stored locally on your device
  • Optional iCloud sync keeps data within your personal Apple ecosystem
  • Email scanning for subscription detection is processed securely with AI
  • No third-party analytics or advertising SDKs
  • FaceID/TouchID protection available
  • No tracking of your activity across other apps or websites

Data We Collect

We are committed to transparency about the data we collect. Below is a comprehensive list of all data collected by the App:

1. Data You Provide Voluntarily

When you use Subcut, you may voluntarily enter subscription information including:

  • Subscription names and service providers
  • Billing amounts and currencies
  • Billing frequencies (weekly, monthly, yearly)
  • Billing dates and renewal information
  • Subscription categories
  • Notes you add to subscriptions
  • Email access permissions for subscription detection

Important: This information is stored locally on your device and optionally synced via your personal iCloud account (CloudKit). We do not have access to, nor do we collect, this data on our servers.

2. Automatically Collected Data

We collect minimal technical information necessary for app functionality:

Data Type | Purpose | Collection Method
Device type & iOS version | App compatibility | Automatic via iOS
App version | Support & updates | Automatic via iOS
Crash logs | Bug fixes & stability | Apple's crash reporting (anonymized)
Purchase receipts | Subscription verification | Apple StoreKit
Anonymous user ID | Subscription management | RevenueCat SDK

3. Data We Do NOT Collect

We explicitly do not collect:

  • Your name, email address, or contact information (unless you contact support)
  • Bank account numbers, credit card numbers, or financial credentials
  • Login credentials for any third-party services
  • Precise location data
  • Contacts, photos, or other personal data from your device
  • Browsing history or activity on other apps
  • Advertising identifiers (IDFA) or cross-app tracking data
  • Health or fitness data

Email Scanning and AI Processing

Subcut offers an optional feature to automatically detect subscriptions from your emails. This section explains exactly how this feature works and how your data is handled.

What Email Data is Read

When you enable email scanning, Subcut accesses your email inbox to identify subscription-related emails. Specifically:

  • Email subject lines
  • Email sender addresses
  • Email body content (text only)
  • Date and time of emails

Filtering: We apply filters to focus on emails likely to contain subscription information (e.g., receipts, billing notifications, welcome emails from services). We do not read personal correspondence, social emails, or other non-subscription-related messages beyond initial filtering.

How Email Data is Processed

Email content that may contain subscription information is processed using Google's Gemini API for intelligent extraction:

Processing Step | Details
1. Email Retrieval | Emails are fetched from your email provider using secure OAuth authentication
2. Content Filtering | Only emails matching subscription-related patterns are selected for processing
3. AI Processing | Selected email content is sent to Google Gemini API to extract subscription details (service name, price, billing cycle, renewal date)
4. Data Extraction | Extracted subscription data is returned to the App
5. Local Storage | Subscription details are stored locally on your device; raw email content is discarded

Google Gemini API

We use Google's Gemini API for AI-powered subscription extraction. Important details about this processing:

  • Data Sent: Email content (subject, sender, body text) of subscription-related emails
  • Data NOT Sent: Your email credentials, personal identification, or non-subscription emails
  • Processing Location: Google's secure cloud infrastructure
  • Data Retention by Google: Per Google's API terms, data sent for processing is not used to train models and is not retained beyond the processing request
  • Encryption: All data is transmitted via encrypted HTTPS connections

Google Gemini API processing is subject to Google's Privacy Policy and Google AI Terms of Service.

What Happens to Your Email Data

  • Extracted subscription details (service name, price, billing date) are stored locally on your device
  • Optionally synced to your personal iCloud via CloudKit if you enable sync
  • Raw email content is NOT stored by Subcut after processing
  • Email content is NOT stored on our servers
  • Email credentials are NOT accessed by Subcut (OAuth tokens are used)

Disabling Email Scanning

Email scanning is entirely optional. You can disable this feature at any time in the App's Settings. When disabled, no email data is accessed or processed. You can also revoke email access through your email provider's connected apps settings.

How We Collect Data

Data is collected through the following methods:

  • Direct Input: Information you manually enter into the App
  • Email Scanning: Subscription-related emails processed via Google Gemini API (when enabled)
  • Apple Services: Purchase verification through Apple's StoreKit APIs
  • RevenueCat SDK: Anonymous subscription status verification
  • Apple Crash Reporting: Anonymized crash data (if you've enabled sharing with developers in iOS Settings)

How We Use Your Data

The limited data we collect is used solely for the following purposes:

Purpose | Data Used
Providing the App's core functionality | Your subscription data (stored locally)
Automatic subscription detection | Email content processed via Gemini API
Syncing across your devices | Subscription data via CloudKit/iCloud
Processing in-app purchases | Purchase receipts via Apple
Verifying Pro subscription status | Anonymous user ID via RevenueCat
Fixing bugs and improving stability | Crash logs, device info
Responding to support requests | Information you provide
Complying with legal obligations | As required by law

We do NOT use your data for: Advertising, marketing, user profiling, selling to third parties, training AI models, or any purpose not directly related to providing the App's functionality.

Third-Party Services & Data Sharing

We share data only with the following third parties, who provide the same or greater protection of your data:

Apple Inc. (CloudKit & iCloud Sync)

We use the following Apple services:

  • App Store: App distribution and in-app purchases
  • CloudKit: Optional iCloud sync for your subscription data
  • StoreKit: Subscription management and purchase verification
  • APNs: Push notifications (processed locally on your device)

CloudKit Sync Details:

When you enable iCloud sync, your subscription data is stored in Apple's CloudKit:

  • What's synced: Your subscription entries (names, prices, billing dates, categories, notes)
  • Where it's stored: Your personal iCloud account in Apple's data centers
  • Encryption: Data is encrypted in transit (TLS) and at rest
  • Access: Only accessible via your Apple ID; Subcut cannot access your iCloud data
  • Deletion: You can delete synced data via iOS Settings → [Your Name] → iCloud → Manage Storage → Subcut

Apple services are subject to Apple's Privacy Policy and iCloud Terms.

Google LLC (Gemini API)

We use Google's Gemini API for AI-powered email subscription detection:

  • Email content from subscription-related emails (when email scanning is enabled)
  • AI processing to extract subscription details (service name, price, billing cycle)

Important: Google Gemini API does not retain your email content after processing. Data is used solely for the extraction request and is not used to train AI models. No personal identifiers are sent to Gemini, only email content for analysis.

See Google's Privacy Policy and Google AI Terms of Service.

RevenueCat Inc. (Subscription Management)

We use RevenueCat to manage Subcut Pro subscriptions. Data shared with RevenueCat:

  • Anonymous App User ID: A randomly generated identifier not linked to your identity
  • Purchase Transaction Data: Receipt information from Apple for subscription verification
  • Subscription Status: Whether your Pro subscription is active, expired, in trial, etc.
  • Purchase History: Transaction dates and subscription periods

What RevenueCat Does NOT Receive:

  • ✗ Your subscription tracking data (the subscriptions you add to Subcut)
  • ✗ Your name, email, or any personal identification
  • ✗ Your email content or scanning data
  • ✗ Your CloudKit/iCloud data

RevenueCat is SOC 2 Type II certified and GDPR compliant. See RevenueCat's Privacy Policy and Data Processing Agreement.

No Other Third Parties

We do not share data with any other third parties. We do not use third-party analytics services, advertising networks, or tracking SDKs beyond what is explicitly listed above.

Data Storage and Security

Local Storage

Your subscription data is stored locally on your device using Apple's Core Data framework. iOS provides encryption at rest for all app data when your device is locked with a passcode.

CloudKit / iCloud Sync (Optional)

If you enable iCloud sync, your subscription data is stored in your personal iCloud account using Apple's CloudKit service:

  • Data synced: Subscription entries, categories, notes, and settings
  • Encryption in transit: TLS 1.3 encryption for all data transfers
  • Encryption at rest: AES-128 minimum encryption in Apple's data centers
  • Access control: Only accessible through your Apple ID credentials
  • Developer access: Subcut cannot read, access, or decrypt your CloudKit data
  • Data location: Stored in Apple data centers based on your Apple ID region
  • Compliance: Subject to Apple's security practices and certifications (ISO 27001, SOC 2)

Email Data

When you use email scanning:

  • Email content is processed in real-time via Gemini API
  • Raw email content is NOT stored by Subcut after processing
  • Only extracted subscription details are saved locally
  • Email access uses OAuth tokens; we never see your email password

Biometric Security

Subcut offers optional FaceID/TouchID protection. Biometric data is:

  • Processed entirely by iOS on the Secure Enclave
  • Never accessible to the App
  • Never transmitted off your device
  • Never stored by Subcut

Data Retention and Deletion

Retention Period

  • Local subscription data: Retained until you delete it or uninstall the App
  • CloudKit/iCloud data: Retained until you delete it or disable iCloud sync
  • Email content: NOT retained; processed in real time and discarded immediately after extraction
  • Gemini API processing: Google does not retain data after processing the request
  • RevenueCat data: Retained as long as your subscription exists, plus as required by Apple for financial records
  • Support correspondence: Retained for 2 years after resolution

How to Delete Your Data

You have full control over your data and can delete it at any time:

Delete Individual Subscriptions:

  1. Open the Subcut app
  2. Navigate to the subscription you want to delete
  3. Tap "Delete" and confirm

Delete All Data:

  1. Delete the Subcut app from your device
  2. If using iCloud sync: Go to Settings → [Your Name] → iCloud → Manage Storage → Subcut → Delete Data

Request Data Deletion:

You can also request deletion of any data we may have by emailing [email protected]. We will process your request within 30 days.

Your Rights and Choices

Data Control Rights

You have the following rights regarding your data:

  • Access: View all your data within the App at any time
  • Portability: Export your data in CSV or JSON format (Pro feature)
  • Correction: Edit any subscription data directly in the App
  • Deletion: Delete individual subscriptions or all data
  • Withdrawal of Consent: Disable iCloud sync or any permissions at any time

How to Withdraw Consent

  • iCloud Sync: Go to iOS Settings → [Your Name] → iCloud → Apps Using iCloud → toggle off Subcut
  • Notifications: Go to iOS Settings → Subcut → Notifications → toggle off
  • FaceID/TouchID: Disable within the App's Settings

No Account Required

Subcut does not require you to create an account. Since we don't create accounts, there is no account to delete. Your data is controlled entirely through your device and iCloud settings.

Tracking and Advertising

Subcut does NOT track you.

  • We do not use the Advertising Identifier (IDFA)
  • We do not track your activity across other apps or websites
  • We do not display advertisements
  • We do not build user profiles for advertising purposes
  • We do not sell or share data with advertising networks
  • We will never request App Tracking Transparency permission

Children's Privacy

Subcut is not directed to children under 13 years of age (or the applicable age of consent in your jurisdiction). We do not knowingly collect personal information from children.

If you are a parent or guardian and believe that your child has provided us with personal information, please contact us at [email protected]. If we become aware that we have collected personal information from a child without parental consent, we will take steps to delete that information.

International Users

Subcut is available worldwide. Your data remains on your device or in your iCloud account, which may be stored in data centers in your region based on Apple's infrastructure.

For EU/EEA/UK Users (GDPR)

Under the General Data Protection Regulation, you have additional rights including:

  • Right to access your personal data
  • Right to rectification of inaccurate data
  • Right to erasure ("right to be forgotten")
  • Right to restrict processing
  • Right to data portability
  • Right to object to processing
  • Right to lodge a complaint with a supervisory authority

Legal Basis for Processing: We process your data based on:

  • Contract Performance: Providing the service you requested
  • Legitimate Interest: App functionality, security, and improvement
  • Consent: Optional features like iCloud sync and notifications

For California Users (CCPA)

Under the California Consumer Privacy Act, you have the right to:

  • Know what personal information is collected
  • Know whether your data is sold or disclosed and to whom
  • Say no to the sale of personal information (we do not sell data)
  • Access your personal information
  • Request deletion of your personal information
  • Equal service and price, even if you exercise your privacy rights

Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of any changes by:

  • Updating the "Last updated" date at the top of this page
  • Posting a notice within the App for material changes
  • Sending a push notification for significant changes (if you have notifications enabled)

We encourage you to review this Privacy Policy periodically. Your continued use of the App after changes become effective constitutes acceptance of the revised Privacy Policy.

Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or our privacy practices, please contact us:

Email: [email protected]

Website: subcut.xyz

We will respond to your inquiry within 30 days.

App Store Privacy Labels

In accordance with Apple's App Store requirements, we disclose the following privacy information:

Data Linked to You:

  • Purchases (for subscription verification via RevenueCat)

Data Not Linked to You:

  • Crash Data
  • Performance Data
  • Email Messages (processed via AI for subscription detection, not stored)

Data Used for App Functionality:

  • Email content (only for extracting subscription info, not retained)

Data Not Collected:

  • Contact Info
  • Health & Fitness
  • Financial Info (bank accounts, payment cards)
  • Location
  • Sensitive Info
  • Contacts
  • Photos or Videos
  • Browsing History
  • Search History
  • Identifiers (IDFA)