Subsie is a subscription tracking service developed and operated by Moolah Tech, based in the Netherlands. Subsie helps individuals identify, track, and manage their recurring subscriptions by reading email metadata from billing senders.
As the operator of this service, we are the Data Controller under the EU General Data Protection Regulation (GDPR). This means we are responsible for determining how and why your personal data is processed.
For any privacy enquiries, contact us at: privacy@subsie.app.
Gmail access uses the gmail.metadata OAuth permission scope. This is the most privacy-preserving Gmail permission available. Under this scope, Google's API does not return email body content at all; this is a technical restriction enforced by Google, not merely a policy commitment on our part. We cannot read your emails even if we wanted to.
When you connect a Gmail account, here is precisely what happens:
What we can access: The sender address (From field), subject line, and date/time of emails from billing senders on our whitelist.
What we cannot access: Email body content, attachments, emails from non-billing senders, your Sent or Draft folders, calendar data, contacts, or any other Google account data.
The whitelist: We maintain a list of approximately 200 known billing service email addresses and domains (Stripe, PayPal, Apple, Google, Netflix, Spotify, and similar services). Only emails from senders on this list are processed. All other emails are ignored at the query level: we do not even retrieve their metadata.
Data extraction: From the subject line of matched billing emails, we extract structured data (typically service name, billed amount, and renewal date) using pattern matching. Once extracted, the original subject line is discarded. We do not store raw subject line text.
What we store: For each identified subscription: service name, amount, currency, billing cycle, next renewal date, and category. Nothing more.
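The pipeline described above (whitelist the sender, read only the From/Subject/Date headers, pattern-match the subject, keep only the structured record) can be illustrated in code. The following is an added example written for this page; it is not Subsie's own code, and the whitelist entries, the subject-line patterns, the `Subscription` fields and the sample messages are all constructed for illustration. It assumes messages arrive in the shape the Gmail API returns for a metadata-only fetch (a `payload` holding a list of `{name, value}` headers and no body parts) and refuses to process anything that carries more than that.

```python
import re
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr
from typing import Optional

# Constructed example whitelist: sender domain -> service name. The real
# list has roughly 200 entries; these five are illustrative placeholders.
BILLING_SENDERS = {
    "netflix.com": "Netflix",
    "spotify.com": "Spotify",
    "stripe.com": "Stripe",
    "paypal.com": "PayPal",
    "apple.com": "Apple",
}

# The only headers a metadata-only fetch is assumed to have requested.
ALLOWED_HEADERS = {"From", "Subject", "Date"}

# Constructed subject-line patterns (assumption: real patterns differ per sender).
AMOUNT_RE = re.compile(r"(?P<cur>[€$£]|EUR|USD|GBP)\s?(?P<amt>\d+(?:[.,]\d{2})?)")
ISO_DATE_RE = re.compile(r"\b(\d{4})-(\d{2})-(\d{2})\b")
CYCLE_RE = re.compile(r"\b(monthly|yearly|annual)\b", re.IGNORECASE)
CURRENCY_SYMBOLS = {"€": "EUR", "$": "USD", "£": "GBP"}


@dataclass(frozen=True)
class Subscription:
    """The only fields retained per subscription (see 'What we store')."""
    service: str
    amount: float
    currency: str
    billing_cycle: str
    next_renewal: Optional[date]


def whitelisted_service(from_header: str) -> Optional[str]:
    """Service name if the sender domain (or a subdomain) is whitelisted, else None."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower()
    for allowed, service in BILLING_SENDERS.items():
        if domain == allowed or domain.endswith("." + allowed):
            return service
    return None


def extract_subscription(message: dict) -> Optional[Subscription]:
    """Turn one metadata-only message into a Subscription record, or None."""
    payload = message["payload"]
    headers = {h["name"]: h["value"] for h in payload["headers"]}

    # Data-minimisation guard: refuse anything beyond the three metadata
    # headers, and refuse any message that carries body data or MIME parts.
    unexpected = set(headers) - ALLOWED_HEADERS
    if unexpected or "parts" in payload or payload.get("body", {}).get("data"):
        raise ValueError(f"message carries more than metadata: {sorted(unexpected)}")

    service = whitelisted_service(headers.get("From", ""))
    if service is None:
        return None  # non-billing sender: ignored, nothing retained

    subject = headers.get("Subject", "")
    amount_m = AMOUNT_RE.search(subject)
    if amount_m is None:
        return None  # whitelisted sender, but not a billing notice

    currency = CURRENCY_SYMBOLS.get(amount_m.group("cur"), amount_m.group("cur"))
    amount = float(amount_m.group("amt").replace(",", "."))
    cycle_m = CYCLE_RE.search(subject)
    cycle = "yearly" if cycle_m and cycle_m.group(1).lower() != "monthly" else "monthly"
    date_m = ISO_DATE_RE.search(subject)
    renewal = date(*map(int, date_m.groups())) if date_m else None

    # The raw subject is a local that goes out of scope here; only the
    # structured record is returned, so no subject text is ever stored.
    return Subscription(service, amount, currency, cycle, renewal)


def scan(messages: list) -> tuple:
    """Run extraction over a batch; returns (subscriptions, ignored_count)."""
    found, ignored = [], 0
    for msg in messages:
        sub = extract_subscription(msg)
        if sub is None:
            ignored += 1
        else:
            found.append(sub)
    return found, ignored


def make_message(sender: str, subject: str, sent: str) -> dict:
    """Build a constructed metadata-only message in the Gmail API shape."""
    return {"id": "constructed", "payload": {"headers": [
        {"name": "From", "value": sender},
        {"name": "Subject", "value": subject},
        {"name": "Date", "value": sent},
    ]}}


# Constructed sample inbox: two billing notices and one personal email.
SAMPLE_MESSAGES = [
    make_message("Netflix <info@account.netflix.com>",
                 "Your monthly Netflix plan: €13.99 renews 2025-03-12",
                 "Wed, 12 Feb 2025 09:00:00 +0000"),
    make_message("Spotify <no-reply@spotify.com>",
                 "Annual Spotify Premium receipt: $99.00 - next charge 2025-11-01",
                 "Fri, 01 Nov 2024 09:00:00 +0000"),
    make_message("Alice <alice@example.org>", "Lunch tomorrow?",
                 "Thu, 13 Feb 2025 18:30:00 +0000"),
]

if __name__ == "__main__":
    subs, skipped = scan(SAMPLE_MESSAGES)
    for s in subs:
        print(s)
    print(f"{skipped} message(s) ignored")
```

The guard that raises on unexpected headers or body data is the part worth copying: it turns the "metadata only" promise into something the code checks on every message, so a misconfigured fetch fails loudly instead of quietly widening what gets processed.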
| Data | Why we collect it | Legal basis (GDPR) | Retention |
|---|---|---|---|
| Name | Display in your account | Contract performance | Until account deletion |
| Email address | Account identity, login, renewal alerts | Contract performance | Until account deletion |
| Password (hashed) | Authentication | Contract performance | Until account deletion |
| Subscription data (service name, amount, renewal date, category) | Core product functionality | Contract performance | Until deleted or account deletion |
| Gmail OAuth token | Maintaining Gmail connection for scanning | Explicit consent | Until you disconnect the account |
| Last seen timestamp | Beta analytics: understanding active users | Legitimate interest | 90 days rolling |
| Sign-up date | Beta cohort tracking | Legitimate interest | Until account deletion |
We do not collect: payment card details, location data, device fingerprints, browsing history, advertising identifiers, or any data beyond what is listed above.
We share your data with the following service providers, each acting as a Data Processor under our instruction:
| Provider | Purpose | Data shared | Location |
|---|---|---|---|
| Supabase | Database and authentication | Account data, subscription data | EU (Frankfurt) |
| Google (Gmail API) | Email metadata access | OAuth token only | USA (SCCs apply) |
| Vercel | Web hosting | None (static files only) | EU edge nodes |
We do not share your data with advertisers, data brokers, analytics companies, or any third party for commercial purposes. We do not sell your data under any circumstances.
We may disclose data if legally required to do so by a court order or applicable law. We will notify you of any such request where legally permitted to do so.
Your data is primarily stored in the EU (Supabase Frankfurt region). When data is processed by Google's Gmail API (located in the USA), the transfer is covered by Google's Standard Contractual Clauses (SCCs) approved by the European Commission, which provide an adequate level of protection equivalent to the GDPR.
We do not transfer your data to any other countries outside the EU/EEA, except as described above.
As a data subject under GDPR, you have the following rights. To exercise any of them, contact us at the address in Section 9.
If you are not satisfied with our response to a rights request, you have the right to lodge a complaint with the Dutch Data Protection Authority: Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl).
We take reasonable technical and organisational measures to protect your data:
Passwords are hashed using bcrypt before storage; we never store plain-text passwords.
Data in transit is encrypted using TLS 1.2 or higher for all connections between your browser, our servers, and Supabase.
Data at rest is encrypted by Supabase at the database level.
Gmail OAuth tokens are stored encrypted and scoped to metadata-only permission. They can be revoked at any time from your Google account settings at myaccount.google.com/permissions.
Beta limitation: In this current beta version, subscription data is stored in your browser's localStorage (not on our servers). This data is protected by your device's security but is not encrypted at rest. This will change in the production version where all data will be server-side and encrypted.
No security system is perfect. If you discover a security vulnerability, please report it responsibly to privacy@subsie.app before public disclosure.
Subsie does not use advertising cookies, third-party tracking pixels, or analytics services that profile your behaviour.
We use only a single session cookie to maintain your login state. This cookie is strictly necessary for the app to function and does not require consent under GDPR (ePrivacy Directive Article 5(3)).
We do not use Google Analytics, Meta Pixel, or any equivalent tracking technology.
We will update this Privacy Policy when our data practices change, particularly when we launch production Gmail OAuth scanning. We will notify all registered users by email at least 14 days before any material changes take effect and ask for fresh consent where required.
The version number and effective date at the top of this document always reflect the current version. Previous versions are available on request.
To exercise your rights, raise a concern, or ask any question about this policy:
Data Controller: Moolah Tech, Netherlands
Location: Netherlands
Email: privacy@subsie.app
Response time: We aim to respond to all privacy requests within 5 business days and will always respond within the 30-day GDPR deadline.
If you are not satisfied with our response, you have the right to complain to the supervisory authority in your country. For users in the Netherlands: Autoriteit Persoonsgegevens. For users in other EU countries, contact your national data protection authority.