Privacy Policy

Last updated: April 2026 · Effective: April 2026

Sub Scrub Me ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our service. We are GDPR and CCPA compliant.

1. Information We Collect

Information you provide directly:

• Email address (waitlist and account registration)
• Company name and size (optional, account setup)
• Billing information (processed by Stripe - we never store card numbers)

Information from connected accounts (read-only):

• Transaction records from bank feeds, Xero, QuickBooks, or Stripe
• Merchant names, transaction amounts, and dates
• Account names and identifiers (no account numbers stored)

Information collected automatically:

• Usage data (pages visited, features used, session duration)
• Device information (browser type, OS, screen size)
• IP address and approximate location
• Cookies and similar tracking technologies (see Section 7)

2. How We Use Your Information

• To provide, operate, and improve the Sub Scrub Me service
• To analyze transaction data and generate subscription audit reports for you
• To send you service updates, renewal alerts, and transactional emails
• To send marketing communications (you may opt out at any time)
• To detect fraud and ensure the security of our platform
• To comply with legal obligations

3. Data Sharing

We do not sell your personal data. We share data only with:

• Brevo - email delivery and contact management (waitlist and transactional emails)
• Plaid - bank feed connections (read-only, subject to Plaid's Privacy Policy)
• Stripe - payment processing (billing data only)
• Cloudflare - infrastructure and DDoS protection
• Law enforcement or government agencies when required by law

4. Data Security

We implement industry-standard security measures:

• AES-256 encryption for data at rest
• TLS 1.2+ for all data in transit
• Read-only API connections - we cannot move or modify your funds
• Regular security audits and penetration testing
• SOC 2 Type II certification in progress

5. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

• Right of access - Request a copy of your personal data
• Right to rectification - Correct inaccurate personal data
• Right to erasure - Request deletion of your personal data
• Right to portability - Receive your data in a machine-readable format
• Right to object - Object to processing based on legitimate interests
• Right to restrict processing - Request we limit processing in certain circumstances

To exercise these rights, email [email protected]. We will respond within 30 days.

6. Your Rights (CCPA - California Residents)

California residents have the right to know what personal information we collect, to request deletion, to opt out of the sale of personal information (we do not sell personal information), and to non-discrimination for exercising these rights. To submit a CCPA request, email [email protected].

7. Cookies

We use essential cookies (required for the service to function), analytics cookies (Google Analytics via GTM, anonymized), and preference cookies (to remember your settings). You can control cookies through your browser settings. Disabling essential cookies may impact service functionality.

8. Data Retention

We retain your account data for as long as your account is active. Transaction analysis data is retained for 36 months by default (configurable). Email addresses on the waitlist are retained until you unsubscribe or request deletion. After account deletion, we retain anonymized aggregate data for analytics purposes.

9. International Transfers

Sub Scrub Me is operated from the United States. If you are located outside the US, your data will be transferred to and processed in the US. We comply with applicable data transfer mechanisms including Standard Contractual Clauses for EEA-to-US transfers.

10. Children's Privacy

Sub Scrub Me is not directed to children under 16 and we do not knowingly collect personal information from children. If you believe we have collected data from a child, please contact us immediately.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by email at least 30 days before the change takes effect. Continued use of the Service after changes constitutes acceptance.

12. Contact

For privacy questions or to exercise your rights: [email protected]

Data Controller: Sub Scrub Me, Inc. For EU/EEA purposes, our representative can be reached at the same email.