Privacy Policy
Last updated: March 2026
1. Introduction
SubSight (“we,” “us,” or “our”) operates the website subsight.ca and the SubSight mobile application (together, the “Service”). We are committed to protecting your personal information in accordance with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and applicable provincial privacy legislation.
This Privacy Policy explains what personal information we collect, why we collect it, how we use and disclose it, and what choices you have. By using the Service you consent to the practices described below.
2. Information We Collect
2.1 Account Information
When you register through our authentication provider (Clerk), we collect:
- Full name
- Email address
- Authentication identifiers (Clerk user ID)
2.2 Financial Information
When you connect a bank account through our open-banking provider, Plaid, we receive read-only access to:
- Bank account type, institution name, and masked account number
- Transaction history (up to 90 days) including merchant names, amounts, dates, and categories
- Account balance
We never receive or store your bank login credentials. Plaid authenticates directly with your institution using OAuth or credential-based login flows. We cannot move, withdraw, or modify funds in any account.
2.3 Payment Information
Subscription payments are processed by Stripe. We store your Stripe customer ID and subscription status but never store full credit card numbers. All card data is handled exclusively by Stripe in PCI-DSS compliant systems.
2.4 Service Usage Data
- Subscription tracking data (detected and manually added subscriptions)
- Cancellation requests and generated cancellation emails
- Negotiation records, AI-generated analysis, negotiation emails, and AI phone call recordings/transcripts
- Device push notification tokens (mobile app only)
2.5 Automatically Collected Information
- IP address and approximate location
- Browser type and device information
- Pages visited and features used
3. How We Use Your Information
We use the information we collect to:
- Create and manage your account
- Detect recurring subscriptions from your transaction history using AI analysis (Google Gemini)
- Generate personalized cancellation emails for unwanted subscriptions
- Analyze bills for negotiation opportunities, generate negotiation emails, and initiate AI phone calls to providers on your behalf
- Process subscription payments and commissions through Stripe
- Send transactional emails (account notifications, negotiation updates) via Resend
- Send push notifications to your mobile device (if enabled)
- Improve and develop the Service
- Prevent fraud and ensure security
4. AI-Processed Data
We use Google Gemini AI to analyze your transaction data and generate content on your behalf, including subscription detection, bill negotiation analysis, cancellation emails, negotiation emails, and AI phone call scripts. We also use Bland.ai to make AI-powered phone calls to service providers on your behalf. Call recordings and transcripts are stored securely and accessible only to you.
Transaction data sent to Google Gemini is processed under Google’s API terms and is not used by Google to train their models. We send only the minimum data necessary (merchant names, amounts, dates, and billing categories) for analysis. No banking credentials or full account numbers are ever sent to AI services.
5. Disclosure of Information
We share your personal information only with the following categories of third parties, and only as necessary to provide the Service:
- Clerk — Authentication and account management
- Plaid — Bank account connection and transaction retrieval (read-only)
- Stripe — Payment processing for premium subscriptions and commissions
- Google (Gemini AI) — Transaction analysis and email generation
- Resend — Transactional email delivery
We do not sell, rent, or trade your personal information to any third party for marketing purposes. We may disclose information if required by law, regulation, legal process, or governmental request.
6. Data Storage and Security
Your data is stored on servers located in Canada. We employ industry-standard security measures including:
- Encryption in transit (TLS/SSL) and at rest (AES-256)
- Secure authentication via Clerk with support for multi-factor authentication
- Regular security assessments and access controls
- Database access restricted to authenticated and authorized requests only
While we take reasonable precautions, no method of electronic storage or transmission is 100% secure. We cannot guarantee absolute security.
7. Data Retention
We retain your personal information for as long as your account is active or as needed to provide the Service. Specifically:
- Account data is retained until you delete your account
- Transaction data is retained for the duration of your account
- Payment records are retained as required for tax and legal compliance (up to 7 years)
- AI-generated content (emails, analysis) is retained until you delete your account
When you delete your account, all personal data is permanently removed from our systems, except where retention is required by law.
8. Your Rights Under PIPEDA
Under PIPEDA and applicable Canadian privacy law, you have the right to:
- Access — Request a copy of the personal information we hold about you
- Correction — Request correction of inaccurate or incomplete information
- Withdrawal of consent — Withdraw consent for the collection, use, or disclosure of your information (subject to legal or contractual restrictions)
- Deletion — Request deletion of your account and associated data through the Settings page in the app or by contacting us
- Complaint — File a complaint with the Office of the Privacy Commissioner of Canada if you believe your rights have been violated
To exercise any of these rights, contact us at [email protected]. We will respond within 30 days.
9. Cookies and Tracking
We use essential cookies for authentication and session management. We do not use third-party advertising cookies or cross-site tracking. Authentication cookies are managed by Clerk and are necessary for the Service to function.
10. Children’s Privacy
The Service is not intended for individuals under the age of 18. We do not knowingly collect personal information from children. If we become aware that we have collected information from a minor, we will take steps to delete it promptly.
11. Changes to This Policy
We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the “Last updated” date. Your continued use of the Service after changes constitutes acceptance of the revised policy.
12. Contact Us
If you have questions or concerns about this Privacy Policy or our data practices, contact our Privacy Officer: