Privacy Policy

Last Updated: February 4, 2025

TL;DR

  • We encrypt your statements using bank-level security
  • We delete your data within 48 hours automatically
  • We never sell your data to anyone
  • You can request deletion anytime
  • We're GDPR and CCPA compliant

Introduction

At Substract, your privacy is not negotiable. We built this service because we believe you should control your financial data—not advertisers, not data brokers, not us.

The short version: We only collect what we need to analyze your subscriptions, we encrypt everything, we delete your data within 48 hours, and we never, ever sell your information to anyone.

Questions? Email us: privacy@substract.co

What Data We Collect

1. Credit Card Statements (Uploaded by You)

When you upload your credit card or bank statements, we temporarily process:

  • Transaction dates
  • Merchant names
  • Transaction amounts
  • Payment methods (last 4 digits only, if visible)
  • Account types (credit card, debit card, etc.)

What we DON'T collect:

  • Full credit card numbers (we automatically strip these)
  • CVV codes (not present in statements anyway)
  • Banking login credentials (we never ask for these)
  • Social Security Numbers (not needed, not wanted)

2. Payment Information

We use Stripe to process payments. When you pay for the full report, Stripe handles your payment details—we never see or store your full credit card number.

What we receive from Stripe:

  • Confirmation that payment was successful
  • Last 4 digits of your card (for receipt purposes)
  • Billing email address
  • Transaction ID

3. Email Address (Optional but Recommended)

We ask for your email to:

  • Send you your report
  • Send a payment receipt
  • Allow you to request refunds or support

We do NOT share your email with third parties, add you to marketing lists without permission, sell your email to advertisers, or spam you.

4. Technical & Analytics Data

Like most websites, we collect minimal technical data:

  • IP address (for fraud prevention)
  • Browser type and version
  • Device type (mobile, desktop, tablet)
  • Pages visited and time spent

We use privacy-first analytics tools (no Google Analytics). Your browsing behavior is never sold to advertisers.

Security & Data Handling

Bank-Level Encryption

All data is encrypted using TLS 1.3 in transit and AES-256 at rest—the same encryption standards banks use.

48-Hour Auto-Delete

Your uploaded statements and transaction data are permanently deleted within 48 hours of report generation.

We Never Sell Data

We don't sell data to advertisers, share with data brokers, or monetize your financial information in any way.

Request Early Deletion

You can request early deletion anytime by emailing privacy@substract.co. We'll delete everything within 24 hours.

How We Use Your Data

  • To Analyze Your Subscriptions: Your statements are processed by our AI to identify recurring charges and generate your report.
  • To Provide Your Report: We use your email to send your free preview and full report (if purchased).
  • To Process Payments: We use Stripe to securely process payments.
  • To Provide Support: If you contact us, we may access your data to troubleshoot (only with permission).
  • To Improve the Service: We use anonymized, aggregated data to improve AI accuracy.

Data Sharing

We share data only with essential service providers (all SOC 2 compliant):

  • OpenAI — AI analysis of your statements (SOC 2 Type II compliant, data not used for training)
  • Stripe — Payment processing
  • Cloudflare — File storage (encrypted)
  • Resend — Email delivery

All AI providers we use are enterprise-grade and SOC 2 compliant. Your data is processed securely and is never used to train AI models.

We do NOT share data with advertisers, data brokers, social media platforms, credit bureaus, or any other third parties.

Your Rights

  • Right to Access: Request a copy of all data we have about you.
  • Right to Deletion: Request immediate deletion (before the 48-hour auto-delete).
  • Right to Opt-Out: Unsubscribe from any promotional emails.
  • Right to Correction: Request correction of any incorrect information.
  • Right to Data Portability: Request your data in a portable format.

To exercise these rights, email privacy@substract.co.

GDPR Compliance (EU Users)

If you're in the European Union, you have additional rights under GDPR. We process your data based on contract (to provide the service you paid for), consent (when you upload statements), and legitimate interest (to prevent fraud).

CCPA Compliance (California Users)

If you're in California, you have rights under CCPA. We do NOT sell your personal information. You can request access to your data and its deletion, and you will not be discriminated against for exercising your rights.

Children's Privacy

Substract is not intended for users under 18. We do not knowingly collect data from children. If you believe a child has uploaded data, contact us immediately.

Changes to This Policy

We may update this Privacy Policy occasionally. When we do, we'll update the "Last Updated" date and notify you via email if changes are significant.

Contact Us

Questions about your data? Email privacy@substract.co. We respond within 48 hours (usually faster).

For general support, email support@substract.co.

Your data, your control. Always.
