1. Introduction

SubKiller ("we", "us", "our") operates the website subkill.com and provides the SubKiller subscription management service (the "Service"). This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our Service.

We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

2. Data Controller

SubKiller is the data controller for the personal data processed through our Service. For questions about this policy or your data, contact us at support@subkill.com.

3. Information We Collect

3.1 Account Information

When you sign up via Google OAuth, we receive:

Your email address
Your name and profile picture (from your Google account)
OAuth access and refresh tokens (to access your email on your behalf)

3.2 Email Data

When you initiate an inbox scan, we access your email account to:

Search for subscription-related emails (receipts, invoices, billing confirmations)
Read email headers (From, Subject, Date, List-Unsubscribe)
Read email snippets for AI classification

We do not read the full body of your emails. We only access metadata and short snippets necessary to detect subscriptions. We do not store raw email content — only the extracted subscription data (merchant name, amount, frequency).

3.3 Payment Information

Payment processing is handled entirely by Stripe. We never see, store, or process your credit card number. We only store your Stripe customer ID to manage your subscription.

3.4 Usage Data

We collect basic usage information including scan timestamps, subscription counts, and feature usage to improve our Service.

4. How We Use Your Information

We use your information to:

Scan your inbox and detect recurring subscriptions
Classify subscriptions using AI (Anthropic Claude)
Send unsubscribe requests on your behalf
Create email filters to mute noisy senders (Gmail only)
Process payments and manage your premium subscription
Send transactional emails (scan results, account notifications)
Improve and maintain the Service

5. Legal Basis for Processing (GDPR)

We process your personal data based on:

Consent: When you connect your email account and initiate a scan, you explicitly consent to our processing of your email data.
Contract: Processing necessary to provide the Service you subscribed to.
Legitimate interest: Basic analytics to improve our Service, provided it does not override your rights.

6. Third-Party Services

We share data with the following third parties, only as necessary to provide the Service:

Supabase: Database and authentication hosting (EU/US servers)
Anthropic (Claude AI): Email classification — we send anonymized sender names and email subjects, never full email bodies or your personal email address
Stripe: Payment processing
Resend: Transactional email delivery
Google: Gmail API access (OAuth, email scanning, filters)
Vercel: Application hosting

We do not sell your personal data to any third party.

7. Data Retention

Account data is retained for as long as your account is active.
Subscription scan results are retained until you delete your account or run a new scan (which replaces old data).
OAuth tokens are stored encrypted and are deleted when you disconnect an account.
If you delete your account, all your data is permanently removed within 30 days.

8. Your Rights

Under GDPR and applicable privacy laws, you have the right to:

Access: Request a copy of the personal data we hold about you.
Rectification: Request correction of inaccurate data.
Erasure: Request deletion of your personal data ("right to be forgotten").
Portability: Request your data in a machine-readable format.
Withdraw consent: Disconnect your email accounts at any time from the dashboard.
Restriction: Request that we limit processing of your data.
Object: Object to processing based on legitimate interest.

To exercise any of these rights, email us at support@subkill.com. We will respond within 30 days.

9. Security

We implement industry-standard security measures including encrypted data transmission (TLS), encrypted storage of OAuth tokens, and regular security audits. However, no method of electronic storage is 100% secure, and we cannot guarantee absolute security.

10. Cookies

We use only essential cookies required for authentication and session management. We do not use advertising cookies or third-party tracking cookies.

11. Children's Privacy

Our Service is not directed to children under 16. We do not knowingly collect personal data from children. If you believe we have collected data from a child, contact us immediately.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes by posting the updated policy on this page and updating the "Last updated" date. Continued use of the Service after changes constitutes acceptance.

13. Contact Us

If you have any questions about this Privacy Policy or your personal data, contact us at:

Email: support@subkill.com
Website: subkill.com