Legal

Privacy Policy

Plain-English summary of how SubsRenewal collects, stores, and uses your data. Questions? Email support@subsrenewal.com.

Last updated: 2026-07-02.

What SubsRenewal is

SubsRenewal is a multi-tenant subscription-tracking service. You create an account, add the subscriptions you pay for, and we remind you before each one renews. There is a web app at subsrenewal.com and an Android app distributed via Google Play. Both share the same backend and the same data.

Data we collect

Account data (required)

  • Email address, used to sign you in and to deliver renewal reminders and product emails.
  • Name, optional, used as a display name.
  • Password, hashed with Argon2id by better-auth. We do not store or see the plaintext.

Subscription data (the product)

The subscriptions you add: name, cost, currency, billing cycle, category, color, icon, creation date, next billing date, manual order. Scoped to your user id.

Preferences

Notification toggle, reminder lead time, monthly budget goal, display currency, dark mode, card style, view mode, AI provider, AI API key (stored encrypted at rest), and opt-in flags for weekly digest, monthly summary, six-month nudge, and annual Wrapped.

Push notification tokens

If you enable push notifications on the mobile app, we store your Expo push token. You can disable this at any time in the mobile app's Settings; the token is deleted on sign-out.

Public subscription lists (opt-in)

If you opt in to a public list at /u/<handle>, we publish a privacy-preserving snapshot: the names, categories, colors, and billing cycles, plus a rounded monthly total. We do not publish exact costs, individual prices, or renewal dates. You can delete the public list at any time.

Cookies and session tokens

The web app uses better-auth session cookies (HTTP-only, SameSite=Lax) for sign-in. The mobile app exchanges a session cookie for a 30-day bearer JWT (stored in expo-secure-store). The JWT hash (sha256) is stored in our database; the plaintext is never persisted. Optional analytics cookies load only if you accept them. For the full breakdown, see our Cookie Policy.

Email deliverability

Renewal reminders and digest emails are sent via Resend. We pass the email content and your email address to Resend under our account. Resend's privacy policy applies to that data transit.

Android waitlist

The landing page has a form for the Android waitlist. Submitting adds your email to a Resend Audience. Stored until you unsubscribe.

Data we do NOT collect

  • We do not track you across other websites.
  • We do not sell your data.
  • We do not share your data with third parties for advertising.
  • We do not collect biometric data, health data, financial account credentials, or government identifiers.

How we use your data

  • To operate the service (sign-in, sync, push, reminders).
  • To deliver transactional email (renewals, summaries, opt-in digests).
  • To send you the Android waitlist confirmation if you sign up.
  • To respond to support requests when you email us.

Data retention

  • Account data: kept while your account is active. Deleted on account deletion, with cascading deletes to subscriptions, preferences, push tokens, public list, and mobile sessions.
  • Subscription data: kept while your account is active. Exportable to JSON or CSV at any time.
  • Email log: records that a reminder was sent (per user, per subscription, per renewal date). Used for dedup.
  • Public list snapshot: live as long as you keep the public list enabled. Removed when you delete the list.
  • Android waitlist: kept in the Resend Audience until you unsubscribe.

Your rights

  • Access: export your data as JSON or CSV from the web app.
  • Rectification: edit any subscription, preference, or your name in the web or mobile app.
  • Deletion:delete your account from the web app's Settings. Cascading deletes remove all associated data within 30 days.
  • Data portability: the export feature produces a JSON file compatible with re-import.
  • Opt out of emails: every email has a one-click unsubscribe link.
  • Opt out of push:toggle off in the mobile app's Settings.
  • Opt out of public list:delete the list in the web app's Settings.

Security

  • All data is transmitted over HTTPS.
  • Passwords are hashed with Argon2id.
  • Mobile JWTs are stored in expo-secure-store (Android Keystore).
  • The Postgres database is hosted on Neon with TLS required.
  • Bearer tokens are stored only as sha256 hashes.
  • Tenant isolation: every query is scoped by userId. Cross-tenant access returns 404, not 403.
  • Rate limits on auth and the Android waitlist.
  • Cron endpoints are bearer-gated with CRON_SECRET.

Children

SubsRenewal is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has created an account, contact support@subsrenewal.com and we will delete the account.

International transfers

The database is hosted on Neon. By using SubsRenewal, you understand your data may be processed in the region where Neon stores the database. Email is sent via Resend, which may process data in multiple regions per their privacy policy.

Changes to this policy

We will update this document when our practices change. The "Last updated" date at the top will reflect the change. For material changes, we will email registered users.

Contact

Email: support@subsrenewal.com