App Publisher: K&D Labs | Contact: hoang.tr.tr.2025@icloud.com
1. Purpose
This policy defines how SubCut collects, retains, and disposes of consumer data obtained through the Plaid API and related services. It is designed to protect user privacy, minimize data exposure, and ensure compliance with applicable data protection regulations and Plaid's Developer Policy.
2. Scope
This policy applies to all consumer data processed by SubCut, including:
- Financial transaction data retrieved via the Plaid API.
- Recurring subscription data derived from transaction history.
- User account information (email address, authentication identifiers).
3. Data We Collect
SubCut collects and stores only the minimum data necessary to provide its subscription tracking service:
| Data Type | Source | Purpose |
|---|---|---|
| Transaction descriptions | Plaid Transactions API | Identify recurring subscriptions |
| Transaction amounts | Plaid Transactions API | Display subscription costs |
| Transaction dates | Plaid Transactions API | Track billing cycles |
| Recurring transaction metadata | Plaid Recurring Transactions API | Categorize active subscriptions |
| User email address | User registration | Account authentication |
| Plaid access tokens | Plaid Link | Maintain bank connection |
We do not collect or store:
- Bank account numbers or routing numbers
- Login credentials for any financial institution
- Social Security Numbers or government-issued IDs
- Credit card numbers or CVV codes
- Any data beyond transaction scope (e.g. investment, identity, income data)
4. Data Retention Schedule
| Data Type | Retention Period | Justification |
|---|---|---|
| Transaction data | 12 months from date of transaction | Sufficient for subscription pattern detection |
| Recurring subscription records | Duration of active account + 30 days | Required for core app functionality |
| Plaid access tokens | Duration of active bank connection | Necessary to maintain Plaid link |
| User account data (email) | Duration of active account + 30 days | Required for authentication |
| Deleted account data | Purged within 30 days of account deletion | User right to erasure |
| Logs and diagnostic data | 90 days | Debugging and security monitoring |
5. Data Storage and Security
All retained data is stored in Supabase, a SOC 2 compliant managed cloud database platform (PostgreSQL). The following security controls are in place:
- Encryption at rest: All data is encrypted at rest using AES-256 by default via Supabase's managed infrastructure.
- Encryption in transit: All data transmitted between the app, API server, and database uses TLS 1.2 or higher.
- Access controls: Database access is restricted to the developer only via Supabase's authentication and API key system.
- Row-Level Security (RLS): Supabase RLS policies ensure users can only access their own data.
- No public database exposure: The database is not directly accessible from the public internet.
6. Data Disposal
When data reaches the end of its retention period or a user deletes their account, the following disposal procedures apply:
Automated Expiry
- Transaction records older than 12 months are automatically deleted from the database on a rolling basis.
Account Deletion
- Upon user request to delete their account, all associated data (transactions, subscription records, account info, and Plaid access tokens) is permanently deleted within 30 days.
- Plaid access tokens are revoked via the Plaid API at the time of deletion request, immediately terminating the bank connection.
Disposal Method
- Data is deleted via hard database deletion (not soft-delete/archiving). No copies are retained in backups beyond the standard Supabase backup window (7 days), after which deleted data is unrecoverable.
7. User Rights
Users have the right to:
- Access their data — users can view all stored subscription and transaction data within the app.
- Delete their data — users can request full account and data deletion at any time via the app or by emailing hoang.tr.tr.2025@icloud.com.
- Disconnect their bank — users can revoke Plaid access at any time, which stops further data collection.
- Data portability — users may request a copy of their data by contacting us at hoang.tr.tr.2025@icloud.com.
Requests will be fulfilled within 30 days of receipt.
8. Third-Party Data Processors
SubCut uses the following third-party processors that may handle consumer data:
| Processor | Role | Security Posture |
|---|---|---|
| Plaid | Bank connectivity and transaction data retrieval | SOC 2 Type II, PCI DSS |
| Supabase | Managed database and backend infrastructure | SOC 2 Type II |
| Apple App Store | App distribution | Apple platform security |
No consumer financial data is sold, shared, or transferred to any other third parties for marketing, advertising, or any purpose beyond the core subscription tracking functionality.
9. Data Breach Response
In the event of a confirmed or suspected data breach:
- The developer will assess the scope and impact within 24 hours of discovery.
- Affected users will be notified within 72 hours if their data is determined to be at risk.
- Plaid will be notified promptly in accordance with Plaid's Developer Policy.
- Appropriate remediation steps will be taken immediately.
10. Policy Review
This policy is reviewed and updated at least annually, or whenever there are material changes to the app's data handling practices. The effective date at the top of this document reflects the most recent revision.
11. Contact
For questions, data requests, or concerns about this policy, contact:
K&D Labs
App Publisher, SubCut
Email: hoang.tr.tr.2025@icloud.com
This policy applies to the SubCut mobile application and its associated backend services.