Privacy Policy

Last updated: 19 January 2026

Overview

Substash ("the Extension") is committed to protecting your privacy. This privacy policy explains our data practices in compliance with the General Data Protection Regulation (GDPR) and other applicable privacy laws.

Data controller

The data controller for this Extension is Chris Lim. For any privacy-related enquiries, please use the contact form.

Data we collect

Identity data

• Email address (for authentication via one-time password)
• User identifier

Subscription data

• Service names
• Costs and currencies
• Billing cycles and dates
• Trial periods
• Notes you add

Technical data

• Anonymous usage analytics via PostHog
• Email preferences

Data we do NOT collect

• Browsing history
• Personal files
• Banking details or credit card information
• Passwords to your subscription services

Legal basis

We process your data based on:

• Consent: You choose to create an account and enter subscription data
• Contract: Processing necessary to provide the service
• Legitimate interest: Anonymous analytics to improve the service

How we use your data

• Provide subscription tracking functionality
• Synchronise data across your devices
• Send renewal and trial-ending alerts (when enabled)
• Convert currencies using exchange rates
• Measure campaign performance via UTM tracking

Email communications

We send the following emails:

• Authentication codes (one-time passwords)
• Onboarding messages
• Renewal and trial-ending notifications (customisable)

All emails include campaign tracking links (UTM parameters) that are GDPR-compliant and contain no personal identifiers.

Third-party services

We use the following services to operate Substash:

• Supabase: Backend infrastructure and database
• Amazon SES: Email delivery
• Frankfurter API: Currency exchange rates
• PostHog: Anonymous analytics
• DuckDuckGo: Service logo retrieval

We do not sell, rent, or share your personal data with any other third parties.

Data security

• All data is transmitted over HTTPS
• Passwordless authentication via one-time passwords
• Row-level database security
• Encrypted session tokens

Your rights

Under GDPR, you have the right to:

• Access your data
• Rectify inaccurate data
• Erase your data
• Export your data (data portability)
• Withdraw consent

You can exercise these rights through the Extension settings or by contacting us.

Data retention

Your data is retained while your account is active. Upon account deletion, your data is permanently removed from our servers within 30 days.

Children

The Extension is not intended for children under 16. We do not knowingly collect data from children.

Changes to this policy

Any changes to this policy will be posted on this page with an updated date.

Contact

For questions about this privacy policy, please use the contact form.

Compliance

This Extension complies with the General Data Protection Regulation (GDPR), the Chrome Web Store Developer Program Policies, and applicable EU privacy laws.

Governing law

This privacy policy is governed by the laws of the European Union.