Privacy

We process the statements you upload, in memory, to find your recurring charges. We don’t ask for your name, email, or any account. The parsed contents are discarded within 10 minutes; the scan result is discarded within 24 hours. Nothing is sold, ever. This page explains exactly what happens.

What we collect

• The statement files you upload (PDF, CSV, OFX, QFX). Held only long enough to parse them.
• The transactions parsed from those files — merchant string, date, amount, currency, card type if present.
• The scan results we derive — a list of likely-recurring charges, an annualised cost estimate, opaque-biller totals, and warnings.
• Basic technical signals from the request: IP address, user agent. Used only to rate-limit abuse, never linked to a person.

What we don’t collect

• Your name, email, phone, or address.
• Your bank login or credentials. We never ask for them and there is no field to enter them.
• Your full card number. Stripe handles payment on their checkout page; we never see card details.
• Cookies for tracking. Plausible analytics is cookie-less by design.

How long we keep it

• Uploaded files: discarded as soon as the scan finishes, and no later than 10 minutes after upload.
• Scan results: stored in a short-lived key-value store with a 24-hour TTL. Auto-expires; we don’t need to do anything.
• Payment records: retained by Stripe per their policy. On our side, we keep only the mapping from scan ID to unlock token for 24 hours.
• Server logs: request-level logs (IP, path, status) are retained for 30 days for abuse prevention, then rotated out.

Who we share with

We use a small number of subprocessors. Each only sees what is strictly necessary:

• Anthropic — we send redacted merchant strings (uppercase, no card numbers, no PII) to refine recurrence detection. Anthropic does not train on API inputs by default; we operate under that flag.
• Stripe — handles payment. Receives the amount, currency, and your card details, which you enter on their checkout page. Sends the receipt email.
• Vercel — hosts the application and the short-lived KV store. Sees request metadata at the network layer.
• Google — only if you click Connect Google Calendar. We request the https://www.googleapis.com/auth/calendar.events OAuth scope, write the renewal events you authorised, and immediately discard the OAuth token. We never read your existing calendar events. Revoke at myaccount.google.com/permissions.
• Plausible — privacy-first analytics. Aggregated counts only. No cookies, no cross-site tracking, no personal identifiers. We attach a small set of bucketed custom properties to a few events so we can publish honest marketing claims (e.g. “we’ve helped users find $X in forgotten subscriptions”): file-count bucket, subscriptions-found bucket, forgotten-count bucket, months-covered bucket, potential-savings rounded to the nearest USD $10, and your statement currency. Buckets are coarse on purpose so no single submission can identify you.
• Resend — only used to deliver the weekly anonymous feedback digest to the founder. Receives the recipient address and the digest body. Does not see anything about you.
• Brave Search — only used to identify obscure card-statement descriptors that the static merchant list can’t match (e.g. payment-processor-prefixed entries like SQ *MERCHANT). Receives only the redacted descriptor string — never amounts, dates, card numbers, or anything that could identify you. Brave is a privacy-first search engine that doesn’t profile users or track queries across sessions.

We don’t sell or share your data with advertisers, brokers, or marketing partners. There is no list to sell — we don’t have you on a list.

Feedback you submit

If you use the “Did we help?” widget on the Done screen, your rating (yes/mostly/no) and any free-text suggestion are stored for up to 14 days in our short-lived key-value store, then included in a single weekly digest emailed to the founder via Resend. We do not collect or attach your name, email, or IP to the submission — the digest is anonymous by design. Submissions are deleted from our store once the digest is sent.

What we use it for

Strictly to deliver the scan and the optional calendar export. We don’t profile you, we don’t build a long-term picture of your spending, and we don’t use your data to “improve the model”.

Sharing the result

The shareable PNG generated at the end of a scan only ever contains the headline number ($X/yr) and the antisubscribe wordmark. It never includes merchant names, dates, or card last-4. This is a hard rule enforced in the code, not a soft promise — the OG image endpoint reads only the aggregated headline value.

Security

• All traffic is over TLS.
• Statement parsing runs inside a single function invocation, in memory. Nothing is written to disk.
• The KV key for each scan is randomly generated and unguessable; the unlock token is single-use and short-lived.
• We follow Stripe’s SAQ-A scope — card data never touches our servers.

International transfers

We are based in Hong Kong; the application runs on Vercel infrastructure (United States and edge locations). By using the service you consent to that processing.

Children

The service is not intended for anyone under 13. Don’t use it if you are under 13.

Your choices

• Don’t want anything indexed by Anthropic? Don’t run a scan. There is no path that bypasses the AI provider.
• Want your scan deleted before the 24-hour TTL? Email hi@antisubscribe.example with the scan ID. We’ll purge it on request.
• Want your Google Calendar token revoked? It already is — we drop it after use. Visit myaccount.google.com/permissions to be doubly sure.

Contact

hi@antisubscribe.example