$
SubCashFlow
Log InGet Started

Privacy Policy

Last updated: February 23, 2026

1. Introduction

SubCashFlow ("we", "us", "our") provides MRR and ARR analytics for businesses that use Stripe. This Privacy Policy explains how we collect, use, store, and protect your information when you use our service.

2. Information We Collect

Account Information

  • Email address and name (via Supabase Auth)
  • Authentication data from Google or GitHub OAuth (if used)
  • Organization name and membership details

Stripe Data

When you connect your Stripe account, we access and store:

  • Your Stripe API key (encrypted with AES-256-GCM at rest)
  • Subscription data (status, plan, billing interval, amounts)
  • Invoice data (amounts paid, discounts applied, payment status)
  • Customer metadata (email, name, Stripe customer ID)
  • Calculated metrics (MRR, ARR, churn data)

What We Do NOT Collect

  • Credit card numbers or payment card details — Stripe handles all card data
  • Bank account information
  • Social Security numbers or government IDs

3. How We Use Your Information

  • To calculate and display your MRR, ARR, and subscription analytics
  • To generate historical revenue snapshots and trend data
  • To identify failed payments and at-risk subscriptions
  • To provide data exports (Excel)
  • To authenticate you and manage your account
  • To send service-related communications

4. Stripe API Key Security

Your Stripe API key is encrypted using AES-256-GCM before being stored in our database. The key is only decrypted in memory during data sync operations and is never logged or exposed. You can remove your API key at any time from your dashboard settings, which will immediately delete it from our systems.

5. Data Storage and Security

  • Data is stored in PostgreSQL via Supabase with row-level security
  • All data is isolated per organization (multi-tenant architecture)
  • All connections use HTTPS/TLS encryption in transit
  • Authentication is handled by Supabase Auth with secure session management

6. Data Sharing

We do not sell your data. We share data only with:

  • Supabase — database hosting and authentication
  • Stripe — payment processing for your SubCashFlow subscription
  • Vercel — application hosting

We may also disclose data if required by law or to protect our rights.

7. Data Retention

We retain your data for as long as your account is active. When you delete your account or disconnect your Stripe API key, associated Stripe data is deleted. MRR snapshots may be retained in anonymized/aggregated form.

8. Your Rights

Depending on your location, you may have the right to:

  • Access the personal data we hold about you
  • Request correction or deletion of your data
  • Export your data
  • Object to or restrict processing
  • Withdraw consent at any time

To exercise these rights, contact us at the email below.

9. GDPR (EU Users)

We process data under the lawful basis of "contract performance" (to provide the service you signed up for) and "legitimate interest" (to improve our service). For EU customers processing personal data of their own end users, we act as a data processor. A Data Processing Agreement (DPA) is available upon request.

10. CCPA (California Users)

California residents have the right to know what personal information we collect, request deletion, and opt out of any sale of personal information. We do not sell personal information.

11. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes via email or an in-app notice.

12. Contact Us

If you have questions about this Privacy Policy or your data, contact us at nick@nickmartin.com.