Privacy Policy
Last updated: January 2026
We understand that bank statements contain some of your most sensitive personal information. That's why we've built Substop with privacy at its core. We are fully GDPR compliant and do not store your bank statements – your files are analyzed in real-time and immediately deleted. We have no use for your data beyond helping you find subscriptions. We're anti-big-data and believe you should control your information.
1. What We Collect
When you use Substop, we collect two types of data. First, the bank statements you upload (PDF or CSV) – these are processed to find your subscriptions and deleted immediately after. Second, if you create an account, we store your email address, the country you signed up from, how many scans you've done (to prevent abuse), and whether you're a paid user. If you reach the scan limit without abuse, just contact us and we'll reset it for you. We also collect anonymized aggregate statistics from scans (like average savings and number of subscriptions found) to show social proof on our website – this data cannot be traced back to you.
2. How We Process Your Data
Your bank statements are sent to our secure analysis system. This happens in real-time – we don't store your transactions or financial data on our servers. The system identifies recurring payments, and the results are returned to your browser. We never see your individual transactions.
3. Who Has Access
Your financial data is processed by our secure system infrastructure – we act as the data controller. We never share, sell, or give your personal data to any third parties. Payment processing is handled by Stripe, and we don't store your card details.
4. How Long We Keep Data
Your uploaded bank statements are deleted immediately after analysis – they never touch our storage. Analysis results exist only in your browser session. Your account data (email, country, scan count) is kept until you request deletion. We do store anonymous, aggregate statistics (such as total subscriptions found across all users) to improve our service – this data cannot be traced back to any individual user.
5. Your GDPR Rights
Under GDPR, you have the right to access, correct, or delete your personal data. You can also request a copy of your data or ask us to restrict processing. Since we don't store your financial data, there's nothing to delete there – but we'll happily remove your account data on request. You can submit a deletion request directly from your profile page, or contact us.
6. Cookies
We use essential cookies to keep you logged in and remember your preferences, plus basic analytics to understand how visitors find and use Substop. No advertising cookies, no sneaky third-party marketing stuff. See our cookies policy for the full details.
7. Security Measures
All data is transmitted over encrypted connections (SSL/TLS). We use industry-standard security practices and regularly review our systems. Since we don't store your financial data, there's no honeypot of sensitive information to steal.