Privacy Policy

1. Introduction

SubScout ("we", "us", or "our"), operated by Arven Digital, is committed to protecting your personal data. This Privacy Policy explains what information we collect, how we use it, who we share it with, and your rights regarding your data. It applies to all users of the SubScout web app, desktop app, and related services accessible at subscout.live.

This policy is designed to comply with the General Data Protection Regulation (GDPR) and the Turkish Personal Data Protection Law (KVKK — Kişisel Verilerin Korunması Kanunu, Law No. 6698).

2. Data Controller

The data controller responsible for your personal data is:

3. Data We Collect

We collect the following categories of personal data:

3.1 Account Data

• Email address (required for account creation and authentication)
• Display name (optional, provided by you)
• Password (stored as a secure hash using Argon2id; we never see your plaintext password)

3.2 Subscription Data

• Subscription names, amounts, billing cycles, renewal dates, and categories you add
• This data is end-to-end encrypted (E2EE) using TweetNaCl. It is encrypted on your device before being stored on our servers. We cannot read the content of your subscription records.

3.3 Payment Data

• Payment processing is handled entirely by Lemon Squeezy. We do not store your credit card numbers or banking details.
• We receive billing status, subscription plan, and transaction identifiers from Lemon Squeezy to manage your account tier.

3.4 Usage Analytics

• Aggregated usage data (e.g., feature usage, page views) to improve our service
• Log data such as IP addresses, browser type, and access timestamps, retained for security and fraud prevention purposes

3.5 Cookies and Local Storage

• Session cookies required for authentication
• Local storage for UI preferences (e.g., cookie consent choice, theme)
• Analytics cookies (only with your consent)

4. End-to-End Encryption

Your subscription data (names, amounts, notes) is encrypted on your device using TweetNaCl before transmission. The encryption keys are derived from your credentials using Argon2id and are never sent to our servers. This means even in the event of a data breach on our servers, your subscription content remains unreadable without your credentials.

5. Legal Basis for Processing

We process your personal data under the following legal bases:

• Contract performance: Account data and subscription data are processed to provide the service you signed up for.
• Legitimate interests: Log data and usage analytics are processed to ensure service security, prevent fraud, and improve the product.
• Consent: Analytics cookies and marketing communications are only processed with your explicit consent.
• Legal obligation: We may process data as required by applicable law.

6. Third-Party Service Providers

We share limited data with the following trusted third parties to operate our service:

We do not sell your personal data to third parties.

7. International Data Transfers

Our service providers (Vercel, Railway, Lemon Squeezy) may process data in the United States and other countries outside the European Economic Area (EEA) and Turkey. When required, we rely on Standard Contractual Clauses (SCCs) or equivalent safeguards to ensure an adequate level of data protection.

8. Data Retention

• Account data: Retained for the duration of your account. Deleted within 30 days of account deletion.
• Subscription data: Retained as long as your account exists. Deleted upon account deletion.
• Payment records: Retained for 7 years as required by Turkish tax law (Vergi Usul Kanunu).
• Log data: Retained for up to 90 days for security purposes.

9. Your Rights

Under GDPR and KVKK, you have the following rights:

• Right of access: Request a copy of the personal data we hold about you.
• Right to rectification: Request correction of inaccurate or incomplete data.
• Right to erasure: Request deletion of your data ("right to be forgotten").
• Right to data portability: Export your subscription data in a structured, machine-readable format via Settings → Export Data.
• Right to restriction: Request that we limit processing of your data in certain circumstances.
• Right to object: Object to processing based on legitimate interests.
• Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time.

To exercise any of these rights, contact us at hello@subscout.live. We will respond within 30 days. You also have the right to lodge a complaint with your local data protection authority (e.g., Kişisel Verileri Koruma Kurumu in Turkey, or your national EU supervisory authority).

10. Cookies

We use the following types of cookies:

• Essential cookies: Required for authentication and core functionality. Cannot be disabled.
• Analytics cookies: Help us understand how visitors use SubScout. Only set with your consent.
• Advertising cookies: Set by Google AdSense for free-tier users. Only set with your consent.

You can manage your cookie preferences at any time via the cookie consent banner or your browser settings.

11. Children's Privacy

SubScout is not directed to individuals under the age of 18. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

12. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of significant changes by email or by a prominent notice in the app. Continued use of SubScout after changes take effect constitutes acceptance of the updated policy.

13. Contact Us

For any privacy-related questions or to exercise your rights, please contact us: