Data Processing Agreement

Last updated: December 2, 2025

Introduction

This Data Processing Agreement ("DPA") describes how SubKicker processes user data in compliance with applicable data protection laws, including GDPR and CCPA.

Definitions

  • Data Controller: You (the user) are the controller of your personal data
  • Data Processor: SubKicker acts as a processor of your Gmail data
  • Personal Data: Any information relating to an identified or identifiable individual
  • Processing: Any operation performed on personal data (collection, analysis, storage, deletion)

Nature and Purpose of Processing

Data Categories Processed

  • Email metadata (sender, subject, date)
  • Email content (only subscription-related emails)
  • Account information (name, email, profile picture)
  • Usage data (scan history, features used)

Purpose of Processing

  • Identify recurring subscriptions and charges
  • Generate subscription reports
  • Calculate cost savings and renewal dates
  • Improve AI detection algorithms
  • Provide customer support

Data Processing Principles

We process your data in accordance with the following principles:

  • Lawfulness, Fairness, Transparency: We process data only with your explicit consent via OAuth
  • Purpose Limitation: Data is used only for subscription detection
  • Data Minimization: We collect only what's necessary for the service
  • Accuracy: We ensure data accuracy through regular validation
  • Storage Limitation: Data is retained only as long as necessary
  • Integrity and Confidentiality: We implement appropriate security measures

Data Retention

Email Content

Email content is processed in real time and is not permanently stored. We retain only extracted metadata (subscription details).

Subscription Data

Subscription metadata is retained while your account is active. Data is automatically deleted 30 days after account closure.

Account Data

Account information is retained for the duration of your account and 30 days thereafter for backup purposes.

Data Subject Rights

As a data subject, you have the following rights:

  • Right of Access: Request a copy of your data
  • Right to Rectification: Correct inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Restrict Processing: Limit how we process your data
  • Right to Data Portability: Export your data in a machine-readable format
  • Right to Object: Object to processing for specific purposes
  • Right to Withdraw Consent: Revoke Gmail access at any time

To exercise these rights, you can manage your data through your account settings. We will respond within 30 days.

Sub-Processors

SubKicker uses the following sub-processors to provide the service:

  • Vercel Inc.: Hosting and infrastructure (Location: United States)
  • Google LLC: Authentication and Gmail API (Location: United States)
  • Stripe Inc.: Payment processing (Location: United States)

All sub-processors are contractually bound to data protection obligations consistent with this DPA.

International Data Transfers

Your data may be transferred to and processed in the United States. We ensure adequate protection through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Sub-processors with appropriate data protection certifications
  • Technical and organizational measures to protect data

Security Measures

We implement appropriate technical and organizational measures including:

  • Encryption in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication
  • Regular security audits and vulnerability assessments
  • Employee training on data protection
  • Incident response procedures

For full details, see our Security page.

Data Breach Notification

In the event of a personal data breach, we will:

  • Notify affected users within 72 hours of discovery
  • Provide details about the nature and scope of the breach
  • Describe measures taken to address the breach
  • Recommend steps users should take to protect themselves
  • Notify relevant supervisory authorities as required by law

Audit Rights

Upon reasonable notice, you may audit our compliance with this DPA. We will provide documentation demonstrating compliance with data protection obligations.

Changes to This Agreement

We may update this DPA to reflect changes in our processing activities or legal requirements. Material changes will be communicated via email.