Security

How we protect your data

Our Security Commitment

At SubKicker, security is not an afterthought—it's built into every layer of our service. We understand the sensitive nature of email data and implement industry-leading security practices to protect your information.

Data Encryption

In Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.3, the latest and most secure version of the Transport Layer Security protocol.

At Rest

Your subscription data is encrypted at rest using AES-256 encryption. Database backups are also encrypted using the same standard.

Authentication & Authorization

  • Google OAuth 2.0 for secure authentication
  • No password storage—authentication is handled by Google
  • Read-only Gmail access scope (gmail.readonly)
  • Token-based session management with automatic expiration
  • Support for two-factor authentication (2FA) via Google Account

Gmail Access Policy

Read-Only Access

SubKicker requests only read-only access to your Gmail. We cannot and will not:

  • Send emails on your behalf
  • Delete or modify your emails
  • Access emails outside of subscription detection
  • Share your email content with third parties

Minimal Data Collection

We only extract subscription-related metadata (service name, amount, billing date). Full email content is processed in real-time and not permanently stored.

Infrastructure Security

  • Hosted on Vercel with SOC 2 Type II compliance
  • Database hosted on secure, encrypted infrastructure
  • Regular security patches and updates
  • Automated vulnerability scanning
  • DDoS protection and rate limiting

Access Controls

Internal access to user data is strictly limited:

  • Role-based access control (RBAC) for team members
  • Multi-factor authentication required for admin access
  • All access is logged and audited
  • Regular access reviews and revocations

Compliance

  • GDPR compliant (EU General Data Protection Regulation)
  • CCPA compliant (California Consumer Privacy Act)
  • Google API Services User Data Policy compliant
  • Regular third-party security audits

Incident Response

We maintain a comprehensive incident response plan. In the unlikely event of a security incident:

  • Notification of affected users within 72 hours
  • Immediate investigation and containment procedures
  • Transparent communication about the incident and its resolution
  • Post-incident analysis and security improvements

Your Security Responsibilities

You can help keep your account secure by:

  • Enabling 2FA on your Google Account
  • Using a strong, unique password for Google
  • Reviewing account activity regularly
  • Revoking access if you no longer use SubKicker
  • Not sharing your account credentials

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly. We take all reports seriously and will respond promptly.

We do not currently offer a bug bounty program but appreciate responsible disclosure.