Privacy Policy
Last updated: April 19, 2026
Who we are
TidySubs is a subscription-management platform operated by Rick Enrico at SlideGenius, San Diego, California. This policy describes what data TidySubs collects when you use our service, how we use it, and what rights you have over it.
Contact for privacy matters: privacy@tidysubs.com.
What data we collect
We collect only what we need to run the service:
- Account data — your name, email address, and Google profile image, collected when you sign in with Google OAuth.
- Financial account connections — when you connect a bank or card through Plaid Link, we receive a Plaid access token and item identifier. We do not see or store your bank credentials.
- Transactions — the transactions Plaid returns for the accounts you connect, including merchant name, amount, date, and category. We store these to detect recurring charges.
- Derived data — the recurring charges we detect, vendor normalizations, ground-truth review labels, and audit-log entries of every action you take.
- Operational data — the usual web-app minimum: IP address, user agent, and basic request logs for abuse prevention, kept 90 days.
How we use your data
- Detect which charges on your connected accounts recur on a schedule.
- Show you those charges in your dashboard, with the amount, cadence, and next predicted date.
- When you approve it: cancel, pause, downgrade, or renegotiate a subscription on your behalf.
- Send you the weekly savings-recap email (you can opt out).
- Maintain an audit log of every read, detection pass, and action for your transparency and ours.
We do not use your financial data for marketing, advertising, or lead generation. We do not sell your data to anyone. We do not use your data to train general-purpose or cross-customer AI models.
Third-party services (subprocessors)
We share data with a small number of vendors that process it on our behalf:
- AWS — hosts our application, database (RDS Postgres), and file storage, and sends transactional email (SES).
- Plaid — provides the bank and card aggregation feeds. Plaid's own privacy policy also applies to the data we obtain through them: plaid.com/legal/#end-user-privacy-policy.
- Anthropic — provides the LLM inference for natural-language features and cancellation automation, under a zero-data-retention contract.
- Google — OAuth sign-in only. Google does not process your financial data.
When we add or remove a subprocessor we post the change at security.tidysubs.com at least 30 days before it takes effect. That page goes live once our SOC 2 Type 1 report is issued (targeted H1 2026).
Security
- All Plaid access tokens, OAuth refresh tokens, and API keys are encrypted at rest using AES-256-GCM with a 32-byte key.
- All data in transit is protected by TLS 1.2 or higher.
- Our database storage is encrypted using AWS KMS; per-tenant envelope keys roll out in H1 2026.
- We are pursuing SOC 2 Type 1 (H1 2026 close) and Type 2 (Q3 2027).
- No security program is perfect. If you believe you've found a vulnerability, please email security@tidysubs.com.
Data retention
- Transactions — rolling 24 months by default, or up to 7 years if you've connected an accounting integration that needs the longer history for audit purposes.
- Plaid access tokens — kept for the life of the connection, deleted within 30 days of disconnection.
- Detected recurring charges and vendor normalizations — kept for the life of your account, deleted on request.
- Audit log — 7 years, consistent with financial-audit best practice.
Your rights
You can, at any time:
- Disconnect an institution — the dashboard has a per-institution disconnect control. We revoke the Plaid item and delete the encrypted access token immediately. Derived data is purged within 30 days.
- Delete your account — email privacy@tidysubs.com. We delete everything within 30 days (or within 5 business days on explicit request) and send a confirmation.
- Request a copy of your data — same email address; we respond with a machine-readable export within 30 days.
- Opt out of the weekly savings-recap email — use the unsubscribe link at the bottom of any email, or email us.
- CCPA / California residents — you have the right to know, delete, and opt out of the sale of personal information. We do not sell personal information. Requests go to the same privacy address.
We currently operate in the United States only and do not accept users from outside the US. When we expand internationally we will add GDPR-specific flows before accepting non-US users.
Children
TidySubs is not intended for anyone under 18. We do not knowingly collect data from minors. If we learn a minor has signed up we will delete the account.
Changes to this policy
We may update this policy as the product evolves. Material changes get an email notice 30 days before they take effect; non-material changes (typos, clarifications) are posted with a new Last updated date at the top.
Contact
Questions about this policy, your data, or a privacy request: privacy@tidysubs.com.
TidySubs · Incubated at SlideGenius, San Diego, CA