Privacy Policy
Last updated: February 23, 2026
1. Data Controller
Vortx ("we", "us", "our"), operating SubManager, is the data controller for personal data processed through the SubManager application and website at submanager.ch. While Vortx is not required to appoint a Data Protection Officer under GDPR Article 37, all privacy-related inquiries can be directed to privacy@submanager.app.
2. Data We Collect
We collect and process the following categories of personal data:
- Account information: Name, email address, and authentication credentials (password hash). We never store plaintext passwords.
- Subscription data: Subscription names, costs, billing periods, categories, renewal dates, payment methods, and notes you add.
- Family data: Family group membership, member roles, and invite codes used to join family groups.
- Community content: Reviews, subscription stacks, poll votes, leaderboard entries, and tips you choose to share publicly.
- Payment data: Premium purchases are processed by Stripe. We never store your credit card details. We only receive confirmation of payment status from Stripe.
- Analytics data: Usage patterns, feature interactions, and app performance metrics collected via Firebase Analytics, only with your explicit consent.
- AI feature data: When you use AI-powered features (insights, natural language parsing, cancellation guides, smart price monitoring), your subscription data is sent to Anthropic for processing. This only occurs when you actively enable or use AI features.
- Device data: Firebase Cloud Messaging (FCM) tokens for push notifications, collected only with your consent.
- Referral data: Referral codes you generate or use, and referral counts associated with your account.
3. Legal Basis for Processing (GDPR Article 6)
We process your personal data under the following legal bases:
- Article 6(1)(b) — Contractual necessity: Processing necessary to provide the SubManager service, including account management, subscription tracking, family features, and payment processing.
- Article 6(1)(a) — Consent: Processing based on your explicit consent, including analytics data collection, push notifications, AI-powered features, and community features. You may withdraw consent at any time without affecting the lawfulness of processing prior to withdrawal.
- Article 6(1)(f) — Legitimate interest: Processing necessary for our legitimate interests, including security monitoring, fraud prevention, and service stability. These interests do not override your fundamental rights and freedoms.
4. Third-Party Processors (GDPR Article 28)
We engage the following third-party data processors, each bound by data processing agreements in accordance with GDPR Article 28:
- Firebase / Google Cloud: Authentication, Firestore database, Analytics, and hosting. Data is stored with EU data residency. Google maintains Standard Contractual Clauses (SCCs) for any transfers outside the EEA.
- Stripe: Payment processing for premium upgrades. Stripe is PCI DSS Level 1 certified and maintains Standard Contractual Clauses. We never store your card details.
- Anthropic: AI features (savings insights, natural language parsing, cancellation guides, smart price monitoring) use Anthropic's Claude models. Your subscription data is sent to Anthropic only when you use AI features. Anthropic does not retain data beyond the request lifecycle and does not use your data to train models.
- SendGrid: Email notifications and transactional emails. SendGrid maintains Standard Contractual Clauses for international data transfers.
5. International Data Transfers (GDPR Article 46)
Some of our third-party processors are based in the United States. For any transfer of personal data outside the European Economic Area, we rely on the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) adopted by the European Commission, ensuring that your data receives an adequate level of protection as required by GDPR Article 46.
6. Data Retention
- Account and subscription data: Retained for as long as your account is active.
- Community content: Reviews, stacks, and other shared content are retained until you delete them or delete your account.
- Analytics data: Retained for up to 14 months in accordance with Firebase Analytics defaults.
- AI insights cache: Cached AI-generated insights are retained for up to 90 days.
- Account deletion: Upon account deletion, all personal data is permanently removed within 30 days.
7. Your Rights (GDPR Chapter III)
Under the General Data Protection Regulation, you have the following rights:
- Right of access (Art. 15): Request a copy of all personal data we hold about you. You can view your data via the Privacy & Data page in the app.
- Right to rectification (Art. 16): Request correction of inaccurate personal data through your profile settings.
- Right to erasure (Art. 17): Request deletion of your account and all associated personal data.
- Right to restrict processing (Art. 18): Request that we restrict certain processing activities on your data.
- Right to data portability (Art. 20): Export your personal data in a structured, commonly used, machine-readable format (JSON).
- Right to object (Art. 21): Object to processing based on legitimate interests, including profiling.
- Right to withdraw consent (Art. 7(3)): Withdraw consent for any consent-based processing at any time, without affecting the lawfulness of processing prior to withdrawal.
- Right to lodge a complaint (Art. 77): Lodge a complaint with your local data protection supervisory authority if you believe your rights have been violated.
You can exercise these rights through your Privacy & Data settings or by emailing privacy@submanager.app. We will respond to your request within 30 days as required by the GDPR.
8. Security
We implement appropriate technical and organizational measures to protect your personal data. All data is encrypted in transit with TLS 1.3 and at rest using AES-256 encryption provided by Google Cloud infrastructure. We enforce strict access control through Firebase Security Rules. Payment data never touches our servers: it is handled exclusively by Stripe, which maintains PCI DSS Level 1 compliance.
9. Cookies
SubManager uses only essential cookies required for Firebase Authentication session management. We do not use tracking or advertising cookies. Analytics cookies (Firebase Analytics) are only set with your explicit consent and can be disabled at any time through your privacy settings.
10. Children's Privacy
SubManager is not directed at children under the age of 16, in accordance with GDPR Article 8. We do not knowingly collect personal data from children under 16. If you believe a child under 16 has provided us with personal data, please contact us at privacy@submanager.app and we will promptly delete the data.
11. Changes to This Policy
We may update this Privacy Policy from time to time. When we make changes, we will notify you via an in-app notification and update the "Last updated" date at the top of this page. Your continued use of SubManager after being notified of changes constitutes acceptance of the updated policy.
12. Contact
For any questions about this Privacy Policy or our data practices, contact Vortx at privacy@submanager.app.
To lodge a complaint with a supervisory authority, contact your local data protection authority (DPA). A list of EU data protection authorities is available on the European Data Protection Board website.