Privacy Policy
Submap (the “app”) is a subscription tracker that helps you keep an inventory of your recurring payments. This policy describes what data the app collects, why, who it is shared with, and how you can remove it. The data controller is Denis Dashchinsky, registered as an individual entrepreneur in Georgia.
1. Data we collect
1.1 Account identifiers
When you sign in, we receive an account identifier from your sign-in provider:
- Sign in with Apple — we receive a stable opaque user ID and, on the first sign-in only, the email address you choose to share (which may be a private relay address that forwards to your real inbox). We do not request your real name.
- Anonymous sessions — if you use the app without signing in, we generate a random anonymous user ID stored on your device. No personal identifier is sent to us.
1.2 Subscription data you enter
Submap stores the subscriptions, cards, and charges that you create in the app. This includes the service name, price, currency, billing cycle, next charge date, optional notes, and the card-label that you assigned to the subscription (for example the last four digits and a colour you chose — not a real payment instrument). The app does not collect, store, or have access to actual card numbers, CVC codes, or banking credentials.
1.3 Voice and screenshot input
When you add a subscription by voice or by capturing a screenshot, the audio recording or image is sent to a Google Gemini model through our backend in order to extract the structured fields (service name, price, billing cycle). The raw audio or image is not stored on our servers after the request completes; only the extracted structured fields are saved to your account.
1.4 Diagnostic data
For crash reporting and stability monitoring we use Sentry. Crash reports include the stack trace, device model, OS version, app version, and an opaque installation identifier. We do not enable Sentry’s default personally-identifiable-information (PII) capture, and Submap is not configured to send your name, email, or IP address to Sentry. Reports are not generated in development builds, only in published releases.
1.5 Data we do not collect
- We do not run third-party analytics SDKs, advertising SDKs, or marketing trackers.
- We do not access your contacts, calendar, photos, location, or microphone outside of the explicit voice-input flow you initiate yourself.
- We do not access your real bank, card, or App Store / Google Play purchase history.
2. How we use the data
- To render your subscription list, charges, and analytics inside the app.
- To send you optional push notification reminders before a charge, if you enabled them.
- To diagnose crashes and prevent regressions in future versions.
- To enforce the limits of free voice and screenshot processing per account.
We do not sell, rent, or share your personal data with advertisers.
3. Service providers
The app is built on top of the following sub-processors. Each receives only the minimum data it needs to perform its function:
- Supabase (database, authentication, edge functions) — stores your subscription, card, and charge rows under a row-level-security policy keyed by your user ID, so a row is only ever readable by the account that owns it. Hosted in the European Union.
- Google Gemini API — receives the voice recording or screenshot you submit when adding a subscription, and returns the extracted structured fields. Per the Gemini API terms, prompts are not used to train Google models.
- Sentry — receives crash reports and performance traces from production app builds, scrubbed of PII.
- Apple — provides the Sign in with Apple identity service and the App Store distribution channel. Apple processes your sign-in event under its own privacy policy.
4. Data retention
Your data is retained for as long as your Submap account exists. When you delete your account from Settings → Delete account, the app calls a server function that removes your authentication record and cascades the deletion to all rows you own (subscriptions, cards, charges, preferences). Crash reports in Sentry and Edge Function logs are kept for 30 days as part of normal operational retention; these do not contain PII.
5. Your rights
You have the right to access, correct, export, and delete your personal data, and to withdraw consent at any time. The app provides in-product controls for the most common actions:
- Settings → Export data downloads a copy of every subscription, card, and charge you own as a portable file.
- Settings → Delete account erases all of your data permanently.
- Settings → Sign out ends the current session without deleting any data.
For any request that the in-app controls cannot satisfy — including a formal access or erasure request under GDPR or CCPA — email support@submap.cloud.
6. Children
Submap is not directed at children under 13 (under 16 in the EEA). We do not knowingly collect personal data from children. If you believe a child has used Submap, contact support@submap.cloud and we will erase the account.
7. International transfers
Submap may transfer your data to service providers located outside of your country, including the European Union and the United States. Where a transfer leaves the EEA, we rely on the European Commission’s Standard Contractual Clauses or an equivalent adequacy decision, as applicable to each provider.
8. Changes to this policy
Material changes to this policy will be announced inside the app before they take effect, and the “Last updated” date above will reflect the most recent revision.
9. Contact
Questions about this policy or your data: support@submap.cloud