Privacy Policy

Effective date: April 16, 2026

This Privacy Policy explains how Subsio (“we”, “us”, or “our”) collects, uses, and protects your personal data when you use subsio.org (the “Service”). We are committed to protecting your privacy and complying with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

1. Overview

Subsio acts as the data controller for personal data processed through our Service. We collect only the data necessary to provide the Service, and we never sell your personal data to third parties.

The legal bases we rely on under GDPR are:

  • Contract performance — processing necessary to provide the Service you signed up for
  • Legitimate interests — improving the Service, preventing abuse, and ensuring security
  • Legal obligation — complying with applicable laws
  • Consent — where we explicitly ask for it (e.g., marketing emails)

2. Data We Collect

We collect the following categories of data:

Account Data

  • Email address (required for account creation)
  • Display name and profile picture (if signing in via Google/GitHub)
  • Authentication provider and user ID

Payment Data

  • Subscription plan and status (Free / Pro / Growth / Lifetime)
  • Stripe customer ID and subscription ID — we do not store full card numbers; payment details are handled entirely by Stripe

Content Data

  • Video files you upload for processing — stored temporarily on Cloudflare R2 and deleted after your retention period or upon account deletion
  • Processed video files with generated subtitles — available for download and deleted after 30 days of inactivity

Usage Data

  • Number of videos processed per month
  • Caption styles selected
  • Standard server logs: IP address, browser type, pages visited, timestamps — retained for up to 30 days

3. How We Use Your Data

We use your data to:

  • Create and manage your account
  • Process your videos and generate captions
  • Charge for paid plans and manage subscriptions
  • Enforce usage limits (monthly video quotas)
  • Send transactional emails: account confirmation, payment receipts, job completion notifications
  • Respond to support requests
  • Detect, prevent, and address technical issues or Terms violations
  • Improve the Service — in anonymized, aggregated form only

We do not use your uploaded video content or transcriptions to train AI models without your explicit opt-in consent.

4. Third-Party Services

We use the following third-party processors who may receive your personal data:

Service | Purpose | Data Shared
--- | --- | ---
Supabase | Authentication & database | Email, user ID, profile data
Stripe | Payment processing | Email, billing info (card handled by Stripe)
Cloudflare R2 | Video file storage | Uploaded & processed video files
faster-whisper | Speech transcription | Audio extracted from your videos (processed locally)

All third-party processors are contractually bound to process data only as instructed by us and in compliance with GDPR.

5. Data Retention

  • Account data: Retained for the duration of your account. Deleted within 30 days of account deletion request.
  • Uploaded videos: Retained while your account is active. Automatically deleted 30 days after processing if not downloaded.
  • Payment records: Retained for 7 years to comply with financial regulations.
  • Server logs: Retained for up to 30 days, then automatically purged.

6. Security

We implement industry-standard security measures to protect your data, including:

  • HTTPS/TLS encryption for all data in transit
  • Encryption at rest for stored files (Cloudflare R2 server-side encryption)
  • Row-level security in our database (Supabase RLS policies)
  • Signed, time-limited URLs for video downloads
  • Regular dependency and security updates

No method of transmission or storage is 100% secure. If you discover a security vulnerability, please report it responsibly to security@subsio.org.

7. Your Rights (GDPR)

If you are located in the European Economic Area (EEA), you have the following rights under the GDPR:

  • Right of access: Request a copy of the personal data we hold about you
  • Right to rectification: Correct inaccurate or incomplete data
  • Right to erasure: Request deletion of your personal data (“right to be forgotten”)
  • Right to restriction: Limit how we process your data in certain circumstances
  • Right to data portability: Receive your data in a structured, machine-readable format
  • Right to object: Object to processing based on legitimate interests
  • Right to withdraw consent: Where processing is based on consent, you may withdraw it at any time

To exercise any of these rights, email us at privacy@subsio.org. We will respond within 30 days. You also have the right to lodge a complaint with your national data protection authority.

8. Cookies

We use a minimal number of cookies necessary for the Service to function:

  • Authentication cookies: Set by Supabase to maintain your login session. These are strictly necessary and cannot be disabled.
  • Preference cookies: Used to remember UI preferences (e.g., selected caption style). You can clear these via your browser settings.

We do not use advertising, tracking, or analytics cookies from third parties (e.g., Google Analytics) without your explicit consent.

9. Children's Privacy

The Service is not directed at children under the age of 18. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, please contact us immediately at privacy@subsio.org and we will delete that data.

10. International Data Transfers

Our infrastructure involves services that may transfer data outside the EEA (e.g., Cloudflare, Stripe). When such transfers occur, we ensure they are protected by appropriate safeguards, including the European Commission's Standard Contractual Clauses (SCCs) or adequacy decisions.

11. Changes to This Policy

We may update this Privacy Policy from time to time. When we make significant changes, we will notify you by email or through a prominent notice on our website at least 14 days before the changes take effect.

12. Contact & DPO

For any questions, concerns, or data subject requests regarding this Privacy Policy, please contact us:

Subsio — Privacy Team

Email: privacy@subsio.org

Website: subsio.org

We aim to respond to all privacy-related inquiries within 30 days.

Also see our Terms of Service.