Privacy Policy
Recurrly ("we", "us", "our") is a subscription management app. This policy explains what information we collect, how we use it, and the choices you have. By using Recurrly you agree to this policy.
1. Information We Collect
Account information
When you sign up we collect your email address and name via our authentication provider, Clerk. Passwords, if used, are never stored by us — they are handled entirely by Clerk.
Subscription data you create
Names, prices, billing cycles, renewal dates, categories, currency, trial end dates, and status (active / paused / canceled) for any subscription you add manually or approve from a Gmail match.
Gmail data (only if you connect Gmail)
If you opt in to Gmail sync, we access:
- Message metadata (sender, subject, date)
- Message bodies of receipt/billing emails that match our internal keyword filters (e.g. "invoice", "subscription", "receipt")
We do not read personal messages, attachments, or emails outside the billing-receipts filter.
Device and usage data
Anonymous usage events (screen views, button taps, feature usage) via PostHog analytics. We do not associate these events with your real name or email.
Diagnostic data
Crash reports and performance metrics via Expo / Google Play's standard diagnostic pipelines.
2. How We Use Your Data
- Provide the subscription-tracking service (detect recurring charges, calculate totals, surface upcoming renewals)
- Send local device notifications for trial and renewal reminders (7 / 3 / 1 day before)
- Improve the product based on aggregate, anonymous usage trends
- Detect abuse, security incidents, and fraud
We do not sell your data to third parties. We do not use your data for targeted advertising.
3. Gmail Access (OAuth Scopes)
Recurrly requests the following Google OAuth scope:
https://www.googleapis.com/auth/gmail.readonly
This scope is read-only. We cannot send email, delete messages, or modify your inbox. We limit our reads to messages matching our billing-receipts keyword filter.
A refresh token is stored in our database (Supabase, AWS us-east-2) so that Recurrly can periodically re-scan your inbox for new receipts. This token is encrypted at rest.
You can revoke Gmail access at any time:
- In Recurrly: Settings → Gmail Integration → Disconnect
- In your Google Account: myaccount.google.com/permissions → revoke access for Recurrly
Revoking from either location immediately invalidates our token and stops all future scans.
4. Data Storage and Security
- Where: Your data is stored on Supabase (Postgres, hosted on AWS).
- Access control: Row-Level Security ensures only your authenticated account can read or write your records.
- Encryption: Data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Gmail refresh tokens are additionally encrypted with an application-level key.
- Retention: We retain your data as long as your account is active. See Section 6 for deletion.
5. Third-Party Services
Recurrly uses the following third-party services. Each has its own privacy policy.
| Provider | Purpose | Privacy Policy |
|---|---|---|
| Clerk | Authentication | clerk.com/privacy |
| Supabase | Database hosting | supabase.com/privacy |
| Google (Gmail API) | Gmail read access (opt-in) | policies.google.com/privacy |
| PostHog | Anonymous product analytics | posthog.com/privacy |
| Expo | Build and crash diagnostics | expo.dev/privacy |
6. Your Rights and Choices
You can:
- Export your data — contact us at saad.mney1@gmail.com and we will send you a JSON export of your subscriptions within 30 days.
- Delete your account and all associated data — contact saad.mney1@gmail.com from the email on file. Deletion is permanent and completes within 30 days. Gmail refresh tokens are destroyed immediately.
- Disconnect Gmail at any time — from Settings or from your Google account.
- Turn off analytics — we will add an in-app toggle in a future release; in the meantime you can uninstall the app to stop all PostHog reporting.
Residents of the EEA, UK, California, or other jurisdictions with data rights laws have the right to access, correct, and delete their personal data. To exercise these rights, email saad.mney1@gmail.com.
7. Children
Recurrly is not directed to children under 13. We do not knowingly collect personal information from children. If you believe a child has provided us with personal information, email saad.mney1@gmail.com and we will delete it.
8. Changes to This Policy
We may update this policy from time to time. Material changes will be surfaced in-app and the "Last Updated" date at the top will reflect the change.
9. Google API Services User Data Policy (Limited Use Disclosure)
Recurrly's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Specifically:
- Recurrly's use of Gmail data is limited to providing or improving the subscription-detection feature.
- Recurrly does not transfer Gmail data except as necessary to provide the service.
- Recurrly does not use Gmail data for serving advertisements.
- Humans do not read Gmail data except with the user's explicit consent, for security purposes (e.g. investigating abuse), to comply with applicable law, or as aggregated/anonymized data used for internal operations.
10. Contact
Email: saad.mney1@gmail.com
Data controller: Recurrly (operated by the Recurrly team)