Privacy policy

Account email. If you sign in, your email lives in Supabase Auth so we can authenticate you and send you transactional emails (magic-link sign-in, subscription alerts you opt into).

Subscriptions you add. When you add a subscription to your dashboard, we store the service name, category, price, next charge date, and any notes you write. Nothing else.

Notification preferences. Channel choices (email, push, SMS, calendar) and timing settings — whatever you configured on /notifications.

Notification history. Records of alerts we've sent you. Stored so you can see your own history; we don't analyse it for ads.

Anonymous analytics. Vercel Analytics records page views and aggregate visitor counts. No cookies, no IP fingerprinting, no tracking across sites.

• No bank or credit-card details — we don't handle payments at all.
• No location data beyond what Vercel logs server-side for routing.
• No data scraped from third-party services. If you tell us “I subscribe to Netflix”, we don't ping Netflix.
• No advertising identifiers.
• No third-party cookies. (We use only Supabase's own auth cookies on cancelhub.app.)

Three services act as processors on our behalf:

• Supabase — auth + Postgres database hosting (EU West region). Your subscriptions table lives here.
• Resend — transactional email delivery (magic-link sign-in, subscription alerts). They process your email address but don't store the content of your dashboard.
• Vercel — hosts the website and processes anonymous analytics.

We don't share your data with anyone else. We don't sell, rent, or trade it. We don't share it with the subscription services we write guides about.

You can, at any time:

• Export your data — write to us and we'll send you a JSON dump of everything we hold about you, within 7 days.
• Delete your account — wipes your row in Supabase Auth, your subscriptions, your settings, and your notification history. Cannot be undone.
• Opt out of any notification type via /notifications.

If you're in the EU/UK, you have additional rights under GDPR — including the right to lodge a complaint with your data-protection authority. We'll cooperate with any such request.

We use industry-standard practices: passwords are never stored (magic-link auth only; Google OAuth handled by Google), database access is gated behind row-level security so you can never see another user's rows, and connections are TLS-encrypted end-to-end.

We won't pretend we're unhackable. If we have a breach, we'll notify affected users by email within 72 hours, as required by GDPR Article 33.

CancelHub is for adults managing their own subscriptions. We don't knowingly collect data from anyone under 16. If you believe a minor has signed up, email us and we'll delete the account.

If we materially change what we collect or who we share data with, we'll update this page and email signed-in users. Minor edits (typos, clarity) will just be reflected in the “last updated” date at the top.

Questions, requests, or complaints: hello@cancelhub.app

We read every email and respond within 1 business day.