Privacy Policy

Your data, your control.

SubCut is designed to do its job — finding subscriptions you'd rather not have — with the absolute minimum amount of data possible. Here's exactly what we collect, what we do with it, and your rights under UK GDPR.

Last updated: May 2026

01

What data we collect

We collect only the data needed to operate SubCut for you:

  • Transaction data — when you connect your bank, we receive a read-only feed of your recent transactions via TrueLayer. We use this exclusively to detect recurring charges and subscriptions.
  • Email address — if you sign up, join the waitlist, or contact us, we store the email address you provide.
  • Account preferences — if you create an account, we store your savings pot total, goal name, and dismissed-leak state so you don't lose progress.
  • Anonymous usage data — standard server logs (IP, user agent, request paths) for security and debugging. We do not run third-party analytics that profile users.

We do not collect your bank credentials. Authentication happens directly with your bank via TrueLayer; we never see or store passwords.

02

How we use it

We use the data above for exactly one thing: helping you find and cancel unwanted subscriptions.

Transaction data feeds the subscription detector, which surfaces recurring charges, duplicates, and price increases on your dashboard. Your email lets us send essential service messages, account emails, and — only if you opt in — product updates.

We do not sell, rent, or share your personal or financial data with third parties for advertising or profiling. Ever.

03

How your data is stored

CSV uploads are processed entirely in your browser. The file is never uploaded to our servers.

Open banking data from TrueLayer is held in a short-lived, encrypted session cookie scoped to your browser. We do not persist raw transactions on our servers beyond what's needed to render your dashboard during your session.

Account data — if you sign in — is stored on UK/EU-hosted infrastructure (Supabase) with encryption at rest.

04

TrueLayer as our data processor

We use TrueLayer to connect securely to your bank. TrueLayer is authorised and regulated by the Financial Conduct Authority (FRN: 793171) as an Authorised Payment Institution.

TrueLayer acts as a data processor on our behalf. They handle the bank-grade authentication and transaction retrieval, and they are contractually bound by our data processing agreement to use your data only to provide the open banking service.

You can revoke TrueLayer's access at any time from the cancellation hub or directly with your bank.

05

Your rights under UK GDPR

You have the right to:

  • Access — request a copy of all personal data we hold about you.
  • Rectification — request that we correct any inaccurate data.
  • Erasure — request that we delete your account and any associated data.
  • Portability — request your data in a machine-readable format (JSON or CSV).
  • Restriction — limit how we process your data while a request is being reviewed.
  • Objection — object to particular uses of your data.

To exercise any of these rights, email hello@subcut.co.uk. We respond within 30 days as required by UK GDPR.

You also have the right to lodge a complaint with the UK Information Commissioner's Office at ico.org.uk.

06

Cookies

We use a small number of cookies that are strictly necessary for the service to work — for example, the encrypted session cookie that holds your TrueLayer connection. We do not use third-party tracking or advertising cookies.

07

Contact

For any privacy questions, data requests, or concerns, email hello@subcut.co.uk.