  • Secure bank connectivity via FCA-authorised TrueLayer
  • Read-only access
  • 256-bit encryption
  • No passwords stored

Security & Privacy

Built so we can't hurt you, even if we wanted to.

SubCut is designed around a single principle: we should be able to find money leaks in your account without ever being able to move money out of it. Here's exactly how that works.

Connectivity

How we connect to your bank

We connect to UK bank accounts through TrueLayer, the UK's leading open banking provider. TrueLayer is authorised and regulated by the Financial Conduct Authority (FRN: 793171) as an Authorised Payment Institution.

You authenticate directly with your bank using their official app or login page. SubCut never sees, handles, or stores your bank credentials.

Your bank issues TrueLayer a short-lived, read-only access token. We use that token to fetch transaction history — nothing more.

Permissions

What we can and cannot do

What we can do

  • Read your transaction history
  • Detect recurring charges and patterns
  • Surface duplicates and price increases
  • Show upcoming renewals

What we cannot do

  • Move, transfer, or withdraw money
  • Make payments on your behalf
  • Cancel subscriptions automatically
  • See or store your bank password

Cancellation is always a manual step. SubCut walks you through it — you confirm it with the merchant directly.

Your data

How your data is handled

CSV uploads are processed entirely in your browser. The file never leaves your device and is never uploaded to our servers.

Open banking data is held in an encrypted, short-lived session cookie scoped to your browser. We do not persist raw transaction data on our servers beyond what's required to show you the dashboard during your session.

We do not sell, share, or rent your data to third parties. Ever.

Encryption

Encryption in transit and at rest

  • TLS 1.3 on every connection between your browser, SubCut, and TrueLayer.
  • 256-bit AES encryption for any data we cache at the edge.
  • ISO 27001-aligned infrastructure practices.
  • Bank credentials never touch SubCut servers — they're entered directly into your bank's authentication flow.

Your rights

GDPR and your data rights

Under UK GDPR you have the right to access, correct, export, and delete the data we hold about you at any time.

You can disconnect your bank in a single click from the dashboard — that immediately revokes the access token and clears the session.

To delete your account and any associated data, email privacy@subcut.app. We respond within 7 days.