Privacy Policy
Last updated: 6 May 2026 · Effective: 6 May 2026
The short version. Subly tracks subscriptions on your iPhone. We do not connect to your bank. We do not sell or share your subscription list with anyone. The list lives in SwiftData on your device and (if you opt in) in your private iCloud container. We don't have a copy.
1. Who we are
Subly is operated by Mohammed Alquraini ("we", "us"). You can reach us at hello@subly.app.
2. Data Subly handles, and where it lives
2.1 On-device only
- Your subscription list — names, amounts, currencies, billing cycles, renewal dates, categories, notes, icons. Stored in SwiftData on your iPhone. If you have iCloud signed in for this device, SwiftData syncs the list to your private iCloud container. Apple is the data controller for that container; we never see it.
- App preferences — preferred display currency, language, default reminder offset. Stored in UserDefaults on the device.
- Apple-managed subscription detection — when StoreKit identifies a subscription you bought via the App Store, Subly reads it locally to add it to your list. The read happens entirely on-device.
2.2 Sent to our backend, then discarded
Three features call api.subly.apflowhq.com:
- Voice parsing. When you record a sentence about a subscription, the audio is transcribed locally on your iPhone via Apple's Speech framework. The resulting text — not the audio — is sent to our backend, parsed by an LLM, and a structured candidate is returned. We do not log the transcript or the parsed result.
- Bank-statement OCR. When you scan a bank statement, the image is uploaded to our backend, read once by an LLM to extract recurring charges, and the response is returned. The image is not stored server-side. The response (a list of merchant + amount + frequency tuples) is also not stored.
- FX rates. The app fetches a public exchange-rate snapshot (~166 currencies, sourced from open.er-api.com via our cache) so it can convert subscription amounts into your preferred display currency. The fetch is a plain GET; we don't transmit your subscription list to compute the rates.
Backend logs are restricted to anonymous request metadata (timestamp, status code, latency, anonymous device ID) for ~30 days for abuse and reliability monitoring. Subscription data and bank-statement images are not in logs.
2.3 Third-party services
- RevenueCat manages Pro entitlements. They receive an anonymous device identifier and the StoreKit transaction record so the in-app upgrade can be verified. They do not receive your subscription list.
- Apple App Store / iCloud are governed by Apple's privacy policy.
- iTunes Search API is queried (anonymously) when you type a service name, to fetch the official icon. The query carries the service name you typed; no other data.
3. Data Subly does NOT collect
- We do not collect your bank credentials. Subly has no Plaid integration. There is no "Connect bank" feature anywhere in the app.
- We do not collect your name, email address, phone number, postal address, or other personal identifiers. Subly has no account system.
- We do not embed third-party analytics SDKs. There is no Firebase Analytics, no Google Analytics, no Mixpanel, no Amplitude.
- We do not run advertising SDKs. Subly does not show ads.
- We do not access your contacts, photos library (beyond a single photo you explicitly pick for the bank-statement scan), location, microphone (beyond a single recording you explicitly start), or health data.
4. Children
Subly is rated 4+ in the App Store and is not directed at children under 13. We do not knowingly collect data from children. If you believe a child has used Subly to upload a bank statement, contact us and we will confirm the image was discarded post-OCR (the design guarantees it).
5. Your rights
- Access + portability. Settings → Export as JSON gives you a complete, machine-readable copy of every subscription on your device.
- Deletion. Long-press a subscription and pick Delete to remove it. To wipe the entire list at once, delete and reinstall the app — SwiftData clears with the bundle. iCloud copies clear via iOS Settings → Apple ID → iCloud → Manage Storage → Subly.
- Opt-out of cloud sync. iOS Settings → Apple ID → iCloud → Subly → off. The local list stays; the cloud copy is removed.
- EU / UK GDPR + California CCPA. Because we don't have a copy of your subscription list, there is nothing for us to disclose, correct, or erase server-side. To exercise rights against Apple's iCloud copy, see Apple's data-rights portal.
6. Security
The local SwiftData store inherits iOS file-system encryption (Data Protection Class C — accessible while unlocked or first-unlock). The iCloud copy is end-to-end encrypted by Apple. Our backend uses TLS 1.3, runs on Hetzner infrastructure in Frankfurt, and exposes only the three endpoints described in §2.2.
7. International transfers
If you are in the EU/UK and use the OCR or voice-parsing features, the request is processed by our backend in Frankfurt (EU). If you are outside the EU, your request still hits the same Frankfurt backend — we do not run regional points of presence (PoPs).
8. Changes
We will revise this policy if Subly's data handling changes. The "Last updated" date above will move; material changes will be highlighted via a banner inside the app. Changes do not retroactively claim any data that wasn't covered before.
9. Contact
Questions, deletion requests, or bug reports about this policy: hello@subly.app.