Subtly — Privacy Policy

Effective date: 15 April 2026 · Data controller: getsubtly Ltd (company number 17166772) · ICO registration: ZC135816

This policy explains what personal data getsubtly Ltd ("Subtly", "we", "us") collects when you use the Subtly mobile app, why we collect it, who we share it with, and the rights you have over it. We have written it in plain English deliberately. If anything is unclear, email privacy@getsubtly.com.

1. Who we are

getsubtly Ltd is a company registered in England and Wales (company number 17166772). Our registered office is Flat 21, Jubilee House, 126 Chapeltown Road. For data protection purposes we are the data controller of the information described below. You can contact us at privacy@getsubtly.com.

2. What the Subtly app does

Subtly is a habit-awareness app for small daily transactions. Everything you record is entered by you manually. We do not connect to your bank accounts, we do not use Open Banking, we do not aggregate transaction data from third parties, and we do not serve advertising inside the app.

3. What personal data we collect

3.1 Information you give us

• Account information: email address and, if you sign in via Apple or Google, the identifier provided by those services.

• Transaction entries you log: amount, currency, optional tag, optional note, and the time of the entry.

• Preferences you choose: default currency, quick-add tiles, theme override.

• Communications: if you email us for support we keep the message, your email address, and our reply.

3.2 Information we collect automatically

• Device and technical data: device model, operating system version, app version, language, time zone, and a random installation identifier. We do not collect your advertising ID, your location, or your contacts.

• Usage events: which screens you visit and which actions you take inside the app (for example, "entry_logged"). These events are pseudonymous — they are linked to the random installation identifier, not to your name.

• Diagnostic data: if the app crashes we collect the stack trace, the device model, and the OS version so we can fix the bug.

3.3 Information from third parties

If you purchase a subscription, Apple or Google tell us whether you are an active subscriber and what product you purchased. They do not share your name, address, or payment card details with us.

4. Why we use your data, and the legal basis

• To provide the Subtly service you signed up for — including storing your entries, syncing across your devices, and managing your subscription. Legal basis: performance of a contract with you.

• To keep the service secure, prevent abuse, and improve reliability. Legal basis: our legitimate interest in running a safe and functional product, balanced against your privacy.

• To understand how the app is used in aggregate so we can improve it. Legal basis: legitimate interest. You can opt out of analytics in Settings at any time.

• To respond when you contact us. Legal basis: legitimate interest and, where you contact us about your data protection rights, compliance with a legal obligation.

• To comply with our legal obligations, including tax, accounting, and responding to lawful requests from authorities. Legal basis: legal obligation.

5. Who we share your data with

We use a small number of vetted processors to operate Subtly. Each of them is contractually required to process your data only on our instructions.

• Supabase (hosted in London, United Kingdom) — stores your account, entries, tags, and preferences.

• RevenueCat — manages your subscription entitlement. Processes purchase receipts from Apple and Google.

• PostHog (EU region) — pseudonymous product analytics. You can disable this in Settings.

• Sentry — crash and error reporting.

• Resend — sends transactional emails (password reset, subscription receipts, account deletion confirmations).

• Apple and Google — operate the app stores, handle payment, and provide sign-in services where you choose to use them.

We do not sell your personal data. We do not share your personal data with advertisers. We have never done either of these things and have no plans to.

6. International transfers

Your Subtly account data is stored in the United Kingdom (London region). Some of our processors (Apple, Google, RevenueCat, Sentry, Resend, PostHog) may process limited data in the United States or other countries. Where this happens, transfers are protected by the UK International Data Transfer Addendum, Standard Contractual Clauses, or an adequacy decision.

7. How long we keep your data

• Account and entry data: for as long as your account exists. If you delete your account, we erase it within 30 days.

• Support emails: up to 3 years from the last message, then deleted.

• Diagnostic and analytics data: up to 12 months, after which it is deleted or irreversibly aggregated.

• Subscription and billing records: we keep the minimum required for tax and accounting purposes (currently 6 years in the UK), separately from your account data.

8. Your rights under UK GDPR

You have the following rights over your personal data:

• Access — get a copy of the personal data we hold about you.

• Rectification — correct data that is wrong or incomplete.

• Erasure — ask us to delete your data. You can do this yourself by deleting your account in Settings.

• Portability — get a machine-readable copy of the data you have given us. Subtly also offers CSV export in the app for free, so you do not need to ask us.

• Restriction — ask us to stop processing your data while a query is resolved.

• Objection — object to processing we do under legitimate interest (including analytics).

• Withdraw consent — where we rely on consent, you can withdraw it at any time.

To exercise any right, email privacy@getsubtly.com. We will respond within one month. Exercising a right is free.

9. Complaints

If you are unhappy with how we have handled your data, please email us first at privacy@getsubtly.com and give us a chance to put it right. You also have the right to complain to the Information Commissioner's Office (ICO), the UK supervisory authority. ICO helpline: 0303 123 1113. Website: ico.org.uk/make-a-complaint.

10. Children

Subtly is not directed to children under 13, and we do not knowingly collect personal data from anyone under 13. If you believe a child has created an account, email privacy@getsubtly.com and we will delete it.

11. Security

We use industry-standard measures to protect your data: encrypted transport (HTTPS/TLS 1.2+), encrypted storage at rest, row-level access controls so only you can read your own entries, and least-privilege access for our team. No system is perfectly secure; if we ever suffer a breach that affects your rights we will notify you and the ICO within 72 hours as required by UK GDPR.

12. Changes to this policy

We may update this policy from time to time. If the change is material we will notify you in the app and by email before it takes effect. The "Effective date" at the top of this policy always shows the current version.

13. Contact

getsubtly Ltd, Flat 21, Jubilee House, 126 Chapeltown Road. Email: privacy@getsubtly.com.