Privacy Policy

Effective Date: June 18, 2026 · Last Updated: June 18, 2026

    PeltaX is built on a simple principle: your financial data is yours. We access only what we need to detect and cancel unwanted subscriptions — nothing more.
  

1. Who We Are

PeltaX ("PeltaX," "we," "us," or "our") is a subscription management service that helps users detect upcoming subscription charges and cancel unwanted subscriptions before they are billed. Our mobile application is available on Android via Google Play. Our registered contact address is available at [email protected].

2. Information We Collect

Account Information

When you create an account, we collect your name and email address. If you sign in with Google, we receive your Google profile information (name, email, and profile photo) via Google OAuth.

Bank Transaction Data (via Plaid)

PeltaX connects to your bank accounts through Plaid, a regulated financial data provider. When you link a bank account:

You enter your banking credentials directly into Plaid's secure interface — PeltaX never sees, stores, or transmits your bank username or password.
Plaid provides us with read-only access to your transaction history (up to 90 days) and recurring transaction patterns.
We use this data exclusively to detect subscription charges and predict future billing dates.
We cannot initiate payments, transfers, or any financial transactions on your behalf.
Plaid access tokens (which authorize our read-only access) are stored encrypted using AES-256-GCM encryption.

Gmail Access (Optional — Tier 3 Cancellations Only)

If you sign in with Google, PeltaX requests the gmail.send scope. This permission is used exclusively to send cancellation request emails on your behalf to merchants that only accept email-based cancellation requests. We use this scope only when you explicitly initiate a cancellation. We do not read, index, store, or analyze the contents of your Gmail inbox.

Session Cookies (Temporary — Cancellation Only)

For automated cancellations, PeltaX may temporarily capture session cookies from a merchant website after you log in inside our in-app browser. These cookies allow our system to complete the cancellation on your behalf without storing your password. Session cookies are:

Encrypted with AES-256-GCM before storage.
Stored with a 7-day expiration and used only once.
Permanently deleted ("scrubbed") from our database immediately after the cancellation job is executed. Once consumed, the cookie data is irrecoverable even in the event of a future database breach.
Never used for any purpose other than the specific cancellation you authorized.

Push Notification Tokens

If you enable push notifications, we store your Expo push notification token to send you alerts about upcoming charges. You can disable notifications at any time in the app settings.

Usage and Feedback Data

We collect structured logs of detection, approval, and cancellation events to improve accuracy. If you submit in-app feedback, we store your rating and message.

3. How We Use Your Information

To detect subscription charges in your bank transaction history.
To predict upcoming billing dates and notify you before charges occur.
To execute cancellation requests on your behalf when you instruct us to.
To send cancellation emails via Gmail when you explicitly authorize a Tier 3 cancellation.
To send push notifications about pending approval requests and cancellation outcomes.
To improve the accuracy of our detection engine and cancellation scripts.
To maintain the security and reliability of our service.

4. How We Store and Protect Your Data

All data is stored in a hosted PostgreSQL database (Supabase) with Row-Level Security (RLS) enabled, meaning database queries are enforced at the database level so that users can only access their own data.

Sensitive data (Plaid access tokens, session cookies) is encrypted using AES-256-GCM with a 256-bit key and a unique random initialization vector per encryption operation. The authentication tag embedded in each ciphertext provides tamper detection.

Your bank credentials are never transmitted to PeltaX servers at any point. Login credentials submitted for manual cancellation assistance exist only in memory during job execution and are never written to disk or database storage.

5. Data Sharing

We do not sell your personal information. We do not share your data with advertisers. We share data only with the following service providers strictly necessary to operate PeltaX:

Plaid Inc. — bank connection infrastructure. Plaid's privacy policy governs their handling of your banking credentials. See plaid.com/legal/privacy-policy.
Supabase — hosted database and authentication infrastructure.
Expo / Expo Push Notification Service — push notification delivery.
Google LLC — authentication (Google OAuth) and Gmail API for email cancellations.
Railway — backend server hosting.

We may disclose your information if required by law, court order, or to protect the rights and safety of PeltaX, our users, or the public.

6. Data Retention

Bank transaction data is processed in real time for detection and is not stored beyond what is recorded in detected subscription records.
Session cookies are scrubbed from our database immediately after use.
Plaid access tokens are retained for as long as you have an active bank connection in the app. Disconnecting a bank removes the token.
Account data is retained until you delete your account.
You may request deletion of your data at any time by contacting [email protected].

7. Your Rights and Choices

Access: You may request a copy of the personal data we hold about you.
Deletion: You may request deletion of your account and all associated data.
Correction: You may update your account information within the app settings.
Disconnect Bank: You may disconnect any linked bank account at any time from the app settings. This revokes PeltaX's access token.
Revoke Gmail Access: You may revoke Gmail access at any time via your Google Account settings at myaccount.google.com/permissions.
Notifications: You may disable push notifications in app settings or your device settings.

8. Children's Privacy

PeltaX is not directed at children under the age of 13. We do not knowingly collect personal information from children under 13. If you believe we have inadvertently collected such information, please contact us at [email protected].

9. Changes to This Policy

We may update this Privacy Policy from time to time. When we do, we will update the "Last Updated" date at the top of this page. For material changes, we will notify you via in-app notification or email. Continued use of PeltaX after changes constitutes acceptance of the updated policy.

10. Contact Us

If you have questions about this Privacy Policy or your data, please contact us:

Email: [email protected]
Website: peltax.app