Privacy Policy
Effective Date: November 27, 2025
Last Updated: November 27, 2025
1. Introduction
Welcome to RecurLock ("we," "our," or "us"). RecurLock is a subscription tracking application designed to help you manage and monitor your recurring payments and subscriptions.
This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our mobile application (Android) and web application (collectively, the "Service"). Please read this Privacy Policy carefully. By using RecurLock, you agree to the collection and use of information in accordance with this policy.
If you do not agree with the terms of this Privacy Policy, please do not access or use the Service.
Data Controller
RecurLock is operated by Oren Vainshtok (the "Data Controller"). If you have any questions about this Privacy Policy or how we handle your data, you can contact us at support@recurlock.com.
2. Information We Collect
2.1 Information You Provide to Us
Account Information
- Email address (required for account creation)
- Display name
- Password (stored securely using industry-standard hashing; we never store plaintext passwords)
Profile Information
- Currency preference
- Timezone setting
- Notification preferences (push notifications, reminder timing)
Subscription Data
- Subscription names (e.g., Netflix, Spotify)
- Subscription costs and billing amounts
- Billing cycles (monthly, quarterly, annual, weekly)
- Categories (streaming, software, gaming, fitness, education, etc.)
- Billing dates and renewal dates
- Subscription status (active, cancelled, paused, expired)
- Personal notes you add to subscriptions
- Auto-renewal settings
2.2 Information Collected Automatically
Device Information
- Device type and model
- Operating system and version
- Application version
- Unique device identifiers
Usage Information
- Features accessed within the app
- Timestamps of app interactions
- Error logs and crash reports
Security and Audit Information
- Login and logout events
- IP addresses (for security purposes only)
- User agent information
- Data access and modification logs
2.3 Information from Third-Party Services
Google Sign-In (Optional)
If you choose to sign in using Google, we receive:
- Your Google account email address
- Your Google display name
- A unique identifier token
We do not receive or access your Google password, contacts, calendar, or any other Google account data.
2.4 Receipt Scanning (OCR)
When you use our receipt scanning feature:
- Receipt images are processed entirely on your device using Google ML Kit
- No receipt images are uploaded to our servers or any cloud service
- Only the extracted subscription information (name, cost, date) is saved to your account
- Original receipt images are not stored by RecurLock
3. How We Use Your Information
We use the information we collect to:
- Provide the Service: Create and manage your account, track your subscriptions, and display your spending analytics
- Send Notifications: Deliver renewal reminders, payment alerts, and important service updates based on your preferences
- Process Payments: Facilitate premium subscription purchases through our payment processor (Lemon Squeezy). We do not store or process your full payment card details; these are handled by Lemon Squeezy
- Improve the Service: Analyze usage patterns to enhance features and fix bugs
- Ensure Security: Detect and prevent fraud, unauthorized access, and other malicious activities
- Provide Support: Respond to your inquiries and resolve issues
- Comply with Legal Obligations: Meet applicable legal requirements and enforce our terms
4. Data Storage and Security
4.1 Where Your Data is Stored
Cloud Storage
- Your account data and subscriptions are stored securely on Supabase, our backend infrastructure provider
- Supabase employs industry-standard security measures including encryption at rest
Local Device Storage (Mobile App)
- Subscription data is cached locally on your device for offline access
- Local data is encrypted using AES-256 encryption (SQLCipher)
- Authentication tokens are stored in encrypted storage (EncryptedSharedPreferences on Android)
4.2 Security Measures
We implement comprehensive security measures including:
- Encryption in Transit: All data transmitted between your device and our servers uses HTTPS/TLS encryption
- Encryption at Rest: Data stored on your device and in our database is encrypted
- Row-Level Security (RLS): Database-level access controls ensure you can only access your own data
- Secure Authentication: Passwords are hashed using industry-standard algorithms; we support secure OAuth authentication
- Audit Logging: Security events are logged for monitoring and compliance
4.3 Data Breach Notification
In the event of a data breach that affects your personal information, we will notify you via email within 72 hours of becoming aware of the breach, as required by applicable law.
5. Third-Party Service Providers
We use the following third-party services to operate RecurLock:
5.1 Supabase
- Purpose: Backend database, user authentication, and real-time data synchronization
- Data Processed: Account information, subscription data, user preferences
- Privacy Policy: https://supabase.com/privacy
5.2 Google (Sign-In and ML Kit)
- Google Sign-In Purpose: Optional OAuth authentication
- Data Processed: Email address, display name, authentication tokens
- ML Kit Purpose: On-device OCR processing for receipt scanning
- ML Kit Data: Receipt images are processed locally and never sent to Google servers
- Privacy Policy: https://policies.google.com/privacy
5.3 Lemon Squeezy
- Purpose: Payment processing for premium subscriptions
- Data Processed: Email address, user identifier, selected plan
- Note: We do not store or process your credit card information; this is handled entirely by Lemon Squeezy
- Privacy Policy: https://www.lemonsqueezy.com/privacy
6. Data Sharing and Disclosure
6.1 We Do NOT:
- Sell your personal data to third parties
- Share your data with advertisers or advertising networks
- Use your subscription data for targeted advertising
- Share your data with data brokers
6.2 We May Share Your Information:
With Service Providers
- Only with the third-party providers listed in Section 5, solely for the purposes described
With Family Members (if applicable)
- If you create or join a family workspace, subscription data within that workspace is visible to other family members
For Legal Compliance
- When required by law, court order, or governmental authority
- To protect our rights, privacy, safety, or property
- To enforce our Terms of Service
Business Transfers
- In connection with a merger, acquisition, or sale of assets, your information may be transferred to the acquiring entity
7. Your Rights and Choices
7.1 Access Your Data
You can view all your personal data within the app at any time. Additionally, you can export a complete copy of your data in JSON format using the "Export Data" feature in Settings.
7.2 Update Your Information
You can update your profile information, preferences, and subscription data at any time through the app.
7.3 Delete Your Account
You can permanently delete your account and all associated data using the "Delete Account" feature in Settings. Upon deletion:
- All your personal data is immediately and permanently removed
- This action cannot be undone
- A minimal anonymized record may be retained for a limited period for legal and compliance purposes
7.4 Data Portability
You can export your data in standard formats (JSON for full data, CSV for analytics) for use with other services.
7.5 Notification Preferences
You can opt out of:
- Email notifications
- Push notifications
- Individual subscription reminders
You can customize reminder timing and frequency in your notification settings.
7.6 Withdraw Consent
You may withdraw your consent to data processing at any time by deleting your account.
8. International Data Transfers
RecurLock is operated from Israel. If you access the Service from outside Israel, your information may be transferred to, stored, and processed in Israel and in other countries where our service providers are located.
Users in the EEA, UK, and Switzerland
When we transfer your personal data outside the EEA, UK, or Switzerland, we use appropriate safeguards, such as:
- Standard Contractual Clauses approved by the European Commission
- Adequacy decisions (including for Israel)
- Other lawful transfer mechanisms
If you are in the EEA, UK, or Switzerland, you have rights under applicable data protection laws, including the rights to access, rectify, delete, restrict or object to processing, and data portability. To exercise these rights, contact us at support@recurlock.com.
9. Data Retention
9.1 Active Accounts
We retain your personal data for as long as your account is active and as needed to provide you with the Service.
9.2 Audit Logs
Security and audit logs are retained for a limited period for security and troubleshooting purposes.
9.3 After Account Deletion
When you delete your account:
- All personal data is immediately deleted
- Subscription data is permanently removed
- A minimal anonymized log entry may be retained for a limited period for legal and compliance purposes
10. Children's Privacy
RecurLock is intended for users who are 18 years of age or older. We do not knowingly collect personal information from anyone under the age of 18.
If you are a parent or guardian and believe your child has provided us with personal information, please contact us at support@recurlock.com. If we become aware that we have collected personal information from a child under 18 without verification of parental consent, we will take steps to remove that information from our servers.
11. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. When we make changes:
- We will update the "Last Updated" date at the top of this policy
- For significant changes, we will notify you via:
  - Email to the address associated with your account
  - In-app notification
  - Prominent notice on our website
Your continued use of the Service after any changes indicates your acceptance of the updated Privacy Policy. We encourage you to review this Privacy Policy periodically.
12. Contact Us
If you have any questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us at:
Email: support@recurlock.com
13. Additional Information for Specific Jurisdictions
13.1 Israeli Users
We comply with the Israeli Privacy Protection Law, 5741-1981, and its regulations. You have the right to access, correct, and delete your personal information. To exercise these rights, contact us at support@recurlock.com.
13.2 California Users (CCPA)
If you are a California resident, you have additional rights under the California Consumer Privacy Act (CCPA), as amended by the CPRA:
- Right to Know: You can request information about the categories and specific pieces of personal information we have collected about you
- Right to Delete: You can request deletion of your personal information
- Right to Opt-Out of Sale or Sharing: We do not sell or share your personal information as those terms are defined under the CCPA/CPRA, so this right currently does not apply.
- Right to Non-Discrimination: We will not discriminate against you for exercising your CCPA rights
To exercise these rights, contact us at support@recurlock.com or use the in-app data export and deletion features.
14. Cookies and Similar Technologies
14.1 Web Application
Our web application uses essential cookies and local storage for:
- Authentication and session management
- Remembering your preferences
- Security purposes
We do not use advertising cookies or third-party tracking cookies for targeted advertising.
14.2 Mobile Application
Our mobile application uses local storage for:
- Caching subscription data for offline access
- Storing authentication tokens securely
- Saving your preferences
15. Automated Decision-Making
RecurLock does not use automated decision-making or profiling that produces legal effects or similarly significant effects on you.
This Privacy Policy was last reviewed and updated on November 27, 2025.