App Privacy Policy

The data controller for personal data processed within the Subber mobile application is:

Tensai Studio s.c.
ul. Powstańców 5 / 160
05-800 Pruszków, Poland
Tax ID (NIP): 5342693345
Business ID (REGON): 541413217
Email: kontakt@tensai-studio.com

For matters related to the processing of personal data, including the exercise of user rights under applicable data protection laws, please contact us via the dedicated email address: privacy@subber.app.

The data controller has not appointed a Data Protection Officer, as there is no legal obligation to do so as of the date of publication of this Privacy Policy.

By using the Subber application, the user provides us with certain personal data and technical information related to the use of the app. These data are collected both directly from the user and automatically through integrated analytics and server services.

Data Provided Directly by the User:

During registration and while using the application, the user may provide the following information:

• Email address – used for login, communication, and account identification,
• Password – stored in encrypted (hashed) form via Firebase Authentication,
• Nickname (profile name) – used to identify the user within the app,
• Additional voluntary data – the user may optionally add content such as:
  • custom subscription names,
  • notes related to subscriptions,
  • other descriptions or labels related to subscription management,
• App preferences – including language, currency, and regional settings selected from a predefined list available in the app.

Data Collected Automatically:

To ensure proper app functionality, performance analysis, and enhancement of user experience, the app automatically collects certain technical data:

• Device information – including, but not limited to, device model, operating system version, app version, language and regional settings,
• User Identifier (UID) – a unique identifier generated in Firebase and assigned to the user,
• Crash and error data – automatically logged via Firebase Crashlytics to analyze app stability and resolve issues,
• Analytics data – collected through Google Analytics and Google Tag Manager, including but not limited to user activity data, number and type of clicks, session counts, app usage time, and behavior across specific screens.

The application does not use GPS location, does not collect geolocation data, does not process sensitive personal data, and does not access the user’s contacts, microphone, camera, or external storage.

Furthermore, advertising identifiers (such as IDFA or GAID) are not used – the app does not display ads or conduct marketing profiling of users.

Data from Google and Apple Sign-In:

Users have the option to log in using their Google or Apple accounts. During this process, the application receives only the following:

• User’s email address,
• First name or profile name (if available).

No other information is retrieved from Google or Apple accounts, such as profile pictures, friends lists, or contact details.

Data Related to Subscriptions and Payments:

If the user utilizes in-app purchases or subscription features (e.g., Subber Premium), the app may process information regarding:

• Transaction ID,
• Subscription status (active, expired, canceled),
• Type of plan or purchased feature.

This information is provided by Apple App Store and Google Play Billing and is used solely for managing access to premium app features. The application does not collect, process, or store any credit card data, bank account numbers, or billing information.

The personal data and technical information collected by the Subber application are processed for the following purposes:

A. Providing Core Application Functions

• User registration and login,
• Authentication and maintenance of an active user session,
• Assigning subscription data and notes to a specific user profile,
• Managing the user account and displaying subscription information,
• Handling payment features and assigning plan status (e.g., Premium).

Legal basis (GDPR): Article 6(1)(b) – processing is necessary for the performance of a contract for the provision of electronic services.

B. Application Maintenance and Development

• Monitoring app performance and proper functionality,
• Logging crashes and errors to improve stability (via Firebase Crashlytics),
• Diagnosing technical issues reported by users.

Legal basis (GDPR): Article 6(1)(f) – the legitimate interest of the controller in ensuring the security and proper functioning of the application.

C. Application Usage Analysis

• Collecting statistical data on app usage (via Google Analytics and Google Tag Manager),
• Analyzing feature popularity, number of active users, session duration,
• Making product decisions based on aggregated user behavior data.

Legal basis (GDPR): Article 6(1)(f) – the legitimate interest of the controller in optimizing the application and tailoring it to user needs. Users have the right to object to such processing.

D. User Communication

• Sending important technical or administrative notifications,
• Responding to inquiries submitted via email or contact forms.

Legal basis (GDPR): Article 6(1)(b) or (f) – depending on the nature of the interaction (performance of a contract or legitimate interest of the controller in maintaining user relations).

E. Compliance with Legal Obligations

• Storing proof of transactions (e.g., subscription purchases) for tax and accounting purposes,
• Fulfilling obligations imposed by applicable laws in the user’s country or the controller’s country of establishment.

Legal basis (GDPR): Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.

User data is not used for profiling or for making automated decisions that could produce legal effects concerning the user or similarly significantly affect them.

The processing of personal data of Subber application users is carried out in accordance with the provisions of the General Data Protection Regulation (GDPR), based on Article 6(1), under the following legal grounds:

Article 6(1)(b) GDPR – processing is necessary for the performance of a contract to which the user is party or in order to take steps at the request of the user prior to entering into a contract:

• Creating a user account,
• Logging in and authentication,
• Saving subscription-related data,
• Executing functions related to payments and subscriptions.

Article 6(1)(f) GDPR – processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party:

• Monitoring application performance and diagnosing errors (e.g., via Firebase Crashlytics),
• Compiling statistics and analyzing application usage (e.g., via Google Analytics),
• Communicating with users for support or service improvement purposes.

Article 6(1)(c) GDPR – processing is necessary for compliance with a legal obligation to which the controller is subject:

• Storing payment or subscription data for accounting and tax purposes,
• Fulfilling obligations under applicable national (e.g., Polish) or foreign laws, depending on the user’s jurisdiction.

Users have the right to request additional information regarding the specific legal basis applicable to each processing activity. To do so, they may contact the controller at privacy@subber.app.

To ensure the proper functioning, maintenance, and development of the Subber application, as well as to support features such as authentication, data storage, and usage analytics, we collaborate with external technology service providers. As a result, user data may be processed by these entities as data processors acting on behalf of the controller, in accordance with applicable contracts and legal regulations.

A. Firebase (Google LLC)

The application uses several services from the Firebase suite provided by Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA:

• Firebase Authentication – for handling user registration, login, and authentication (including Google and Apple account sign-ins),
• Cloud Firestore – for real-time storage of subscription and user account data,
• Firebase Crashlytics – for monitoring app stability and logging crashes and errors.

Data are stored on Google servers, which may be located outside the European Economic Area (e.g., in the USA). Google acts as a data processor and is committed to ensuring an adequate level of data protection in compliance with the GDPR and other applicable regulations. Data transfers are based on the European Commission’s Standard Contractual Clauses and/or participation in the EU–US Data Privacy Framework (where applicable).

More information about Google’s data processing policies:
https://policies.google.com/privacy
https://firebase.google.com/support/privacy

B. Google Analytics and Google Tag Manager

We use the following services to analyze app usage:

• Google Analytics for Firebase,
• Google Tag Manager.

These services collect statistical data about how the app is used, such as session count, visit duration, clicks, screen transitions, device type, country, and OS version. This information helps us understand user needs and improve app functionality. Data are pseudonymized and analyzed in aggregate form – they are not used to identify individual users.

Google acts as a data processor on our behalf. Data transfers may occur to third countries (e.g., the USA), with Google providing appropriate safeguards in accordance with GDPR and CCPA requirements.

C. Apple App Store and Google Play Billing

In-app purchases and subscriptions are handled via the official payment systems:

• Apple App Store (Apple Inc.),
• Google Play Billing (Google LLC).

All payment-related data (such as card numbers or billing addresses) are processed exclusively by Apple or Google, in accordance with their privacy policies and terms. The Subber app has no access to this information.

The app only receives limited technical information necessary to assign the purchase (e.g., transaction ID, subscription status, activation time), which is used solely to unlock premium features and manage the user account.

D. Google and Apple ID Sign-In

If the user chooses to log in using a Google or Apple account, basic identifying information (email address and first name or account name) is shared with the Subber app by the respective provider. This process follows the OAuth authorization standard and data are only transmitted after the user provides consent through the login interface.

Subber does not collect any additional information from the user’s Google or Apple profile (e.g., contacts, profile pictures).

All of the above-mentioned third parties process data solely on our behalf and in accordance with applicable data processing agreements. They are not permitted to use the data for their own marketing purposes.

Personal data of Subber application users may be processed on servers located outside the European Economic Area (EEA), particularly in the United States. This applies primarily to data processed through services provided by:

• Google LLC (Firebase, Google Analytics, Google Tag Manager),
• Apple Inc. (when using Apple ID or making purchases via the App Store),
• Google Ireland / Google LLC (when logging in via a Google account or making purchases through Google Play).

In all such cases, the transfer of data outside the EEA is carried out using appropriate legal mechanisms in accordance with applicable data protection laws, specifically:

• Standard Contractual Clauses (SCCs) approved by the European Commission,
• or, in the case of Google LLC, certification under the EU–US Data Privacy Framework, confirming an adequate level of data protection in the United States.

All service providers we work with are contractually obligated to implement appropriate organizational and technical safeguards to protect personal data and to process such data solely in accordance with our instructions and applicable laws.

Users have the right to obtain additional information regarding the safeguards in place for data transfers outside the EEA, as well as a copy of the applicable Standard Contractual Clauses. To do so, please contact us at: privacy@subber.app.

Personal data of Subber application users are retained only for as long as necessary to fulfill the purposes for which they were collected, unless applicable laws require longer storage (e.g., for tax or accounting purposes).

The specific data retention rules are as follows:

• User account data (email address, nickname, subscription data) – stored for the entire duration of the user’s active use of the app. If the user deletes their account, all associated data will be permanently deleted from our database as soon as possible, and no later than within 30 days.
• Login data (email, UID, authentication credentials) – stored for the duration of app usage and deleted along with the user account. Passwords are stored in encrypted (hashed) form.
• Analytics data (e.g., in-app activity, user events) – retained for up to 26 months or in accordance with the default settings of Google Analytics services, after which they are aggregated or anonymized.
• Error and crash data (Firebase Crashlytics) – retained for the time necessary to analyze and resolve technical issues, but no longer than 90 days from the time the error is logged, unless longer retention is required for application security.
• Transaction data (subscriptions) – purchase information is retained for the period required by applicable law, particularly for tax or accounting purposes, and not less than 5 years from the date of transaction (in accordance with regulations applicable in Poland and the EU).

After the expiration of the above-mentioned periods, data are deleted, anonymized, or retained solely in archived form, if required by law.

Depending on the user’s place of residence, certain rights apply with respect to the processing of personal data. The Subber application complies with all applicable laws and ensures that users can exercise their rights under the following legal frameworks:

• General Data Protection Regulation (GDPR) – applicable in the European Union and European Economic Area (EEA),
• California Consumer Privacy Act (CCPA/CPRA) – applicable in the State of California, USA,
• Lei Geral de Proteção de Dados (LGPD) – applicable in Brazil.

A. Rights of Users under the GDPR:

Users located within the EU and EEA have the right to:

• Access their personal data,
• Rectify inaccurate or incomplete data,
• Erase their data ("right to be forgotten"),
• Restrict the processing of their data,
• Transfer their data to another service provider,
• Object to processing based on the controller’s legitimate interest,
• Withdraw consent at any time (if processing is based on consent),
• Lodge a complaint with a supervisory authority (e.g., the Polish Data Protection Authority – UODO).

B. Rights of Users under the CCPA/CPRA:

Users residing in the State of California have the right to:

• Obtain information about the categories and sources of personal data collected in the past 12 months,
• Access specific personal data held about them,
• Request deletion of their personal data,
• Know whether their data has been sold or disclosed to third parties,
• Opt out of the “sale” of personal data (Subber does not sell user data),
• Not be discriminated against for exercising any of their rights.

C. Rights of Users under the LGPD:

Users residing in Brazil have the right to:

• Confirm whether their data is being processed,
• Access their personal data,
• Rectify incomplete, inaccurate, or outdated data,
• Anonymize, block, or delete unnecessary data or data processed unlawfully,
• Delete data processed based on consent, after consent is withdrawn,
• Be informed about the entities with whom their data has been shared,
• Refuse to provide consent and be informed of the consequences of such refusal.

Exercising Your Rights

To exercise any of the above rights, users may:

• Use the available in-app features (e.g., account deletion),
• Or contact the controller at: privacy@subber.app.

In case of requests concerning access, deletion, or correction of personal data, the controller may request identity verification to protect against unauthorized access.

A response to the request will be provided no later than 30 calendar days from the date of receipt.

Users of the Subber application have the right to permanently delete their account and all personal data associated with their profile. The account deletion process is carried out only upon explicit request submitted to the dedicated email address:

📩 privacy@subber.app

The message must clearly express the user’s intention to delete their account and include the email address used to register the account. If necessary, we may request additional information to verify the user's identity and protect their data.

Once the request has been successfully verified, the user's data will be permanently deleted from our systems within a maximum of 30 days, including:

• Account data (email address, UID, nickname),
• Subscription data and notes added by the user,
• Analytics and technical data associated with the account (if identifiable).

Exceptions:

Certain data, particularly transaction-related information (e.g., premium subscription status), may be retained for the period required by tax or accounting laws – no longer than 5 years from the date of the transaction. Such data will be stored in archived form and will not be used for any other purposes.

Please note: Once the account is deleted, it cannot be restored, and no data will be recoverable.

We make every effort to ensure that the personal data of Subber application users is protected against unauthorized access, disclosure, loss, alteration, or destruction.

To achieve this, we implement appropriate technical and organizational measures in line with current security standards and data protection regulations, including:

• Data transmitted between the app and Firebase servers is protected using TLS/SSL encryption (HTTPS),
• Data stored in Firebase databases (Firestore and Storage) is encrypted at rest and accessible only by authorized instances of the application,
• User accounts are secured through authentication based on unique identifiers and secure passwords (stored in hashed form),
• Access to data on the administrator’s side is strictly limited to authorized personnel and protected by additional control mechanisms (e.g., access logging, multi-factor authentication),
• The Firebase environment monitors system activity and takes preventive action in the event of detected threats (e.g., unauthorized access attempts),
• Crash and error data recorded by Firebase Crashlytics is used exclusively to improve the application's security and stability.

Despite employing advanced safeguards, it is important to remember that no system is completely immune to all threats. Therefore, we encourage users to take precautionary measures, such as:

• Choosing strong and unique passwords,
• Not sharing login credentials with third parties,
• Reporting any suspicious activity to: privacy@subber.app.

The Subber application does not use cookies in the sense commonly associated with web browsers, as it does not have a browser-accessible web version.

However, the mobile application uses tracking technologies of a similar nature, necessary for analyzing app usage and optimizing its performance. In particular, the app uses the following tools:

• Google Analytics for Firebase – for collecting statistical data on app usage, such as the number of sessions, time spent in the app, clicks, screen transitions, device type, operating system, etc.,
• Google Tag Manager – for managing analytics events.

These services collect, among other things, default session identifiers and device identifiers. However, this data is not used for advertising purposes or for creating user profiles. All data is processed in a pseudonymized and aggregated form.

Opting Out of Analytics

Users have the right to opt out of statistical analytics. To do so, the app includes an option to disable Google Analytics in the privacy settings section. Once this setting is turned off, no further statistical data will be collected or transmitted to Google Analytics.

The change is immediate and applies to the specific user account.

While enabled, analytics data is processed on the basis of the controller’s legitimate interest (Article 6(1)(f) GDPR), which consists of improving the quality and functionality of the application. The user has the right to object to such processing, which can be exercised by simply disabling this function in the app.

The Subber application is not intended for use by children under the age of 13. We do not knowingly collect personal data from children, nor do we allow them to create an account.

Use of the app is permitted only for individuals who are 13 years of age or older. Individuals aged 13–16 may only use the app with the consent of a legal guardian, where such a requirement is imposed by local law (e.g., under the GDPR in EU countries).

If we become aware that we are processing data of a child who does not meet the minimum age requirements, we will take immediate steps to:

• Delete the child’s account and any associated personal data,
• Block further access to the application.

This policy is aligned with the following legal frameworks:

• COPPA (Children’s Online Privacy Protection Act) – the app complies with U.S. regulations by not targeting or processing data of children under 13,
• GDPR – we observe country-specific legal age requirements for children’s consent (13–16 years),
• LGPD – we comply with Brazilian regulations regarding the processing of minors’ data.

If you are a parent or legal guardian and discover that your child is using the app without your consent, and you wish to report this, please contact us at: privacy@subber.app.

We reserve the right to make changes to this Privacy Policy at any time, particularly in response to changes in applicable laws, the introduction of new features in the application, or modifications in data processing practices.

Users will be appropriately informed of any material changes to this policy, for example through:

• Email notification (if the user has provided an email address during registration),
• In-app communication (e.g., in the form of a notification or pop-up),
• Or any other feasible means of direct communication.

The effective date of the updated version of this document will always be indicated at the end of the policy. We encourage users to review the current version of the Privacy Policy periodically.

Continued use of the application after the updated policy comes into effect constitutes acceptance of the changes. If a user does not agree with the updated policy, they may stop using the app at any time and request deletion of their account along with all associated personal data.

This Privacy Policy applies exclusively to the Subber mobile application available for iOS and Android systems. It does not apply to services, websites, or applications of third parties that users may access via external links (if any). We recommend reviewing the privacy policies of those third parties independently.

The application does not use automated decision-making or profiling that could produce legal effects or similarly significantly affect the user.

In the event of any discrepancies between the language versions of this document, the English version shall prevail. Translations are provided for informational purposes only and to facilitate understanding.

Any questions, concerns, or complaints related to this policy may be directed to: privacy@subber.app.