Legal
Privacy Policy
Last updated 1 July 2026
Subwise organizes your recurring payments and reminds you on WhatsApp before money leaves your account. This policy explains, in plain language, exactly what we access, what we store, who processes it, and the control you have over your data. It is aligned with India's Digital Personal Data Protection (DPDP) Act, 2023.
1. Who we are
Subwise (“we”, “us”) operates the website at subwise.co.in. For the purposes of the DPDP Act 2023 we are the Data Fiduciary for the personal data described below. You can reach us at hello@subwise.co.in.
2. Gmail access (read-only)
If you sign in with Google, we request the gmail.readonly scope. We search only for emails that match payment-related keywords (e.g. receipts, invoices, renewals, auto-pay/UPI mandates, trials) from roughly the last 6 months. For those matching emails we read the subject, sender, date, and message text to detect the service or merchant, amount, billing cycle, payment method (including bank auto-pay mandates), and renewal or trial dates.
We never read your whole inbox, never read non-matching emails, and never open attachments. We request read-only access — Subwise cannot send, delete, or modify any email.
Subwise's use and transfer of information received from Google APIs to any other app will adhere to the Google API Services User Data Policy, including the Limited Use requirements. We do not use Gmail data for advertising, do not sell it, and do not let humans read it except as needed for security, to comply with law, or with your explicit consent.
3. Email / password accounts
If you sign up with an email and password instead of Google, we never request Gmail access at all, and you add your commitments manually. Passwords are stored only as a salted hash (bcrypt) — never in plain text, and we cannot recover them.
4. What we store
We store the minimum needed to run the service:
- Your name and email address.
- The recurring commitments and one-time payments we detect or you add manually.
- Your optional WhatsApp number and reminder preferences.
- For Google accounts, the OAuth tokens needed to run your weekly automatic scan. The ~1-year refresh token is proportionate to, and used solely for, that weekly auto-scan — so you don't have to log in every week.
5. How we use AI to read payment emails
To turn a payment email into a structured commitment, the relevant email text is processed by a large-language-model provider (Groq, running Meta's Llama models), with Google's Gemini as an automatic fallback if the primary provider is unavailable. This is used purely to extract fields like merchant, amount and date, and only the extracted fields are stored — the raw email text is not retained. We do not use your data to train any AI model, and we do not send your data to consumer/free AI tiers.
6. Sub-processors
We rely on a small set of trusted providers to operate Subwise:
- Google — sign-in and read-only Gmail access.
- Supabase — encrypted database hosting.
- Vercel — application hosting.
- Groq — AI parsing of payment-email text (see above).
- Google (Gemini) — fallback AI parsing if the primary provider is unavailable.
- Meta (WhatsApp) — delivering your reminders.
- Resend — email reminders when WhatsApp isn't connected.
- PostHog — privacy-conscious product analytics to understand how features are used (no selling of data).
7. WhatsApp messages
If you opt in, we send renewal reminders and occasional summaries to your WhatsApp number. You confirm by replying YES, and you can reply STOP at any time to unsubscribe immediately (TRAI compliant), or PAUSE to snooze the weekly scan. We only message you about your own payments — never marketing for third parties.
8. What we never do
We never sell or rent your data, never read non-payment emails, never share your information with advertisers, and never use it to build profiles for anyone else.
9. Data retention & deletion
You can delete your account and all associated data at any time from Settings. Deletion is processed within 48 hours. Disconnecting Gmail revokes our access and removes the stored tokens. You can also revoke Subwise's access directly from your Google Account's security settings.
10. Your rights (DPDP Act 2023)
You have the right to access, correct, and erase your personal data, to withdraw consent, and to nominate another person to exercise your rights. To make a request or raise a grievance, email hello@subwise.co.in and we will respond within the timelines required by law.
11. Security
Data is transmitted over HTTPS and stored in access-controlled, encrypted databases. Access tokens and secrets are kept server-side and never exposed to your browser. No system is perfectly secure, but we work to protect your data using industry-standard measures.
12. Children
Subwise is intended for users aged 18 and above and is not directed at children.
13. Changes to this policy
We may update this policy as the product evolves. We'll revise the “Last updated” date above, and material changes will be communicated in-app or by email.