Privacy Policy
Last updated: 2026-06-01 · Effective: 2026-06-01
NopeSub ("we", "us", "our") operates the NopeSub iOS app and the website at nopesub.com (together, the "Service"). This Privacy Policy explains what data we collect, how we use it, who we share it with, and the rights you have over it. Plain English first; legal precision second.
1. Who we are
NopeSub is operated by Ole Christian Nygjelten, sole proprietor, registered in Norway. Contact: [email protected].
For GDPR purposes, we are the data controller. For CCPA purposes, we are the business that determines the purposes and means of processing your data.
2. What we collect
2.1 Information you give us directly
- Account data: email address, password hash, optional display name.
- Payment data: processed entirely by Stripe and Apple In-App Purchase. We never see or store your full card number. We store only the last 4 digits, card brand, and a Stripe customer ID for receipts.
- Communications: emails you send us, in-app support messages.
2.2 Information collected via Plaid (bank transactions)
When you connect a bank account, you do so through Plaid Inc. ("Plaid"), our financial data provider. Plaid retrieves transaction history from your bank on your behalf. We receive from Plaid:
- Transaction descriptions, amounts, dates, and merchant names.
- Account type (checking, savings, credit card).
- Masked account identifier (last 4 digits).
We do not receive your bank login credentials. Those go to Plaid and never to NopeSub. Plaid's own privacy policy governs that relationship: plaid.com/legal.
Transaction data is retained for up to 30 days for subscription-detection processing, then automatically purged. You can purge it earlier any time from in-app Settings → Privacy → Delete transaction history.
2.3 Information collected automatically
- Device data: iOS version, device model, app version, locale, timezone.
- Usage data: screens viewed, features used, crashes. We use this to fix bugs and improve the app.
- IP address: stored for 30 days for security and fraud prevention.
We do not use third-party advertising trackers or fingerprinting libraries, and we do not sell device IDs.
3. How we use your data
- Provide the Service: detect subscriptions in your transaction history, surface them in the app, execute cancellations on your behalf when you approve them.
- Cancel subscriptions: with your explicit consent per cancellation, we use one of three paths — (a) direct web automation against the provider's cancel page, (b) a pre-filled cancellation request form, or (c) an AI-assisted phone call to the provider's customer service line via Twilio and OpenAI. Calls are recorded only where legally required (one-party-consent US states by default; two-party-consent states with your prior in-app approval).
- Process payments: for app subscriptions ($9 one-shot or monthly tier) via Stripe (web) and Apple In-App Purchase (iOS).
- Communicate with you: transactional emails (receipts, cancellation confirmations) and optional product updates (you can opt out).
- Improve the Service: anonymized usage analytics to fix bugs and prioritize features.
- Comply with law: respond to legal requests, prevent fraud, enforce our Terms.
4. Legal basis (GDPR users)
- Contract: processing necessary to deliver the Service you signed up for (subscription detection, cancellation execution, payments).
- Consent: bank account connection, recorded phone calls in two-party-consent jurisdictions, optional marketing emails.
- Legitimate interest: fraud prevention, security logging, product analytics, communicating with paying customers about their service.
- Legal obligation: tax records, regulatory responses.
5. Who we share data with
We share the minimum necessary data with the following processors. All have contractual obligations to protect your data:
We do not sell your personal information. We do not share it with advertisers. We do not use it to train AI models that benefit anyone other than you.
6. International transfers
NopeSub is based in Norway (EEA). Our processors are largely US-based. Transfers to the US rely on Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework (DPF). You can request the relevant SCCs by emailing [email protected].
7. How long we keep your data
- Account data: while your account is active, plus 30 days after deletion.
- Bank transaction data: 30 days maximum, then purged automatically.
- Cancellation records: 24 months (so you can prove a subscription was cancelled if the provider disputes it).
- Payment records: 7 years (tax law).
- Call recordings: 90 days, then purged automatically.
- Server logs: 30 days.
8. Your rights
8.1 GDPR (EEA, UK, Switzerland)
- Right to access your data.
- Right to rectify inaccurate data.
- Right to erasure ("right to be forgotten").
- Right to restrict processing.
- Right to data portability.
- Right to object to processing.
- Right to withdraw consent at any time.
- Right to lodge a complaint with your data protection authority (in Norway: Datatilsynet, datatilsynet.no).
8.2 CCPA / CPRA (California residents)
- Right to know what personal information we collect and how we use it.
- Right to delete personal information.
- Right to correct inaccurate personal information.
- Right to opt out of sale or sharing (we do not sell or share).
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising any of the above.
8.3 GLBA (US financial privacy)
Because NopeSub handles financial transaction data via Plaid, the Gramm-Leach-Bliley Act applies. We collect financial data only with your affirmative consent, share it only with the processors listed in Section 5, and protect it with industry-standard encryption (TLS 1.2+ in transit, AES-256 at rest).
8.4 How to exercise your rights
Email [email protected] from the email address on your account, or use in-app Settings → Privacy → Export / Delete my data. We respond within 30 days (GDPR) or 45 days (CCPA).
9. Security
- TLS 1.2+ for all data in transit.
- AES-256 encryption for all data at rest.
- Bank credentials never touch NopeSub servers — they go directly to Plaid.
- Internal access on a least-privilege basis with audit logging.
- Annual security review.
No system is 100% secure. If a breach affects your data, we will notify you within 72 hours of discovery as required by GDPR Articles 33 and 34.
10. Children
NopeSub is not directed at anyone under 16. We do not knowingly collect data from children. If you believe a child has provided us data, email us and we will delete it.
11. Changes to this Policy
We will notify you of material changes by email and via in-app notice at least 30 days before they take effect. The "Last updated" date at the top reflects the most recent revision.
12. Contact
NopeSub
Ole Christian Nygjelten, sole proprietor
Norway
[email protected]