1. Introduction
Substacker ("we", "our", or "us") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, and safeguard your information when you use our AI cost intelligence platform.
Our Privacy Commitment
We never see your prompts, we don't sell your data, and free tier data is deleted immediately after analysis.
2.1 Information You Provide
- Account Information: Email address when you sign up or request analysis
- Usage Data Uploads: CSV or JSON files containing your AI API usage logs (model names, token counts, team names, timestamps)
- Payment Information: Processed securely through Stripe; we do not store credit card numbers
2.2 Information Automatically Collected
- Usage Analytics: How you interact with our platform (pages viewed, features used)
- Device Information: Browser type, operating system, IP address
- Cookies: Session cookies for authentication, analytics cookies (optional)
2.3 What We Do NOT Collect
What stays private:
- Actual prompt content from your AI API calls
- AI model responses
- Personal information contained in prompts
- Your API keys for OpenAI, Anthropic, Google, or other providers
3. How We Use Your Information
- Provide Services: Analyze your AI usage data and generate cost reports
- Improve Platform: Understand usage patterns to improve features
- Communications: Send analysis results, product updates (with opt-out)
- Aggregated Insights: Create anonymized industry benchmarks (never identifying individual users)
4. Data Retention
| Tier | Retention Period |
| --- | --- |
| Free Analysis | Deleted immediately after analysis (within 24 hours) |
| Starter Plan | 90 days |
| Growth Plan | 1 year |
| Enterprise Plan | Custom (per agreement) |
5. Data Sharing
We do not sell your data. We may share data with:
- Service Providers:
  - Supabase (database hosting) - EU/US
  - Railway (application hosting) - US
  - Stripe (payment processing) - US
- Legal Requirements: When required by law or to protect our rights
- Business Transfers: In case of merger or acquisition (with notice)
6. Your Rights (GDPR)
If you are in the EU/EEA, you have the right to:
- Access: Request a copy of your data
- Rectification: Correct inaccurate data
- Erasure: Request deletion of your data
- Portability: Receive your data in a machine-readable format
- Object: Object to processing of your data
- Withdraw Consent: Withdraw consent at any time
To exercise these rights, email: privacy@substacker.com
7. Security
- All data encrypted in transit (TLS 1.3)
- Data encrypted at rest (AES-256)
- Access controls and authentication (JWT tokens)
- Regular security audits
- SOC 2 compliance (roadmap - planned 2026)
For more details, see our Security page.
8. Cookies
We use:
- Essential Cookies: Required for authentication and basic functionality
- Analytics Cookies: To understand usage patterns (can be disabled)
You can control cookies through your browser settings.
9. Children's Privacy
Our service is not intended for children under 16. We do not knowingly collect data from children.
10. International Transfers
Data may be transferred to and processed in the United States. We use Standard Contractual Clauses (SCCs) for EU data transfers.
11. Changes to This Policy
We may update this policy periodically. We will notify you of material changes via email or in-app notification.