Data Protection Policy

Last updated: April 4, 2026

1. Purpose

This Data Protection Policy describes how EDC Properties Inc. ("Company") protects the data processed through Subtrack ("Service"). We are committed to safeguarding the confidentiality, integrity, and availability of all data entrusted to us by our users.

2. Data Classification

We classify data into the following categories:

  • Public: Marketing content, product documentation
  • Internal: Usage analytics, aggregated metrics
  • Confidential: User account information, subscription data, organization data
  • Restricted: API credentials, authentication tokens, financial transaction data

Each classification level has specific handling, storage, and access requirements.

3. Data Collection Principles

  • Minimization: We only collect data necessary to provide the Service
  • Purpose limitation: Data is used only for the purposes stated in our Privacy Policy
  • Accuracy: We take reasonable steps to ensure data is accurate and up to date
  • Retention limits: Data is retained only as long as necessary for the stated purpose

4. Data Processing

4.1 Subscription Data

Subscription names, categories, renewal dates, costs, and ownership information are stored in Google Cloud Firestore with encryption at rest. This data is accessible only to the user who created it or members of their organization.

4.2 Integration Credentials

Third-party API credentials (Namecheap, Cloudflare, GoDaddy, etc.) are stored encrypted in Firestore. Credentials are only accessed server-side during sync operations and are never exposed to the client.

4.3 Financial Data

Financial account connections are processed by Plaid Inc. We receive only transaction-level data (merchant name, amount, date, category) necessary to identify subscriptions. We do not receive or store account numbers, routing numbers, or banking credentials. Financial data is processed in memory and only extracted subscription information is persisted.

4.4 Email Data

When Gmail scanning is enabled, emails are processed server-side in memory. We extract only subscription-relevant information (provider name, amount, billing cycle, renewal date). Full email content is not stored. Gmail access can be revoked at any time through Google Account settings.

5. Data Storage and Security

  • All data is hosted on Google Cloud Platform (us-central1)
  • Encryption in transit via TLS 1.3
  • Encryption at rest via AES-256 (GCP default)
  • Firestore security rules enforce row-level access control
  • Server-side API routes verify Firebase ID tokens on every request
  • No plaintext storage of passwords or API keys

6. Data Access

Access to production data is limited to authorized personnel on a need-to-know basis. All access is logged and auditable. Organization data is protected by role-based access controls (Owner, Admin, Member, Viewer).

7. Data Breach Response

In the event of a data breach, we will:

  1. Identify and contain the breach within 24 hours
  2. Assess the scope and impact of the breach
  3. Notify affected users within 72 hours of discovery
  4. Notify relevant authorities as required by applicable law
  5. Implement remediation measures to prevent recurrence
  6. Document the incident and review security practices

8. Data Deletion

Users may request deletion of their data at any time by contacting privacy@getsubtrack.com or deleting their account through the Service. Upon request, we will delete all personal data within 30 days, except where retention is required by law or for legitimate business purposes (e.g., fraud prevention).

9. Third-Party Data Processors

Processor | Purpose | Data Processed
Google Cloud Platform / Firebase | Hosting, database, authentication | All application data
Plaid Inc. | Financial data aggregation | Bank transaction data
Namecheap / Cloudflare / GoDaddy | Domain and certificate data sync | Domain, SSL, hosting data via user-provided API keys

10. Contact

For data protection inquiries:
EDC Properties Inc.
10301 Ranch Road 2222, Austin, TX 78730
Email: privacy@getsubtrack.com