Legal

Privacy Policy

Effective date: March 6, 2026

SubRobin, operated by appaaz ("we", "us", "our"), is committed to protecting your privacy. This Privacy Policy explains what data we collect, why we collect it, how we use and share it, and what rights you have. It applies to all users of the SubRobin platform: Business Owners, End Customers, and API users.

If you have any questions, contact us at privacy@subrobin.com.

1. What We Collect

Business Owners:

  • Business information: business name, description, location, website URL, Google Maps URL, business category, and any additional details you provide during onboarding.
  • Account information: email address, hashed password (managed by Supabase Auth), and your chosen storefront URL slug.
  • Billing information: Stripe customer ID, Stripe subscription ID, current plan tier, billing cycle, and GMV data. We do not store card numbers — these are held exclusively by Stripe.
  • Platform usage data: storefront state, package configuration, Stripe Connect account status, and webhook event records for idempotency.
  • Terms acceptance: the timestamp and version string of the Terms and Conditions you accepted.

End Customers:

  • Subscription information: full name, email address, subscribed package name and price, subscription status, Stripe subscription ID, and Stripe customer ID.
  • Payment information: handled exclusively by Stripe. SubRobin only receives tokenised identifiers.
  • Terms acceptance: the timestamp and version string of the Terms and Conditions accepted at checkout.

All users:

  • Technical data: IP address, browser type, operating system, pages visited, and timestamps — collected via Vercel Analytics.
  • Cookies: session authentication cookies (HttpOnly, SameSite=Strict) set by Supabase Auth. See Section 6 for details.

What we do not collect:

  • Credit card numbers, CVVs, or bank account details (these never touch SubRobin servers).
  • Government-issued ID numbers or passport numbers.
  • Biometric data of any kind.

2. Why We Collect It

Data | Purpose | Legal Basis
Business info | AI package generation, storefront display, Stripe Connect onboarding | Contract performance
Account email & password | Authentication and account management | Contract performance
Payment identifiers | Billing, subscription management, payout routing | Contract performance
Customer name & email | Subscription management, receipts, customer portal | Contract performance
Terms acceptance | Legal record of agreement to our Terms | Legal obligation
Technical / analytics data | Platform performance, error monitoring, fraud detection | Legitimate interest

3. Third-Party Processors

We share data with the following third-party processors strictly for the purpose of operating SubRobin. We do not sell your data to third parties and do not allow advertisers to access your data.

Stripe (Payment Processing)

All payment processing, subscription billing, Connect payouts, and transaction fee collection are handled by Stripe, Inc. Stripe receives your Stripe customer/subscription IDs, package pricing, and business Connect Account details. Stripe processes card data directly — SubRobin never sees raw card details. Stripe's own Privacy Policy applies to their processing.

Supabase (Database & Auth)

All SubRobin application data (businesses, subscriptions, accounts) is stored in a Supabase-hosted PostgreSQL database. Supabase also manages authentication sessions. Data is stored on servers in the ap-southeast-1 (Singapore) region. Supabase's Privacy Policy applies to their processing.

Groq / AI Package Generation (AI Processing)

When you onboard a business using the AI generation feature, your business name, description, location, and Google Maps data are sent to Groq Cloud for the purpose of generating subscription package suggestions. No customer personal data is sent to Groq. Groq's Privacy Policy applies to their processing.

Vercel (Hosting & Analytics)

SubRobin is hosted on Vercel. Vercel collects standard web server logs and provides privacy-friendly analytics (no cross-site tracking, no fingerprinting). Vercel's Privacy Policy applies.

Note: A future update to this Privacy Policy will add details about phone number / SMS verification processing when that feature is introduced.

4. Data Retention

Data Type | Retention Period
Draft (unactivated) business records | 24 hours from creation, then auto-deleted
Active business account data | Until account closure + 90 days
Customer subscription records | 7 years (financial record compliance)
Terms acceptance records | 7 years (legal compliance)
Webhook event records | 90 days
Impersonation report records | 3 years from resolution
Analytics / server logs | 30 days (Vercel default)

5. Your Rights

Depending on your location, you may have the following rights regarding your personal data:

  • Access: Request a copy of the personal data we hold about you.
  • Correction: Request correction of inaccurate or incomplete data.
  • Deletion: Request deletion of your personal data. Note that some data must be retained for legal or financial compliance reasons (see Section 4).
  • Portability: Request your data in a machine-readable format.
  • Objection: Object to processing based on legitimate interest.
  • Withdrawal of consent: Where processing is based on consent, you may withdraw it at any time without affecting the lawfulness of prior processing.

To exercise any of these rights, contact us at privacy@subrobin.com. We will respond within 30 days.

If you are in the EU/EEA, you also have the right to lodge a complaint with your local Data Protection Authority.

6. Cookies

SubRobin uses a minimal set of cookies:

Cookie | Purpose | Type
sb-auth-token | Authentication session (Supabase Auth) | Strictly necessary
ownership_token | Pre-activation ownership verification (HttpOnly, SameSite=Strict) | Strictly necessary

We do not use advertising cookies, tracking pixels, or third-party marketing cookies. Vercel Analytics is privacy-friendly and does not use persistent cookies for analytics purposes.

7. Children's Privacy

SubRobin is not directed at children under 18 years of age. We do not knowingly collect personal data from anyone under 18. If you believe a child has provided us with personal data, contact us at privacy@subrobin.com and we will delete that data promptly.

8. International Data Transfers

SubRobin is operated from Bangladesh. Data is stored by Supabase in Singapore (ap-southeast-1). Payment data is processed by Stripe across their global infrastructure. AI processing is performed by Groq in the United States.

By using SubRobin, you consent to the transfer of your data to these locations. Where required, we rely on standard contractual clauses or equivalent safeguards for international transfers.

9. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify registered users by email at least 14 days before material changes take effect. The effective date at the top of this page will always reflect the most current version.

10. Contact Us

For any privacy-related questions, requests, or concerns:

Related

Read our Terms and Conditions for the rules governing your use of the platform.