Privacy Policy

1. INFORMATION WE COLLECT FROM CUSTOMERS

When you create a SubJolt account and use our portal, we collect:

• Account information: name, email address, company name, and billing details.
• Payment gateway credentials: API keys and OAuth tokens you provide to connect Stripe, Shopify, Chargebee, Recharge, or other gateways. These are stored securely on our servers to execute subscription actions on your behalf.
• Widget configuration: cancel flow settings, discount rules, reason choices, and button selectors.
• Usage data: how you interact with the SubJolt portal, including pages visited and features used.

2. INFORMATION PROCESSED THROUGH THE WIDGET

When the SubJolt widget operates on a Customer's website, it processes limited End User data to deliver the cancel flow and analytics:

• Subscription and customer identifiers (transient): subscription IDs and customer IDs from the applicable payment gateway are processed in real time to resolve identities and execute subscription actions. These identifiers are not persisted on SubJolt's servers.
• Session identifiers: anonymized, randomly-generated session IDs (UUID) created per page load. These are not linked to any personal identity and are stored in event logs for analytics.
• Event data: interactions with the cancel flow (e.g., reason selected, offer accepted, action taken) are stored in event logs associated with the Customer's account.
• Free-text responses: if an End User types a custom cancellation reason, that text is stored as part of the Customer's analytics data.
• Email addresses (transient only): End User email addresses may be used in real time to look up a subscription via the Customer's payment gateway API. Email addresses are not persisted on SubJolt's servers.
• Client-side caching: the widget may store subscription identifiers, customer identifiers, and related plan data in the End User's browser localStorage for performance. This cache expires automatically and can be cleared by the End User via browser settings.

3. INFORMATION COLLECTED AUTOMATICALLY

• Cookies and tracking: SubJolt.com uses cookies for session management and analytics. See our Cookie Policy for details.
• Server logs: IP addresses, browser type, and request metadata are logged by our hosting provider (Vercel) for security and operational purposes.
• Error data: when errors occur, we log diagnostic information (error messages, stack traces, and request context) to identify and fix issues. This data does not include payment credentials or End User personal information.

4. HOW WE USE DATA

We use the information we collect to:

• Deliver, operate, and improve the Service.
• Execute subscription actions (pause, cancel, discount, plan switch) through connected payment gateways.
• Provide analytics dashboards showing cancellation reasons and retention outcomes.
• Process payments via Stripe for SubJolt billing.
• Communicate with Customers about their accounts.
• Detect and prevent abuse, fraud, and security issues.
• Comply with legal obligations.

5. LAWFUL BASIS FOR PROCESSING (GDPR)

For individuals in the European Economic Area (EEA) and UK, we process personal data under the following lawful bases:

• Contractual necessity: processing Customer account data and End User subscription data is necessary to perform our contract with the Customer (the Terms of Service).
• Legitimate interest: analytics, error logging, and service improvement, where these interests are not overridden by data subject rights.
• Legal obligation: where processing is required to comply with applicable law.
• Consent: where required for non-essential cookies and analytics tracking on SubJolt.com (see our Cookie Policy).

6. SHARING AND DISCLOSURE

We share data only in the following circumstances:

• Service providers (subprocessors): we share data with providers who help us operate the Service, including Stripe, Shopify, Chargebee, Recharge, Neon (database), Vercel (hosting), Sentry (error monitoring), Google Analytics (website analytics), HubSpot (CRM), and Resend (email). See our Subprocessors page for the full list.
• Payment gateways: when executing subscription actions, we transmit identifiers to the Customer's connected payment gateway.
• Legal requirements: when required by law, legal process, or to protect our rights, property, or safety.
• Business transfers: in connection with a merger, acquisition, or sale of assets, your data may be transferred to the successor entity.
• We do not sell, rent, or trade personal information to third parties for their marketing purposes.

7. DATA RETENTION

• Customer account data is retained while your account is active and for 30 days after termination (to allow data export), then deleted.
• Event logs and analytics data (subscription identifiers, session data, cancellation reasons) are retained for the duration of the Customer's account plus 90 days, after which they are deleted unless legally required to retain.
• Error logs are retained for up to 90 days for debugging purposes.
• Client-side cached data (browser localStorage) expires automatically based on the widget's configured cache duration and can be cleared by the End User at any time.

8. INTERNATIONAL DATA TRANSFERS

SubJolt is based in the United States. If you are located outside the US, your data may be transferred to and processed in the US. For transfers from the EEA and UK, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission and the UK International Data Transfer Addendum (IDTA), as applicable. Details are provided in our Data Processing Addendum.

9. SECURITY

We implement appropriate technical and organizational measures to protect data, including: encryption in transit (TLS) and at rest, secure credential storage, access controls, rate limiting, input validation, and regular security reviews. Payment gateway credentials are stored server-side only and are never exposed to client-side code.

10. DATA BREACH NOTIFICATION

In the event of a personal data breach that is likely to result in a risk to data subjects' rights, SubJolt will notify affected Customers without undue delay and in any event within 72 hours of becoming aware of the breach. The notification will include the nature of the breach, categories of data affected, likely consequences, and measures taken or proposed to mitigate the breach.

11. YOUR RIGHTS

For EEA/UK Residents (GDPR)

You have the right to access, correct, delete, restrict processing of, and port your personal data. You also have the right to object to processing based on legitimate interest and to withdraw consent where processing is based on consent. To exercise these rights, contact privacy@subjolt.com. You also have the right to lodge a complaint with your local supervisory authority.

For California Residents (CCPA/CPRA)

California residents have additional rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to know: you may request the categories and specific pieces of personal information we have collected.
• Right to delete: you may request deletion of your personal information, subject to certain exceptions.
• Right to correct: you may request correction of inaccurate personal information.
• Right to opt out of sale/sharing: SubJolt does not sell or share personal information for cross-context behavioral advertising. No opt-out is required.
• Non-discrimination: we will not discriminate against you for exercising your privacy rights.

To submit a CCPA request, email privacy@subjolt.com.

12. CHILDREN'S PRIVACY

The Service is intended for businesses and is not directed to individuals under 16 years of age. We do not knowingly collect personal information from children. If we learn that we have collected information from a child under 16, we will delete it promptly. If you believe we have inadvertently collected such information, please contact privacy@subjolt.com.

13. CHANGES TO THIS POLICY

We may update this Privacy Policy from time to time. For material changes, we will provide at least 30 days' notice via email or a prominent notice on SubJolt.com. The "Last Updated" date at the top of this page reflects the most recent revision.