Security & Compliance

Data you control.
Handled carefully.

How Subrina stores, protects, and limits access to your company's data.

Security

How we protect your data

Credential encryption at rest (AES-256)

All email credentials — IMAP passwords, Gmail OAuth access tokens, Microsoft OAuth access tokens and refresh tokens — are encrypted at rest using AES-256 before being stored in the database. Encryption keys are managed via AWS Secrets Manager. Credentials are never returned in API responses or logged.
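As an added illustration of the at-rest design described above, here is example Go code written for this page; it is not Subrina's own Spring implementation. The page names AES-256 but not a mode, so this example uses AES-256-GCM (authenticated encryption) and binds the provider name as associated data; the `KeyProvider` interface, `memKey`, `StoredCredential` and `APIView` are assumptions standing in for the AWS Secrets Manager lookup and the real persistence and response types. The point it demonstrates: only ciphertext reaches the database, the response type has no credential field at all, and the stored type redacts itself if it ever lands in a log line.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// KeyProvider is where the data-encryption key comes from. The page says keys
// live in AWS Secrets Manager; this interface is an assumption so the example
// can run offline against a constructed in-memory key.
type KeyProvider interface {
	Key() ([]byte, error)
}

// memKey is a constructed stand-in for a secrets-manager lookup (example only).
type memKey []byte

func (k memKey) Key() ([]byte, error) {
	if len(k) != 32 { // AES-256 means a 256-bit (32-byte) key
		return nil, errors.New("data key must be exactly 32 bytes")
	}
	return []byte(k), nil
}

// StoredCredential is the only shape that reaches the database:
// ciphertext, never the token itself.
type StoredCredential struct {
	Provider   string // e.g. "gmail", "microsoft", "imap"
	Ciphertext string // base64(nonce || AES-256-GCM ciphertext || tag)
}

// String redacts the value so an accidental log line shows nothing but the
// provider name.
func (sc StoredCredential) String() string {
	return fmt.Sprintf("credential[%s]<redacted>", sc.Provider)
}

// APIView is what API responses carry: there is no credential field at all.
type APIView struct {
	Provider  string `json:"provider"`
	Connected bool   `json:"connected"`
}

func (sc StoredCredential) View() APIView {
	return APIView{Provider: sc.Provider, Connected: sc.Ciphertext != ""}
}

func newGCM(kp KeyProvider) (cipher.AEAD, error) {
	key, err := kp.Key()
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts a token before it is written to the database. The provider
// name is bound as associated data, so a ciphertext stored under "gmail"
// cannot later be decrypted as if it were a "microsoft" credential.
func Seal(kp KeyProvider, provider, token string) (StoredCredential, error) {
	gcm, err := newGCM(kp)
	if err != nil {
		return StoredCredential{}, err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per credential
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return StoredCredential{}, err
	}
	ct := gcm.Seal(nonce, nonce, []byte(token), []byte(provider))
	return StoredCredential{
		Provider:   provider,
		Ciphertext: base64.StdEncoding.EncodeToString(ct),
	}, nil
}

// Open decrypts for the mail-scanning code path only; nothing that builds an
// API response or a log line should ever call it.
func Open(kp KeyProvider, sc StoredCredential) (string, error) {
	gcm, err := newGCM(kp)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(sc.Ciphertext)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("stored ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(sc.Provider))
	if err != nil {
		// GCM authentication failed: wrong key, wrong provider, or tampering.
		return "", errors.New("credential authentication failed")
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed key; a real one comes from the secrets manager
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	kp := memKey(key)
	sc, _ := Seal(kp, "gmail", "ya29.constructed-example-access-token")
	fmt.Println(sc)        // credential[gmail]<redacted>
	fmt.Println(sc.View()) // {gmail true}
}
```

A check worth keeping in a real code base: grep the API serializers and log formatters for any path that touches the decrypted value, since the type system only helps if `Open` is confined to the scanner.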

Email access — readonly, minimal scope

Gmail connections use the gmail.readonly scope only. Microsoft connections use Mail.Read only. Subrina will never request send, modify, or delete scopes. The email scan is incremental — only mail received since the last scan timestamp is processed. Raw email bodies are parsed in memory and never written to disk or the database; only extracted fields (vendor name, amount, currency, billing cycle, detected date) are stored.

Multi-tenant isolation

Every database query is scoped to the authenticated organization's ID. No query ever accesses records across organization boundaries. Tenant isolation is enforced at the service layer on every read and write operation — it is not left to application-level checks in individual controllers.
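The service-layer scoping described above, shown as an added Go example written for this page rather than Subrina's Spring code. The `Store`, `ScopedRepo`, `WithOrg` and `Subscription` names and the in-memory table are assumptions standing in for the real PostgreSQL repository. The design point is that a repository handle can only be obtained from an authenticated request context, so every read and write, including a primary-key lookup, carries the organization predicate without any controller having to remember it.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

// ErrNotFound is returned for rows that do not exist for this tenant; a row
// owned by another organization is indistinguishable from a missing one.
var ErrNotFound = errors.New("subscription not found")

// Subscription is a constructed example row; OrgID is the tenant column.
type Subscription struct {
	ID     string
	OrgID  string
	Vendor string
	Cost   float64
}

// Store is a constructed in-memory table standing in for the PostgreSQL table.
type Store struct{ rows []Subscription }

type tenantKey struct{}

// WithOrg is what the authentication layer does after validating the session:
// it places the organization ID on the request context.
func WithOrg(ctx context.Context, orgID string) context.Context {
	return context.WithValue(ctx, tenantKey{}, orgID)
}

// ScopedRepo is the only handle through which rows are read or written. It is
// built from the authenticated context, so the org filter cannot be forgotten
// by an individual controller.
type ScopedRepo struct {
	orgID string
	db    *Store
}

// ForRequest refuses to produce a repository without an authenticated org.
func (s *Store) ForRequest(ctx context.Context) (*ScopedRepo, error) {
	orgID, ok := ctx.Value(tenantKey{}).(string)
	if !ok || orgID == "" {
		return nil, errors.New("no authenticated organization on request")
	}
	return &ScopedRepo{orgID: orgID, db: s}, nil
}

// Get is a primary-key lookup that still applies the org predicate, so an ID
// that belongs to another tenant resolves to ErrNotFound.
func (r *ScopedRepo) Get(id string) (Subscription, error) {
	for _, row := range r.db.rows {
		if row.OrgID == r.orgID && row.ID == id {
			return row, nil
		}
	}
	return Subscription{}, ErrNotFound
}

// List returns only this tenant's rows (SELECT ... WHERE org_id = $1).
func (r *ScopedRepo) List() []Subscription {
	var out []Subscription
	for _, row := range r.db.rows {
		if row.OrgID == r.orgID {
			out = append(out, row)
		}
	}
	return out
}

// Create stamps the caller's org on the row, ignoring any OrgID the client
// supplied in the request body.
func (r *ScopedRepo) Create(sub Subscription) Subscription {
	sub.OrgID = r.orgID
	r.db.rows = append(r.db.rows, sub)
	return sub
}

// Delete removes the row only if it belongs to this tenant.
func (r *ScopedRepo) Delete(id string) error {
	for i, row := range r.db.rows {
		if row.OrgID == r.orgID && row.ID == id {
			r.db.rows = append(r.db.rows[:i], r.db.rows[i+1:]...)
			return nil
		}
	}
	return ErrNotFound
}

func main() {
	db := &Store{rows: []Subscription{ // constructed sample rows
		{ID: "sub-1", OrgID: "org-a", Vendor: "Slack", Cost: 96.0},
		{ID: "sub-2", OrgID: "org-b", Vendor: "Notion", Cost: 48.0},
	}}
	repo, err := db.ForRequest(WithOrg(context.Background(), "org-a"))
	if err != nil {
		panic(err)
	}
	_, err = repo.Get("sub-2") // belongs to org-b
	fmt.Println(errors.Is(err, ErrNotFound)) // true
}
```

In a real Spring service the same shape is achieved by making the repository methods take the organization ID from the security context rather than from request parameters, and by having no unscoped `findById` exposed to controllers at all.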

TLS in transit

All traffic between the browser and Subrina's servers is encrypted in transit via TLS 1.2+. The application is hosted on Railway with HTTPS enforced. HTTP requests are redirected to HTTPS.

Database security

Subrina uses a hosted PostgreSQL database with automated daily backups. Database credentials are never hardcoded; they are injected at runtime from environment variables. The database is not publicly accessible — connections are restricted to the application server.

Authentication

Subrina supports Google OAuth2, Microsoft Entra SSO, and email/password login secured with Spring Security. Sessions are managed via JWTs. Passwords are hashed using bcrypt. The SSO login path requests identity-only scopes and does not gain mailbox access at login — that requires a separate, explicit consent step when connecting an email discovery mailbox.

Privacy

What data we collect and why

Account data

Name, email address, organization name. Required to create and maintain your account. Not sold to third parties. Not used for advertising.

Subscription data

The SaaS subscriptions you enter or confirm via email discovery: vendor name, cost, billing cycle, renewal date, category, seat counts. This is your data — you entered it, you control it, you can export or delete it at any time.

Email discovery data

When you connect a mailbox, Subrina processes incoming email to detect subscription-related invoices. Raw email body content is processed in memory only — it is never stored. Only the extracted structured fields from confirmed candidates are saved to the database. Email credentials are encrypted at rest and never returned to the client.

Employee data

If you use the employee lifecycle features, you provide names, email addresses, departments, and dates for employees in your organization. This data is scoped to your organization, not shared, and can be deleted when an employee is fully offboarded.

Usage data

Basic server-side logs (request times, error rates, feature usage counts). No third-party tracking scripts. No behavioral analytics. Logs are retained for 30 days for debugging purposes.

GDPR & Data Rights

Your rights over your data

Subrina is designed for US small businesses but is accessible globally. We comply with GDPR requirements for EU/EEA users.

Right to access

You can export all your subscription, employee, and account data from Settings → Export Data at any time.

Right to deletion

You can delete your organization and all associated data from Settings → Danger Zone. Deletion is permanent and takes effect immediately.

Right to portability

Subscription and employee data can be exported as CSV. No proprietary format lock-in.

Data Processing Agreement (DPA)

If your organization requires a signed DPA for GDPR compliance, contact us. We will provide one.

Terms of Service

The short version

Subrina provides a SaaS subscription management service. You may use it for lawful business purposes. You may not use it to store or process illegal content, attempt unauthorized access to other accounts, or reverse-engineer the application.

You own your data. Subrina processes it only to provide the service. We do not sell it, share it with advertisers, or use it to train AI models.

Subrina is provided "as is" without warranty of any kind, to the extent permitted by law. We are not liable for lost data or business losses resulting from service interruptions, though we take reasonable precautions to prevent them.

We may update these terms with 30 days' notice for material changes. Continued use after the effective date constitutes acceptance.

Governing law: State of Delaware, USA. Disputes are resolved by binding arbitration except for injunctive relief claims.

For the full terms, contact us to request the complete document.

Data Processing Agreement

Need a DPA?

If your organization requires a signed Data Processing Agreement for GDPR or internal compliance, we provide one. Contact us with your company name and we'll send it within 2 business days.