SubCash

Privacy

SubCash Privacy Policy

How SubCash collects, uses, and protects information from users of the SubCash website, free Pay-App Checker, $99 Cash-at-Risk Audit, and SubCash OS subscription.

Privacy Policy

Effective date: 2026-04-18 Last updated: 2026-04-18

This Privacy Policy explains how SubCash ("SubCash," "we," "us," "our") collects, uses, discloses, and protects information from users of the SubCash website at https://subcash.io (or any successor URL), the free Pay-App Checker, the $99 Cash-at-Risk Audit, and the SubCash OS subscription (together, the "Service").

This is a v1 policy. It will be updated as our practices evolve. Material changes will be communicated via email to active customers and dated in the Changelog at the bottom of this page.

This policy is companion to our Security & Data Handling page, which covers the technical detail of how we store and process customer data.

---

1. Who we are

SubCash is operated by Drew Kraken from Kentucky, United States.

Contact: drew@subcash.io

---

2. Information we collect

2.1 Information you provide directly

When you use the Service, we collect:

  • Contact information: name, email address, phone number,

company name, role/title — when you submit an audit request, schedule a call, or sign up for the SubCash OS subscription.

  • Customer artifacts: pay-app packets, lien waivers,

rejection emails, AR aging exports, certified payroll exports, change-order documentation, subcontract excerpts, and similar billing-workflow documents — when you upload them for an audit or as part of the OS subscription.

  • Payment information: processed directly by Stripe; we do

not store full card numbers, CVV, or bank account credentials on SubCash systems.

  • Communications: email, calendar, and call notes when you

communicate with us.

2.2 Information collected automatically

  • Usage data: anonymous usage logs (page views, free Pay-

App Checker invocations, finding counts returned, browser type, device type, approximate location based on IP).

  • Cookies and similar technologies: session cookies for

authentication on the OS subscription. We do not use third-party advertising cookies, retargeting pixels, or cross-site tracking.

2.3 Information from the free Pay-App Checker

The free Pay-App Checker processes packet text and PDFs in your browser. Packet content you paste or files you drop are not transmitted to our servers and are not retained. We log anonymous invocation events (no packet content) for product analytics.

---

3. How we use the information

We use the information to:

  • Provide the Service (deliver audits, run the OS subscription,

respond to inquiries, send transactional email).

  • Bill and process payments (via Stripe).
  • Improve the Service (anonymized rejection patterns inform our

rule library; never with customer-identifying detail).

  • Comply with legal obligations (tax reporting, subpoenas).
  • Communicate with you about your account, deliveries, and

Service updates.

We do not use customer artifacts to train AI models. Our language-model providers (Anthropic, OpenAI) contractually exclude API inputs from training.

---

4. How we share the information

We share information only as described below:

4.1 Subprocessors

We use the following subprocessors to operate the Service:

  • Stripe, Inc. - payment processing and hosted checkout.
  • OpenAI, L.L.C. - language-model API processing for audit

analysis and internal workflow automation.

  • Anthropic, PBC - language-model API processing for audit

analysis and internal workflow automation.

  • Resend, Inc. - transactional email delivery.
  • Vercel, Inc. - web hosting, deployments, and edge delivery.
  • Railway Corp. - application hosting for backend services,

workers, and related infrastructure when used.

We maintain this subprocessor list and update it before or when we add a material provider that processes customer personal information or customer artifacts.

We may disclose information if required by law (subpoena, court order, lawful regulatory request) or to protect SubCash's rights, property, or safety.

4.3 Business transfers

If SubCash is involved in a merger, acquisition, or asset sale, your information may be transferred. The acquirer will be bound to this Privacy Policy or you will be notified before any change in handling.

4.4 What we don't do

  • We do not sell or rent personal information to third parties.
  • We do not share personal information with advertisers or data

brokers.

  • We do not share customer artifacts with general contractors,

CPAs, or other intermediaries unless you explicitly request a CC on a deliverable.

---

5. Data retention

  • Free Pay-App Checker: zero retention (browser-local

processing).

  • $99 Cash-at-Risk Audit: customer artifacts retained for 90

days post-delivery, then deleted unless customer requests longer retention or upgrades to the OS subscription.

  • SubCash OS subscription: customer artifacts retained for

the duration of the subscription plus a 30-day post-cancellation export window.

  • Audit logs and access logs: retained 12 months for

security and incident-response purposes.

You may request deletion at any time by emailing drew@subcash.io. We confirm deletion within 5 business days.

---

6. Security

We protect information using reasonable administrative, technical, and organizational safeguards, including HTTPS/TLS in transit, provider-managed encryption at rest where supported, access controls, and least-privilege access discipline. Detailed security posture is described in our Security & Data Handling page.

No security control is perfect. If we discover a security incident affecting your data, we will notify you within 72 hours of confirmation.

---

7. Your rights

7.1 General

You may at any time:

  • Request a copy of your personal information (email

drew@subcash.io).

  • Request correction of inaccurate information.
  • Request deletion of your account and associated data.
  • Opt out of marketing email (every marketing email contains an

unsubscribe link).

  • Decline to provide information; understand that some Service

features may not be available.

7.2 California residents (CCPA)

Under the California Consumer Privacy Act, California residents have rights to know what personal information we collect, the right to delete personal information, and the right to opt out of the sale of personal information. We do not sell personal information. To exercise CCPA rights, email drew@subcash.io with "CCPA" in the subject line; we respond within 45 days.

7.3 Other states

We will respond to comparable requests from residents of other states with similar privacy laws (Virginia VCDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, etc.) on a good-faith basis.

---

8. Children's privacy

The Service is not directed to children under 16 and we do not knowingly collect personal information from children under 16. If you believe we have collected information from a child under 16, please contact drew@subcash.io and we will delete it.

---

9. International users

The Service is operated from the United States and customer data is stored in the United States. SubCash does not currently serve users outside the United States. If you access the Service from outside the United States, you consent to the transfer and processing of your information in the United States.

---

10. Changes to this policy

We may update this Privacy Policy from time to time. The "Last updated" date at the top reflects the most recent change. Material changes will be communicated to active customers via email at least 30 days before the changes take effect.

---

11. Contact

Privacy questions, data access requests, deletion requests, or opt-outs:

drew@subcash.io

SubCash Kentucky, United States

---

Changelog

  • 2026-04-18 - v1. Initial publication.