Privacy Policy

Last updated: February 2026

Data Controller

BillShrinkr is operated by Äctvli Responsible Consulting (ÄRC). We are the data controller for any personal data processed through this service.

Contact: reachout@actvli.com

What We Collect

We collect only what you provide:

  • Account information: Email address and password (stored securely via Supabase Auth)
  • Subscription data: Names, amounts, frequencies, categories, and notes you enter about your subscriptions
  • Profile data: Display name, currency preference, and optional avatar URL
  • Payment data: Stripe customer ID (we never store card numbers)

Legal Basis for Processing

Under the General Data Protection Regulation (GDPR), we process your personal data on the following legal bases:

  • Contract performance (Art. 6(1)(b)): Processing your account and subscription data is necessary to provide the BillShrinkr service you signed up for
  • Legitimate interest (Art. 6(1)(f)): Service security, fraud prevention, and service improvement
  • Consent (Art. 6(1)(a)): Optional features such as email renewal reminders
  • Legal obligation (Art. 6(1)(c)): Where required by law (e.g., financial record-keeping for payment transactions)

What We Don't Do

  • We don't connect to your bank accounts
  • We don't access your financial transactions
  • We don't sell your data to third parties
  • We don't use your data for advertising
  • We don't track you across other websites
  • We don't use analytics or tracking cookies
  • We don't profile you or make automated decisions that affect you

How We Store Your Data

Your data is stored securely:

  • All data is encrypted in transit (TLS/HTTPS) and at rest
  • Authentication is handled by Supabase (industry-standard security)
  • Database access is protected by Row Level Security (RLS) policies
  • Only you can access your own subscription data
  • Guest mode data is stored locally in your browser only and never sent to our servers

International Data Transfers

Your data may be processed by our sub-processors in countries outside the European Economic Area (EEA). Where this occurs, we ensure adequate safeguards are in place:

  • Supabase: Database and authentication. Data may be hosted in the EU or US. Supabase complies with SOC 2 Type II and supports EU data residency
  • Stripe: Payment processing. Stripe is certified under the EU-US Data Privacy Framework
  • Vercel: Hosting and deployment. Vercel processes data under Standard Contractual Clauses (SCCs)

Each transfer is protected by Standard Contractual Clauses (SCCs) or an adequacy decision as required under GDPR Chapter V.

Payment Information

When you upgrade to Premium:

  • Payment processing is handled entirely by Stripe (we never see your full card details)
  • We store only your Stripe customer ID (not card numbers, CVVs, or bank details)
  • Stripe handles all PCI DSS compliance requirements
  • You can manage your payment methods directly through Stripe's secure portal

Cookies and Local Storage

We use only essential cookies and browser local storage required for the service to function. We do not use any tracking, analytics, or advertising cookies.

For full details, please see our Cookie Policy.

Your Rights Under GDPR

Under the General Data Protection Regulation, you have the following rights:

  • Right of access (Art. 15): All your data is visible in your account dashboard at any time
  • Right to rectification (Art. 16): You can update or correct your subscriptions and profile at any time
  • Right to erasure (Art. 17): You can permanently delete your account and all associated data from the Account page
  • Right to data portability (Art. 20): Premium users can export all subscription data as CSV or PDF. Free users can request a data export by contacting us
  • Right to restrict processing (Art. 18): Contact us to request restriction of processing
  • Right to object (Art. 21): You can object to processing based on legitimate interest by contacting us
  • Right to withdraw consent: Where processing is based on consent, you can withdraw it at any time without affecting the lawfulness of prior processing

To exercise any of these rights, contact us at reachout@actvli.com. We will respond within 30 days as required by GDPR.

Data Retention

We retain your data only as long as necessary:

  • Active accounts: Data is retained for the lifetime of your account
  • Deleted accounts: All personal data (subscriptions, profile, authentication) is permanently deleted within 30 days of account deletion
  • Payment records: Stripe transaction references may be retained for up to 7 years as required by financial regulations
  • Guest mode data: Stored locally on your device only; deleted when you clear your browser data

Children's Privacy

BillShrinkr is not intended for use by anyone under the age of 16. We do not knowingly collect personal data from children. If you believe a child has provided us with personal data, please contact us and we will delete it promptly.

Right to Lodge a Complaint

If you are not satisfied with how we handle your personal data, you have the right to lodge a complaint with your local data protection supervisory authority. We encourage you to contact us first at reachout@actvli.com so we can try to resolve your concern.

Changes to This Policy

We may update this privacy policy to reflect changes in our practices or legal requirements. We will notify registered users of material changes via email. The "Last updated" date at the top shows when this policy was last revised. Continued use of the service after changes constitutes acceptance of the updated policy.

Contact Us

If you have questions about this privacy policy, your data, or wish to exercise your rights, contact us:

Äctvli Responsible Consulting (ÄRC)
Email: reachout@actvli.com

BillShrinkr is a solution by Äctvli Responsible Consulting (ÄRC).