Privacy Policy

The data controller for the Recurrently application is:

Nuvira Sagl
Via Carlo Maderno 23
6900 Lugano (LUGANO)
Switzerland
VAT: CHE-248.804.311

For any privacy-related enquiries please contact us at privacy@recurrently.app.

We collect only the data strictly necessary to provide the service:

• Account information — your name, email address, and profile photo provided by Google Sign-In (OAuth 2.0).
• Subscription data — the subscriptions you add manually or confirm from Gmail suggestions (name, amount, billing cycle, next billing date, category).
• Gmail metadata — when you choose to scan your inbox we request read-only access to retrieve sender addresses and email subjects from billing-related messages. We extract only structured metadata (sender domain, detected amount and currency). The full content of your emails is never read, stored, or transmitted to our servers.
• Usage data — basic technical logs (browser type, device type, error reports) collected automatically to maintain service quality.

Your data is used exclusively to:

• Authenticate you and display your personalised subscription dashboard.
• Store and retrieve your subscription list across sessions and devices.
• Detect billing-related emails in your inbox and surface subscription suggestions (Gmail scan feature). This processing happens entirely client-side; no email content is transmitted to our servers.
• Calculate spending summaries, burn-rate charts, and renewal reminders.
• Improve the reliability and performance of the application.

We do not use your data for advertising, profiling, or sale to third parties.

Processing is based on the performance of a contract (Art. 6(1)(b) GDPR) — providing you with the Recurrently service — and, where applicable, your explicit consent (Art. 6(1)(a) GDPR) for optional features such as Gmail scanning.

Your account and subscription data are stored in Google Firestore (EU region) and protected by Google's enterprise-grade security infrastructure. Authentication is handled by Firebase Authentication. Data in transit is encrypted via TLS. We apply the principle of least privilege and role-based access controls throughout.

Recurrently's use of the Gmail API is limited to read-only access (gmail.readonly) and is strictly limited to detecting subscription-related billing emails. We comply with the Google API Services User Data Policy, including the Limited Use requirements. Gmail data is never shared with third parties, used for advertising, or stored beyond the current session.

We retain your data for as long as your account is active. You may delete your account at any time from the Settings page, which permanently removes all your subscription data and profile information from our systems. Gmail access tokens are not persisted beyond the scan session.

Under the GDPR and Swiss nDSG you have the right to:

• Access the personal data we hold about you.
• Correct inaccurate data.
• Request erasure of your data ("right to be forgotten").
• Restrict or object to processing.
• Data portability.
• Withdraw consent at any time without affecting prior processing.

To exercise any of these rights, contact us at privacy@recurrently.app.

We use the following sub-processors:

• Google Firebase / Firestore — authentication and data storage (Google LLC, USA — EU Standard Contractual Clauses apply).
• Google Cloud Run — application hosting (Google LLC, USA — EU SCCs apply).
• Google Identity (OAuth 2.0) — sign-in and Gmail read-only access.

Recurrently uses only functional cookies and local storage strictly necessary for authentication session management. We do not use tracking, analytics, or advertising cookies.

We may update this Privacy Policy from time to time. Material changes will be communicated via an in-app notice. Continued use of the service after such notice constitutes acceptance of the updated policy.

Nuvira Sagl — Via Carlo Maderno 23, 6900 Lugano, Switzerland
privacy@recurrently.app