🔒 Legal Document

Privacy Policy

We believe privacy is a right, not a feature. Here's exactly what we collect and why.

Effective: May 24, 2026 · Last updated: May 24, 2026 · Applies to: Recurrs iOS App
The short version: Your subscription data lives on your device. We don't sell your data. We don't read your emails. Gmail scanning is fully opt-in and only reads sender addresses and subject lines. You can delete your account and all associated data at any time.

1 Who We Are

Recurrs ("Recurrs," "we," "our," or "us") is a subscription management application developed and operated by Varun Anand, an individual developer operating under the Figo brand. Our registered contact email is privacy@figo.app.

This Privacy Policy governs your use of the Recurrs iOS application and any related services, websites, or communications operated by us (collectively, the "Service"). By using the Service, you acknowledge that you have read, understood, and agree to be bound by this Privacy Policy.

This Policy is written in plain English wherever possible. Where legal language is necessary, we explain what it means.

2 Information We Collect

2.1 Information You Provide Directly

| Data | When collected | Where stored |
|---|---|---|
| Name and email address | When you create an account | Supabase (encrypted at rest) |
| Subscription names, amounts, billing cycles, categories | When you add a subscription | On-device (SwiftData) + Supabase (Pro sync) |
| Usage ratings ("Daily", "Sometimes", "Rarely") | When you rate a subscription | On-device (SwiftData) + Supabase (Pro sync) |
| Free trial dates and commitment end dates | When you add trial subscriptions | On-device (SwiftData) + Supabase (Pro sync) |
| Custom subscription notes | When you add notes to a subscription | On-device (SwiftData) + Supabase (Pro sync) |

2.2 Information Collected Automatically

  • Device identifiers: iOS version and device type, used only for compatibility and crash diagnostics.
  • Anonymous analytics: Which features are used (e.g., "AI Advisor opened"), aggregated and not linked to your identity. Collected via Google Analytics (gtag.js) on our website only — not in the app itself.
  • APNs device token: Apple Push Notification token, collected when you grant notification permission and stored in our database to enable push notifications. This is a device identifier assigned by Apple, not your personal data.
  • Currency exchange rates: Fetched from frankfurter.app. No personal data is sent.
  • App version and build number: Sent with API requests for compatibility checking.

2.3 Information We Do Not Collect

  • Payment card numbers or banking information
  • Bank account data or actual transaction records
  • Location data (GPS or network-based)
  • Contact list or calendar data
  • Photos or camera data (unless you explicitly choose a custom icon)
  • Your email inbox content (see Section 4 for Gmail details)
  • Social media data
  • Browser history
  • Data from other apps on your device

3 How We Use Your Information

We use the information we collect strictly to provide and improve the Service. We do not use your data for advertising.

| Purpose | Data used | Legal basis |
|---|---|---|
| Providing the subscription tracking features | Subscription data | Contract performance |
| Cloud sync across your devices (Pro) | Subscription data, account ID | Contract performance |
| Sending renewal reminders | Subscription dates, APNs token | Contract performance / legitimate interest |
| Generating AI spending insights | Subscription names, amounts, categories | Consent (opt-in feature) |
| Verifying Pro subscription status | Account ID, App Store receipt | Contract performance |
| Preventing fraud and abuse | Account ID, usage patterns | Legitimate interest |
| Improving the Service | Anonymised usage analytics | Legitimate interest |

4 Gmail Scanning Feature

This feature is entirely optional. It requires explicit authorisation via Google's OAuth 2.0 flow. You can connect, disconnect, or revoke access at any time from Google's security settings at myaccount.google.com/permissions.

4.1 What we access

  • Only sender email addresses and email subject lines from your inbox — never email body content.
  • We query Gmail's API with a filter for billing-related senders (e.g., "receipt," "invoice," "subscription") to minimise the scope of access.
  • We only scan emails from the last 6 months.

4.2 What we store

  • A Google OAuth refresh token is stored in our secure Supabase database, encrypted at rest, protected by Row Level Security. This token is used to perform automatic background scans without requiring you to re-authorise each time.
  • The refresh token is stored server-side only. It never resides on your device. It is never returned to the app in any API response.
  • Detected subscription names, amounts, and billing cycles are cached locally on your device only (UserDefaults). They are not uploaded to our servers.
  • Email addresses or subjects that triggered a detection are not stored anywhere — only the derived subscription data (e.g., "Spotify — $9.99/month").

4.3 What happens when you disconnect

  • Your refresh token is immediately deleted from our database.
  • All locally cached Gmail suggestions are cleared from your device.
  • Any subscriptions you previously added from Gmail suggestions remain in the app — deleting them is your choice.

4.4 Google's policies

Use of data obtained through Gmail is governed by our compliance with the Google API Services User Data Policy, including the Limited Use requirements. We do not use Gmail data for any purpose other than detecting subscription billing emails for display within Recurrs.

Your Gmail data is not used to serve advertisements, is not shared with third parties for their independent use, and is not used to train AI models.

5 AI Features (Gemini)

When you use the AI Advisor or AI Assistant features (Pro only), the following data is sent to Google's Gemini API via our secure backend proxy hosted on Supabase:

  • Subscription names, amounts, billing cycles, and usage ratings
  • Aggregated spending totals

Not sent to Gemini: Your name, email address, account ID, device information, or any other personally identifiable information. Your email inbox data is never sent to Gemini under any circumstances.

Google's processing of this data is governed by the Google Privacy Policy. AI-generated advice is for informational purposes only and does not constitute financial advice.

6 Data Storage & Security

6.1 On-device storage

Your subscription data is stored locally using Apple's SwiftData framework with optional CloudKit synchronisation. Data stored via CloudKit is encrypted by Apple both in transit and at rest using AES-256 encryption. This data is accessible only through your Apple ID.

6.2 Cloud storage (Supabase)

For cloud sync (Pro feature) and account management, we use Supabase, a PostgreSQL-based cloud database hosted on AWS infrastructure in the United States. All data is:

  • Encrypted in transit using TLS 1.2 or higher (HTTPS for all connections)
  • Encrypted at rest using AES-256
  • Protected by Row Level Security (RLS) — database-level policies that ensure each user can only read and write their own data. Even in the event of a database compromise, RLS prevents cross-user data access.

6.3 Network security

  • All network communication uses HTTPS. The app enforces Apple's App Transport Security (ATS) — plaintext HTTP connections are blocked at the OS level.
  • Google OAuth uses PKCE (Proof Key for Code Exchange) — a security extension that prevents authorisation code interception attacks.
  • Our Supabase anon key is embedded in the app as designed by Supabase — it is a public key that grants access only within the boundaries of our RLS policies. Your data cannot be accessed with this key alone; a valid authenticated session JWT is required.

6.4 What we cannot guarantee

No method of electronic transmission or storage is 100% secure. While we implement industry-standard safeguards, we cannot guarantee absolute security. In the event of a data breach affecting your personal information, we will notify affected users as required by applicable law.

7 Third-Party Services

| Service | Purpose | Data shared | Privacy policy |
|---|---|---|---|
| Supabase | Database, authentication, edge functions | Account info, subscription data (Pro sync) | supabase.com/privacy |
| Google Gemini API | AI-generated spending insights | Subscription names, amounts, categories (anonymised) | policies.google.com/privacy |
| Google OAuth / Gmail API | Gmail subscription detection (opt-in) | Email sender addresses and subjects (processed server-side, not stored) | policies.google.com/privacy |
| Apple / App Store | Payment processing, push notifications, CloudKit sync | Payment and receipt data (Apple only) | apple.com/legal/privacy |
| frankfurter.app | Live currency exchange rates | None (public API, no auth) | frankfurter.app |
| Google Analytics | Website analytics (figoapp.net only, not in-app) | Anonymous page-view data | policies.google.com/privacy |

We do not use any advertising networks, tracking SDKs, or analytics frameworks inside the iOS app itself.

8 Data Sharing

We do not sell, rent, lease, or trade your personal data to any third party, ever. We do not share data for advertising or marketing purposes.

We may share your information only in the following limited circumstances:

  • Service providers: The third parties listed in Section 7, solely for the purposes described.
  • Legal compliance: If required by applicable law, court order, or governmental authority, we may disclose information to comply with such legal requirements.
  • Protection of rights: To protect the rights, property, or safety of Recurrs, our users, or the public, where disclosure is necessary.
  • Business transfers: In the event of a merger, acquisition, or sale of assets, your data may be transferred. We will provide notice before your personal data is transferred and becomes subject to a different privacy policy.
  • With your explicit consent: For any other purpose, only with your prior written consent.

9 Authentication & Passwords

Recurrs supports three sign-in methods:

  • Email + Password: Passwords are hashed using bcrypt before storage. We never store or transmit plaintext passwords. Password hashing and verification are handled by Supabase Auth.
  • Sign in with Google: We receive only your name and email address from Google. We do not receive your Google password.
  • Sign in with Apple: We receive only your name and email address (or relay address). We do not receive your Apple ID password.

Authentication sessions use JWTs (JSON Web Tokens), which are stored in the app's sandboxed storage and expire automatically. All authentication API calls are made over HTTPS.

10 Payments

All in-app purchases for Recurrs Pro are processed exclusively by Apple through the App Store. We never receive, process, or store your payment card numbers, bank account details, or any other financial credentials.

Apple acts as the merchant of record. Your payment data is subject to Apple's Privacy Policy. For refund requests, visit reportaproblem.apple.com.

We receive from Apple only a cryptographic receipt confirming whether a valid Pro subscription is active. This receipt does not contain your payment information.

11 Data Retention

  • Active account: We retain your data for as long as your account is active and the Service is in use.
  • Account deletion: When you delete your account through the app, all your personal data is permanently deleted from our Supabase database within 30 days. Subscription data on your device is deleted immediately when you delete the app.
  • Gmail refresh token: Deleted immediately upon disconnecting Gmail in Settings, or upon account deletion.
  • APNs push tokens: Deleted upon account deletion or when you revoke notification permissions.
  • Backup data: We do not maintain separate backups of user data beyond what Supabase retains for disaster recovery (retained for up to 7 days in rolling backups, not individually restorable by users).
  • Analytics data: Anonymised website analytics are retained per Google Analytics' standard retention settings (up to 14 months).

To request deletion of your data, use the account deletion option in the app (Settings → Account → Delete Account) or email privacy@figo.app.

12 Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

| Right | What it means | How to exercise |
|---|---|---|
| Access | Request a copy of the personal data we hold about you | Email privacy@figo.app |
| Rectification | Correct inaccurate or incomplete data | Edit within the app or email us |
| Erasure | Request deletion of your account and all associated data | Settings → Account → Delete Account |
| Portability | Export your subscription data in a machine-readable format | Email privacy@figo.app |
| Restriction | Request we limit processing of your data in certain circumstances | Email privacy@figo.app |
| Objection | Object to processing based on legitimate interests | Email privacy@figo.app |
| Opt-out | Opt out of notifications at any time | iOS Settings → Notifications → Recurrs |
| Gmail disconnect | Revoke Gmail access at any time | App Settings or Google account settings |

We will respond to verifiable requests within 30 days. In complex cases, we may extend this period by a further 60 days with notice.

If you are located in the European Economic Area (EEA), United Kingdom, or California, you have additional rights under GDPR, UK GDPR, or CCPA respectively. We honour these rights for all users regardless of location.

13 Children's Privacy

Recurrs is not directed to children under the age of 13 (or under 16 in the EEA). We do not knowingly collect personal information from children under these ages.

If you believe a child has provided us with personal information, please contact us immediately at privacy@figo.app. We will delete such information promptly upon verification.

Parents or guardians who have concerns about their child's use of the Service should contact us at the email address above.

14 International Users

Recurrs is operated from India. Our cloud infrastructure (Supabase) is hosted in the United States. If you are accessing the Service from outside India or the United States, be aware that your information may be transferred to, stored, and processed in the United States and India.

By using the Service, you consent to the transfer of your information to these countries, which may have data protection laws different from your country. We take appropriate safeguards to ensure your data remains protected regardless of where it is processed.

For users in the EEA or UK: We rely on your consent (for optional features) and contract performance as the legal basis for processing your data. Transfers to the US are made to Supabase, which operates under the EU-US Data Privacy Framework.

15 Push Notifications

Recurrs uses local notifications (processed entirely on your device) and, for some features, remote push notifications via Apple Push Notification Service (APNs).

  • Renewal reminders are local notifications — processed on-device, no data leaves your device.
  • Usage check-in notifications are local notifications.
  • Your APNs device token is stored in our database only to enable push delivery. It is not used for tracking or advertising.

You can revoke notification permissions at any time through iOS Settings → Notifications → Recurrs.

16 Changes to This Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technology, legal requirements, or for other operational reasons. We will notify you of material changes by:

  • Posting the updated policy at figoapp.net/recurr/privacypol.html
  • Displaying an in-app notification for significant changes
  • Updating the "Last updated" date at the top of this policy

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised Privacy Policy. If you do not agree with a change, you must stop using the Service and delete your account.

For changes that materially affect how we use your Gmail data, we will require you to reconnect Gmail explicitly and re-grant consent.

17 Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

We aim to respond to all privacy-related enquiries within 5 business days.

Questions? We're here.

Privacy is important to us. If anything in this policy is unclear or you want to exercise your rights, reach out directly.