Privacy Policy
Last updated: March 6, 2026
This Privacy Policy explains how SubVix collects, uses, and protects your personal data. We believe in transparency and plain language — no legal jargon.
1. Data Controller
SubVix is operated by Mikovix s.r.o., Company ID (IČO): 24596477, with registered office at Dlouhá 3403/2b, Moravská Ostrava, 702 00 Ostrava, Czech Republic, registered in the Commercial Register maintained by the Regional Court in Ostrava, section C, file 103092.
For any data protection inquiries, contact us at: privacy@subvix.io
2. Data We Collect
We collect and process the following personal data:
- Account information: First name, last name, email address, company name.
- Subscription tracking data: Vendor names, annual costs, renewal dates, notice periods, currencies. This is data you enter about your SaaS subscriptions — it is not data about you personally.
- Billing data: Managed entirely by Stripe. We store only your Stripe Customer ID and subscription status. We never see or store your credit card number.
- Technical data: IP address, browser type (collected automatically by our hosting infrastructure for security and error diagnostics). We do not use analytics or tracking cookies.
3. Legal Basis for Processing
We process your data under the following legal bases (GDPR Article 6):
- Contractual necessity (Art. 6(1)(b)): Processing necessary to provide the SubVix service — managing your account, tracking subscriptions, sending renewal notifications.
- Consent (Art. 6(1)(a)): You give explicit consent when you register by agreeing to these terms. You can withdraw consent at any time by contacting us.
- Legitimate interest (Art. 6(1)(f)): Security monitoring, fraud prevention, and service improvement.
4. How We Use Your Data
- Providing and maintaining the SubVix service.
- Sending renewal reminder notifications via email (30, 14, and 7 days before cancel-by dates).
- Processing billing and payments through Stripe.
- Sending transactional emails (account verification, password resets).
- Diagnosing technical issues and ensuring service security.
We do not sell your data. We do not use your data for advertising. We do not profile you.
5. Third-Party Processors
We use the following third-party services to operate SubVix:
| Service | Purpose | Location | Privacy Policy |
|---|---|---|---|
| Microsoft Azure | Hosting, database, monitoring | EU (West Europe) | privacy.microsoft.com |
| Stripe | Payment processing | US (EU-US DPF) | stripe.com/privacy |
| SendGrid (Twilio) | Email delivery | US (EU-US DPF) | twilio.com/legal/privacy |
| Cloudflare | CDN, DNS, DDoS protection | US (EU-US DPF) | cloudflare.com/privacypolicy |
6. Data Retention
- Active accounts: Your data is retained for as long as your account is active.
- Deleted accounts: Upon request, we will delete or anonymize your personal data within 30 days. Subscription tracking data associated with your team is also removed.
- Billing records: Transaction records may be retained for up to 7 years for tax and legal compliance, as required by Czech law.
7. Your Rights
Under GDPR, you have the following rights:
- Access (Art. 15): Request a copy of your personal data.
- Rectification (Art. 16): Request correction of inaccurate data.
- Erasure (Art. 17): Request deletion of your personal data ("right to be forgotten").
- Data portability (Art. 20): Request your data in a machine-readable format.
- Restriction (Art. 18): Request that we limit processing of your data.
- Object (Art. 21): Object to processing based on legitimate interest.
- Withdraw consent (Art. 7(3)): Withdraw your consent at any time. This does not affect the lawfulness of processing before withdrawal.
To exercise any of these rights, contact us at privacy@subvix.io. We will respond within 30 days.
You also have the right to lodge a complaint with a supervisory authority. For the Czech Republic, this is the Office for Personal Data Protection (UOOU).
8. Cookies
SubVix uses only essential cookies required for the service to function:
| Cookie | Purpose | Duration |
|---|---|---|
.AspNetCore.Identity.Application |
Authentication session | Session / persistent (based on "Remember me") |
.AspNetCore.Antiforgery.* |
CSRF protection | Session |
We do not use analytics cookies, tracking cookies, or advertising cookies. Since these cookies are strictly necessary for the service, no consent is required under the ePrivacy Directive.
9. International Data Transfers
Your data is primarily hosted in the EU (Microsoft Azure, West Europe region). Some of our sub-processors (Stripe, SendGrid, Cloudflare) are US-based companies. These transfers are safeguarded by the EU-US Data Privacy Framework (DPF) and, where applicable, Standard Contractual Clauses (SCCs) approved by the European Commission.
10. Security
We implement appropriate technical and organizational measures to protect your data, including: encryption in transit (TLS), encrypted database connections, rate limiting, security headers, and regular dependency vulnerability scanning.
11. Changes to This Policy
We may update this Privacy Policy from time to time. For material changes, we will notify you via email. The "Last updated" date at the top of this page indicates the latest revision.
12. Contact Us
If you have any questions about this Privacy Policy or how we handle your data, contact us at:
- Email: privacy@subvix.io