Privacy Policy

SubUp is a Substack analytics product operated from Mexico. This policy applies to the SubUp web app at subup.app and the SubUp Chrome extension.

When you sign up:

• Your email address (for authentication via magic link).
• Your IP address and browser metadata (standard server logs).

When you connect your Substack via our Chrome extension:

• Your Substack session cookie (including substack.sid) — used to read your notes, comments, mentions, and stats on your behalf.
• The list of Substack publications you own.

We do not collect:

• Your Substack password.
• Browsing history outside substack.com.
• Cookies from any site other than substack.com.
• Payment data — Stripe handles that directly.

• Email — to send magic-link sign-in emails and product updates (you can opt out anytime).
• Substack session cookie — used server-side to call Substack's authenticated APIs and surface your activity, notes performance and creator search inside SubUp.
• Notes content (title, body snippet, engagement metrics) — passed to Anthropic's Claude API to generate AI insights for Pro users. Anthropic processes this data per their privacy policy and does not train on it.

We never share, sell, or otherwise transmit your Substack cookie to any third party. We never use it to post, comment, subscribe, or take any write actions on Substack except actions you explicitly trigger from the SubUp interface (e.g. liking a comment from the Activity Center).

Data is stored in Supabase (PostgreSQL on AWS). Encryption-at-rest is provided by the platform. Substack session cookies are stored alongside your account and are accessible only to SubUp servers via Supabase row-level security.

• Disconnect Substack from SubUp → Account → Disconnect. This deletes your stored cookie immediately.
• Uninstall the Chrome extension. This stops further cookie transmission, but does not delete the cookie already stored. Use Disconnect to remove it.
• Log out of Substack. This invalidates the cookie at the source.
• Delete your SubUp account by emailing hi@subup.app. All your data is removed within 24 hours.

We keep your data for as long as your account is active. When you delete your account, everything (including Substack session cookies, generated insights and stored history) is removed within 24 hours.

SubUp itself uses one cookie: an authentication session managed by Supabase. We do not use third-party tracking or advertising cookies.

SubUp is not intended for users under 16. If you believe a child has signed up, contact us and we'll delete the account.

We'll update this page when we make material changes and notify active users by email. The "Last updated" date at the top shows when it last changed.

Questions about this policy: hi@subup.app