Privacy Policy

On behalf of our business customers, stubkit processes: tenant application configuration, opaque end-user identifiers, email addresses (where a customer chooses to sync them), subscription status and history, product identifiers, transaction and purchase tokens, and raw webhook payloads received from Apple, Google, and Stripe. We do not store payment card numbers, billing addresses, or any other payment instrument data — those remain exclusively with Apple, Google, and Stripe.

We process this data solely to provide the subscription validation service our customers have contracted for. Under the EU and UK GDPR we act as a data processor, and our business customers remain the data controllers of end-user information. See the Data Processing Agreement for the full framework.

Active subscription and entitlement state is retained for the duration of the customer relationship. Immutable webhook archives are retained for two (2) years to support audit and replay. Hot event logs are retained for ninety (90) days and then purged. Deleted customer accounts are purged within thirty (30) days.

stubkit runs on a global edge platform with TLS enforced on every request. Data is stored in the United States by default, with optional regional replication available on request for enterprise agreements.

If you are an end user of an application that uses stubkit, your rights under the EU/UK GDPR, the California Consumer Privacy Act, and similar laws (access, correction, deletion, portability, objection) are honored through the application operator that collected your data in the first place. Please contact them directly. Escalations may be directed to privacy@stubkit.com.

We use a small number of vetted infrastructure and communication sub-processors to operate the Service. A current list is available to business customers on request via privacy@stubkit.com. Each sub-processor is bound by a written data protection agreement with security and confidentiality commitments at least as protective as those in our DPA.

The stubkit marketing website uses only strictly necessary cookies for session management and security. The stubkit dashboard uses session cookies required for authentication. We do not use third-party analytics or advertising cookies.

Questions about this Privacy Policy or requests about your personal data can be sent to privacy@stubkit.com or by mail to the registered office address above.