Subto.One

Privacy Policy

Last updated: January 16, 2026

This Privacy Policy explains how Subto.One (the "Service") collects, uses, and shares information. The description below is derived from an analysis of the application's source code and reflects the default behavior of the repository as provided.

Contact

For privacy inquiries or data removal requests contact: support@subto.one.

Information Collected

  • Account info: Google sign-in profile (uid, email, displayName, photoURL, lastLogin, createdAt) stored in Firestore.
  • Scan results: Runtime analysis, Lighthouse scores, JavaScript errors, API-check outputs, and optional base64-encoded video snapshots stored in-memory and optionally persisted.
  • Uploads: Attachments uploaded via /api/v1/attachments/upload are saved to public/uploads. Temporary upload payloads used for AI analysis are stored in a temp directory and cleaned up after 24 hours.
  • API key metadata: API key validation queries Firestore to map keys to user IDs; keys are compared using constant-time checks.

How We Use Data

  • To run scans and return results to users.
  • To validate API keys and enforce rate limits.
  • To generate AI analyses, create patched ZIP downloads, and provide the web UI features.
  • To send data to third-party services when those integrations are configured (e.g., VirusTotal, Google PageSpeed, Mozilla Observatory, OpenRouter).

Retention

  • In-memory scan data: retained up to 24 hours (server cleanup runs hourly).
  • Temp upload files: cleaned up after 24 hours.
  • Files under public/uploads: not automatically deleted by server code; implement a cleanup if required.

Security

The server sets strong security headers (CSP, HSTS, X-Frame-Options) and validates uploads for allowed extensions and sizes. API key comparisons use constant-time checks to reduce timing-attack risk.

Your Choices

To request account or data removal, contact support@subto.one. Avoid uploading sensitive regulated data unless you control retention and storage.

Data Subject Rights

Subject to applicable law, you may have the right to:

  • Request access to personal data we hold about you;
  • Request rectification of inaccurate or incomplete personal data;
  • Request deletion (the "right to be forgotten") where retention is not required by law;
  • Request portability of your personal data in a commonly used, machine-readable format;
  • Object to processing based on our legitimate interests where applicable; and
  • Lodge a complaint with your local supervisory authority if you believe your rights have been breached.

To exercise any of these rights please contact support@subto.one. We will verify identity and respond within applicable statutory timeframes.

Automated Decision-Making & AI

The Service includes optional AI analysis features that generate recommendations and suggested code changes. These outputs are generated by deterministic heuristics and optionally by third-party AI providers when configured. Decisions that have legal or similarly significant effects are not made solely on automated processing in the default configuration. Users should review AI-generated suggestions carefully and exercise professional judgment before applying changes.

Cookies & Client-Side Storage

The front-end may use local storage, session storage, or cookies for session management and UI state. These client-side storage mechanisms do not contain sensitive secrets or API keys. If you deploy additional analytics or tracking, document those separately.

International Data Transfers

Because the Service may call third-party APIs and because hosts/operators may run infrastructure in different regions, personal data may be transferred to and processed in jurisdictions other than your own. When transfers occur, the operator will take reasonable measures (contractual safeguards, data processing agreements) to protect transferred data.

Retention and Deletion Procedures

Operators should implement documented procedures for deletion of personal data. The codebase provides a 24-hour default retention for in-memory scans and temp files; attachments saved under public/uploads persist until removed. To request deletion, contact support@subto.one, and include identifying details (account email, scan id) to expedite verification.

Security Practices

We implement reasonable organizational and technical measures to protect personal data. These measures include strict Content Security Policy headers, HSTS, input validation, file type and size restrictions, and temporary storage purging. Operators are responsible for securing deployment secrets and production infrastructure (TLS certificates, secret managers, firewall rules, and access control).

Contact & Data Protection Officer

For privacy matters contact: support@subto.one. If your deployment requires a designated Data Protection Officer (DPO), provide the DPO contact information here.

Revision History

This document is maintained alongside the repository. Substantial policy changes will include an updated "Last updated" date and summary of changes.

Back to Home