← Back to home

Privacy Policy

Last updated: March 21, 2025

Overview

Subsurface (“we”, “our”, “us”) is an analytics platform for Substack publishers. This policy explains how we handle your data when you use our website at subsurface.app and our Chrome browser extension at Chrome Web Store.

Data We Collect

Account data

When you create an account we collect your email address and a hashed password. We use Supabase to store and authenticate this data securely.

Usage analytics

We use Vercel Analytics to collect anonymised page-view data (page URL, referrer, country) to understand how the product is used. No personally identifiable information is collected through analytics.

Chrome Extension

The Subsurface Chrome extension connects to your Substack account to export subscriber data and send it to the Subsurface web app running in your browser.

  • cookies — Your existing Substack session cookies are read locally to authenticate API requests. They are never sent to Subsurface servers.
  • tabs — Used to detect your Substack publication subdomain from open browser tabs.
  • storage — Your Substack subdomain and profile handle are cached locally in the extension to avoid repeated API calls.
  • scripting — Used to deliver the exported CSV data to the Subsurface tab via a local postMessage.

The extension does not transmit any subscriber data to external servers. All data flows directly from Substack to your local browser session.

Data Sharing

We do not sell, rent, or share your personal data with third parties. The only third-party services we use are:

  • Supabase — authentication and account storage
  • Vercel — hosting and anonymised analytics
  • Lemon Squeezy — payment processing for paid subscriptions

Data Retention

Account data is retained for as long as your account is active. You may delete your account at any time from the account settings page, which permanently removes your data from our systems. Subscriber CSV data is never persisted on our servers and requires no deletion.

Security

All data in transit is encrypted via HTTPS. Account credentials are managed by Supabase and never stored in plaintext. Subscriber data never leaves your browser.

Contact

Questions about this policy? Email us at hello@subsurface.app.