1. Introduction

Welcome to CostLoop. CostLoop is a subscription and recurring cost tracking application operated by Antevski ENK, a sole proprietorship registered in Norway with organisation number 934 334 507, at Harry Fetts Vei 5B, 0667 Oslo, Norway.

We are committed to protecting your personal data and respecting your privacy. This Privacy Policy explains what personal data we collect, why we collect it, how we use it, and what rights you have. CostLoop is designed for global use and is operated in compliance with major privacy regulations worldwide, including:

  • GDPR — General Data Protection Regulation (European Union)
  • UK GDPR — United Kingdom General Data Protection Regulation
  • FADP — Federal Act on Data Protection (Switzerland)
  • PIPL — Personal Information Protection Law (China)
  • APPI — Act on the Protection of Personal Information (Japan)
  • PIPA — Personal Information Protection Act (South Korea)
  • PDPA — Personal Data Protection Act (Thailand & Singapore)
  • DPDP — Digital Personal Data Protection Act (India)

Regardless of where you are located, we apply the same high standard of data protection to all users.

If you have any questions or concerns about this policy, please contact us at hello@costloop.app.

2. What Data We Collect

We collect only the data necessary to provide the CostLoop service. This includes:

Account data

When you register, we collect your email address and a securely hashed version of your password. We never store your password in plain text. We may also store a display name if you choose to provide one.

Subscription data you enter

CostLoop allows you to enter details about your software subscriptions and recurring costs, such as vendor names, costs, renewal dates, billing cycles, owner names, notes, document links, and cancellation URLs. This data is stored securely on your behalf to power the service.

Payment data

Payments for the Pro plan are processed by Stripe, Inc. We do not store your payment card number, CVV, or bank details on our systems. Stripe provides us with a tokenised record of your payment method and billing history. Please review Stripe's Privacy Policy for details on how they handle payment data.

Usage data

We collect basic technical data to operate and improve the service: IP address, browser type, operating system, pages visited, timestamps, and session information. This data is logged by our hosting infrastructure and is not used for advertising.

Marketing consent

We store a record of whether you have consented to receive marketing emails from us. This flag is set only if you actively opt in - we never pre-check marketing consent boxes.

3. How We Use Your Data

We use your personal data for the following purposes:

  • Providing the service - to create and manage your account, store your subscription data, and allow you to access CostLoop features.
  • Renewal reminders - to send you email notifications about upcoming subscription renewals. These are transactional emails tied to the service. You can configure the timing of reminders in your account settings.
  • Billing and payments - to manage your Pro subscription, process payments via Stripe, and send receipts.
  • Marketing communications - to send product updates, tips, and promotional emails, but only if you have given explicit consent. You can withdraw consent at any time.
  • Service improvement and analytics - to understand how the service is used and to identify and fix issues. We use aggregated and anonymised data where possible.
  • Legal obligations - to comply with applicable laws, respond to legal requests, and enforce our Terms and Conditions.

4. Legal Basis for Processing

We process your personal data under the following legal bases as defined in GDPR Article 6:

  • Contract performance (Article 6(1)(b)) - processing your account data, subscription data, and billing information is necessary to provide the CostLoop service you have signed up for.
  • Legitimate interest (Article 6(1)(f)) - we process usage and log data to maintain the security and reliability of the service, prevent fraud, and improve our product. We have assessed that these interests are not overridden by your rights.
  • Consent (Article 6(1)(a)) - we send marketing emails only with your explicit, freely given consent. You can withdraw this consent at any time by updating your notification preferences in the app or by emailing us.
  • Legal obligation (Article 6(1)(c)) - in some cases we may need to retain or disclose data to comply with Norwegian law or a legal order.

5. Data Retention

We retain your personal data for as long as your account is active. If you request account deletion, we will permanently delete your account data - including all subscription records, preferences, and profile information - within 30 days of your request.

Stripe retains billing and payment records in accordance with their own policies and applicable legal requirements (typically 7 years for financial records). We cannot delete this data on Stripe's behalf.

Log data is retained for a shorter period (typically 30-90 days) for security and debugging purposes.

6. Third-Party Subprocessors

We share your data only with trusted third-party service providers (subprocessors) who help us deliver CostLoop. All subprocessors are contractually required to protect your data and may only use it for the purposes we specify.

Our current subprocessors are:

  • Stripe, Inc. - payment processing
  • Supabase, Inc. - database, authentication, and storage
  • Resend, Inc. - transactional email delivery
  • Vercel, Inc. - web hosting and content delivery

For a full list including the types of data processed and the locations of each subprocessor, see our Subprocessor List.

7. Your Privacy Rights

Regardless of where you are located, you have the following rights over your personal data. You can exercise most of these directly within the CostLoop app or by contacting us at hello@costloop.app.

  • Right of access — you can request a copy of the personal data we hold about you.
  • Right to rectification / correction — you can correct inaccurate or incomplete data in your account settings at any time.
  • Right to erasure / deletion — you can permanently delete your account and all associated data. See our Account Deletion page for instructions.
  • Right to data portability — you can export all your subscription data in CSV format. See our Data Export page for instructions.
  • Right to withdraw consent — if you have opted in to marketing emails, you can withdraw your consent at any time in Privacy Settings.
  • Right to object / opt out — you can object to processing based on legitimate interest or direct marketing at any time.
  • Right to lodge a complaint — you have the right to contact the relevant supervisory authority in your jurisdiction (see below).

Applicable regulations and supervisory authorities by region

Region | Regulation | Supervisory Authority
European Union | GDPR | Datatilsynet (Norway) / your national DPA
United Kingdom | UK GDPR | Information Commissioner's Office (ICO)
Switzerland | FADP | Federal Data Protection and Information Commissioner (FDPIC)
China | PIPL | Cyberspace Administration of China (CAC)
Japan | APPI | Personal Information Protection Commission (PPC)
South Korea | PIPA | Personal Information Protection Commission (PIPC)
Thailand / Singapore | PDPA | PDPC (Thailand) / PDPC (Singapore)
India | DPDP | Data Protection Board of India

8. Cookies

We use only functional cookies that are strictly necessary for the service to work - primarily for authentication (keeping you logged in) and storing basic preferences such as language and currency settings. We do not use advertising cookies or third-party tracking pixels.

For full details, see our Cookie and Tracking Notice.

9. International Data Transfers

CostLoop is operated from Norway, which is part of the European Economic Area (EEA). Your data is primarily processed within the EEA by Supabase. Where subprocessors are located outside the EEA (such as Stripe, Resend, and Vercel in the United States), we ensure that transfers are covered by appropriate safeguards — including the EU Standard Contractual Clauses (SCCs) — as required by GDPR Chapter V.

For users subject to other privacy regulations, we apply equivalent transfer safeguards:

  • UK GDPR — transfers outside the UK are covered by the UK International Data Transfer Agreement (IDTA) or equivalent addendum to EU SCCs.
  • FADP (Switzerland) — transfers are subject to the Swiss Federal Council's adequacy decisions or equivalent contractual protections.
  • PIPL (China) — we do not transfer personal data of Chinese residents to third parties outside China without appropriate legal basis, user consent, or a security assessment as required under PIPL Article 38.
  • APPI (Japan) — transfers to third countries are made only where equivalent data protection standards are confirmed, in line with PPC guidelines.
  • PIPA (South Korea) — cross-border transfers are disclosed and only made with appropriate user notification and contractual safeguards.
  • PDPA (Thailand & Singapore) — transfers are made only to jurisdictions with comparable protection standards or under binding agreements with equivalent protections.
  • DPDP (India) — personal data of Indian residents is processed in accordance with the Data Protection Board's framework and applicable government notifications.

10. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes - for example, if we start collecting new categories of data or change our legal basis for processing - we will notify you by email at least 14 days before the changes take effect. The updated policy will always be available on this page with a revised "Last updated" date.

Continued use of CostLoop after the effective date of a material change constitutes acceptance of the revised policy.

11. Contact Us

If you have any questions, concerns, or requests regarding this Privacy Policy or your personal data, please contact us:

Antevski ENK (CostLoop)
Harry Fetts Vei 5B, 0667 Oslo, Norway
Org. No. 934 334 507
hello@costloop.app