Leakd is a privacy-first app. Your subscription data lives only on your device by default. Two advanced features (Cloud Sync, Email Reminders) are opt-in and transmit data only with your explicit consent — Cloud Sync uses your own Google Drive with end-to-end encryption, and Email Reminders go through our minimal server only to deliver the emails you requested.
For the purposes of the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the data controller is:
For any privacy-related question or request, write to us at the email above or reach out via our community channels.
Leakd is a Progressive Web App for tracking personal and business subscriptions. It runs entirely in your browser and stores your data locally in your device's localStorage, IndexedDB, and the Cache API. Without enabling these opt-in features, no part of your subscription data leaves your device.
All of the above is stored on your device. You can wipe everything instantly via Settings → Reset all data.
The following endpoints may be contacted from your device. We list each one and what (if anything) is sent.
| Service | When | What is sent |
|---|---|---|
| Google Fonts self-hosted (local) |
Never — fonts are served locally | No external request is made. Font files are bundled with the app. Your IP address is not exposed to Google for font loading. |
| Frankfurter API api.frankfurter.app |
Only if you have subscriptions in multiple currencies, max once per day | Anonymous GET for current exchange rates. No personal or subscription data is included. |
| Google Identity Services + Google Drive API accounts.google.com, googleapis.com |
Only if you turn on Cloud Sync | OAuth2 token + an end-to-end encrypted file (AES-GCM 256, key derived from your master password via PBKDF2 600 000 iterations). Stored in Google Drive's hidden appDataFolder tied to your Google account. Neither Google nor we can read the contents. |
| Leakd Reminder Worker reminders.leakd.app (Cloudflare) |
Only if you turn on Email Reminders | Your email address, the name of the subscription, expiry date, and language. The worker schedules a single email per reminder. |
| Brevo (Sendinblue) brevo.com (EU) |
Triggered by the Reminder Worker | Delivers the reminder email. Receives your email address and the email content for delivery purposes only. |
| Google Play Billing | Only if you subscribe or tip via the Play Store version | Handled by Google; we receive only a purchase confirmation token. |
You provide a master password that we never receive or store. From the password we derive a key via PBKDF2-SHA256 (600 000 iterations) and AES-GCM 256-encrypt your snapshot before upload. The ciphertext is stored only in your own Google Drive (appDataFolder). To remove the data, turn off sync in Settings and delete the file from your Google Drive.
Legal basis (GDPR Art. 6): Consent (Art. 6(1)(a)). You can withdraw consent at any time by turning sync off.
When enabled, the app sends to reminders.leakd.app: your email address, the subscription name, the expiry date, and your language. The worker stores this temporarily, sends one email near the expiry date, then deletes the record. No analytics, no marketing emails — you receive only the reminders you scheduled.
Legal basis (GDPR Art. 6): Performance of contract (Art. 6(1)(b)) — the reminder is the opt-in feature you enabled. To delete a pending reminder, use the in-app cancel action or write to hello@leakd.app.
If you enable in-app renewal reminders, your browser fires local notifications based on dates stored on your device. These do not pass through any server. The Service Worker may use Periodic Background Sync (Chrome only) to check timing while the app is closed — still entirely on-device.
Backup / export / Expense Export / Calendar features produce files that you download or share at your own discretion. We never see those files. Treat them as sensitive — anyone who opens them sees your subscriptions.
Leakd does not use cookies. We use the browser's localStorage, IndexedDB (as a backup when localStorage reaches its quota), and the Cache API to persist data on your device. These are required for the app to function and store no personal data accessible to anyone but you.
Leakd is not directed at children under 16. We do not knowingly process data from minors. If you believe a minor has used the app, contact us and we will assist with deletion of any locally-stored data.
As a data subject in the EU/EEA you have the right to:
For locally-stored data, you can exercise rights instantly: Settings → Backup & restore (portability), Settings → Reset all data (erasure). For Email Reminders or any other concern, contact hello@leakd.app and we will respond within 30 days.
Some third-party services we rely on may process data outside the EU/EEA:
Cloud Sync uses AES-GCM 256-bit encryption with a key derived via PBKDF2-SHA256 (600 000 iterations) from your master password. The master password never leaves your device. Email Reminder payloads are sent over HTTPS to a Cloudflare Worker that holds only the minimum data needed to deliver the email, then deletes it. We do not store credit card information — payments are handled by Google Play Billing.
We may update this policy as the app evolves. Material changes will be highlighted in-app. The "Last updated" date at the top reflects the most recent revision.
For privacy questions, data-subject requests, or any concerns related to this policy, contact us at hello@leakd.app or reach out via our community channels. We will respond within 30 days as required by GDPR.
Because Leakd does not maintain user accounts on its servers, there is no "account" in the traditional sense to delete. Instead, you can remove every piece of data the app touches through the following paths:
Settings → Reset all data wipes your subscription list, settings, history, activity log, cancellation registry, goals, budgets, income, streak data, and Pro license cache. Action is immediate and irreversible. You may also uninstall the PWA / clear site data via your browser to remove everything stored by the app.
If you enabled Cloud Sync, turn it off in Settings → Cloud Sync. When you disable sync, the app asks whether you'd also like to permanently delete the encrypted backup file from your Google Drive in the same step — a single confirmation calls Google Drive's files.delete API and the blob is gone for good.
If for any reason the in-app deletion fails, you can also remove the file manually:
We have no access to the contents of the file at any time.
Pending email reminders are stored briefly on our Cloudflare Worker until delivered. To delete an outstanding reminder before it is sent, use the in-app cancel action, or send a deletion request to hello@leakd.app identifying the email address and subscription name. Records are automatically deleted after delivery (or within 30 days if delivery fails).
Cancel auto-renewal at any time via your Google Play account → Subscriptions → Leakd Supporter → Cancel. Your Supporter badge status remains active until the end of the paid period. Cancellation does not delete any data; combine it with the steps above if you also want all data removed.
Any file you exported (backup JSON, expense report PDF/CSV, calendar .ics, share card image) is stored where you saved it. We never see those files. Delete them from your device or cloud storage if you no longer want them.
Even though we hold little to no personal data, you can always send a written deletion request to hello@leakd.app. We will acknowledge within 7 days and complete the action within 30 days, as required by GDPR.
Reports generated by Leakd (PDF expense reports, CSV exports, year-end summary) are for informational purposes only and do not constitute official tax or accounting advice. You are responsible for the accuracy of any data you submit and for verifying its suitability with your accountant or tax advisor.