← Back to Leakd

Privacy Policy

Last updated: 19 May 2026
TL;DR

Leakd is a privacy-first app. Your subscription data lives only on your device by default. Two advanced features (Cloud Sync, Email Reminders) are opt-in and transmit data only with your explicit consent — Cloud Sync uses your own Google Drive with end-to-end encryption, and Email Reminders go through our minimal server only to deliver the emails you requested.

1. Data Controller

For the purposes of the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679), the data controller is:

Data Controller Petor Péter
Hungary 2233 Ecser Nádas Béla utca 10
Email: hello@leakd.app

For any privacy-related question or request, write to us at the email above or reach out via our community channels.

2. What Leakd is

Leakd is a Progressive Web App for tracking personal and business subscriptions. It runs entirely in your browser and stores your data locally in your device's localStorage, IndexedDB, and the Cache API. Without enabling these opt-in features, no part of your subscription data leaves your device.

3. Data we process locally (never sent to us)

All of the above is stored on your device. You can wipe everything instantly via Settings → Reset all data.

4. Data we DO NOT collect

5. Third-party services we connect to

The following endpoints may be contacted from your device. We list each one and what (if anything) is sent.

ServiceWhenWhat is sent
Google Fonts
self-hosted (local)
Never — fonts are served locally No external request is made. Font files are bundled with the app. Your IP address is not exposed to Google for font loading.
Frankfurter API
api.frankfurter.app
Only if you have subscriptions in multiple currencies, max once per day Anonymous GET for current exchange rates. No personal or subscription data is included.
Google Identity Services + Google Drive API
accounts.google.com, googleapis.com
Only if you turn on Cloud Sync OAuth2 token + an end-to-end encrypted file (AES-GCM 256, key derived from your master password via PBKDF2 600 000 iterations). Stored in Google Drive's hidden appDataFolder tied to your Google account. Neither Google nor we can read the contents.
Leakd Reminder Worker
reminders.leakd.app (Cloudflare)
Only if you turn on Email Reminders Your email address, the name of the subscription, expiry date, and language. The worker schedules a single email per reminder.
Brevo (Sendinblue)
brevo.com (EU)
Triggered by the Reminder Worker Delivers the reminder email. Receives your email address and the email content for delivery purposes only.
Google Play Billing Only if you subscribe or tip via the Play Store version Handled by Google; we receive only a purchase confirmation token.

6. Opt-in features — data transmission

6.1 Cloud Sync

You provide a master password that we never receive or store. From the password we derive a key via PBKDF2-SHA256 (600 000 iterations) and AES-GCM 256-encrypt your snapshot before upload. The ciphertext is stored only in your own Google Drive (appDataFolder). To remove the data, turn off sync in Settings and delete the file from your Google Drive.

Legal basis (GDPR Art. 6): Consent (Art. 6(1)(a)). You can withdraw consent at any time by turning sync off.

6.2 Email Reminders

When enabled, the app sends to reminders.leakd.app: your email address, the subscription name, the expiry date, and your language. The worker stores this temporarily, sends one email near the expiry date, then deletes the record. No analytics, no marketing emails — you receive only the reminders you scheduled.

Legal basis (GDPR Art. 6): Performance of contract (Art. 6(1)(b)) — the reminder is the opt-in feature you enabled. To delete a pending reminder, use the in-app cancel action or write to hello@leakd.app.

7. Notifications

If you enable in-app renewal reminders, your browser fires local notifications based on dates stored on your device. These do not pass through any server. The Service Worker may use Periodic Background Sync (Chrome only) to check timing while the app is closed — still entirely on-device.

8. Backup files, PDF and CSV exports

Backup / export / Expense Export / Calendar features produce files that you download or share at your own discretion. We never see those files. Treat them as sensitive — anyone who opens them sees your subscriptions.

9. Local storage and cookies

Leakd does not use cookies. We use the browser's localStorage, IndexedDB (as a backup when localStorage reaches its quota), and the Cache API to persist data on your device. These are required for the app to function and store no personal data accessible to anyone but you.

10. Children

Leakd is not directed at children under 16. We do not knowingly process data from minors. If you believe a minor has used the app, contact us and we will assist with deletion of any locally-stored data.

11. Your rights under GDPR

As a data subject in the EU/EEA you have the right to:

For locally-stored data, you can exercise rights instantly: Settings → Backup & restore (portability), Settings → Reset all data (erasure). For Email Reminders or any other concern, contact hello@leakd.app and we will respond within 30 days.

12. Data retention

13. International data transfers

Some third-party services we rely on may process data outside the EU/EEA:

14. Data security

Cloud Sync uses AES-GCM 256-bit encryption with a key derived via PBKDF2-SHA256 (600 000 iterations) from your master password. The master password never leaves your device. Email Reminder payloads are sent over HTTPS to a Cloudflare Worker that holds only the minimum data needed to deliver the email, then deletes it. We do not store credit card information — payments are handled by Google Play Billing.

15. Changes to this policy

We may update this policy as the app evolves. Material changes will be highlighted in-app. The "Last updated" date at the top reflects the most recent revision.

16. Contact

For privacy questions, data-subject requests, or any concerns related to this policy, contact us at hello@leakd.app or reach out via our community channels. We will respond within 30 days as required by GDPR.

17. Data Deletion & Account Termination

Because Leakd does not maintain user accounts on its servers, there is no "account" in the traditional sense to delete. Instead, you can remove every piece of data the app touches through the following paths:

17.1 Local data on your device

Settings → Reset all data wipes your subscription list, settings, history, activity log, cancellation registry, goals, budgets, income, streak data, and Pro license cache. Action is immediate and irreversible. You may also uninstall the PWA / clear site data via your browser to remove everything stored by the app.

17.2 Cloud Sync data

If you enabled Cloud Sync, turn it off in Settings → Cloud Sync. When you disable sync, the app asks whether you'd also like to permanently delete the encrypted backup file from your Google Drive in the same step — a single confirmation calls Google Drive's files.delete API and the blob is gone for good.

If for any reason the in-app deletion fails, you can also remove the file manually:

We have no access to the contents of the file at any time.

17.3 Email reminder records

Pending email reminders are stored briefly on our Cloudflare Worker until delivered. To delete an outstanding reminder before it is sent, use the in-app cancel action, or send a deletion request to hello@leakd.app identifying the email address and subscription name. Records are automatically deleted after delivery (or within 30 days if delivery fails).

17.4 Supporter subscription

Cancel auto-renewal at any time via your Google Play account → Subscriptions → Leakd Supporter → Cancel. Your Supporter badge status remains active until the end of the paid period. Cancellation does not delete any data; combine it with the steps above if you also want all data removed.

17.5 Backup, PDF and CSV files

Any file you exported (backup JSON, expense report PDF/CSV, calendar .ics, share card image) is stored where you saved it. We never see those files. Delete them from your device or cloud storage if you no longer want them.

17.6 Deletion request via email

Even though we hold little to no personal data, you can always send a written deletion request to hello@leakd.app. We will acknowledge within 7 days and complete the action within 30 days, as required by GDPR.

18. Disclaimer

Reports generated by Leakd (PDF expense reports, CSV exports, year-end summary) are for informational purposes only and do not constitute official tax or accounting advice. You are responsible for the accuracy of any data you submit and for verifying its suitability with your accountant or tax advisor.