Privacy Policy

Effective: 23 May 2026

Data Controller: EngageIT s. r. o., Malinová ulica 718/36, 930 41 Kvetoslavov, Slovak Republic · Company ID (IČO): 57152632

Contact: apps [at] engageit [dot] eu

We believe your data is yours and yours alone. Sori is private by design.

This policy covers the Sori: Subscription Tracker iOS app and this website (sorisubs.app). It explains what we collect (almost nothing), how the optional Sori Statement Scanner works, and your rights under EU GDPR.

At a glance

Data we collect: none, by default

Sori does not collect, store, transmit, or share any personal data about you when you simply use the app. There is no signup, no user account, no profile, no email gate. No analytics, crash-reporting, advertising or tracking SDKs are integrated into the app.

Data you enter into the app

Everything you create in Sori - subscription names, amounts, dates, categories, lists, payment methods, notes, and settings - is stored exclusively in a local database on your device using Apple's on-device storage. This data:

Sori Statement Scanner (optional, Sori Plus feature)

The Statement Scanner is an opt-in feature for Sori Plus users that helps you populate your subscription list quickly by analysing a bank statement.

If you never use the Statement Scanner, nothing about your statements ever leaves your device.

Private on-device scrubbing

Before any data leaves your device, Sori scrubs the statement text on-device to remove personal identifiers - names, postal addresses, IBANs and other account numbers, card numbers, phone numbers, email addresses, and similar banking identifiers. Only transaction lines (merchant name, date, amount, currency) reach the next stage.

Cloud AI processing

The scrubbed transaction text is sent over TLS to our backend for AI processing. The AI identifies likely subscription services from those transactions and returns structured candidates - merchant name, price, currency, billing cycle, estimated next charge date. The scrubbed text is never associated with you personally, and is processed ephemerally: neither we nor our service providers retain scan content beyond the request lifetime, and the content is not used to train any AI model.

Anti-abuse verification

Each scan request is signed by Apple's App Attest framework so we can verify it came from the genuine Sori app on a real Apple device. App Attest does not identify you personally - it identifies your install of Sori, for anti-abuse only. Your Sori Plus entitlement is verified using Apple's StoreKit 2 signed transaction tokens; those tokens also do not identify you.

Your control

The candidates are returned to your device. You review and approve each one before anything is added to your subscription list. Nothing is added automatically.

Why this is a cloud feature

Bank-statement layouts vary enormously between banks, languages, and countries. The AI models capable of parsing them reliably are too large to ship and run on-device today. As on-device models for this task become practical, we intend to move the scanner fully on-device.

In-app purchases

Sori Plus is processed entirely through Apple's App Store. We do not see, handle, or store your payment information. Any data collected during the purchase is governed by Apple's Privacy Policy.

Notifications

If you enable renewal reminders, Sori schedules local notifications on your device. They are generated and delivered entirely on-device - no data is sent to any server. You can revoke notification permission at any time in iOS Settings.

Categories of third parties

We rely on the following categories of third-party services. We do not name specific providers because the providers may change over time without altering the data we share or how it is handled.

If you do not use the Statement Scanner, the only party Sori interacts with on the network is Apple itself.

The current sub-processors behind the categories above are reputable providers operating under GDPR-aligned data-processing agreements. We can disclose the specific providers on written request to apps [at] engageit [dot] eu.

Website (sorisubs.app)

This website is a static landing page. It sets no cookies, runs no analytics scripts, and does not track you. Your browser may share standard request information (IP, user agent) with our hosting provider purely to deliver the page - we do not record or analyse this.

Children's privacy

Sori is not directed at children under 13 (or under 16 in the EU/EEA). Because Sori has no accounts and collects no personal data, the app is safe for all ages, but the App Store rating and parental controls apply as usual.

Your rights under GDPR

We are based in Slovakia, in the EU. The EU General Data Protection Regulation (GDPR) and the Slovak Act 18/2018 on Personal Data Protection apply.

Sori holds almost no data about you, so for most rights there is nothing for us to act on - your data is already entirely under your control on your device. Specifically:

Data security

International transfers

Some sub-processors that handle Statement Scanner requests may operate data centres outside the EU/EEA. Where this happens, transfers rely on the European Commission's Standard Contractual Clauses and the providers' own GDPR compliance frameworks.

Changes to this policy

We may update this policy to reflect changes to Sori (new features, new third-party providers, etc.). We will update the Effective date at the top, and we will highlight material changes in the app or on the website before they take effect.

Contact

Questions, requests, or complaints about this policy:

This policy applies to Sori: Subscription Tracker on iOS and to the website sorisubs.app.