Privacy Policy

Last updated: June 2026 (revision 3)

1. Who we are

Subly is a student-only subleasing marketplace that connects verified university students looking for short-term housing. We require a .edu email address for all accounts to keep the community safe and trusted.

2. Information we collect

  • Account information: your name, .edu email address, and university (collected via Clerk authentication).
  • Profile preferences: vibe text, target university, rent budget, and minimum bedrooms you enter during onboarding. These are editable at any time from the Settings page.
  • Listing content: photos, descriptions, addresses, pricing, dates, bedrooms/bathrooms, and amenities you submit when posting a sublease.
  • Conversation content: message bodies, plus structured viewing proposals (proposed date/time, an optional note up to 280 characters, and status: pending, accepted, declined, or superseded), and read receipts.
  • Bookmarks: the listings you save and when you saved them.
  • Activity counters: an aggregate view count per listing, shown only to the listing's owner — not tied to which specific user viewed it.
  • Reviews: the rating and body text you submit.
  • Payment metadata: Stripe session ID, amount, currency, and confirmation timestamp — never your full card number.
  • Product analytics: see our Cookie Policy for the exact events we record.
  • Cookies: session cookies for authentication and an optional analytics cookie (see our Cookie Policy).

3. How we use your information

  • To verify your .edu status and create your account.
  • To power our AI matching engine, which compares your vibe profile against available listings using vector embeddings. Your profile text is sent to OpenAI solely for embedding generation and is not used to train their models under our API agreement.
  • To display your listings to other verified students.
  • To detect and prevent fraudulent listings using automated scoring.
  • To send transactional emails (match alerts, account notices) via your .edu address.
  • To let listers see aggregate view-count engagement on their own listings.
  • To power the in-thread viewing scheduler, which is visible only to the two participants in a conversation.

4. Who we share data with

We do not sell your personal information. We share data only with:

  • Clerk — authentication provider. Handles password hashing, session management, and .edu verification.
  • OpenAI — receives your vibe profile text to generate a search embedding vector. No personally identifying information is included in the prompt.
  • Pinecone — stores your embedding vector alongside a pseudonymous user ID for similarity search. No name or email is stored in Pinecone.
  • AWS S3 — stores listing photos you upload. Photos are accessible to all logged-in Subly users.
  • Stripe — processes match confirmation payments. When you pay, Stripe receives your card details directly; Subly never sees or stores your full card number. Stripe may collect billing address and device data per their own Privacy Policy. We store only the Stripe session ID and payment status in our database.
  • PostHog — when PostHog is enabled, it receives the product analytics events described in our Cookie Policy (page views, listing creation metadata, message length, match confirmations, review ratings, and payment confirmation metadata), plus your Clerk user ID and university when you sign in. See PostHog's Privacy Policy.
  • Sentry — when Sentry is enabled, it receives error monitoring data triggered only when an error occurs, which may include the page URL, your Clerk user ID, your browser and operating system, and a stack trace. See Sentry's Privacy Policy.

5. Data retention

We retain your account and listing data for as long as your account is active. If you delete your account, we remove your personal information within 30 days, except where retention is required by law.

Bookmarks, view counts, viewing proposals, and messages are retained as long as the related listing or conversation exists, and are removed automatically when the listing is deleted. If you delete your account, this data is removed within the same 30-day window described above.

PostHog analytics events (see our Cookie Policy for the full list) are retained for up to 12 months from when they are recorded. Sentry error-monitoring events are retained for up to 90 days. If you delete your account, we also request deletion of your PostHog distinct ID and Sentry user identifier within the same 30-day window described above.

6. Your rights

You may request access to, correction of, or deletion of your personal data at any time by emailing us. If you are in the EU or UK, you also have the right to data portability and to lodge a complaint with your local supervisory authority.

7. Security

All data is transmitted over HTTPS. Passwords are never stored by Subly; authentication is delegated entirely to Clerk. Listing photos are stored in a private S3 bucket and served via pre-signed URLs that expire after a short window.

8. Changes to this policy

We may update this policy as the product evolves. We will notify you of material changes via your registered email address at least 14 days before they take effect.

9. Contact

Questions? Email us at privacy@subly.app.