SubScrub Assistant

Productivity

Original Idea

Subscription Cancel Assistant: a browser extension that detects subscriptions in your inbox and offers one-click cancel links.

Product Requirements Document: SubScrub Assistant (v1.0)

1. Executive Summary

SubScrub Assistant is a cross-browser extension designed to solve the "subscription trap" by automatically identifying recurring digital payments within a user's inbox and providing direct, one-click paths to cancellation pages. By leveraging high-performance email header parsing and a curated database of "direct-to-cancel" URLs, SubScrub eliminates the friction created by dark patterns and buried settings, empowering users to reclaim their financial and digital privacy.

2. Problem Statement

Managing digital subscriptions has become a cognitive and financial burden. Service providers often employ "dark patterns," hiding cancellation links deep within nested menus or requiring phone calls to terminate services. Current solutions require manual entry of data. Users need an automated way to detect what they are paying for and a "fast-track" to stop those payments without navigating through marketing-heavy retention loops.

3. Goals & Success Metrics

Goals

  • Automate Discovery: Identify 95% of active digital subscriptions via email metadata within the first 60 seconds of use.
  • Reduce Friction: Decrease the average time to reach a cancellation page from 5+ minutes to under 10 seconds.
  • Privacy-First: Ensure no email body content is ever requested by the scanner or stored on the backend; only message headers are read.

Success Metrics (KPIs)

  • Detection Accuracy (precision): % of detected subscriptions that are currently active; false positives are the first thing users notice.
  • Cancellation Success Rate: % of users who successfully reach the merchant's cancellation path via the extension.
  • Monthly Savings Tracked: Total USD saved by users through detected and cancelled subscriptions.
  • Sync Latency: Average time to process 90 days of email headers (Target: <15 seconds).

4. User Personas

1. "The Budget-Conscious Student" (Leo, 21)

  • Pain: Has dozens of small $5-$15 trials/subs. Forgets to cancel after the "free" month.
  • Goal: Quickly see everything charging him and stop the "leakage" of funds.

2. "The Privacy Advocate" (Sarah, 34)

  • Pain: Concerned about data brokers and services having her credit card info.
  • Goal: Wants to minimize her digital footprint and ensure her email data is handled with zero-retention policies.

3. "The Small Business Owner" (Marcus, 45)

  • Pain: Uses various SaaS tools for work; loses track of which tools the team is still using.
  • Goal: Audit monthly software spend without logging into every individual platform.

5. User Stories

  • As a user, I want to link my Gmail/Outlook account securely so that I don't have to manually type in my subscriptions.
  • As a user, I want to see a dashboard of my estimated monthly spend so that I can prioritize which services to cut.
  • As a user, I want a button that takes me directly to the "Confirm Cancellation" page so that I can avoid "Please don't go" marketing popups.
  • As a user, I want to be notified if a service increases its price so that I can decide if it's still worth the cost.

6. Functional Requirements

6.1 Email Integration & Sync

  • OAuth2 Connection: Support for Google (Gmail) and Microsoft (Outlook/Office 365) using the narrowest scopes that expose headers without bodies (Google `https://www.googleapis.com/auth/gmail.metadata`, Microsoft Graph `Mail.ReadBasic`). Note that gmail.metadata disallows the `q` search parameter on messages.list and restricts messages.get to the metadata/minimal formats, so the scanner filters by label and by internalDate on the metadata it fetches rather than by a search query.
  • Header-Only Scanning: Parse only RFC 5322 headers (postal-mime, zero-dependency) and never request message bodies. Every header value is untrusted input that any sender on the internet can place in the inbox: cap the length examined, normalise case and decode encoded-words before matching, and never render a header value as HTML.
  • Regex Engine: Use re2 (node-re2) for guaranteed linear-time matching of Merchant IDs (Stripe/Shopify) and subscription keywords in headers. Because the input is attacker-controlled, a backtracking regex here is a ReDoS hole that stalls the scanning worker. node-re2 is a native addon, so it runs in the Lambda worker, not inside the extension.
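The detection pipeline described in 6.1 and 6.2, as an added example that is not SubScrub project code: it takes messages in the shape the Gmail API returns for `users.messages.get?format=metadata` (a `payload.headers` array of `{ name, value }` pairs, no body), extracts the billing signals from headers only, groups them by sender domain, and infers the frequency and next bill date from the cadence of receipts. Header values are treated as hostile input: values over the RFC 5322 line limit are ignored and the patterns avoid nested quantifiers so matching stays linear even under the built-in engine (the Lambda worker can compile the same patterns with node-re2). The sample inbox, merchant names and `.example` domains are constructed for the example.

```javascript
// Added example, not SubScrub project code: header-only subscription detection
// over messages shaped like the Gmail API users.messages.get?format=metadata
// response (payload.headers = [{ name, value }], no body under gmail.metadata).
// Every header is attacker-controlled (anyone can mail the inbox): cap what we
// look at and keep patterns anchored and free of nested quantifiers so matching
// stays linear. The Lambda worker can compile these with node-re2 instead.
const MAX_HEADER_LEN = 998; // RFC 5322 line limit
const RECURRING_SUBJECT = /\b(receipt|invoice|subscription|renewal|renewed|payment)\b/i;
const AMOUNT = /(\$|USD|€|EUR|£|GBP)\s?(\d{1,6}(?:[.,]\d{2})?)/;
const CURRENCY = { $: "USD", USD: "USD", "€": "EUR", EUR: "EUR", "£": "GBP", GBP: "GBP" };
const DAY_MS = 86_400_000;

function headerValue(headers, name) {
  const want = name.toLowerCase();
  const h = headers.find((x) => typeof x.name === "string" && x.name.toLowerCase() === want);
  if (!h || typeof h.value !== "string" || h.value.length > MAX_HEADER_LEN) return null;
  return h.value;
}

// "Acme Billing <billing@acme.example>" -> "acme.example"
function senderDomain(from) {
  if (!from) return null;
  const m = /<([^<>]+)>\s*$/.exec(from.trim());
  const addr = (m ? m[1] : from).trim();
  const at = addr.lastIndexOf("@");
  return at < 0 ? null : addr.slice(at + 1).toLowerCase().replace(/\.$/, "");
}

// One message -> one billing signal, or null when it does not look like a charge.
function detectSignals(message) {
  const headers = message.payload.headers;
  const subject = headerValue(headers, "Subject") || "";
  const domain = senderDomain(headerValue(headers, "From"));
  const date = new Date(headerValue(headers, "Date") || NaN);
  if (!domain || Number.isNaN(date.getTime()) || !RECURRING_SUBJECT.test(subject)) return null;
  const amt = AMOUNT.exec(subject);
  return {
    domain,
    date,
    amount: amt ? Number(amt[2].replace(",", ".")) : null,
    currency: amt ? CURRENCY[amt[1]] : null,
    hasUnsubscribe: headerValue(headers, "List-Unsubscribe") !== null,
  };
}

// Median gap between receipts, mapped onto the Subscription.frequency enum.
function inferFrequency(dates) {
  const sorted = [...dates].sort((a, b) => a - b);
  if (sorted.length < 2) return { frequency: null, intervalDays: null };
  const gaps = sorted.slice(1).map((d, i) => (d - sorted[i]) / DAY_MS).sort((a, b) => a - b);
  const median = gaps[Math.floor(gaps.length / 2)];
  let frequency = null;
  if (median >= 27 && median <= 32) frequency = "Monthly";
  else if (median >= 360 && median <= 371) frequency = "Yearly";
  return { frequency, intervalDays: Math.round(median) };
}

// Group by sender domain and keep only domains with a recurring cadence: a single
// receipt, or a one-off promo that merely says "subscription", is not evidence.
function buildSubscriptions(messages) {
  const byDomain = new Map();
  for (const message of messages) {
    const s = detectSignals(message);
    if (!s) continue;
    if (!byDomain.has(s.domain)) byDomain.set(s.domain, []);
    byDomain.get(s.domain).push(s);
  }
  const out = [];
  for (const [domain, hits] of byDomain) {
    hits.sort((a, b) => a.date - b.date);
    const last = hits[hits.length - 1];
    const { frequency, intervalDays } = inferFrequency(hits.map((h) => h.date));
    if (!frequency) continue;
    out.push({
      domain,
      amount: last.amount,
      currency: last.currency,
      frequency,
      lastPayment: last.date.toISOString().slice(0, 10),
      nextBillDate: new Date(last.date.getTime() + intervalDays * DAY_MS).toISOString().slice(0, 10),
      receipts: hits.length,
    });
  }
  return out;
}

// Constructed sample inbox in the Gmail metadata shape.
const makeMessage = (id, from, subject, date, extra = []) => ({
  id,
  payload: { headers: [{ name: "From", value: from }, { name: "Subject", value: subject }, { name: "Date", value: date }, ...extra] },
});
const SAMPLE_MESSAGES = [
  makeMessage("m1", "StreamFlix <billing@streamflix.example>", "Your StreamFlix receipt: $12.99", "Fri, 3 Oct 2025 10:00:00 +0000",
    [{ name: "List-Unsubscribe", value: "<mailto:unsub@streamflix.example>" }]),
  makeMessage("m2", "StreamFlix <billing@streamflix.example>", "Your StreamFlix receipt: $12.99", "Mon, 3 Nov 2025 10:00:00 +0000"),
  makeMessage("m3", "billing@streamflix.example", "Your StreamFlix receipt: $12.99", "Wed, 3 Dec 2025 10:00:00 +0000"),
  makeMessage("m4", "Domains R Us <noreply@registrar.example>", "Invoice for renewal: $15.00", "Sun, 10 Nov 2024 08:30:00 +0000"),
  makeMessage("m5", "Domains R Us <noreply@registrar.example>", "Invoice for renewal: $15.00", "Mon, 10 Nov 2025 08:30:00 +0000"),
  makeMessage("m6", "Shop Deals <promo@shop.example>", "Your subscription to deals ends soon!", "Tue, 2 Dec 2025 12:00:00 +0000"),
  makeMessage("m7", "Evil <x@evil.example>", "receipt " + "A".repeat(2000), "Tue, 2 Dec 2025 12:00:00 +0000"), // oversize, ignored
];

console.log(buildSubscriptions(SAMPLE_MESSAGES));
```

Run as-is with Node 19 or newer. On the sample inbox only StreamFlix (three monthly receipts) and the registrar (two yearly invoices) survive: the one-off promo is dropped by the cadence rule and the oversize subject never reaches the regex. The cadence windows (27 to 32 days, 360 to 371 days) are deliberately loose to absorb month length and weekend billing shifts; anything outside them stays undetected until a user adds it through the Manual Override.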

6.2 Subscription Management

  • Detection Dashboard: A React-based popup showing Service Name, Last Payment, Frequency, and Next Bill Date.
  • Registry Lookup: Match detected domains against a master ServiceRegistry containing direct-to-cancel URLs.
  • Manual Override: Allow users to flag a detected item as "Not a Subscription" or manually add a missing one.

6.3 One-Click Cancellation

  • Direct-to-Cancel Button: Navigates the user to the registry's cancellation URL, bypassing the service's homepage. Because the registry is community-sourced, the extension treats cancelUrl as untrusted: before navigating it must confirm the URL is https and that its host is the registered domain or a subdomain of it, and fall back to the merchant's own origin otherwise. Without that check a poisoned entry turns the "verified" button into a phishing redirect carrying the extension's own badge.
  • Difficulty Scoring: Display a community-sourced score (1-5) on how hard a service is to cancel.
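The validation the Direct-to-Cancel button needs before it navigates, as an added example that is not SubScrub project code. The only trustworthy input is the domain the subscription was matched against; the URL from the registry is parsed with the WHATWG `URL` parser (which lower-cases and IDNA-encodes the host, so comparisons are on the parsed host rather than on raw text) and accepted only when it is https, carries no userinfo, and its host is the registered domain or a subdomain of it. The registry entries, including the two poisoned ones, are constructed for the example.

```javascript
// Added example, not SubScrub project code: the check the extension runs on a
// ServiceRegistry cancelUrl before navigating. The registry is community-sourced,
// so a poisoned entry is a ready-made phishing page; the only trusted input is
// the domain the subscription was matched against. Sample data is constructed.

function normalizeDomain(d) {
  return String(d || "").trim().toLowerCase().replace(/\.$/, "");
}

function isSafeCancelUrl(cancelUrl, registeredDomain) {
  let u;
  try {
    u = new URL(String(cancelUrl)); // lower-cases and IDNA-encodes the host for us
  } catch {
    return false;
  }
  if (u.protocol !== "https:") return false;  // no http:, javascript:, data:, chrome-extension:
  if (u.username || u.password) return false; // https://streamflix.example@evil.example/
  const host = normalizeDomain(u.hostname);
  const domain = normalizeDomain(registeredDomain);
  if (!host || !domain) return false;
  // Exact host, or a subdomain. The leading dot is what rejects both
  // "evilstreamflix.example" and "streamflix.example.evil.example".
  return host === domain || host.endsWith("." + domain);
}

// Decide where the Direct-to-Cancel button sends the user. An unverified URL is
// never used; the fallback is the merchant's own origin, which is at least the
// right party even if it lands on the homepage.
function resolveCancelTarget(lookup, subscriptionDomain) {
  if (lookup && isSafeCancelUrl(lookup.cancelUrl, subscriptionDomain)) {
    return { url: lookup.cancelUrl, verified: true, difficulty: lookup.difficulty ?? null };
  }
  return { url: `https://${normalizeDomain(subscriptionDomain)}/`, verified: false, difficulty: null };
}

// Constructed registry responses in the GET /v1/registry/lookup shape.
const REGISTRY = {
  "streamflix.example": { cancelUrl: "https://account.streamflix.example/cancel", difficulty: 2 },
  "registrar.example": { cancelUrl: "https://registrar.example.evil.example/cancel", difficulty: 1 }, // poisoned
  "shop.example": { cancelUrl: "javascript:alert(document.cookie)", difficulty: 1 }, // poisoned
};

function targetsFor(registry, domains) {
  return domains.map((d) => ({ domain: d, ...resolveCancelTarget(registry[d], d) }));
}

console.log(targetsFor(REGISTRY, ["streamflix.example", "registrar.example", "shop.example", "unknown.example"]));
```

The rule is deliberately stricter than "same registrable domain": a merchant that hosts cancellation on a different domain should get that host recorded explicitly in its registry entry and matched the same way, not a loosened check. In the background script the returned `url` is what goes to the tabs API; the `verified` flag drives whether the button is shown as verified or as a plain "open merchant site" link.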

7. Technical Requirements

7.1 Tech Stack (2026 Standards)

  • Frontend (Extension): Plasmo Framework v0.90.4 with React v19.2.3 (Mandatory for React2Shell security patches).
  • Backend: NestJS 11.x (Modular Monolith architecture).
  • Database: PostgreSQL 18 (Primary Store) + Redis 7.x (Task Queuing via BullMQ).
  • ORM: Drizzle ORM (for SQL-first high-frequency sync performance).
  • Runtime: Node.js v24.13.0 (LTS) (Required for async_hooks DoS patches).
  • Authentication: Clerk with @clerk/chrome-extension (Sync Host enabled).
  • Infrastructure: Vercel (Dashboard/API) + AWS Lambda (Email Scanning workers).

7.2 Security & Compliance

  • Google CASA Tier 2: Annual security assessment compliance for Restricted Scopes.
  • Client-Side Hashing: Use SubtleCrypto (Web Crypto API) to pseudonymise sensitive metadata (e.g. counterparty addresses) before transmission. The hash must be keyed (HMAC-SHA-256 under a key held only by the client): a bare SHA-256 of an email address is reversible by dictionary because addresses are low-entropy.
  • Encryption: AES-256-GCM for OAuth tokens at rest (authenticated encryption, a unique 96-bit nonce per record, and the owning userId as additional authenticated data so a ciphertext cannot be replayed for another user); the key must not live in the same database as the ciphertext. TLS 1.3 for all data in transit.

8. Data Model

User

  • id: UUID (Primary Key)
  • email: String (Encrypted)
  • provider: Enum (Google, Microsoft)
  • lastSyncAt: Timestamp

Subscription

  • id: UUID
  • userId: UUID (FK)
  • serviceName: String
  • domain: String
  • amount: Decimal
  • currency: String
  • frequency: Enum (Monthly, Yearly)
  • status: Enum (Active, Cancelled, Ignored)

ServiceRegistry

  • id: UUID
  • domainName: String (Indexed)
  • cancelUrl: String
  • difficulty: Integer (1-5)
  • ucpEnabled: Boolean (Universal Commerce Protocol support)

9. API Specification

POST /v1/sync/initiate

  • Auth: Clerk JWT
  • Payload: { provider: 'google', accessToken: '...' } (a short-lived access token; the backend must never write it to logs or error reports)
  • Response: 202 Accepted (Triggers SQS queue for AWS Lambda scanning). Before queueing, the backend verifies that the token is live and was issued to SubScrub's own OAuth client, so that an access token obtained for some other application cannot be injected here.

GET /v1/subscriptions

  • Auth: Clerk JWT
  • Response: Array<Subscription>

GET /v1/registry/lookup?domain={domain}

  • Response: { cancelUrl: string, difficulty: number } (cancelUrl is validated by the extension against {domain} before any navigation; see 6.3)

10. UI/UX Requirements

  • Shadow DOM Isolation: Use Plasmo's CSUI (content-script UI) so that host-page CSS cannot leak into any UI the extension injects into a merchant page; the popup itself is an extension page and is never styled by the host. Shadow DOM isolates styles, not trust: it is not a security boundary against host-page scripts, so nothing security-sensitive (tokens, the cancel-URL decision) lives in content-script UI.
  • Zero-State UI: Friendly onboarding flow explaining why we need email access.
  • Spend Visualization: A simple "Total Monthly Burn" header in the popup.
  • Status Indicators: Visual cues (Green/Yellow/Red) for cancellation difficulty.

11. Non-Functional Requirements

  • Performance: Background sync must not exceed 10% CPU usage on the client.
  • Scalability: AWS Lambda must handle 10,000 concurrent scan requests via SQS.
  • Availability: 99.9% uptime for the ServiceRegistry API.

12. Out of Scope

  • Automatic Cancellation Bot: We will not perform the cancellation on the user's behalf (too much legal/technical risk). We provide the path, the user performs the action.
  • Bank Account Linking: No Plaid/Yodlee integration in V1; email-only detection.

13. Risks & Mitigations

  • Risk: Google/Microsoft revoke API access.
    • Mitigation: Strict adherence to "Limited Use" policies; annual CASA audits.
  • Risk: React2Shell/Node DoS vulnerabilities (Jan 2026).
    • Mitigation: Enforce strict version pinning (React 19.2.3, Node 24.13.0) in CI/CD.
  • Risk: False positives in subscription detection.
    • Mitigation: User "Manual Override" feature and crowdsourced verification flags.

14. Implementation Tasks

Phase 1: Project Setup

  • [ ] Initialize Plasmo project v0.90.4 with TypeScript 7.0
  • [ ] Configure NestJS 11 backend with Drizzle ORM
  • [ ] Setup Dockerized PostgreSQL 18 and Redis 7
  • [ ] Configure ESLint and Prettier with React 19 security rules

Phase 2: Authentication & Identity

  • [ ] Integrate Clerk Auth with Chrome Extension SDK
  • [ ] Implement Clerk "Sync Host" for website-to-extension auth persistence
  • [ ] Set up Google/Microsoft OAuth 2.0 apps with restricted scope requests

Phase 3: Email Scanning Engine (AWS)

  • [ ] Deploy AWS Lambda worker for email parsing
  • [ ] Implement PostalMime for header extraction
  • [ ] Integrate re2 for high-performance Merchant ID regex matching
  • [ ] Set up Amazon SQS to decouple sync requests from Vercel frontend

Phase 4: Core Features & Registry

  • [ ] Ingest JustDeleteAccount dataset into ServiceRegistry
  • [ ] Build the Subscription Dashboard UI in React 19
  • [ ] Implement "One-Click" redirection logic in background scripts
  • [ ] Add "Difficulty Score" tooltips to the UI

Phase 5: Security & Compliance

  • [ ] Implement SubtleCrypto client-side keyed hashing (HMAC-SHA-256) for email addresses
  • [ ] Audit code against CVE-2025-55182 (React2Shell)
  • [ ] Prepare documentation for CASA Tier 2 assessment

Phase 6: Launch & Optimization

  • [ ] Implement incremental syncing (only scan since lastSyncAt; gmail.metadata does not allow the `q` search parameter, so use users.history.list from a stored historyId or filter on internalDate rather than an after: query)
  • [ ] Add basic analytics (PostHog) for feature usage tracking
  • [ ] Submit to Chrome Web Store and Microsoft Edge Add-ons marketplace