Subreach
Security

Built on your session.
Not your password.

Subreach runs as a Chrome extension inside your own browser. Your Reddit credentials never leave your device. Everything we do is visible, auditable, and reversible.

We never see your Reddit password

The Chrome extension acts on top of your existing Reddit login. Your credentials never leave your browser. We cannot log in to Reddit as you, and we wouldn't want to.

Your session, your control

All replies, DMs, upvotes, and posts are executed inside your own browser, from your real IP, with your real cookies. Close the tab and everything stops.

Ban Risk Monitor, always on

Every connected account gets a live 0–100 risk score computed from activity rate, karma age, and subreddit sensitivity. Past threshold, Subreach slows down automatically.

Full activity transparency

Every action taken by Subreach is logged, timestamped, and reviewable. Export the full audit trail at any time: no hidden behavior, no black-box automation.

Data minimization by default

We only store what the product needs to work: your subreddit/keyword configs, the actions the extension performed, and anonymized performance metrics. Nothing more.

Encryption in transit and at rest

TLS 1.3 everywhere. All data is stored on managed databases with AES-256 encryption at rest. API keys are hashed and isolated per tenant.

Architecture

How the session model works

Traditional Reddit automation tools ask for your password, log in from a remote server, and impersonate you. Subreach doesn't. Here is the difference.

| Step | Fake-account bot | Subreach |
|---|---|---|
| 1. How you authenticate | You hand over Reddit password | You stay logged in on your browser |
| 2. Where actions run | On their servers, from their IPs | On your device, from your IP |
| 3. Session fingerprint | Shared across users, bot-like | Your real, unique browser fingerprint |
| 4. If we shut down | They keep your credentials | Extension is removed, done |
| 5. Auditability | Opaque server logs | Full timestamped action log |

Data handling

What we store, and what we don't

What we store

  • Your email, billing identifier, plan
  • Your Subreach configuration (subreddits, keywords, rules)
  • Action history the extension executed
  • Aggregated per-account health metrics

What we never touch

  • Your Reddit username or password
  • Your Reddit session cookies or tokens
  • Reddit content you haven't asked us to process
  • Any third-party accounts outside Reddit

Transparent subprocessor list

We use a minimal set of cloud vendors. Their roles are documented in our DPA and updated whenever the list changes.

Responsible disclosure

Found a vulnerability? Report it privately. We acknowledge within 48 hours, confirm within 7 days, and credit reporters when a fix ships.

security@subreach.io

Account controls

Pause any connected account with one click. Disconnect instantly: no retention grace period, no reactivation window.

Security contact

See something off? We want to hear it.

Security researchers, paranoid customers, and curious engineers are all welcome. We respond to every report within 48 hours.

security@subreach.io