SubGrab

1-Click Pay Comes to SubGrab: Why We Save Your Card (and How You Stay in Control)

SubGrab now supports 1-click credit repurchase with a saved card. Here's exactly how it works, what we store, and how to remove your card any time.

Starting this week, SubGrab supports 1-click repurchase. Once you've bought your first credit pack, your next purchase takes a single tap — no Stripe redirect, no card re-entry.

This is a transparency post. We want you to know exactly what changed, what we store, and how you stay in control.

What Changed

Before: Every credit purchase took you through Stripe Checkout — paste card, click pay, redirect back to SubGrab.

Now:

  • First purchase: Same as before — Stripe Checkout, you enter your card. The card gets saved with Stripe (not with us).
  • Every purchase after that: A single tap in the app. The "Buy" button charges your saved card immediately and adds credits to your account in under a second.

What SubGrab Stores About Your Card

We store four things, none of which can be used to charge your card directly:

1. Stripe Customer ID — a long opaque string like cus_NeGfWQyqOlk8eY. Identifies you to Stripe.

2. Stripe PaymentMethod ID — a string like pm_1NlIa1JQ3HrUPGDP9zk2hSGn. Refers to your saved card inside Stripe's vault.

3. Card brand — "Visa", "Mastercard", etc. Used to display "Visa •••• 4242" in your dashboard.

4. Last 4 digits — for the same display purpose.

We never see, store, or process your full card number, CVV, or expiry. Those go straight from your browser to Stripe (PCI Level 1 certified) and stay there.

How 1-Click Charging Works Under the Hood

When you click "Buy" with a saved card:

1. Your browser POSTs the pack you want to /api/stripe/repurchase on SubGrab.

2. SubGrab tells Stripe: "charge this customer's saved card for this amount, off-session."

3. Stripe runs the charge through the same fraud protection (Radar) and authentication (3-D Secure) systems as the original purchase.

4. If Stripe approves: credits land in your account in ~300ms.

5. If Stripe declines or requests authentication: you get redirected back to Stripe Checkout to complete the purchase.

The whole thing is built on Stripe's off-session payment infrastructure — the same primitive that powers Spotify, Uber, and most other apps with a "saved card" button.

How to Remove Your Saved Card

We made this exactly as easy as adding it:

1. Sign in.

2. Go to your Dashboard.

3. Below your credit count, you'll see "1-click enabled with Visa •••• 4242".

4. Click Remove.

When you remove the card:

  • We tell Stripe to detach the PaymentMethod from your customer record.
  • We clear the brand + last-4 from our database.
  • We keep your Stripe Customer ID. This is intentional — if you ever buy again, we re-use the same customer record (so your payment history, invoices, and email receipts stay together).

If you want your Stripe Customer record fully deleted, email help@subgrab.com and we'll forward the request to Stripe.

What If My Card Gets Compromised?

Two safety nets:

1. You can remove the saved card any time from your dashboard (see above). Once removed, future purchases require re-entering card details.

2. Stripe's fraud protection still runs on every off-session charge. If Stripe Radar flags the transaction, the charge fails and you get redirected to Checkout for re-authentication. We never override Stripe's risk decisions.

Why We Built This

SubGrab's pricing model is "credit packs" — you buy a pack when you need credits, no subscription. The downside of that model is that the second purchase has more friction than the first (you've already entered card details once; doing it again feels redundant).

1-click pay removes that friction. The first purchase teaches Stripe (and SubGrab) about your card. Every subsequent purchase respects your time.

What This Doesn't Change

  • No auto-renewal. SubGrab still has zero subscriptions and zero recurring charges. We will never charge your saved card without you clicking "Buy" first.
  • No price changes with the 1-click pay launch. Credit packs: $2.99 / $5.99 / $11.99 / $22.99 / $44.99 (prices last updated 2026-05-29).
  • No new data collection. We added 4 columns to our database (customer ID, PM ID, card brand, last 4). We did not add tracking, analytics, or any other "telemetry."

FAQ

Is my card really secure?

Yes. Stripe is PCI Level 1 (the highest standard). Your card data never touches SubGrab's servers — your browser sends it directly to Stripe's vault, and we only get back opaque tokens.

Can I have multiple saved cards?

Not yet. The current implementation saves one card as your default. If you'd like multi-card support, let us know at help@subgrab.com.

What happens if my card expires?

The next 1-click purchase will fail with a "card declined" message and redirect you to Stripe Checkout, where you can update the card on file.

Does this work for the first purchase too?

The very first purchase always goes through Stripe Checkout (so you can enter the card). After that, 1-click is enabled automatically.

Why didn't you launch with this from day one?

Honest answer: we didn't have it built. 1-click pay requires schema changes, a new payment-intent flow, off-session error handling for 3-D Secure, and webhook idempotency for the race between the synchronous DB write and the webhook fallback. Building it right took a focused sprint.
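
An added illustration of the webhook idempotency mentioned above, not SubGrab's own code: the synchronous repurchase handler and the webhook fallback both call one grant function, and a uniqueness constraint on the PaymentIntent ID lets only the first caller add credits. The schema, function names, credit amount and PaymentIntent ID are assumptions constructed for the example.

```python
import sqlite3

# Hypothetical schema (not SubGrab's): one grant row per Stripe PaymentIntent.
SCHEMA = """
CREATE TABLE users (id INTEGER PRIMARY KEY, credits INTEGER NOT NULL DEFAULT 0);
CREATE TABLE credit_grants (
    payment_intent_id TEXT PRIMARY KEY,  -- uniqueness is what makes grants idempotent
    user_id INTEGER NOT NULL,
    credits INTEGER NOT NULL,
    source TEXT NOT NULL                 -- 'sync' or 'webhook', kept for auditing
);
"""

def open_db():
    db = sqlite3.connect(":memory:", isolation_level=None)  # explicit transactions
    db.executescript(SCHEMA)
    return db

def grant_credits(db, payment_intent_id, user_id, credits, source):
    """Credit a succeeded payment exactly once; True if this call applied it."""
    db.execute("BEGIN IMMEDIATE")  # take the write lock before checking
    try:
        cur = db.execute(
            "INSERT OR IGNORE INTO credit_grants VALUES (?, ?, ?, ?)",
            (payment_intent_id, user_id, credits, source))
        applied = cur.rowcount == 1  # 0 means the other path got there first
        if applied:
            upd = db.execute("UPDATE users SET credits = credits + ? WHERE id = ?",
                             (credits, user_id))
            if upd.rowcount != 1:
                raise LookupError("unknown user; grant rolled back")
        db.execute("COMMIT")
        return applied
    except Exception:
        db.execute("ROLLBACK")
        raise

def balance(db, user_id):
    return db.execute("SELECT credits FROM users WHERE id = ?", (user_id,)).fetchone()[0]

def demo():
    db = open_db()
    db.execute("INSERT INTO users (id) VALUES (1)")
    pi = "pi_constructed_example_001"  # constructed ID, not a real PaymentIntent
    results = [grant_credits(db, pi, 1, 50, "sync"),      # synchronous DB write
               grant_credits(db, pi, 1, 50, "webhook"),   # webhook fallback arrives
               grant_credits(db, pi, 1, 50, "webhook")]   # Stripe redelivers the event
    return results, balance(db, 1)
```

The same result holds if the webhook arrives before the synchronous write: whichever path inserts the grant row first adds the credits, and the other becomes a no-op.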

Where can I see all my past purchases?

Dashboard → Payment History. Every purchase has a Stripe-hosted receipt link.

---

Existing users with credits: nothing changes for you until your next purchase. The next checkout will save the card (you'll see a clear disclosure at the bottom of the Buy modal), and the purchase after that will be 1-click.

If you have questions about any of this, reply to any SubGrab email or write to help@subgrab.com.
