Privacy Policy

Last updated: April 1, 2026

1. Information We Collect

When you use SpendGuard, we collect the following types of information:

  • Account Information: Email address and name provided during signup
  • API Usage Data: Check requests, authorization decisions, timestamps, agent identifiers, action types, amounts, and counterparty identifiers
  • Payment Information: Payment processing is handled entirely by Stripe. We never see, store, or process your credit card numbers or bank details

2. How We Use Information

We use the information we collect to:

  • Provide and operate the SpendGuard authorization service
  • Enforce rate limits and prevent abuse
  • Generate and maintain immutable audit logs
  • Process billing and manage your subscription
  • Improve the accuracy and performance of the Service
  • Communicate with you about your account or the Service

3. What We Do NOT Collect

SpendGuard is designed to process action metadata only. We do NOT collect, process, or store:

  • Financial account numbers or bank details
  • Credit card or debit card numbers
  • Social security numbers or government IDs
  • Customer personally identifiable information (PII)
  • Transaction contents or financial documents

The data we process consists of action metadata: amounts, action types, agent identifiers, policy identifiers, and counterparty identifiers. These are operational identifiers, not personal financial data.

4. Data Retention

Audit logs (check decisions and violations) are retained according to your plan tier:

  • Free: 30 days
  • Pro: 90 days
  • Growth: Unlimited retention

Account data is retained while your account is active. Upon account closure, we will delete your account data within 30 days, subject to any legal retention requirements.

5. Third-Party Services

SpendGuard uses the following third-party services to operate:

  • Supabase: Database hosting and management (PostgreSQL)
  • Stripe: Payment processing and subscription management
  • Railway: Application hosting and infrastructure
  • OpenAI: Text embeddings for semantic classification only — no financial data, amounts, or customer identifiers are sent to OpenAI. Only ambiguous action description text is processed

6. Security

We take security seriously and implement the following measures:

  • API keys are stored as SHA-256 hashes — raw keys are never stored
  • All data is encrypted in transit using TLS
  • Supabase provides encryption at rest for all database storage
  • Audit logs are append-only — they cannot be modified or deleted
  • Rate limiting prevents abuse and brute-force attacks
  • Raw API keys are never logged in application logs

7. Your Rights (GDPR)

If you are located in the European Economic Area, you have the following rights:

  • Right to Access: Request a copy of the data we hold about you
  • Right to Rectification: Request correction of inaccurate data
  • Right to Erasure: Request deletion of your data
  • Right to Portability: Request your data in a machine-readable format
  • Right to Object: Object to processing of your data

To exercise any of these rights, contact us at [email protected].

8. Your Rights (CCPA)

If you are a California resident, you have the right to:

  • Know what personal information we collect about you
  • Request deletion of your personal information
  • Opt out of the sale of personal information

We do not sell personal information to third parties.

9. Cookies

The SpendGuard website does not use cookies, tracking pixels, or analytics scripts. We do not track your browsing behavior across websites. The API itself does not use cookies.

10. Changes to This Policy

We may update this Privacy Policy from time to time. We will notify you of material changes via email or a prominent notice on our website. Continued use of the Service after changes constitutes acceptance of the updated policy.

11. Contact

For questions about this Privacy Policy or to exercise your data rights, contact us at [email protected].