Skip to main content
Spendrein
Sign inSign up

Privacy Policy

Last updated May 17, 2026

What we collect

  • Account data: email address, name (if provided), and password hash via our auth provider (Supabase).
  • Billing data: handled by Stripe. We store a reference to your Stripe customer and subscription — we never see or store your card details.
  • Statements you upload: transaction records extracted from bank/card statements you provide. We use these to detect recurring charges and generate audit reports.
  • Contracts (Operator and Business): metadata and text extracted from PDF contracts you upload or forward to your inbound address. We extract fields such as supplier, term, and notice window.
  • Usage data: basic server logs (IP, user agent, route, timestamp) for security and debugging.

How we use it

We use your data to run the service you signed up for: parse statements, detect subscriptions, generate recommendations, send reminders, and (for Operator users) track contract renewals. We use an LLM provider to classify transactions and extract contract fields — provider calls contain the specific rows or text needed to complete the task. Our LLM provider does not use API submissions to train models per their published data usage policy, and we do not enable any payload-logging features in the inference gateway.

When a bank statement arrives in a format our parsers don’t recognize, we can — with your explicit one-time consent — send a small redacted sampleto our LLM provider to identify the file’s column layout: the header line plus at most five example rows, with account numbers (IBANs), card numbers, names, email addresses, phone numbers, and long reference numbers replaced by placeholders before anything leaves our servers. The provider returns only a structural description of the columns; your actual amounts, dates, and counterparties are extracted by our own code and are never sent. You can decline (and email the file to support instead), and any workspace member can disable this fallback entirely under Settings → Security → Privacy & data.

Sharing

We share data only with the sub-processors required to run the service. The current list — with each provider’s role, region, and transfer mechanism — is published at /legal/subprocessors. Business customers can also reference our Data Processing Agreement. We don’t sell your data, and we don’t share it with advertisers.

Email and weekly digest

Transactional email (audit summaries, renewal alerts, contract notices, cancellation confirmations, workspace lifecycle) is part of the service — you can mute individual streams from Settings → Notifications or via the one-click unsubscribe link in any email.

The weekly digest — a Monday-morning summary of flagged charges, expiring contracts, and pending reminders — is a separate consent surface. You must affirmatively opt in via the settings toggle or the one-time prompt on your dashboard before we send it. The DB default is opted out; we do not enable the digest based on inactivity, dormancy, or product launches. Every digest carries a one-click List-Unsubscribe header (RFC 8058) so you can opt out from any mail client without visiting the app. The digest body contains only aggregate counts plus the vendor names you already see in-product — no raw statement strings or transaction descriptions.

Outbound email is sent through Resend (US-based; transfers covered by the Standard Contractual Clauses in our sub-processor agreement and DPA).

Retention

Raw statement files are removed from storage within minutes of processing on the happy path. If processing fails or stalls, an automated daily sweep removes the file within 7 days at the latest. Parsed transactions, subscriptions, and contracts are retained while your account is active. When you delete your account from Settings → Danger zone, we remove your data from our primary database within 30 days. Backup copies are purged on the next backup rotation.

Your rights

You can access, export, correct, or delete your data at any time from Settings. If you’d prefer us to handle a request directly — or you’re exercising rights under GDPR, UK GDPR, or CCPA — email privacy@spendrein.com.

Security

Data is encrypted in transit (TLS) and at rest on our hosting provider’s managed infrastructure. Access to production data is restricted to the engineers who need it to operate the service.

Changes

We’ll update this policy as our product and sub-processors change. Material changes are announced in-app or by email before they take effect. The “Last updated” date at the top always reflects the current version.