Privacy Policy
Last updated: March 2026
1. Introduction
Spendics (“we”, “us”, or “our”) operates the Spendics platform, which helps businesses identify wasteful software and subscription spend. This Privacy Policy explains what information we collect, how we use it, and your rights in relation to it.
By using our service you agree to the collection and use of information in accordance with this policy. If you have questions, contact us at privacy@spendics.com.
2. Information We Collect
We collect the following categories of data:
- Account information — your name, email address, and business name when you sign up.
- Bank connection tokens — encrypted access tokens from Plaid that allow us to retrieve your transaction data. We never see or store your bank username or password.
- Transaction data — we retrieve up to 90 days of transactions from your connected accounts to identify recurring charges. Raw transaction records are not permanently stored; only the structured findings derived from them are retained.
- Usage data — log data including your IP address, browser type, pages visited, and actions taken within the app for security and debugging purposes.
- Billing data — subscription and payment status managed through Stripe. We do not store full card numbers; Stripe handles payment data in accordance with PCI-DSS.
3. How We Use Your Information
We use your information solely to:
- Generate your savings report and recurring-charge analysis
- Send renewal reminders and price-drift alerts you've enabled
- Manage your subscription and process billing
- Respond to support requests
- Detect fraud and secure the platform
- Send transactional emails (scan complete, account changes) — never marketing unless you opt in
We do not sell, rent, or share your financial data with third parties for marketing purposes.
4. Data Sharing and Third Parties
We share data with third-party service providers only as necessary to operate the service:
- Plaid — to retrieve bank transaction data. Governed by Plaid's privacy policy.
- Stripe — for payment processing. Governed by Stripe's privacy policy.
- Firebase / Google Cloud — for authentication, database, and hosting.
- Resend — for transactional email delivery.
We may disclose your information if required by law or to protect the rights, property, or safety of Spendics, its users, or the public.
5. Data Security
We take data security seriously and implement the following controls:
- All data in transit is encrypted with TLS 1.2 or higher
- All data at rest is encrypted by Firebase / Google Cloud
- Bank access tokens are never logged or displayed in plaintext
- Firestore security rules restrict every document to its owner
- Read-only Plaid access — we cannot initiate transfers or payments
No method of transmission over the internet is 100% secure. While we strive to protect your data, we cannot guarantee absolute security.
6. Your Rights and Choices
- Access & portability — you can view your data at any time within the app.
- Correction — you can update your name and business information in Settings.
- Deletion — you can delete your account in Settings → Profile. This permanently removes all stored data including Plaid connections and your Firestore records.
- Disconnect bank accounts — you can disconnect individual bank connections at any time in Settings → Accounts.
- Email preferences — you can manage notification preferences in Settings → Notifications.
7. Data Retention
We retain your account data as long as your account is active. If you delete your account, all personal data is permanently removed from our systems within 30 days. Aggregated, anonymized data (with no personal identifiers) may be retained for product analytics.
Transaction records retrieved from Plaid are processed in memory and not stored long-term. Only derived findings (e.g., “$29/mo to Notion”) are persisted to your account.
Contact Us
If you have questions or requests regarding this Privacy Policy, please contact us.