Privacy Policy

1. Introduction

StackSpend ("we", "us", "our") is a cloud and AI cost tracking platform operated by StackSpend. This Privacy Policy explains how we collect, use, store, disclose, and protect information when you use our website at stackspend.app and our application (collectively, the "Service").

By accessing or using the Service, you agree to the practices described in this policy. If you do not agree, please discontinue use of the Service.

2. Information we collect

2.1 Account information

When you create an account, we collect:

• Email address (used for authentication, notifications, and communication)
• Organisation name
• User role within your organisation (admin or member)
• Timezone and currency preferences

2.2 Provider credentials

To retrieve cost data on your behalf, you provide read-only credentials for cloud and AI providers (such as AWS, GCP, Azure, Snowflake, Vercel, ClickHouse Cloud, OpenAI, Anthropic, Cursor, GitHub, Hugging Face, Grok (xAI), and Twilio). These credentials are encrypted at rest using AES-256-GCM and are used exclusively to fetch billing and usage data. We do not use provider credentials for any other purpose.

2.3 Cost and usage data

We collect billing and usage data from the providers you connect. This may include:

• Cost amounts, dates, and currencies
• Provider service names and regions
• Account and project identifiers
• Resource identifiers and model names (for AI providers)
• User-level usage data where applicable (e.g., team member email addresses for Cursor usage)
• Usage quantities and units

2.4 Billing information

Payments are processed by Stripe. We do not store full payment card numbers. We retain only the last four digits and brand of your payment method for display purposes. Stripe's handling of your payment data is governed by the Stripe Privacy Policy.

2.5 Automatically collected information

When you interact with the Service, we may automatically collect:

• IP address and user agent (recorded in audit logs for security purposes)
• Authentication session data (managed via secure, httpOnly cookies)
• Public website visit information, such as pages viewed and browser/device details, where advertising cookies or pixels are permitted by your region and choices

We use necessary cookies for authentication, security, and core service behavior. On the public marketing website, we may also use advertising cookies or pixels for retargeting and campaign measurement where permitted by law and your privacy choices.

3. How we use your information

We use your information to:

• Provide, operate, and maintain the Service, including fetching, aggregating, and displaying your cost data
• Authenticate you and manage your account
• Send transactional communications such as daily cost summaries, budget alerts, anomaly notifications, and team invitations
• Process payments and manage your subscription
• Categorise services using automated classification to improve cost breakdowns
• Convert costs between currencies using publicly available exchange rates
• Detect anomalies and alert you to unusual spending patterns
• Maintain audit logs for security and compliance
• Respond to support requests
• Comply with legal obligations

We do not use your connected provider credentials, cost data, usage data, budgets, reports, or dashboard activity for advertising, profiling, or selling to third parties. We do not train machine learning models on your cost data.

4. Third-party service providers

We share limited information with trusted service providers that help us operate the Service. These providers process data only on our behalf and in accordance with our instructions.

We may also use automated classification services to categorise provider services for cost breakdowns. Only the service name is shared for classification — no cost amounts, credentials, or personally identifiable information.

5. Data security

• Encryption at rest: Provider credentials and integration tokens are encrypted using AES-256-GCM with keys managed separately from application data.
• Encryption in transit: All connections use TLS (HTTPS). No data is transmitted in cleartext.
• Tenant isolation: All data is scoped to your organisation using row-level security policies at the database layer. One organisation's data is never accessible to another.
• Read-only access: Provider credentials are limited to read-only permissions. StackSpend does not modify your infrastructure or cloud resources.
• Audit logging: All sensitive operations — including authentication events, provider changes, team modifications, and data access — are recorded in an immutable audit log.
• Least privilege: Each provider integration requests only the permissions required to fetch billing data.

For more information, see our Security page.

6. Data retention

• Cost data: Retained for the duration of your active subscription. Monthly aggregates are retained indefinitely while your account is active. Daily data is retained for at least 12 months.
• Account data: Retained for as long as your account is active, plus a reasonable period to comply with legal obligations.
• Audit logs: Retained for a minimum of 12 months for security and compliance purposes.
• Provider credentials: Removed immediately when a provider connection is deleted.
• Account deletion: Upon account deletion, all associated data — including cost data, credentials, tags, budgets, and audit logs — is permanently removed within 30 days.

7. Your rights

Depending on your jurisdiction, you may have the following rights regarding your personal data:

• Access: Request a copy of the personal data we hold about you.
• Rectification: Request correction of inaccurate personal data.
• Erasure: Request deletion of your personal data and account.
• Data portability: Request an export of your data in a machine-readable format.
• Restriction: Request that we restrict processing of your personal data in certain circumstances.
• Objection: Object to processing of your personal data where we rely on legitimate interests.
• Withdraw consent: Where processing is based on consent, you may withdraw consent at any time.

To exercise any of these rights, contact us at privacy@stackspend.app. We will respond within 30 days.

8. Legal basis for processing

If you are located in the European Economic Area (EEA) or the United Kingdom, we process your personal data on the following legal bases:

• Performance of a contract: Processing necessary to provide the Service you have subscribed to (account management, cost data retrieval, notifications).
• Legitimate interests: Security monitoring, audit logging, fraud prevention, and service improvement, where these interests are not overridden by your rights.
• Legal obligation: Where we are required to process data to comply with applicable law.
• Consent: For optional integrations and for advertising cookies or pixels where consent is required by applicable law. You can withdraw consent at any time through cookie preferences.

9. International data transfers

Your data may be processed in countries outside your jurisdiction, including the United States, where our hosting providers operate. Where data is transferred outside the EEA or UK, we rely on appropriate safeguards such as Standard Contractual Clauses (SCCs) or the service provider's certification under an applicable data transfer framework.

10. Cookies

We use strictly necessary cookies to maintain authenticated sessions, secure the Service, remember core preferences, and operate essential website functionality. These cookies are required and cannot be disabled through cookie preferences.

On public marketing pages, we may use advertising cookies and pixels through Google Tag Manager and AdRoll / NextRoll to measure campaigns and show relevant StackSpend advertising on other websites. These tools may collect cookie identifiers, page visits, browser/device data, IP-derived location signals, and similar website interaction data. They do not receive your StackSpend cost data, provider credentials, budgets, reports, or dashboard activity.

In regions that require opt-in consent, advertising pixels are off unless you allow them. In regions that allow opt-out controls, advertising pixels may be enabled by default, but you can use "Cookie preferences" or "Do not sell/share" in the site footer to turn them off. If your browser sends a Global Privacy Control signal, we treat it as an opt-out for advertising pixels.

11. Children's privacy

The Service is not directed at individuals under the age of 16. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child, we will take steps to delete it promptly.

12. Changes to this policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by email or by posting a notice within the Service at least 14 days before the changes take effect. The effective date at the top of this page indicates when the policy was last revised. Continued use of the Service after changes take effect constitutes acceptance of the revised policy.

13. Contact

If you have questions about this Privacy Policy or our data practices, contact us at:

Email: privacy@stackspend.app

General inquiries: hello@stackspend.app