SpendCue Privacy Policy

1. Scope

This Privacy Policy applies when you:

• visit our website;
• create an account;
• use the Service;
• contact us for support, sales, or other inquiries;
• join our waitlist;
• subscribe to transactional or marketing communications; or
• otherwise interact with us.

2. Personal Data We Collect

We may collect the following categories of personal data:

a. Account and profile information

• name
• email address
• password or authentication credentials
• company or workspace membership information
• assigned role within a workspace

Passwords are not stored in plain text by us.

b. Company and workspace information

• company name
• preferred currency
• monthly budget
• default delivery address
• purchase categories
• user invitations and team membership data

c. Purchase request and workflow data

• request titles
• supplier names and related information entered by users
• quantities
• estimated and actual costs
• project or cost codes
• delivery addresses
• due dates and other dates
• notes and comments
• purchase order numbers
• approval and workflow history

d. Waitlist and inquiry information

• email address
• inquiry details
• limited anti-abuse data, such as a hashed or truncated IP-based signal where applicable

e. Usage and technical information

• IP address
• browser type
• device information
• operating system
• pages viewed
• actions performed in the Service
• session and log information

f. Error and performance information

• crash reports
• error traces
• performance diagnostics
• related technical metadata

g. Billing and payment information

• billing contact details
• subscription and invoice metadata
• payment status information
• limited payment-related details provided by our payment processor

Payment card data is processed by our payment provider and is not stored by us in full.

h. Communications

• support emails
• sales inquiries
• customer service messages
• responses to product communications

3. How We Collect Personal Data

We collect personal data:

• directly from you;
• from your employer or organisation if they create or manage your account;
• automatically when you use the Service;
• from service providers acting on our behalf, such as hosting, authentication, analytics, monitoring, and payment providers.

4. How We Use Personal Data

We use personal data to:

• provide, operate, and maintain the Service;
• create and manage accounts, workspaces, and subscriptions;
• process purchase requests, approvals, purchase orders, and related workflows;
• send transactional messages such as invitations, notifications, and password resets;
• respond to support requests and inquiries;
• improve the Service, user experience, and product functionality;
• monitor usage, detect errors, and troubleshoot issues;
• prevent fraud, abuse, security incidents, and unauthorised access;
• comply with legal obligations;
• enforce our Terms and protect our rights; and
• send product updates, service notices, and other communications related to the Service.

Where permitted by law, we may also send marketing or product update communications. You can opt out of non-essential communications at any time.

5. Legal Bases for Processing

Where the GDPR or similar laws apply, we rely on one or more of the following legal bases:

• Performance of a contract: to provide the Service, manage accounts, process subscriptions, and deliver support.
• Legitimate interests: to secure and improve the Service, detect abuse, communicate with customers, and operate our business.
• Legal obligation: to comply with applicable tax, accounting, legal, and regulatory obligations.
• Consent: where required, for example for certain analytics or marketing communications.

6. When We Act as a Data Processor

If you use SpendCue as part of a company or organisation workspace, we may process personal data on behalf of that organisation. In that case:

• the organisation is the data controller;
• we act as a data processor; and
• our processing is governed by the applicable customer agreement and DPA.

If you are an end user and want to exercise rights relating to data controlled by your organisation, you should contact that organisation first. We may assist the organisation where required by applicable law or contract.

7. How We Share Personal Data

We do not sell personal data.

We may share personal data with service providers and subprocessors that help us operate the Service, such as providers for:

• hosting and infrastructure
• database and authentication
• transactional email delivery
• analytics
• error monitoring
• payment processing
• application hosting and deployment

Our current service providers may include:

• Supabase
• Resend
• PostHog
• Sentry
• Stripe
• Vercel

We may also share personal data:

• where required by law, regulation, legal process, or governmental request;
• to protect the rights, safety, or property of SpendCue, our users, or others;
• in connection with a merger, acquisition, financing, reorganisation, sale of assets, or similar business transaction.

8. International Data Transfers

We may transfer personal data to countries outside the European Economic Area ("EEA"), the United Kingdom, or other jurisdictions with data protection laws that differ from those in your country.

Where required by applicable law, we use appropriate safeguards for such transfers, such as:

• adequacy decisions;
• standard contractual clauses; or
• other lawful transfer mechanisms.

9. Data Storage and Security

We use reasonable technical and organisational measures designed to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access.

These measures may include:

• encryption in transit;
• encryption at rest where provided by our infrastructure providers;
• row-level access controls;
• access restrictions based on user role;
• signed URLs or other controlled access methods for attachments;
• logging and monitoring for security and troubleshooting.

However, no method of transmission over the internet or electronic storage is completely secure, and we cannot guarantee absolute security.

10. Data Retention

We retain personal data for as long as necessary to:

• provide the Service;
• maintain business and accounting records;
• comply with legal obligations;
• resolve disputes;
• enforce agreements; and
• protect against fraud, abuse, and security threats.

If an account or workspace is closed, we will delete, anonymise, or otherwise remove personal data within a reasonable period, subject to backup, legal, accounting, fraud prevention, security, and compliance requirements.

Aggregated or anonymised information that does not identify you may be retained for analytics, reporting, or product improvement purposes.

11. Your Rights

Depending on your jurisdiction, you may have the right to:

• request access to personal data we hold about you;
• request correction of inaccurate or incomplete personal data;
• request deletion of your personal data;
• request restriction of certain processing;
• object to certain processing;
• request portability of your personal data;
• withdraw consent where processing is based on consent; and
• lodge a complaint with a supervisory authority.

To exercise these rights, contact us at privacy@spendcue.com.

If the relevant data is controlled by one of our business customers, we may direct you to that customer or assist them in responding as required by law.

12. Cookies and Similar Technologies

We use cookies and similar technologies for purposes such as:

• authentication and session management;
• remembering preferences;
• security;
• analytics and product improvement.

Some cookies or local storage mechanisms are necessary for the Service to function. Others may be used for analytics, depending on your settings and applicable legal requirements.

We do not use third-party advertising cookies for targeted advertising.

13. Children

The Service is intended for business users and is not directed to children. We do not knowingly collect personal data from children. If we become aware that we have collected personal data from a child in violation of applicable law, we will take reasonable steps to delete it.

14. Changes to This Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice by email, through the Service, or by other reasonable means before the updated version takes effect.

Your continued use of the Service after the effective date of the updated Privacy Policy constitutes acceptance of the updated Privacy Policy, to the extent permitted by law.

15. Contact

If you have questions about this Privacy Policy or our handling of personal data, you can contact us at:

SpendCue
Email: privacy@spendcue.com

If you are located in the EU/EEA and believe that our processing of personal data violates applicable law, you may also lodge a complaint with your local supervisory authority. If we are established in Sweden, the relevant supervisory authority is the Swedish Authority for Privacy Protection (Integritetsskyddsmyndigheten, IMY).