Privacy Policy

SpendGate ("we," "us," or "our") is committed to protecting your privacy. This Privacy Policy explains how we collect, use, disclose, and safeguard your information when you use our API proxy, policy engine, and AI agent control service (the "Service").

By using the Service, you consent to the data practices described in this policy. If you do not agree with this policy, please do not use the Service.

1. Information We Collect

We collect several types of information to provide and improve the Service:

1.1 Account Information

When you create an account, we collect:

• Email address
• Name (if provided)
• Password (stored in hashed form)
• Account preferences and settings
• Billing information (if applicable, processed by our payment provider)

1.2 Authentication and Session Data

To secure your account and provide the Service, we collect:

• Login timestamps and session identifiers
• IP addresses used for authentication
• Two-factor authentication enrollment status
• Session tokens and expiration data

1.3 Device and Browser Information

When you access the Service, we automatically collect:

• Browser type and version
• Operating system
• Device identifiers and characteristics
• Screen resolution and time zone
• Referring URLs and pages visited within the Service

1.4 API Usage and Transaction Metadata

To provide proxy, policy enforcement, and monitoring features, we collect:

• Request and response metadata (HTTP methods, status codes, timestamps, latency)
• Target URLs and upstream API endpoints you configure
• Request sizes and response sizes
• Policy evaluation results (allowed, blocked, flagged)
• Rate limiting and throttling events
• Agent identifiers and names you assign
• Transaction cost metadata for x402/payment-enabled requests (amounts, currencies)

Note: We do not log the full content of request or response bodies by default. However, certain debugging or audit features may capture request metadata. We do not store upstream API credentials in logs.

1.5 Upstream Credentials (Encrypted)

If you configure upstream authentication credentials (API keys, tokens, certificates), we store these securely:

• Credentials are encrypted at rest
• Credentials are never logged in plaintext
• Access to credentials is strictly limited to request proxying

1.6 Webhook Configuration Data

If you configure webhooks for alerts and notifications, we store:

• Webhook endpoint URLs
• Authentication headers or secrets you configure
• Delivery status and retry history

1.7 Communication and Support Data

If you contact us or use support features, we collect:

• Email correspondence and support tickets
• Feedback and survey responses
• Chat transcripts (if applicable)

2. How We Use Your Information

We use the information we collect for the following purposes:

2.1 Providing the Service

• Proxying API requests between your agents and upstream services
• Enforcing policy rules you configure (rate limits, spend caps, domain restrictions)
• Generating alerts and sending notifications
• Displaying dashboards, analytics, and transaction history
• Processing payments and managing billing (via our payment provider)

2.2 Security and Fraud Prevention

• Detecting and preventing unauthorized access
• Identifying suspicious activity and abuse
• Protecting the integrity of the Service
• Enforcing our Terms of Service

2.3 Service Improvement

• Analyzing usage patterns to improve features
• Debugging issues and fixing bugs
• Developing new features and services
• Conducting research and analytics (in aggregated or anonymized form)

2.4 Communications

• Sending service-related notifications (alerts, security notices, policy updates)
• Responding to support requests
• Sending product updates and announcements (you may opt out)

2.5 Legal Compliance

• Complying with applicable laws and regulations
• Responding to legal requests and court orders
• Protecting our legal rights and interests

3. Cookies and Local Storage

We minimize the use of cookies and rely primarily on browser local storage for non-essential preferences.

3.1 Essential Cookies (Authentication Only)

We use httpOnly cookies only for essential authentication and session management:

• Session tokens for secure login
• CSRF protection tokens

These cookies are strictly necessary for the Service to function securely and cannot be disabled.

3.2 Local Storage (Preferences)

We use browser local storage (not cookies) for non-essential UI preferences:

• Theme preference (light/dark mode)
• Sidebar collapsed/expanded state
• Dismissed notice states
• Session token backup (for authentication fallback)

Local storage data stays on your device and is not transmitted to our servers.

3.3 No Tracking Cookies

We do not use third-party advertising cookies, tracking pixels, or analytics cookies. Any future analytics we may implement will be disclosed in an updated version of this policy.

3.4 Managing Storage

You can clear local storage through your browser settings or developer tools. Essential authentication cookies are required for the Service to function; disabling them will prevent login.

4. Information Sharing and Disclosure

We do not sell your personal information. We may share your information in the following circumstances:

4.1 Service Providers and Subprocessors

We use third-party service providers to help operate the Service, including:

• Cloud infrastructure providers (hosting, storage, compute)
• Payment processors
• Email delivery services
• Analytics providers
• Customer support tools

A list of subprocessors will be made available upon request. Subprocessors are contractually obligated to protect your data.

4.2 Legal Requirements

We may disclose your information if required by law, court order, or government request, or if we believe disclosure is necessary to:

• Comply with legal obligations
• Protect and defend our rights or property
• Prevent fraud or illegal activity
• Protect the safety of users or the public

4.3 Business Transfers

If SpendGate is involved in a merger, acquisition, or sale of assets, your information may be transferred as part of that transaction. We will provide notice before your information is subject to a different privacy policy.

4.4 With Your Consent

We may share your information with third parties when you have given us explicit consent to do so.

5. Data Security

We implement industry-standard security measures to protect your information:

• Encryption in transit (TLS/HTTPS for all connections)
• Encryption at rest for sensitive data (credentials, personal information)
• Secure password hashing (bcrypt or equivalent)
• Access controls and least-privilege principles
• Regular security assessments and monitoring
• Incident response procedures

While we take reasonable precautions, no method of transmission or storage is 100% secure. You are responsible for maintaining the security of your account credentials.

6. Data Retention

We retain your information for as long as necessary to provide the Service and fulfill the purposes described in this policy:

• Account data: Retained while your account is active and for a reasonable period after closure
• Transaction logs: Retained according to your plan's history limits (e.g., 7 days, 30 days, 90 days)
• Audit logs: Retained for security and compliance purposes (typically 12-24 months)
• Backups: Retained for disaster recovery purposes and deleted on a rolling basis

After account deletion, we may retain certain information as required by law or for legitimate business purposes (fraud prevention, legal claims).

7. Your Rights

Depending on your jurisdiction, you may have the following rights regarding your personal information:

• Access: Request a copy of the personal information we hold about you
• Correction: Request correction of inaccurate or incomplete information
• Deletion: Request deletion of your personal information (subject to legal requirements)
• Portability: Request your data in a structured, machine-readable format
• Objection: Object to certain processing of your information
• Restriction: Request restriction of processing in certain circumstances
• Withdraw consent: Withdraw consent where processing is based on consent

To exercise these rights, contact us at support@spendgate.ai. We will respond within the timeframe required by applicable law.

Note: Specific rights may vary based on your jurisdiction (e.g., GDPR, CCPA). We will provide jurisdiction-specific disclosures as required.

8. Legal Bases for Processing

For users in jurisdictions that require a legal basis for processing (such as the EU/EEA), we process your information based on:

• Contract: Processing necessary to provide the Service you requested
• Legitimate interests: Processing for security, fraud prevention, service improvement, and analytics (where not overridden by your rights)
• Legal obligations: Processing required to comply with applicable laws
• Consent: Processing based on your explicit consent (which you may withdraw)

9. International Data Transfers

SpendGate operates globally, and your information may be transferred to and processed in countries other than your own. These countries may have different data protection laws.

When we transfer personal information internationally, we implement appropriate safeguards, which may include:

• Standard contractual clauses approved by relevant authorities
• Data processing agreements with service providers
• Other mechanisms permitted by applicable law

Specific transfer mechanisms will be documented as required by applicable regulations.

10. Children's Privacy

The Service is not intended for use by children under the age of 18 (or the applicable age of majority in your jurisdiction). We do not knowingly collect personal information from children.

If we become aware that we have collected personal information from a child, we will take steps to delete that information. If you believe we have collected information from a child, please contact us immediately at support@spendgate.ai.

11. Third-Party Links

The Service may contain links to third-party websites or services. We are not responsible for the privacy practices of these third parties. We encourage you to review the privacy policies of any third-party services you access.

12. Changes to This Policy

We may update this Privacy Policy from time to time. If we make material changes, we will notify you by:

• Posting the updated policy on our website with a new "Last updated" date
• Sending an email notification to the address associated with your account
• Displaying a notice within the Service

Your continued use of the Service after the effective date of any changes constitutes your acceptance of the revised policy.

13. Contact Information

If you have questions, concerns, or requests regarding this Privacy Policy or our data practices, please contact us:

• General inquiries and data requests: support@spendgate.ai
• Abuse reports and security concerns: abuse@spendgate.ai

We will respond to your inquiry within a reasonable timeframe and in accordance with applicable law.