Last updated: May 8, 2026
This document, herein referred to as the “Privacy Notice”, outlines the privacy practices of Spendbase (“We”, “us”, “our”, “Spendbase”) and governs the processing of your personal data (“Personal Data”) while you are using our website (“Site”)
Your continued use of the website constitutes your acknowledgment of the privacy practices described herein. In the event of any concern relating to this Privacy Notice or how we handle your Personal Data, feel free to contact us at:
Data Protection Officer, Spendbase Inc. Attn: Privacy and Compliance Email: privacy@spendbase.co
Nota bene! This Privacy Notice may be available in several languages. In the event of any discrepancies, the English version of this Notice shall prevail.
This Privacy Notice is written primarily in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), and where our processing falls within its territorial scope UK General Data Protection Regulation (“UK GDPR”) and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA“), Cal. Civ. Code § 1798.100 et seq. These frameworks share substantially identical substantive rules; where they diverge, we identify this expressly.
Additional rights. The supplemental sections do not constitute an exhaustive list of every jurisdiction in which we operate or every law that may apply to you. Applicable privacy laws are subject to frequent change. If you believe you are entitled to a right or remedy in respect of your personal data under any applicable law not expressly addressed in this Notice, we invite you to contact us at privacy@spendbase.co. We will assess your request in good faith and in accordance with applicable law, and we will not refuse a valid rights request solely because the specific right is not named in this Notice.
In accordance with applicable privacy laws, Spendbase operates as a Data Controller.
| Field | Description |
| Legal name | Spendbase Inc. |
| Registration No | 61-2064269 |
| Address | 16192 Coastal Highway, Lewes, DE 19958 |
| Email (privacy matters) | privacy@spendbase.co |
Under this Notice, you may act in the capacity of the Visitor and/or the User. Depending on your role, we process different categories of personal data.
Depending on whether you are a Visitor or a User, we may collect the following categories of data:
| Data Category | Description | Visitor\User |
| Registration data | First and last name, email | User |
| Support & Communication | If you contact us for support or send feedback, we retain the content of that communication and your contact details. | Visitor, User |
| Technical and device data | IP address; Browser type and version, operating system, device type; Date and time of access, pages visited, referring URL | Visitor, User |
If you visit our website without registering, the only personal data we collect is through cookies and similar tracking technologies placed on your device. Profound information about cookies and other tracking technologies is in Section “COOKIES & OTHER TRACKING TECHNOLOGIES”.
NB! We do not intentionally collect minors’ Personal Data or sensitive categories of Personal Data that may reveal health, ethnicity, nationality, gender, political or religious beliefs. Please try to avoid sharing sensitive personal data while using the Services. In the event you have mistakenly provided us with the data we have never requested, and you would like us to delete it, please do not hesitate to reach out to us at: privacy@spendbase.co
For California residents: The categories above correspond to the following CCPA/CPRA statutory categories: “Identifiers” (Registration, Technical and device data); “Internet or other electronic network activity” (Technical and device data); “Audio, electronic, visual, or similar information” (Support & Communication). We do not collect “sensitive personal information” as defined by Cal. Civ. Code § 1798.140(ae); the right to limit use of sensitive personal information under Cal. Civ. Code § 1798.121 is therefore not applicable.
We process personal data only where we have a valid legal basis under Article 6 of the GDPR. For California residents, the GDPR legal bases framework does not apply; we process your personal information for the business purposes identified in the table below in accordance with CCPA/CPRA.
| Purpose | Data processed | Lawful basis |
| Operating the Site | Registration data, some technical &device data | Contract performance |
| Support communications (security alerts, service updates) | Registration data, Support & Communication data | Contract performance/ Legitimate Interest |
| Platform security, fraud prevention, and abuse detection | Technical &device data | Legitimate Interest |
| Marketing communications by email* | Email address | Consent (where required by applicable law); Legitimate Interest (for existing customers in jurisdictions where this is permitted, subject to opt-out) |
* For EEA and UK residents, email marketing is sent only based on prior consent or the soft opt-in exemption for existing customers under applicable rules.
COOKIES & OTHER TRACKING TECHNOLOGIES
We use Cookiebot (provided by Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark) as our consent management platform. Cookiebot scans our website, identifies all cookies and trackers, and displays a consent banner on your first visit. It also maintains a real-time cookie declaration.
The complete and current cookie list is available within the Cookiebot banner, accessible from our website footer. Cookiebot’s privacy practices are available here. For your convenience, cookies fall into the following categories:
| Cookie type | Description | Lawful basis |
| Strictly necessary | They are essential for the website to function. | Contract provision |
| Analytics/performance | They help us understand how visitors use our site (e.g. Google Analytics). | Consent |
| Advertising/targeting | used to deliver relevant ads and measure campaign effectiveness (e.g., Google Ads, Meta Pixel, LinkedIn Insight Tag). | Consent |
You may accept, reject, or customise your cookie preferences at any time through the Cookiebot banner. To re-open the banner, click the cookie settings link in the website footer.
You may also control cookies through your browser settings. Please refer to the links below to manage it easily:
Do not track requests. We do not currently respond to Do Not Track signals, as no uniform technical standard exists. We do honour Global Privacy Control (GPC) signals as opt-out requests for the sharing of personal data for cross-context behavioural advertising, as required under applicable US state laws. Visit this page to enable GPC.
Do not sell or share requests. We do not sell your personal information. The use of Meta Pixel and LinkedIn Insight Tag on our website may constitute “sharing” of personal information for cross-context behavioural advertising within the meaning of Cal. Civ. Code § 1798.140(ah). California residents have the right to opt out of such sharing under Cal. Civ. Code § 1798.120. You may exercise this right via the Cookiebot banner, by enabling GPC, or by contacting us at privacy@spendbase.co with the subject line “California — Opt-Out of Sharing”. We will not discriminate against you for exercising this right. You may opt out of this sharing via the Cookiebot banner or by enabling GPC.
You will not be subject to decisions that will have a significant impact on you based solely on automated decision- making.
Except for AI providers mentioned in the Section above, we may share your Personal Data with the following categories of recipients:
| Provider category | Name | Privacy Notice | Description of processing |
| Service providers | AWS | AWS Privacy Notice | Cloud hosting infrastructure (Frankfurt, Germany). |
| Analytics providers | Google LLC | Google Privacy Notice | Analytics (Google Analytics), OAuth authentication. |
| Hubspot | Cookie Privacy Notice | Product analytics (tracks page views, visitors’ identities, and browsers) | |
| Advertising providers | Meta (Facebook) Pixel | Facebook Privacy Notice | Advertising conversion tracking and retargeting. |
| LinkedIn Insight Tag | LinkedIn Privacy Notice | B2B advertising and conversion tracking. |
We may also disclose your information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to comply with applicable laws and regulations, protect our rights, property, or safety, prevent fraud or illegal activities, or respond to valid legal requests. In the event of a merger, acquisition, reorganization, or asset sale, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your Personal Data.
For California residents: In the preceding twelve months, we have not sold personal information. We have disclosed personal information to the categories of third parties listed above for business purposes only. We have shared personal information (identifiers and internet activity data) with advertising providers (Meta, LinkedIn) for cross-context behavioural advertising; you may opt out as described in the Section “Cookies & Other Tracking Technologies”. We do not disclose personal information to third parties for their own direct marketing purposes.
As Spendbase operates globally, we may share Personal Data within our legal entities, which are located in the US, Ukraine, and other countries. For all transfers of personal data from the UK or EEA to third countries lacking an adequacy decision, we implement appropriate safeguards:
We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law, unless your consent is not withdrawn, where applicable.
| Data Category | Retention period |
| Registration | 3 years |
| Website log and technical data | 90 days |
| Cookie consent records | From 1 session to 1 year, depending on the cookie, unless consent is withdrawn |
| Support and communications data | 3 years from last interaction |
Where data is no longer required, it is securely deleted or irreversibly anonymised. Data may be retained longer where required by a competent regulatory or tax authority, or for the establishment, exercise, or defence of legal claims.
Depending on the lawful bases of the personal data processing and applicable law, you have the following rights:
| Right | EU/EEA & UK ¹ | California ² | Canada ³ |
| Access | ✓ | ✓ | ✓ |
| Rectification / Correction | ✓ | ✓ | ✓ |
| Erasure / Deletion | ✓ | ✓ | ✓ |
| Restrict processing | ✓ | — | — |
| Object to processing | ✓ | — | — |
| Data portability | ✓ | ✓ | — |
| Withdraw consent | ✓ | ✓ | ✓ |
| Non-discrimination | — | ✓ | — |
| Automated decision review | ✓ | ✓ | — |
¹ EU/EEA & UK: Rights are governed by the GDPR and UK GDPR, respectively. The right to erasure and the right to object are not absolute and may be limited where we have overriding legitimate grounds or legal obligations. You may also lodge a complaint with your national Data Protection Authority (see here) and for UK residents by referring to the Information Commissioner’s Office (contact data).
² California (CCPA/CPRA). The right to erasure is subject to statutory exceptions, including completing a transaction, detecting security incidents, and complying with legal obligations. The right to data portability arises where technically feasible. The right to non-discrimination means we will not deny services, charge different prices, or provide a different quality of service because you exercise a CCPA/CPRA right. Automated decision review applies where solely automated processing produces legal or similarly significant effects. Complaints may be directed to the California Privacy Protection Agency (contact data).
³ Canada. Under PIPEDA, the right of access entitles you to know what personal information we hold about you and how it is used, and to challenge its accuracy. The right to rectification allows you to request correction of inaccurate or incomplete information. There is no freestanding right to erasure under PIPEDA; however, you may withdraw consent at any time, which obligates us to cease processing for the purposes to which that consent related, subject to legal or contractual constraints. There is no general right to object to processing or to restrict processing as a standalone right; withdrawal of consent is the functional equivalent under PIPEDA. Data portability, automated decision review, and non-discrimination are not established rights under PIPEDA. Complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC) at the link.
To satisfy any of your rights, please contact us using all the information provided in Section “ABOUT SPENDBASE”. We will do our best to answer your questions at our earliest convenience, but please note that time frames may vary from 10 to 45 days depending on the jurisdiction. Such periods can also be extended under the applicable law.
We have implemented technical and organisational measures proportionate to the risks of our processing: hosting on AWS infrastructure with ISO 27001 and SOC 2 certified facilities; role-based access controls and the principle of least privilege, DMARC, DKIM, and SPF email authentication, regular security assessments and vulnerability monitoring.
While using the Site, you may encounter third-party links.We are not responsible for the privacy practices of those sites. Before sharing your Personal Data with any of these parties, please read their privacy notices.
We may update this Notice from time to time. The “Last updated” date at the top reflects the most recent version. For material changes, we will provide prior notice via a banner on our website or by email to your registered address before changes take effect.
If you have concerns about how we handle your Personal Data, send us an email at: privacy@spendbase.co