Privacy Policy

Last updated: February 19, 2026

Acme Logic Works LLC, DBA Spendlayer ("Spendlayer," "we," "us," or "our"), values your privacy. This Privacy Policy describes how we collect, use, disclose, and safeguard your personal information when you use the Spendlayer web application, services, and related tools (collectively, the "Service").

This policy complies with the California Consumer Privacy Act (CCPA/CPRA), as well as privacy laws in other U.S. states with comparable frameworks (Colorado, Virginia, Connecticut, and Utah). If you are an EU or UK resident, this policy also incorporates disclosures required under the General Data Protection Regulation (GDPR).

1. Our Commitment to You

At Spendlayer, we are founders building for founders. We believe your data is yours. Our privacy commitments are grounded in three principles:

  1. No data selling: We never sell, rent, or share your personal information or financial data with advertisers, brokers, or marketers.
  2. Minimal collection: We only collect data strictly necessary to operate, secure, and improve our Service.
  3. Transparency: We clearly communicate what we collect and how it is used.

2. Categories of Personal Information Collected

The following table describes the categories of information Spendlayer collects, the sources, and purposes:

Category | Examples | Source | Purpose
Identifiers | Name, email address, account credentials | Provided by you | Account registration, authentication, user communication
Financial Information | Billing address, subscription status, payment details (via third-party) | Provided by you / collected by payment processor | Subscription management, billing
Commercial Information | Purchase history, subscription tier | Collected automatically / from processor | Service provisioning, analytics
Internet Activity | Device type, usage analytics, IP address | Automatically collected | Improve features, maintain security
AI Provider Usage Data | API usage metrics, token counts, cost data from connected providers | Fetched from provider APIs with your authorization | Core application functionality — spend analytics, cost optimization

Spendlayer does not knowingly collect or use personal information from children under 13.

3. Notice at Collection

We collect your information directly from you when you create an account, connect AI provider accounts, or interact with our Service. We also collect limited behavioral analytics in anonymized form.

We retain your personal data only as long as necessary to fulfill the business purposes described in this policy, including compliance with legal and contractual requirements. Data retention periods vary depending on account status, billing cycles, and security needs.

We do not sell or share your personal information as defined in Cal. Civ. Code § 1798.140. If that ever changes, we will provide an updated notice and the right to opt out.

4. How We Use Your Information

Your information is processed to:

  • Provide, maintain, and improve the Spendlayer Service.
  • Fetch and normalize AI provider usage data on your behalf.
  • Manage subscription billing and payments.
  • Communicate important service updates.
  • Provide technical and customer support.
  • Conduct aggregate, anonymized analytics to improve product features.
  • Comply with legal obligations and enforce our Terms of Service.

5. Disclosure to Service Providers

We only share data with trusted third parties that assist in core operations, under binding data-protection agreements:

  • Supabase — database, authentication, and backend infrastructure.
  • Vercel — application hosting and edge network.
  • Stripe — payment processing and billing management.

Each partner commits to maintaining security, confidentiality, and compliance with applicable data protection standards.

Spendlayer does not disclose personal data to advertising networks, data brokers, or social platforms.

6. AI Provider API Keys

When you connect an AI provider (Anthropic, OpenAI, OpenRouter), you provide an API key that grants Spendlayer read-only access to your usage and billing data. These keys are:

  • Encrypted at rest using AES-256 encryption.
  • Never exposed to client-side code or browser-accessible endpoints.
  • Used exclusively to fetch usage data from the connected provider.
  • Immediately and permanently deleted when you disconnect the provider or delete your account.

7. Data Security

We employ industry-standard safeguards, including:

  • Encryption in transit (TLS 1.3) and at rest.
  • Row-Level Security (RLS) ensuring strict tenant data isolation.
  • Secure, access-controlled databases with no cross-tenant data access.
  • Periodic security reviews, monitoring, and vulnerability mitigations.

If a security incident occurs, we will notify affected users and relevant authorities in accordance with applicable laws.

8. Your Rights and Choices

Under the CCPA/CPRA, and similar U.S. state privacy laws, you have the following rights:

  • Right to Know — Request what categories and specific data we collect, use, and disclose.
  • Right to Delete — Request deletion of your personal information, subject to legal exceptions.
  • Right to Correct — Request correction of inaccurate personal information.
  • Right to Opt Out — Opt out of data selling or sharing (not applicable currently as we do not sell/share).
  • Right to Limit Use of Sensitive Data — Limit the use of sensitive information to service provision only.
  • Right to Non-Discrimination — Spendlayer will not discriminate against you for exercising any of your rights.

How to Exercise Your Rights

You can submit verified requests by:

We will verify your identity and respond within 45 days, as required by law.

9. Data Access, Portability, and Deletion

Users can:

  • Export all their usage data at any time (CSV, JSON formats).
  • Delete their account and data through account settings or by emailing privacy@spendlayer.ai.

Upon deletion, all associated data will be securely erased from active systems within 30 days and from backups within a commercially reasonable time.

10. International Data Transfers

If you access the Service from outside the U.S., your data may be processed in the United States. Spendlayer implements appropriate safeguards for international data transfers consistent with GDPR Articles 46–49, including data processing agreements and standard contractual clauses where applicable.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Substantial changes will be communicated via email and a prominent banner on our website. The "Last Updated" date will reflect the current version.

12. Contact Information

Acme Logic Works LLC, DBA Spendlayer
440 Monticello Ave Ste 1802 PMB 943606
Norfolk, Virginia 23510-2670 US

Email: privacy@spendlayer.ai

If you are a California resident, you may contact the California Privacy Protection Agency (CPPA) regarding this policy or our practices. EU/UK residents may contact their local data protection authority for inquiries under GDPR.

Version: 1.0 — Compliant with CCPA/CPRA and aligned with major U.S. and international privacy standards.