What we collect
Your email and a hashed password (handled by Supabase Auth). The API tokens you connect — encrypted at rest and only decrypted in memory while a sync runs. The cost data those tokens return (line items, dates, dollar amounts).
What we don't collect
We don't track your visits across the web, send your data to third-party analytics, or sell anything to advertisers.
Where it lives
Postgres on Supabase (EU/US region per the project setting). Backups encrypted at rest in Backblaze B2. Logs in Sentry, scrubbed of credentials.
Subprocessors
- Supabase — auth + database
- Vercel — frontend hosting
- DigitalOcean — backend VM
- Stripe — payments
- Infomaniak — email + DNS
- Backblaze B2 — backups
- Sentry — error tracking
- OpenAI, Anthropic — only when their cost APIs are queried on your behalf
Your rights
Email hello@startupspend.cloud to delete your account, export your data, or request a copy of what we hold.
Cookies
A first-party session cookie from Supabase. No marketing cookies, no ads, no third-party trackers.