SpendSentry — Privacy Policy
Status: DRAFT — requires counsel review before publication.
Owner: Founder
Last updated: 2026-05-13
⚠️ This is not a substitute for legal advice. Every section below is a placeholder skeleton that mirrors what the policy needs to address. Before any of this is hosted at /legal/privacy and before any paid spend runs, a privacy attorney familiar with U.S. consumer subscription apps must review and sign off. Required reviewers: someone familiar with CCPA/CPRA, state-specific privacy laws (CO/VA/TX/FL/CT/UT and the rest of the 2026 patchwork), App Store guideline 5.1.1–5.1.2, FTC Section 5, and (if any EU traffic) GDPR.
Why this draft exists
To name every section we'll need, what data flows into each, and where the open questions are. When counsel reviews, they replace placeholder language with legally-binding text. Until then, this file is for engineering and product, not for users.
Sections required
1. Who we are
- Legal entity name (TBD — open).
- U.S. address (TBD).
- Contact email for privacy inquiries (suggest: `privacy@spendsentry.app`).
- EU representative (if EU traffic).
2. What information we collect
Account data:
- Email (Supabase Auth).
- Subscription/billing data via Stripe (customer ID, plan, payment status — we do not store full card numbers; Stripe does).
Email scan data (the wedge):
- Gmail / Outlook OAuth tokens, scoped to read inbox metadata.
- Subscription-related email metadata: sender, subject, date, parsed amount, parsed cadence.
- We do not store full email bodies. We extract structured data and discard the rest.
- OAuth tokens are encrypted at rest.
App usage data:
- Events fired per `docs/events.md` — paywall views, screen views, button taps.
- Device identifiers (per platform: IDFA on iOS subject to ATT consent, GAID on Android).
- PostHog: product analytics.
- Sentry: crash and error data.
Funnel data:
- Quiz answers collected on `apps/web` (anonymous until purchase, then joined to the user via the PostHog `distinct_id` and Stripe Checkout Session metadata).
- UTM source/medium/campaign + ad-platform click IDs (`fbclid`, `gclid`, `ttclid`).
3. How we use it
- Provide the service (detect subscriptions, deliver app, run AI features).
- Process billing via Stripe.
- Measure marketing performance (ad-platform Conversion APIs — Meta, TikTok, Google).
- Improve the product (PostHog analytics, Sentry crash data).
- Send transactional email (Resend) and lifecycle messaging (CRM TBD — see [growth-stack.md](../growth-stack.md)).
- Comply with legal obligations.
4. Who we share it with
Explicit list of sub-processors. Counsel should match this against actual integrations at launch:
- Stripe — payment processing.
- Supabase — hosting and authentication.
- PostHog — product analytics.
- Sentry — error tracking.
- Anthropic — AI features (subscription analysis, Sentry tab). PII transmitted is the minimum necessary per request.
- Tavily — web search backend for the AI features.
- Resend — transactional email.
- Meta / TikTok / Google — Conversions APIs receive *hashed* PII (email, phone) for ad attribution; full PII is never transmitted.
- MMP (AppsFlyer / Adjust / Singular — pending) — attribution.
- Lifecycle CRM (Customer.io / Iterable / Braze — pending) — behavioral messaging.
- Inngest — workflow orchestration.
- Doppler — secrets management (no user data).
5. Your rights (CCPA / CPRA + state privacy laws)
Required sections per California + most other 2026 state laws. Counsel to confirm specifics per state.
- Right to know what we collect.
- Right to delete.
- Right to correct.
- Right to opt out of "sale" or "sharing" (CCPA term of art; "sharing" specifically covers cross-context behavioral advertising — i.e. our Meta/TikTok pixel + CAPI activity).
- Right to limit use of sensitive personal information.
- Right to non-discrimination for exercising rights.
Mechanism: a "Do Not Sell or Share My Personal Information" link in the footer of all surfaces (App Store guideline 5.1.1 + state laws). Backed by a Consent Management Platform — see [growth-stack.md](../growth-stack.md). Pending CMP choice.
6. GDPR (if EU traffic)
If we accept EU traffic, this section is required. If we geo-block EU, this section can be a one-liner stating that.
Counsel to advise on launch posture: U.S.-only at first, then expand?
7. Children's privacy
We do not target users under 18. App Store age rating reflects this. We don't knowingly collect data from children. If we discover we have, we delete it.
8. Data retention
- Account data: retained while the account is active. Deleted within 30 days of account deletion request.
- Email scan data: retained while account is active. Deleted within 30 days of account deletion request.
- Marketing data (CAPI, MMP): retained per the platform's own policies; we do not retain copies beyond what's needed for attribution.
- Stripe data: retained per Stripe's policies (typically 7 years for financial records — counsel to confirm).
- Crash data (Sentry): retained per Sentry's default (90 days unless extended).
9. Security
- Encryption in transit (TLS 1.2+).
- Encryption at rest (Supabase + Stripe both encrypt by default).
- OAuth tokens encrypted with a separate key (Doppler-managed).
- RLS policies on Supabase tables — see Track 5 launch-checklist gate.
- Rate limiting on webhook + API endpoints.
10. Changes to this policy
Standard "we'll update; the date at top reflects the last revision; material changes get notified via email" language.
11. Contact us
Email + (if required by state) physical address.
Open questions for counsel
- Are we U.S.-only at launch, or EU/UK too? (Decides whether GDPR section is required.)
- Specific entity to use as the data controller / publisher of record.
- Whether the CCPA "sale or share" link must be present on every page (App Store interpretation varies).
- Are there state-specific addenda needed (e.g. Texas has its own framework as of 2026)?
- What's the right retention period for OAuth tokens on account deletion (immediate vs. 30 days)?
- Is our PostHog session-replay configuration considered "selling personal information" under any 2026 state law?
- Does our Meta CAPI + TikTok EAPI + Google enhanced-conversion pipe require explicit consent in the U.S. (state-by-state), or is it covered by the "sharing" opt-out?
Pointers
- [docs/env.md](../env.md) — what data flows through which integrations.
- [docs/events.md](../events.md) — every event we fire.
- [docs/architecture.md](../architecture.md) — code wiring.
- [docs/growth-stack.md](../growth-stack.md) — sub-processor inventory.
- [docs/legal/terms-of-service.md](terms-of-service.md)
- [docs/legal/refund-policy.md](refund-policy.md)