PRIVACY NOTICE

Last Updated: April 14, 2026

1. INTRODUCTION

This document, herein referred to as the “Privacy Notice”, outlines the privacy practices of Spendbase (“We”, “us”, “our”, “Spendbase”) and governs the processing of your personal data (“Personal Data”) in connection with the provision of LLM API services through both our website and our gateway AI service (“Services”).

Your continued use of the Services constitutes your acknowledgment of, and agreement to, the privacy practices described in this Privacy Notice. In the event of any concern relating to this Privacy Notice or how we handle your Personal Data, feel free to contact us at:

Data Protection Officer, Spendbase Inc.
Attn: Privacy and Compliance
Email: privacy@spendbase.com

Nota bene! This Privacy Notice may be available in several languages. In the event of any discrepancies, the English version of this Notice shall prevail.

2. SCOPE OF APPLICABILITY

This Privacy Notice is written primarily in accordance with Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”) and, where our processing falls within its territorial scope, the UK General Data Protection Regulation (“UK GDPR”) and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA”), Cal. Civ. Code § 1798.100 et seq. These frameworks share substantially identical substantive rules; where they diverge, we identify this expressly.

Additional rights. The supplemental sections do not constitute an exhaustive list of every jurisdiction in which we operate or every law that may apply to you. Applicable privacy laws are subject to frequent change. If you believe you are entitled to a right or remedy in respect of your personal data under any applicable law not expressly addressed in this Notice, we invite you to contact us at privacy@spendbase.com. We will assess your request in good faith and in accordance with applicable law, and we will not refuse a valid rights request solely because the specific right is not named in this Notice.

3. ABOUT SPENDBASE

In accordance with applicable privacy laws, Spendbase operates as a Data Controller.  

Field | Description
Legal name | Spendbase Inc.
Registration No | 61-2064269
Address | 16192 Coastal Highway, Lewes, DE 19958
Website URL | https://llmapi.ai/
Email | support@llm.api.ai
Email (privacy matters) | privacy@spendbase.com

4. ABOUT YOU

Under this Notice, you may act in the capacity of the Visitor and/or the User. Depending on your role, we process different categories of personal data. 

  • Visitor — an individual who browses llmapi.ai without creating an account. As to the Visitor, only cookie data is collected, as described in Section 5 of this Privacy Notice.
  • User — an individual who creates an account and uses the LLM API gateway service. As to the User, all the Sections of this Privacy Notice apply in full.

5. PERSONAL DATA WE PROCESS

Depending on whether you are a Visitor or a User, we may collect the following categories of data:

Data Category | Description | Visitor/User
Registration & Identity | First and last name, email, company or organisation name, Google account information, account credentials | User
API usage* | Unique account identifier, API key (used to authenticate requests, stored in hashed form), number of API requests made, timestamps, model selected, token counts, response times; error logs and status codes; daily request data, cost breakdowns, provider routing statistics, etc. | User
Payment | We use Stripe, Inc. for payment processing. Please review their privacy practices here. We do not store your full card number, CVV, or banking credentials; Stripe stores this data in compliance with PCI-DSS. We receive only tokenised references and transaction records. | User
Support & Communication | If you contact us for support or send feedback, we retain the content of that communication and your contact details. | Visitor, User
Technical and device data | IP address; browser type and version, operating system, device type; date and time of access, pages visited, referring URL | Visitor, User

If you visit our website without registering, the only personal data we collect is through cookies and similar tracking technologies placed on your device. Detailed information about cookies and other tracking technologies is provided in the Section “COOKIES & OTHER TRACKING TECHNOLOGIES”.

NB! We do not intentionally collect minors’ Personal Data or sensitive categories of Personal Data that may reveal health, ethnicity, nationality, gender, political or religious beliefs. Please try to avoid sharing sensitive personal data while using the Services. In the event you have mistakenly provided us with the data we have never requested, and you would like us to delete it, please do not hesitate to reach out to us at: privacy@spendbase.com 

*API Usage. By default, we do not collect or retain the content of your API requests (i.e., your prompts, instructions, or any data you submit to an AI model). You may enable this setting, and disable it again, at any time in your dashboard. Disabling it stops future collection; it does not automatically delete previously retained content unless you submit a deletion request as described in Section “YOUR RIGHTS”.

For California residents: The categories above correspond to the following CCPA/CPRA statutory categories: “Identifiers” (Registration & Identity, Technical and device data); “Commercial information” (Payment); “Internet or other electronic network activity” (API usage, Technical and device data); “Audio, electronic, visual, or similar information” (Support & Communication). We do not collect “sensitive personal information” as defined by Cal. Civ. Code § 1798.140(ae); the right to limit use of sensitive personal information under Cal. Civ. Code § 1798.121 is therefore not applicable.

6. PURPOSES AND LAWFUL BASES FOR PROCESSING

We process personal data only where we have a valid legal basis under Article 6 of the GDPR. For California residents, the GDPR legal bases framework does not apply; we process your personal information for the business purposes identified in the table below in accordance with CCPA/CPRA.

Purpose | Data processed | Lawful basis
Operating and delivering the LLM API gateway service | Registration data, API key, usage data | Contract performance
Account creation and authentication | Registration data, account credentials | Contract performance
Routing API requests to third-party AI providers | API key, request metadata (content if opted in) | Contract performance
Displaying usage analytics and cost dashboards | Usage data, account identifier | Contract performance
Payment processing and subscription management | Payment records (via Stripe) | Contract performance
Transactional and support communications (security alerts, service updates) | Registration & Identity data, Support & Communication data | Contract performance / Legitimate Interest
Platform security, fraud prevention, and abuse detection | IP address, usage data, API key | Legitimate Interest
Internal product analytics and performance optimisation | Aggregated, anonymised usage statistics (via PostHog) | Legitimate Interest
Marketing communications by email* | Email address | Consent (where required by applicable law); Legitimate Interest (for existing customers in jurisdictions where this is permitted, subject to opt-out)
Compliance with legal obligations (tax, regulatory) | Registration & Identity data, Payment records | Legal obligation

* For EEA and UK residents, email marketing is sent only on the basis of prior consent or the soft opt-in exemption for existing customers under applicable ePrivacy rules.

We do NOT use your data to train AI models. We never use your API requests, prompts, or responses for machine learning training. The AI providers you access through our Service may have their own data usage policies, which we encourage you to review.

7. COOKIES & OTHER TRACKING TECHNOLOGIES

We use Cookiebot (provided by Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark) as our consent management platform. Cookiebot scans our website, identifies all cookies and trackers, and displays a consent banner on your first visit. It also maintains a real-time cookie declaration.

The complete and current cookie list is available within the Cookiebot banner, accessible from our website footer. Cookiebot’s privacy practices are available here. For your convenience, cookies fall into the following categories:

Cookie type | Description | Lawful basis
Strictly necessary | They are essential for the website to function. | Contract provision
Analytics/performance | They help us understand how visitors use our site (e.g. Google Analytics). | Consent
Advertising/targeting | They are used to deliver relevant ads and measure campaign effectiveness (e.g., Google Ads, Meta Pixel, LinkedIn Insight Tag). | Consent

You may accept, reject, or customise your cookie preferences at any time through the Cookiebot banner. To re-open the banner, click the cookie settings link in the website footer.

You may also control cookies through your browser settings. Please refer to the links below to manage them:

  • Google Chrome
  • Microsoft Edge
  • Safari (Mac)
  • Mozilla Firefox
  • Opera
  • Safari (iPhone/iPad)

Do not track requests. We do not currently respond to Do Not Track signals, as no uniform technical standard exists. We do honour Global Privacy Control (GPC) signals as opt-out requests for the sharing of personal data for cross-context behavioural advertising, as required under applicable US state laws. Visit this page to enable GPC.

Do not sell or share requests. We do not sell your personal information. The use of Meta Pixel and LinkedIn Insight Tag on our website may constitute “sharing” of personal information for cross-context behavioural advertising within the meaning of Cal. Civ. Code § 1798.140(ah). California residents have the right to opt out of such sharing under Cal. Civ. Code § 1798.120. You may exercise this right via the Cookiebot banner, by enabling GPC, or by contacting us at privacy@spendbase.com with the subject line “California — Opt-Out of Sharing”. We will not discriminate against you for exercising this right. You may opt out of this sharing via the Cookiebot banner or by enabling GPC.

Internal analytics. We use PostHog to collect internal product analytics that help us understand how the Services are being used and where they can be improved. PostHog is integrated only at the server (back-end) level. It is not installed in your browser and does not place cookies or access your device. As a result, browser-based consent mechanisms do not apply to this processing.

The legal basis for this processing is our legitimate interest in operating, monitoring, and improving the Service. We have assessed that this interest is not overridden by your rights, given the nature of the data involved (usage statistics) and the safeguards described below. PostHog receives aggregated and anonymised usage metrics — for example, feature adoption rates, error frequencies, and request volume trends. It does not receive your name, email address, or the content of your API requests.

8. AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.

9. THIRD-PARTY AI PROVIDERS

LLM API acts as an API gateway. When you make an API request, your selected prompt and any associated data are transmitted through our servers to the relevant third-party AI model provider for inference processing. The full list of the AI providers is available here. 

For California residents: Such transmission to AI providers constitutes a disclosure to a third party for a business purpose under CCPA/CPRA, not a sale or sharing. You may request the specific AI providers to whom your data was transmitted by submitting a request as described in the Section “YOUR RIGHTS”.

NB! Each AI provider processes your data under its own terms and privacy policies, which we do not control. Once data is transmitted to a provider for inference, we act only as a conduit for that onward processing. Some providers may use prompt data for model improvement unless you opt out directly with them. We encourage you to review each provider’s privacy notices before use.

Where AI providers are located outside the EEA or UK, transfers are governed by the mechanisms described in Section 11 (Cross-Border Data Transfer), including EU Standard Contractual Clauses or the EU–US Data Privacy Framework where applicable. A list of AI providers and their applicable transfer mechanisms is available upon request at privacy@spendbase.com.

10. SHARING OF YOUR PERSONAL DATA

Except for AI providers mentioned in the Section above, we may share your Personal Data with the following categories of recipients:

Provider category | Name | Privacy Notice | Description of processing
Service providers | Stripe Inc. | Stripe’s Privacy Notice | Payment processing. We do not store your credit card information.
Service providers | AWS | AWS Privacy Notice | Cloud hosting infrastructure (Frankfurt, Germany).
Analytics providers | Google LLC | Google Privacy Notice | Analytics (Google Analytics), OAuth authentication.
Analytics providers | PostHog | PostHog Privacy Notice | Product analytics (self-hosted instance).
Analytics providers | Hubspot | Cookie Privacy Notice | Product analytics (tracks page views, visitors’ identities, and browsers)
Advertising providers | Meta (Facebook) Pixel | Facebook Privacy Notice | Advertising conversion tracking and retargeting.
Advertising providers | LinkedIn Insight Tag | LinkedIn Privacy Notice | B2B advertising and conversion tracking.

We may also disclose your information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to comply with applicable laws and regulations, protect our rights, property, or safety, prevent fraud or illegal activities, or respond to valid legal requests. In the event of a merger, acquisition, reorganization, or asset sale, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your Personal Data.

For California residents: In the preceding twelve months, we have not sold personal information. We have disclosed personal information to the categories of third parties listed above for business purposes only. We have shared personal information (identifiers and internet activity data) with advertising providers (Meta, LinkedIn) for cross-context behavioural advertising; you may opt out as described in the Section “Cookies & Other Tracking Technologies”. We do not disclose personal information to third parties for their own direct marketing purposes.

11. CROSS-BORDER DATA TRANSFER

As Spendbase operates globally, we may share Personal Data within our legal entities, which are located in the US, Ukraine, and other countries. For all transfers of personal data from the UK or EEA to third countries lacking an adequacy decision, we implement appropriate safeguards:

  • UK International Data Transfer Agreement (IDTA) — for transfers from the UK
  • UK Addendum to EU Standard Contractual Clauses — where applicable
  • EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914
  • EU–US Data Privacy Framework — for certified US recipients
  • Adequacy decisions — where the destination country holds an adequacy status
  • Transfers to our legal entity in Ukraine are governed by EU Standard Contractual Clauses (Module 4, controller-to-processor, Commission Decision 2021/914), supplemented by additional technical and organisational measures as documented in our transfer impact assessment.

12. PERSONAL DATA RETENTION

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law, unless your consent is not withdrawn, where applicable.

Data Category | Retention period
Registration & Identity | 3 years after your account is deleted
API key (hashed) | Invalidated immediately upon key rotation or account deletion
API usage metadata | 90 days
AI request/response content (if opt-in enabled) | 90 days or as soon as we receive a data deletion request
Website log and technical data | 90 days
Payment and transaction records | As required by law (minimum 5 years after your account is deleted)
Cookie consent records | From 1 session to 1 year, depending on the cookie, unless consent is withdrawn
Support and communications data | 3 years from last interaction
Cached request data (if caching enabled) | 30 days or until cache invalidation

Where data is no longer required, it is securely deleted or irreversibly anonymised. Data may be retained longer where required by a competent regulatory or tax authority, or for the establishment, exercise, or defence of legal claims.

13. YOUR RIGHTS

Depending on the lawful bases of the personal data processing and applicable law, you have the following rights:

Right EU/EEA & UK ¹ California ² Canada ³
Access
Rectification / Correction
Erasure / Deletion
Restrict processing
Object to processing
Data portability
Withdraw consent
Non-discrimination
Automated decision review

¹ EU/EEA & UK: Rights are governed by the GDPR and UK GDPR, respectively. The right to erasure and the right to object are not absolute and may be limited where we have overriding legitimate grounds or legal obligations. You may also lodge a complaint with your national Data Protection Authority (see here) and for UK residents by referring to the Information Commissioner’s Office (contact data).

² California (CCPA/CPRA). The right to erasure is subject to statutory exceptions, including completing a transaction, detecting security incidents, and complying with legal obligations. The right to data portability arises where technically feasible. The right to non-discrimination means we will not deny services, charge different prices, or provide a different quality of service because you exercise a CCPA/CPRA right. Automated decision review applies where solely automated processing produces legal or similarly significant effects. Complaints may be directed to the California Privacy Protection Agency (contact data).

³ Canada. Under PIPEDA, the right of access entitles you to know what personal information we hold about you and how it is used, and to challenge its accuracy. The right to rectification allows you to request correction of inaccurate or incomplete information. There is no freestanding right to erasure under PIPEDA; however, you may withdraw consent at any time, which obligates us to cease processing for the purposes to which that consent related, subject to legal or contractual constraints. There is no general right to object to processing or to restrict processing as a standalone right; withdrawal of consent is the functional equivalent under PIPEDA. Data portability, automated decision review, and non-discrimination are not established rights under PIPEDA. Complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC) at the link

To exercise any of your rights, please contact us using the contact information provided in Section “ABOUT SPENDBASE”. We will do our best to answer your questions at our earliest convenience, but please note that time frames may vary from 10 to 45 days depending on the jurisdiction. Such periods can also be extended under the applicable law.

14. PERSONAL DATA SECURITY

We have implemented technical and organisational measures proportionate to the risks of our processing:

  • Encryption of data in transit (TLS 1.2+/HTTPS) and at rest
  • Hosting on AWS infrastructure with ISO 27001 and SOC 2 certified facilities
  • Role-based access controls and the principle of least privilege
  • Secure API key management (keys stored in hashed form only)
  • DMARC, DKIM, and SPF email authentication
  • Regular security assessments and vulnerability monitoring

NB! You are responsible for safeguarding your own account credentials and API keys while using the Services.

15. THIRD-PARTY LINKS

While using the Services, you may encounter third-party links, including links to AI provider documentation. We are not responsible for the privacy practices of those sites. Before sharing your Personal Data with any of these parties, please read their privacy notices. 

16. CHANGES TO THIS PRIVACY NOTICE

We may update this Notice from time to time. The “Last updated” date at the top reflects the most recent version. For material changes, we will provide prior notice via a banner on our website or by email to your registered address before changes take effect.

17. DON’T HESITATE TO CONTACT US

If you have concerns about how we handle your Personal Data, send us an email at: privacy@spendbase.com