Legal
Privacy Policy
Last updated: 16 February 2026
1. Introduction
This Privacy Policy explains how AI SpendOps Ltd ("we", "us", "our"), a company registered in England and Wales (company number 17046015), collects, uses, and protects personal data when you use the AI SpendOps platform and visit our website.
AI SpendOps is a B2B API proxy platform that provides usage tracking, cost attribution, and governance for AI API calls. We act in a dual capacity:
- Data Controller: for account, billing, and marketing data we collect directly from you.
- Data Processor: for usage metadata generated when your API calls pass through our proxy, processed on your behalf under our Data Processing Addendum.
2. What We Collect
| Category | Data | Role |
|---|---|---|
| Account data | Name, email address, company name, job title | Controller |
| Billing data | Payment method and billing details (collected and processed by Stripe) | Controller |
| Usage metadata | Token counts, cost calculations, model IDs, timing data, hashed API key identifiers, custom dimension headers | Processor |
| Technical data | IP address, browser type, device information (from the management portal) | Controller |
What We Do NOT Collect
- Prompts or input content sent to AI providers
- Completions or responses returned by AI providers
- Raw API keys (we store only irreversible HMAC-SHA-256 hashes)
- Any content from your AI interactions
3. How We Use Your Data
- Service delivery: operating the proxy, generating usage reports, and providing the management portal
- Billing: calculating charges, processing payments, and issuing invoices
- Security: authenticating requests, detecting abuse, and maintaining audit logs
- Service improvement: analysing aggregate usage patterns to improve platform reliability and features
- Communications: sending service notifications, security alerts, and (with consent) product updates
- Legal compliance: meeting regulatory, tax, and legal obligations
4. Legal Bases for Processing
Under UK and EU GDPR, we rely on the following legal bases:
- Contract performance: processing necessary to deliver our services under your subscription agreement
- Legitimate interests: improving our services, ensuring platform security, and preventing fraud, where these interests are not overridden by your rights
- Legal obligation: retaining billing records to comply with HMRC and other regulatory requirements
- Consent: where you opt in to marketing communications (you can withdraw consent at any time)
5. Data Sharing & Sub-processors
We share personal data only with the following categories of service providers, who process data on our behalf under appropriate contractual safeguards:
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare | Proxy hosting, edge compute, KV storage | Global edge network |
| Microsoft Azure | Database hosting, application services, Azure Functions | UK / EU regions |
| Stripe | Payment processing, billing management | US / EU |
AI providers are not our sub-processors. When your API calls pass through our proxy to providers such as OpenAI, Anthropic, or Google, those providers process your data under your own agreement with them. We do not control or determine the purposes of that processing.
6. International Data Transfers
Your data may be transferred to and processed in the following jurisdictions:
- United Kingdom: our primary place of business
- European Economic Area: covered by UK adequacy regulations
- United States: transfers protected by Standard Contractual Clauses (SCCs) and, where applicable, the EU-US Data Privacy Framework
- Global edge locations: Cloudflare processes data at the nearest edge node; all data in transit is encrypted with TLS
7. Data Retention
| Data type | Retention period |
|---|---|
| Account data | Duration of your subscription + 12 months |
| Billing records | 7 years (HMRC requirement) |
| Usage metadata | 13 months (rolling) |
| System logs | 90 days |
8. Your Rights
Under UK and EU GDPR, you have the following rights with respect to personal data for which we are the controller:
- Access: request a copy of the personal data we hold about you
- Rectification: request correction of inaccurate or incomplete data
- Erasure: request deletion of your personal data, subject to legal retention requirements
- Restriction: request that we restrict processing of your data in certain circumstances
- Portability: receive your data in a structured, commonly used, machine-readable format
- Objection: object to processing based on legitimate interests
- Automated decision-making: we do not use your personal data for automated decision-making or profiling that produces legal effects
To exercise any of these rights, please contact us through our contact form. We will respond within one month.
9. Cookies
Marketing website: We use essential cookies only (e.g. security tokens). We do not use tracking cookies, analytics cookies, or advertising cookies on our marketing site.
Management portal: We use session cookies to maintain your authenticated session and preferences. These are strictly necessary for the portal to function.
10. Security
We implement appropriate technical and organisational measures to protect your data, including:
- HMAC-SHA-256 hashing of API keys (never stored in plain text)
- TLS encryption for all data in transit
- Encryption at rest for all stored data
- No storage of prompts, completions, or AI-generated content
- Enterprise-grade infrastructure (Cloudflare, Microsoft Azure)
- Role-based access control and audit logging
For more details, see our Security page.
11. Regional Supplements
European Union Residents
If you are located in the EEA, you have the right to lodge a complaint with your local supervisory authority. You may also contact the UK Information Commissioner's Office (ICO), which is our lead supervisory authority.
We are in the process of appointing an EU representative under Article 27 of the EU GDPR. Details will be published here once confirmed.
United States / California Residents
Under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):
- We collect the following categories of personal information: identifiers (name, email), commercial information (billing data), and internet/electronic activity (usage metadata, technical data).
- We do not sell your personal information.
- We do not share your personal information for cross-context behavioural advertising.
- You have the right to know, delete, and correct your personal information, and to opt out of the sale or sharing of personal information.
- We will not discriminate against you for exercising your CCPA rights.
To exercise your rights, please contact us through our contact form.
Australian Residents
Under the Australian Privacy Act 1988, your personal data may be transferred to the United Kingdom, the United States, and other countries where our sub-processors operate (see Section 5). We take reasonable steps to ensure overseas recipients handle your data in accordance with the Australian Privacy Principles.
If you are not satisfied with our handling of your data, you may lodge a complaint with the Office of the Australian Information Commissioner (OAIC) at oaic.gov.au.
Canadian Residents
We comply with the Personal Information Protection and Electronic Documents Act (PIPEDA) and Quebec's Law 25 (Act respecting the protection of personal information in the private sector). Our privacy officer can be contacted through our contact form.
You may lodge a complaint with the Office of the Privacy Commissioner of Canada (OPC) or, for Quebec residents, the Commission d'accès à l'information du Québec (CAI).
Brazilian Residents
Under the Lei Geral de Proteção de Dados (LGPD), you have rights including confirmation of processing, access, correction, anonymisation, portability, deletion, and information about sharing. The Autoridade Nacional de Proteção de Dados (ANPD) is the competent supervisory authority. To exercise your rights, please contact us through our contact form.
12. Changes to This Policy
We may update this Privacy Policy from time to time. Material changes will be notified via email to the address associated with your account and/or by a prominent notice on our website. The "Last updated" date at the top of this page indicates when the policy was last revised. Continued use of our services after changes take effect constitutes acceptance of the updated policy.
13. Contact & Complaints
If you have questions about this Privacy Policy or wish to exercise your rights:
Please contact us through our contact form.
Entity: AI SpendOps Ltd, registered in England and Wales (company number 17046015)
If you are not satisfied with our response, you have the right to lodge a complaint with the Information Commissioner's Office (ICO):
Website: ico.org.uk
Telephone: 0303 123 1113