Privacy Policy
The short version: in the default mode we never store your provider keys, and we never store your prompts or responses. This policy spells out exactly what we do collect, why, and for how long.
Effective July 5, 2026
Who we are
SlashSpend (“SlashSpend,” “we,” “us”) is operated by 0739517 BC Ltd, a company incorporated in British Columbia, Canada. This policy covers the SlashSpend website, dashboard, and API proxy (the “Service”).
What we collect
- Account data — the email address you sign up with, and authentication records, handled by our auth provider (Supabase).
- Billing data — processed by Stripe. We do not receive or store your full card number; we store a Stripe customer/subscription reference and status.
- Usage metadata — for each proxied request: model requested/used, token counts, latency, estimated cost, and cache/route flags. This is how the dashboard proves your savings.
What we do NOT store
- Your prompts or model responses. Content is never logged — it is enforced in code, not just policy: our request-log has no field for content.
- Your provider API keys, in the default Local Key Mode. They arrive as request headers, are used in memory for the single upstream call, and are discarded — never written to our database, logs, or any third party. (The opt-in Key Vault stores them encrypted with AES-256-GCM; see the security page.)
The semantic cache stores an embedding of your prompt — a fixed-length list of numbers that is a lossy fingerprint of meaning, not a readable copy of your text. We keep no copy of the original prompt, the vectors live in your own namespace, are encrypted at rest when an encryption secret is configured, and expire on a short TTL.
How we use it
To provide and operate the Service (routing, caching, failover, billing), to show you your own usage and savings, to send transactional email (receipts, dunning, rate-limit and spend alerts you configure), and to detect and prevent abuse. We do not sell your data, and we do not use your prompts or responses to train any model.
Subprocessors
We rely on a small set of subprocessors:
- Supabase — authentication + metadata storage
- Upstash — response cache + semantic vectors
- Stripe — billing and payment processing
- Resend — transactional email
In Local Key Mode, your provider keys and prompt text are sent to none of them — only to the model provider you chose, on your behalf.
Retention
- Usage metadata: 90 days, then automatically deleted by a scheduled job.
- Cached responses: short-lived (1-hour default TTL).
- Semantic vectors: short TTL, scoped to your account.
- Opt-in debug captures: 1 hour, then auto-expire.
- Account and billing records: for the life of your account plus any period required for legal, tax, and accounting obligations.
Security
All traffic is over TLS. Metadata is protected by Postgres row-level security. Cached response bodies and opt-in debug captures are encrypted at rest with a per-account key when an encryption secret is configured. Access to production systems is limited to authorized personnel.
Your rights & choices
You can export your configuration and full usage logs anytime via GET /v1/export, flush your cache with DELETE /v1/cache, and cancel in the Stripe billing portal at any time. Depending on where you live, you may have rights to access, correct, or delete your personal data — email support@slashspend.ai and we'll action it.
Data location
SlashSpend is operated by a Canadian company; our production infrastructure and most of our subprocessors are located in the United States, so your data may be processed in both Canada and the United States. If you are located in the EEA or UK and have questions about the safeguards applied to international transfers, contact us at support@slashspend.ai.
Children
The Service is for developers and businesses and is not directed to children under 16.
Changes
We'll update this policy as the Service evolves and revise the effective date above. Material changes will be communicated by email or an in-product notice.
Questions about privacy or your data: support@slashspend.ai. See also our Terms of Service and security & data handling page.