Privacy policy

Last updated: January 2026

This privacy notice for Spendbase Inc (“Company,” “we,” “us,” or “our”), explains how and why we gather, store, utilize, and potentially share (“process”) your information when you engage with our Services, including when you:

• Visit our website or any other website of ours that references this privacy notice;
• Interact with us through sales inquiries, marketing activities, demonstrations, or events.

Questions or concerns? Reviewing this privacy notice will help you understand your rights and options regarding your personal information. If you disagree with our policies and practices, please refrain from using our Services. For any remaining questions or concerns, please reach out to us at privacy@spendbase.co.

In Short: We gather personal information that you voluntarily submit to us.

We collect personal information that you willingly provide when you express interest in learning about our services, request a demonstration, submit inquiries through our website forms, or otherwise communicate with us.

Personal Information Provided by You. The specific personal information we gather depends on the nature of your interactions with us and our Services, your preferences, and the features you utilize. The personal information we may collect includes:

• first and last names;
• business email addresses;
• company name and job title;
• telephone numbers;
• country or region of interest;
• content of inquiries and messages you send to us.

We only gather the personal information necessary to deliver our Services, meet our contractual commitments, adhere to legal requirements, and pursue our legitimate business objectives. We do not collect personal information beyond what is reasonably needed for these purposes.

Sensitive Information. We do not process sensitive personal information.

All personal information you provide must be accurate, complete, and current. Please inform us of any changes to your personal information.

Information automatically collected

In Short: Certain information – such as your IP address and browser characteristics – is gathered automatically when you access our Services.

We automatically gather certain information when you visit, utilize, or navigate our Services. This information does not directly reveal your identity (such as your name or contact details) but may include device and usage data, including your IP address, browser and device specifications, operating system, language settings, referring URLs, device identifiers, location information, details about how and when you use our Services, and other technical data. This information is primarily required to maintain the security and functionality of our Services and for our internal analytics and reporting purposes.

Like many organizations, we also gather information through cookies and similar technologies.

The information we collect includes:

• Log and Usage Data. Log and usage data consists of service-related, diagnostic, usage, and performance information that our servers automatically capture when you access or use our Services. This may include your IP address, device information, browser type and settings, activity within the Services (such as timestamps associated with your usage, pages viewed, and actions taken), device event information, and hardware settings.
• Device Data. We gather device data about the computer, phone, tablet, or other device you use to access our Services. This may include your IP address (or proxy server), device and application identification numbers, location, browser type, hardware model, Internet service provider, operating system, and system configuration information.
• Location Data. We gather location data about your device’s position, which may be precise or approximate. The extent of information collected depends on your device type and settings. We may use technologies to determine geolocation based on your IP address. You can opt out by adjusting your device settings, though this may affect certain Service features.

In Short: We process your information to deliver, enhance, and manage our Services, communicate with you, ensure security, prevent fraud, and comply with legal requirements. We may also process your information for other purposes with your consent.

We process your personal information for various reasons, depending on how you interact with our Services, including:

• To respond to inquiries and provide information. We may process your information to address your questions about our services, schedule demonstrations, and provide relevant information about our offerings.
• To deliver and facilitate our services. We may process your information to provide you with the requested service and support.
• To send administrative communications. We may process your information to send you details about our services, policy updates, and other relevant information.
• To send marketing and promotional communications. We may process your personal information for marketing purposes if this aligns with your preferences. You can opt out of our marketing emails at any time. For details, see “WHAT ARE YOUR PRIVACY RIGHTS?” below.
• To deliver targeted advertising. We may process your information to present content and advertisements that match your preferences and interests on third-party platforms.
• To safeguard our Services. We may process your information as part of our efforts to maintain the security and integrity of our Services, including fraud monitoring and prevention.
• To analyze usage patterns. We may process information about how you use our Services to better understand usage patterns and improve our offerings.

To evaluate marketing effectiveness. We may process your information to understand which marketing and promotional campaigns resonate most with our audience.

In Short: We only process your personal information when we have a valid legal reason (i.e., legal basis) to do so under applicable law, such as with your consent, to fulfill contractual obligations, comply with laws, or pursue our legitimate business interests.

The General Data Protection Regulation (GDPR) and UK GDPR require us to explain the valid legal bases we rely on to process your personal information. As such, we may rely on the following legal bases:

• We may process your information if you have given us permission (i.e., consent) to use your personal information for a specific purpose. You can withdraw your consent at any time.
• Performance of a Contract. We may process your personal information when we believe it is necessary to fulfill our contractual obligations to you, including providing our Services or at your request before entering into a contract with you.
• Legitimate Interests. We may process your information when we believe it is reasonably necessary to achieve our legitimate business interests, provided those interests do not outweigh your rights and freedoms. For example, we may process your personal information to:
• Send users information about our services and special offers;
• Develop and display personalized and relevant advertising content;
• Analyze how our Services are used to improve user engagement;
• Support our marketing activities;
• Diagnose problems and prevent fraudulent activities.

Important: We do not rely on “legitimate interest” as a legal basis for setting analytics or marketing cookies or activating tracking technologies such as pixels. Such technologies are only activated after you have provided explicit consent through our cookie consent banner.

• Legal Obligations. We may process your information where we believe it is necessary to comply with our legal obligations, such as cooperating with law enforcement bodies or regulatory agencies, exercising or defending our legal rights, or disclosing your information as evidence in litigation.
• Vital Interests. We may process your information where we believe it is necessary to protect your vital interests or the vital interests of a third party, such as in situations involving potential threats to the safety of any person.

In Short: We may share information in specific situations described in this section and/or with the following categories of third parties.

Vendors, Consultants, and Other Third-Party Service Providers. We may share your data with third-party vendors, service providers, contractors, or agents (“third parties”) who perform services for us or on our behalf and require access to such information to do that work. We have contracts in place with our third parties designed to help safeguard your personal information. This means they cannot do anything with your personal information unless we have instructed them to do so. They will not share your personal information with any organization apart from us. They also commit to protect the data they hold on our behalf and to retain it for the period we instruct.

The categories of third parties we may share personal information with include:

• Customer Relationship Management (CRM) platforms (HubSpot);
• Data Analytics Services (Google Analytics);
• Advertising Networks (Google Ads, LinkedIn, Meta/Facebook);
• Website Hosting Service Providers (WordPress);
• Cookie Consent Management (Cookiebot).

We may also be legally obligated to share your information with other organizations or government agencies in the following circumstances:

• Business Transfers. We may share or transfer your information in connection with, or during negotiations of, any merger, sale of company assets, financing, or acquisition of all or a portion of our business to another company.
• We may share your information with our affiliates, in which case we will require those affiliates to honor this privacy notice. Affiliates include our parent company and any subsidiaries, joint venture partners, or other companies that we control or that are under common control with us.
• Business Partners. We may share your information with our business partners to offer you certain products, services, or promotions.
• Legal Requirements. We may share your information with government bodies, regulators, and other authorities when required by applicable laws and regulations or in response to legal process.

In Short: We may use cookies and other tracking technologies to collect information, but only after obtaining your consent for non-essential cookies.

We may use cookies and similar tracking technologies (such as web beacons and pixels) to access or store information. We use Cookiebot to manage cookie consent on our website.

Consent Requirement: In accordance with the General Data Protection Regulation (GDPR) and ePrivacy Directive, non-essential cookies and tracking technologies (including analytics and marketing pixels) are only activated AFTER you provide explicit consent through our cookie consent banner. No tracking scripts are loaded, and no data is transmitted to third parties, until you affirmatively opt in.

We use third-party tracking technologies, including Meta/Facebook Pixel, Google Analytics, Google Ads, and LinkedIn Insight Tag, for analytics and advertising purposes. When you consent to marketing cookies, personal data (such as IP address, device identifiers, browsing behavior, and hashed contact information) may be collected and transferred to these third parties’ servers in the United States. For information about safeguards for such transfers, see Section 7.

You may withdraw your consent at any time by clicking the cookie settings icon on our website or by contacting us at privacy@spendbase.co.

For detailed information about the specific cookies we use, their purposes, duration, and how to manage your preferences, please see our Cookie Policy.

In Short: We share certain personal information with advertising partners for targeted advertising. California residents have the right to opt out of this sharing.

Under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), “sharing” means disclosing personal information to a third party for cross-context behavioral advertising, regardless of whether money is exchanged.

We share personal information for advertising purposes. When you consent to marketing cookies, the following categories of personal information may be shared with our advertising partners (Meta/Facebook, Google, LinkedIn) for targeted advertising:

• Identifiers (IP address, device ID, cookie identifiers);
• Internet or network activity (browsing history, pages visited, interactions with our website).

Your Right to Opt-Out: If you are a California resident, you have the right to opt out of the sharing of your personal information for cross-context behavioral advertising. You may exercise this right by:

• Clicking the “Do Not Sell or Share My Personal Information” link in our website footer;
• Rejecting marketing cookies via our cookie consent banner;
• Enabling Global Privacy Control (GPC) in your browser — we honor GPC signals as valid opt-out requests;
• Contacting us at privacy@spendbase.co.

Note: We do not sell personal information for monetary consideration. However, the use of advertising pixels constitutes “sharing” under CPRA.

In Short: We may transfer, store, and process your information in countries other than your own.

When we share data, it may be transferred to and processed in countries other than where you reside. As a global company providing Employer of Record services, we operate across multiple jurisdictions including:

• European Union;
• United Kingdom;
• United States;
• Canada;
• Singapore;
• Hong Kong;
• India;
• United Arab Emirates;

These countries may have data protection laws that differ from those in your jurisdiction. However, where we disclose personal data to a third party in another country, we implement safeguards to ensure your personal data remains protected.

Transfers to Advertising and Analytics Partners. When you consent to marketing or analytics cookies, personal information collected through tracking technologies (Meta Pixel, Google Analytics, LinkedIn Insight Tag) is transferred to our partners’ servers in the United States. These transfers are conducted in reliance on:

• The EU-U.S. Data Privacy Framework (DPF), for partners that have self-certified;
• Standard Contractual Clauses (SCCs) approved by the European Commission;
• Your explicit consent to such transfers, provided through our cookie consent mechanism.

For individuals in the European Economic Area (EEA), this means your data may be transferred outside the EEA. Where your personal data is transferred outside the EEA, it will only be transferred to countries that have been identified as providing adequate protection for EEA data, or to a third party where we have approved transfer mechanisms in place, such as the European Commission’s Standard Contractual Clauses (SCCs).

For individuals in the United Kingdom, we use the UK’s International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as approved by the UK Information Commissioner’s Office, where appropriate.

For further information about international transfers, please contact us using the details provided in this notice.

In Short: We keep your information for as long as necessary to fulfill the purposes outlined in this privacy notice unless otherwise required by law.

We will only retain your personal information for as long as it is necessary for the purposes set out in this privacy notice, unless a longer retention period is required or permitted by law (such as tax, accounting, or other legal requirements).

For personal information collected through our website forms (such as demo requests and inquiries), the maximum retention period is three (3) years from your last interaction with us, unless you request deletion earlier or we have a legal obligation to retain it longer.

When we have no ongoing legitimate business need to process your personal information, we will either delete or anonymize such information, or, if deletion is not immediately possible (for example, because your personal information has been stored in backup archives), we will securely store your personal information and isolate it from any further processing until deletion is possible.

In Short: We aim to protect your personal information through a system of organizational and technical security measures.

We have implemented appropriate and reasonable technical and organizational security measures designed to protect the security of any personal information we process. These measures include encryption of data in transit using industry-standard TLS/SSL, access controls limiting data access to authorized personnel, and secure hosting infrastructure.

However, despite our safeguards and efforts to secure your information, no electronic transmission over the Internet or information storage technology can be guaranteed to be 100% secure. We cannot promise or guarantee that hackers, cybercriminals, or other unauthorized third parties will not be able to defeat our security and improperly collect, access, steal, or modify your information.

Although we will do our best to protect your personal information, transmission of personal information to and from our Services is at your own risk. You should only access the Services within a secure environment.

In Short: We do not knowingly collect data from or market to children under 18 years of age.

Our website and Services are designed for businesses and are not intended for individuals under the age of 18. We do not knowingly solicit data from or market to children under 18 years of age. By using the Services, you represent that you are at least 18 years old.

If we learn that personal information from users less than 18 years of age has been collected, we will take reasonable measures to promptly delete such data from our records. If you become aware of any data we may have collected from children under age 18, please contact us at privacy@spendbase.co.

In Short: Depending on your location, you may have rights that allow you greater access to and control over your personal information.

Rights for EEA and UK Residents

If you are located in the European Economic Area (EEA) or the United Kingdom (UK), you have certain rights under data protection laws in relation to your personal data:

• Right of Access: You have the right to request a copy of the personal information we hold about you.
• Right to Rectification: You have the right to request that we correct any inaccurate or incomplete personal information.
• Right to Erasure: You have the right to request that we delete your personal information in certain circumstances.
• Right to Restriction: You have the right to request that we restrict the processing of your personal information in certain circumstances.
• Right to Data Portability: You have the right to receive your personal information in a structured, commonly used, machine-readable format.
• Right to Object: You have the right to object to our processing of your personal information in certain circumstances, including for direct marketing purposes.
• Right to Withdraw Consent: Where we rely on consent to process your personal information, you have the right to withdraw that consent at any time.

You also have the right to lodge a complaint with your local data protection supervisory authority. For the UK, this is the Information Commissioner’s Office (ICO) at www.ico.org.uk. For EEA countries, you can find your local authority at: https://ec.europa.eu/justice/data-protection/bodies/authorities/ index_en.htm

Rights for California Residents

If you are a California resident, you have specific rights under the California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA):

• Right to Know: You have the right to request information about the categories and specific pieces of personal information we have collected about you.
• Right to Delete: You have the right to request deletion of your personal information, subject to certain exceptions.
• Right to Correct: You have the right to request that we correct inaccurate personal information.
• Right to Opt-Out: You have the right to opt out of the “sale” or “sharing” of your personal information for cross-context behavioral advertising.
• Right to Non-Discrimination: You have the right not to be discriminated against for exercising your privacy rights.
• Right to Opt-Out of Sharing: You have the right to opt out of the sharing of your personal information for cross-context behavioral advertising. To exercise this right, click the “Do Not Sell or Share My Personal Information” link on our website, enable Global Privacy Control (GPC) in your browser, or contact us at privacy@spendbase.co.

Withdrawing Consent and Opting Out of Marketing

Withdrawing your consent: If we are relying on your consent to process your personal information, you have the right to withdraw your consent at any time. You can withdraw your consent by contacting us using the details provided in this notice. However, please note that this will not affect the lawfulness of the processing before withdrawal.

Opting out of marketing communications: You can unsubscribe from our marketing and promotional communications at any time by clicking on the unsubscribe link in the emails we send or by contacting us. You will then be removed from marketing lists, but we may still communicate with you for service-related purposes.

How to Exercise Your Rights

To exercise any of your data protection rights, please contact us at:

Email: privacy@spendbase.co

We will acknowledge receipt of your request within 3 business days and respond substantively within 30 days (or within the timeframe required by applicable law). We may need to verify your identity before processing your request.

In Short: We do not respond to DNT browser signals, but we do honor Global Privacy Control (GPC) signals as valid opt-out requests.

Browser Do-Not-Track Signals: Most web browsers offer a Do-Not-Track (“DNT”) setting. As no uniform standard for DNT has been established, we do not currently respond to DNT browser signals.

Global Privacy Control (GPC): We honor Global Privacy Control signals as valid requests to opt out of the sharing of personal information for cross-context behavioral advertising, as required under CCPA/CPRA. If your browser or extension sends a GPC signal, we will treat this as an opt-out request. To enable GPC, visit https://globalprivacycontrol.org.

Cookie Preferences: You can manage your tracking preferences through our cookie consent tool (Cookiebot), accessible via the cookie settings icon on our website. For detailed instructions, see our Cookie Policy.

In Short: Yes, we will update this notice as necessary to stay compliant with relevant laws.

We may update this privacy notice from time to time. The updated version will be indicated by an updated “Last updated” date, and the updated version will be effective as soon as it is accessible. If we make material changes to this privacy notice, we may notify you either by prominently posting a notice of such changes or by directly sending you a notification. We encourage you to review this privacy notice frequently to be informed of how we are protecting your information.

Weʼre always keen to hear from you. If you’re curious about what personal data we hold about you or you have a question or feedback for us on this notice, our website, or our services, please get in touch.

If you have questions or comments about this notice, you may contact us at:

Spendbase Inc

Email: privacy@spendbase.co

If youʼre not happy with how we are processing your personal data, please let us know by getting in touch at privacy@spendbase.co. We will review and investigate your complaint and try to get back to you within a reasonable time frame.

You can also complain to your local data protection authority. They will be able to advise you how to submit a complaint.

Exercising Your Data Rights: To exercise any of your data protection rights (access, rectification, erasure, restriction, portability, or objection), please contact us at the email address above.

We will:

• Acknowledge receipt of your request within 3 business days;
• Respond substantively within 30 days;
• Verify your identity before processing the request;
• Provide our response in writing (via email).

If youʼre not satisfied with our response, you have the right to lodge a complaint with your local data protection authority.