1. About this policy
SpendLens AI is operated by Rangkash PTY LTD (ACN 643 391 226), of Doreen, Victoria, Australia (we, us or our). This policy applies to our website, SDK, APIs, dashboards, reports and support interactions.
We handle personal information in accordance with applicable Australian privacy law. Some Customer Data may not be personal information, but we apply the safeguards described here to Service data generally.
2. Information we collect
We may collect account and profile information, including your name, business email, organisation, authentication identifiers, preferences, subscription and plan details. Stripe processes card details; we receive transaction, customer and subscription references rather than complete card numbers.
We collect Service and device information such as IP address, browser, device, timestamps, login and security events, pages used, support correspondence and diagnostic logs.
The SDK may send AI operational metadata including provider, model, token counts, latency, calculated cost, project, endpoint, workload key, Python function, file and line number, prompt sampling mode, task override and customer-configured metadata.
3. Prompt privacy
SpendLens AI is designed not to collect complete message arrays or full user or customer prompts by default. In template_only mode, the SDK may send a system instruction or reusable prompt template to assist workload classification. In off mode, no prompt template is stored. A redacted_sample mode may be offered as an optional setting.
You control the information placed in endpoint labels, templates, task overrides and custom metadata. Do not include personal, confidential or sensitive information unless you have determined it is lawful and appropriate to do so.
4. How we collect information
We collect information directly from you when you register, configure the SDK, use the Service, contact us or pay for a plan; automatically from your browser, application and SDK; from authorised colleagues in your organisation; and from service providers such as authentication and payment providers.
If you provide personal information about another person, you must be authorised to do so and provide any notices required by law.
5. Why we use information
We use information to create and secure accounts; authenticate API requests; ingest and group events; calculate costs; classify workloads; generate reports, Prompt Waste Signals and recommendations; operate subscriptions; enforce plan limits; provide support and service notices; diagnose faults; prevent fraud and abuse; improve reliability and usability; and comply with legal obligations.
We may use business contact details to send relevant product communications where permitted by law. You can opt out of marketing messages, but we may still send essential security, billing and service communications.
6. Disclosure and service providers
We disclose information only where reasonably necessary to service providers supporting hosting, storage, authentication, security, email delivery, customer support, analytics and payments; to professional advisers; in connection with a genuine financing, restructure or sale subject to confidentiality protections; where you direct or authorise us; or where law, a court or regulator requires it.
Our providers may include Stripe for billing, Resend for email, cloud infrastructure providers and identity providers selected by you. Their own policies apply when they independently control personal information.
We do not sell personal information. We do not sell or use Customer Data to train public generative AI models.
7. Overseas processing
Some providers may store or process information outside Australia, including in the United States and other countries where they or their subprocessors operate. Locations may change as our provider arrangements evolve. We take reasonable steps appropriate to the circumstances to select reputable providers and protect information disclosed overseas, subject to applicable law.
8. Retention and deletion
Usage-event retention is determined by your plan and may be shorter where you delete data or close an account. We retain account, transaction, security and support records for as long as reasonably needed to provide the Service, resolve disputes, prevent fraud, maintain business records and comply with tax, accounting and legal obligations.
When information is no longer required, we take reasonable steps to delete or de-identify it. Residual copies may remain temporarily in secure backups and logs until routine rotation, or longer where law or a legitimate dispute requires preservation.
9. Security and data incidents
We use safeguards appropriate to the nature of the information, including access controls, encryption in transit, hashed API keys, tenant-scoped queries, logging and restricted operational access. You are responsible for securing your credentials, devices and source code.
No service can guarantee absolute security. If an eligible data breach occurs, we will assess and notify affected individuals and the Office of the Australian Information Commissioner where required by the Notifiable Data Breaches scheme.
10. Cookies and similar technology
We use cookies and similar browser storage for authentication, security, preferences and essential Service operation. We may use limited analytics to understand product performance. These technologies are not used to store LLM prompt content. Browser settings can restrict cookies, but essential features may then stop working.
11. Access, correction and deletion
You may ask to access or correct personal information we hold about you, or request deletion where applicable, by emailing [email protected]. We may verify your identity or authority and may refuse or limit a request where permitted by law, in which case we will explain why where required.
Organisation administrators may also be able to access or manage information associated with their workspace.
12. Privacy complaints
Send a complaint to [email protected] with enough information for us to investigate. We will acknowledge it and aim to respond within a reasonable period. If you are not satisfied, you may be entitled to contact the Office of the Australian Information Commissioner at oaic.gov.au.
13. Children
The Service is intended for businesses and adults and is not directed to children under 18. Do not knowingly submit children's personal information through the Service. Contact us if you believe this has occurred.
14. Changes and contact
We may update this policy to reflect changes in law, technology, providers or our practices. We will publish the current version and effective date and provide reasonable notice of material changes where appropriate.
Privacy enquiries may be sent to [email protected].