SpendCaddie Logo
SpendCaddie
LoginGet Started

Data Processing Agreement

Last Updated: January 11, 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between SpendCaddie (“Data Processor”, “we”, “us”) and you (“Data Controller”, “you”) and governs the processing of personal data on your behalf.

2. Definitions

  • “Personal Data” means any information relating to an identified or identifiable natural person
  • “Processing” means any operation performed on Personal Data
  • “Data Subject” means the individual to whom Personal Data relates
  • “GDPR” means the General Data Protection Regulation (EU) 2016/679
  • “CCPA” means the California Consumer Privacy Act

3. Scope of Processing

3.1 Subject Matter

We process Personal Data solely to provide our financial management services as described in our Terms of Service and as instructed by you.

3.2 Categories of Personal Data

We may process the following categories of Personal Data:

  • Account credentials and authentication data
  • Financial account information (balances, transactions)
  • Contact information (email, phone)
  • Technical data (IP address, device information)

3.3 Data Subjects

Data Subjects include registered users and household members whose financial data is processed through the service.

4. Processor Obligations

We shall:

  • Process Personal Data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Engage sub-processors only with your prior authorization
  • Assist you in responding to Data Subject requests
  • Delete or return all Personal Data upon termination
  • Make available information necessary to demonstrate compliance

5. Security Measures

We implement the following security measures:

  • Encryption of data in transit (TLS 1.3) and at rest (AES-256)
  • Access controls and authentication mechanisms
  • Regular security assessments and penetration testing
  • Employee security training
  • Incident response procedures
  • Data backup and disaster recovery

6. Sub-Processors

6.1 Authorized Sub-Processors

You authorize us to use the following sub-processors:

  • Supabase: Database hosting (United States)
  • Vercel: Application hosting (United States)
  • Plaid: Financial data aggregation (United States)
  • Stripe: Payment processing (United States)
  • Resend: Email delivery (United States)

6.2 Sub-Processor Requirements

We ensure all sub-processors are bound by data protection obligations no less protective than this DPA.

7. International Transfers

Personal Data may be transferred to and processed in the United States. For EU/EEA Data Subjects, we rely on Standard Contractual Clauses approved by the European Commission to ensure adequate protection.

8. Data Subject Rights

We will assist you in responding to Data Subject requests including:

  • Right of access
  • Right to rectification
  • Right to erasure
  • Right to restriction of processing
  • Right to data portability
  • Right to object

9. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay (within 72 hours)
  • Provide information about the nature and scope of the breach
  • Describe measures taken or proposed to address the breach
  • Assist you in notifying supervisory authorities and Data Subjects

10. Audit Rights

Upon reasonable notice and subject to confidentiality obligations, we will make available information necessary to demonstrate compliance with this DPA. Audits shall be conducted no more than once per year unless required by a supervisory authority.

11. Duration and Termination

This DPA remains in effect for the duration of your use of our services. Upon termination, we will delete or return all Personal Data within 30 days, unless retention is required by law.

12. Governing Law

This DPA is governed by the laws of the State of Colorado. For EU/EEA Data Subjects, this does not affect any mandatory consumer protection rights under applicable law.

13. Contact

For questions about this DPA or data protection matters:

  • Privacy Team: privacy@spendcaddie.com
  • Legal Inquiries: legal@spendcaddie.com
  • General Support: support@spendcaddie.com
  • Mailing Address: Bobby Built Ventures LLC (DBA SpendCaddie), 1500 N Grant St, Ste R, Denver, CO 80203