SpendCaddie

Privacy Policy

Version: 2.0
Effective Date: May 21, 2026
Last Updated: May 21, 2026

Bobby Built Ventures, LLC d/b/a SpendCaddie ("SpendCaddie," "we," "us," or "our") provides a U.S.-only consumer debt planning and debt coaching service. This Privacy Policy explains how we collect, use, disclose, retain, and protect personal information when you use the SpendCaddie website, web application, iOS application, account features, communications, subscriptions, and related services (the "Service").

This Privacy Policy is designed for individual consumer users in the United States. It is not a business-to-business data processing agreement.

Plain-language summary

  • We collect account, debt, linked-account, subscription, device, usage, security, consent, support, and communication information to operate SpendCaddie.
  • SpendCaddie is a debt planning and debt coaching app. It does not move money, pay bills, lend money, repair credit, settle debts, or negotiate with creditors.
  • We use Plaid for read-only financial account connections. We do not receive or store your bank login credentials.
  • We store Plaid access tokens in encrypted form.
  • Web billing is processed by Stripe. iOS billing is processed by Apple. RevenueCat manages subscription and entitlement status. We do not store full payment card numbers.
  • AI explanation features currently use Anthropic. AI may receive structured debt-plan context, but AI does not calculate canonical balances, interest, payoff order, payment amounts, payoff dates, or strategy.
  • We do not sell personal information.
  • We do not currently share personal information for cross-context behavioral advertising.
  • We do not currently use advertising cookies, ad pixels, or retargeting pixels.
  • Vercel Analytics and Speed Insights are consent-gated in SpendCaddie-controlled code. Essential security, hosting, fraud-prevention, and operational logs may still occur.
  • We honor Global Privacy Control and similar universal opt-out signals for SpendCaddie-controlled cookie and preference settings where applicable and technically detectable.
  • You can access, correct, export, delete, and manage certain data and preferences, subject to verification and legal, security, billing, fraud-prevention, audit, dispute-resolution, and compliance exceptions.
  • Deleting your SpendCaddie account does not automatically cancel any active Stripe, Apple, or RevenueCat subscription.
  • SpendCaddie is intended only for U.S. residents who are at least 18 years old.

1. Personal information we collect

The information we collect depends on how you use the Service, your subscription tier, your settings, your device, and whether you connect financial accounts.

1.1 Account and profile information

We may collect:

  • name;
  • email address;
  • password or authentication credentials handled through our authentication provider;
  • optional phone number if you choose to provide it;
  • account settings;
  • profile preferences;
  • notification preferences;
  • goals or planning preferences;
  • optional profile image or avatar;
  • account status, subscription tier, and entitlement status;
  • consent records and policy acceptance records; and
  • support and communication preferences.

SpendCaddie does not currently send SMS/text-message alerts, SMS marketing, or SMS-based MFA. If we introduce SMS features in the future, we will update this Policy and applicable consent flows before enabling them.

1.2 Debt and planning information you provide

You may provide debt and planning information manually, including:

  • debt names and types;
  • balances;
  • APRs or interest rates;
  • minimum payments;
  • due dates;
  • statement close dates when relevant;
  • promotional APR or deferred-interest details;
  • payment logs;
  • payment dates and amounts;
  • strategy choices, such as avalanche, snowball, or custom order;
  • included, excluded, or track-only debt settings;
  • notes;
  • monthly debt commitment;
  • household/shared-debt settings where available; and
  • exports or reports you generate.

1.3 Financial account data from Plaid

If you choose to connect a financial account, SpendCaddie uses Plaid to receive read-only financial account data authorized by you. This may include:

  • institution name and metadata;
  • account names, masks, account type/subtype, and metadata;
  • account balances;
  • available credit;
  • transaction history, including transaction date, amount, merchant/name, category, and pending status;
  • credit card information, such as credit limits, APR information where available, payment due dates, minimum payment amounts, last payment information, and related liability data;
  • loan or liability information where made available by Plaid and your financial institution;
  • Plaid item IDs and account IDs; and
  • connection status, sync status, and webhook metadata.

We do not receive or store your bank login credentials. Plaid handles authentication directly with your financial institution.

We store Plaid access tokens in encrypted form and use them to retrieve authorized data, refresh account information, process webhooks, and maintain or remove your connection.

1.4 Payment and subscription information

For web subscriptions, Stripe processes payment card information and billing. SpendCaddie may receive and store payment-related metadata such as:

  • Stripe customer ID;
  • subscription ID;
  • plan, product, price, trial, renewal, cancellation, failed-payment, invoice, and payment-status metadata;
  • billing email;
  • transaction or event timestamps; and
  • limited payment method metadata where provided by Stripe.

For iOS subscriptions, Apple processes payments through Apple In-App Purchase. SpendCaddie uses RevenueCat to manage subscription and entitlement status. We may receive and store subscription-related metadata such as:

  • RevenueCat app user ID;
  • entitlement status;
  • product ID;
  • subscription status;
  • store/platform information;
  • purchase, renewal, cancellation, billing-issue, and expiration metadata; and
  • related event timestamps.

SpendCaddie does not store full payment card numbers.

1.5 AI explanation information

If you use AI-powered explanation features, we may send structured debt-plan context to Anthropic, including:

  • debt balances;
  • APRs or interest rates;
  • minimum payments;
  • payoff summaries;
  • promotional-period or deferred-interest risk;
  • strategy comparison summaries;
  • payment or progress summaries;
  • account or debt names;
  • account masks or last digits;
  • alert context;
  • monthly summary context;
  • sanitized user questions; and
  • related deterministic output fields generated by SpendCaddie's calculators.

AI features are used to explain deterministic outputs. AI does not calculate canonical balances, interest, payoff order, payment amounts, payoff dates, or strategy, and AI outputs do not change your saved plan unless you take a separate action in the Service.

We may store or cache AI outputs, model/provider metadata, usage logs, token/cost metadata, safety metadata, and related audit records to operate, secure, monitor, debug, and improve the feature. The code may store input hashes rather than full prompt text in some flows, but we do not promise that every AI-related record is free of personal information.

We may collect or process:

  • IP address;
  • browser type;
  • operating system;
  • device identifiers;
  • device type;
  • app version;
  • pages or screens visited;
  • features used;
  • timestamps;
  • interaction events;
  • performance and error data;
  • security and audit events;
  • rate-limiting metadata;
  • cookie and consent preferences;
  • session information;
  • localStorage or sessionStorage values;
  • mobile SecureStore, MMKV, or local app-cache data; and
  • push-notification tokens or endpoints if you enable notifications.

Some mobile app features may store limited data locally on your device for authentication, app functionality, caching, performance, or offline/near-offline use. SecureStore is used for certain authentication/PIN-related data. Other local app caches may store account, debt, or app-state information for functionality. Protecting your device with a passcode, operating system security features, and device-level encryption is important.

1.7 Communications and support information

We collect information you provide when you contact us, including:

  • support messages;
  • feedback;
  • email metadata;
  • attachments or screenshots you choose to provide;
  • privacy requests;
  • billing-support requests;
  • vulnerability reports; and
  • related internal notes, audit records, and response history.

Please do not send bank login credentials, full account numbers, Social Security numbers, unnecessary screenshots, or other highly sensitive information through support channels.

2. Sources of personal information

We collect information from:

  • you directly;
  • your device or browser;
  • your use of the Service;
  • Plaid and connected financial institutions when you authorize a connection;
  • Stripe for web billing;
  • Apple and RevenueCat for iOS subscriptions and entitlement status;
  • Supabase for authentication, database, and storage services;
  • Vercel for hosting, performance, and consented analytics;
  • Resend for email delivery;
  • Anthropic for AI explanations;
  • Upstash for rate limiting and infrastructure jobs;
  • Expo and browser push providers for push notifications where used;
  • service providers that help us operate, secure, support, and improve the Service; and
  • legal, security, or compliance sources where necessary.

3. How we use personal information

We use personal information for the following purposes.

3.1 Providing and operating the Service

  • create and maintain accounts;
  • authenticate users;
  • provide debt inventory, planning, payment logging, progress, alerts, exports, and household features;
  • connect financial accounts through Plaid;
  • retrieve and refresh authorized account data;
  • process plan calculations and deterministic outputs;
  • display balances, transactions, liabilities, and debt details;
  • process web and iOS subscription entitlements;
  • provide account settings and preferences;
  • deliver email and push notifications where enabled; and
  • provide support.

3.2 Billing, subscription, and entitlement management

  • start trials;
  • create checkout sessions;
  • manage subscription status;
  • process provider webhooks;
  • manage entitlements;
  • identify failed payments, cancellations, renewals, and expiration events;
  • send transactional billing notices; and
  • respond to billing support requests.

3.3 AI explanation features

  • generate optional AI explanations of deterministic plan outputs;
  • explain strategy tradeoffs;
  • explain payoff risk;
  • summarize plan changes, monthly progress, and alerts;
  • monitor abuse, errors, costs, and performance; and
  • debug and improve AI feature reliability and safety.

3.4 Communications

  • send account, security, service, policy, billing, and support messages;
  • send product updates or marketing emails if you have opted in or where permitted by law;
  • respond to requests;
  • provide customer support; and
  • notify you about material changes where appropriate.

3.5 Security, fraud prevention, and compliance

  • protect accounts and data;
  • detect abuse, unauthorized access, fraud, misuse, and policy violations;
  • enforce rate limits;
  • maintain audit and security logs;
  • validate webhooks and provider events;
  • comply with legal obligations;
  • respond to lawful requests;
  • enforce terms and policies;
  • protect rights, safety, and property; and
  • investigate and remediate security incidents.

3.6 Product improvement and analytics

  • understand feature usage;
  • troubleshoot errors;
  • improve performance and reliability;
  • maintain and improve user experience;
  • develop features;
  • perform aggregate analytics;
  • evaluate subscription and feature performance; and
  • improve security and abuse prevention.

Where required, analytics is subject to your consent and preferences.

4. How we disclose personal information

We do not sell personal information. We do not currently share personal information for cross-context behavioral advertising. We do not currently use advertising cookies, ad pixels, or retargeting pixels.

We may disclose personal information in the following circumstances.

4.1 Service providers

We disclose personal information to service providers that help us provide, secure, support, and improve the Service. These providers process information under their own terms and/or agreements with us and may include:

Provider | Purpose | Examples of data involved
Plaid | Read-only financial account connections | account, balance, transaction, institution, and liability data authorized by you
Stripe | Web billing and subscription management | billing email, customer ID, subscription and invoice metadata
Apple | iOS In-App Purchase billing | Apple-controlled purchase and subscription data
RevenueCat | Subscription entitlements and purchase events | app user ID, entitlement status, product IDs, store event metadata
Supabase | Authentication, database, storage, and backend infrastructure | account, auth, profile, financial, consent, audit, and app data
Vercel | Hosting, deployment, performance, and consented analytics | hosting logs, performance data, analytics data where consented
Resend | Email delivery | email address, transactional and support email content/metadata
Anthropic | AI explanation generation | structured debt-plan context and user questions for AI features
Upstash | Rate limiting and infrastructure jobs | rate-limit keys, job metadata, limited operational data
Expo and browser push providers | Push notifications where enabled | push tokens/endpoints, notification payloads, device/app metadata

We may update our Service Providers & Subprocessors Notice as providers change.

4.2 User-directed disclosures

We disclose information when you direct us to do so, such as when you connect an account through Plaid, share an export, invite a household member, use device sharing features, or otherwise authorize a disclosure.

We may disclose information if we believe disclosure is reasonably necessary to:

  • comply with law, legal process, subpoena, court order, regulatory request, or government request;
  • protect the rights, property, safety, and security of SpendCaddie, users, providers, or others;
  • investigate fraud, abuse, security incidents, or policy violations;
  • enforce our Terms and policies;
  • respond to claims or disputes; or
  • prevent harm.

4.4 Business transfers

If SpendCaddie is involved in a merger, acquisition, financing, reorganization, bankruptcy, sale of assets, or similar transaction, personal information may be disclosed or transferred as part of that transaction, subject to appropriate confidentiality and legal protections.

4.5 Aggregated or de-identified information

We may use or disclose aggregated or de-identified information that does not reasonably identify you, subject to applicable law. We will not attempt to reidentify de-identified information except as permitted by law, such as to test whether deidentification works.

5. Cookies, analytics, and tracking

Our Cookie Policy explains our use of cookies, local storage, analytics, and similar technologies.

In summary:

  • essential cookies and storage are used for authentication, security, sessions, preferences, and app functionality;
  • Vercel Analytics and Speed Insights are consent-gated in SpendCaddie-controlled code;
  • essential hosting, security, fraud-prevention, and operational logs may occur even if analytics is disabled;
  • Global Privacy Control and similar universal opt-out signals are applied to SpendCaddie-controlled cookie and preference settings where applicable and technically detectable; and
  • we do not currently use advertising cookies, ad pixels, or cross-context behavioral advertising technologies.

Third-party flows such as Plaid, Stripe, Apple, and RevenueCat may use their own cookies, device data, or tracking technologies according to their own policies.

6. Data retention

We retain personal information for as long as reasonably necessary to provide the Service, maintain your account, comply with legal obligations, resolve disputes, enforce agreements, prevent fraud or abuse, maintain security, and support business records.

When you delete your account, SpendCaddie deletes or deactivates configured app account data from active systems, subject to legal, security, billing, fraud-prevention, audit, dispute-resolution, and compliance exceptions. Some records may be retained for longer where reasonably necessary, including:

  • consent records;
  • data-rights request records;
  • audit and security logs;
  • billing, subscription, invoice, and tax records;
  • fraud, abuse, and incident records;
  • legal and dispute records;
  • email and support records; and
  • provider records, logs, and backups retained according to provider practices.

Account deletion does not automatically cancel Stripe, Apple, RevenueCat, or other payment-provider subscriptions. You must cancel active subscriptions through the applicable provider before deleting your account if you do not want future charges.

For more detail, see our Data Retention Notice.

7. Your privacy rights and choices

We make the following options available to all U.S. users as a product practice, subject to verification, legal exceptions, technical limitations, and applicable law:

  • access certain personal information;
  • update or correct certain account information;
  • request correction of inaccurate information;
  • export certain account and app data in JSON or other available formats;
  • delete your account;
  • disconnect linked financial accounts;
  • manage cookie preferences;
  • manage marketing email preferences;
  • manage push notification preferences;
  • opt out of certain processing where applicable;
  • submit a privacy request; and
  • appeal certain denied requests where state law provides that right.

You may exercise many rights in account settings. You may also contact privacy@spendcaddie.com.

We may need to verify your identity before fulfilling a request. We may deny or limit requests where permitted by law, such as when we cannot verify your identity, the request is excessive or unfounded, fulfilling the request would compromise security or trade secrets, the data is subject to legal retention obligations, or an exception applies.

Where required by applicable state law, we will respond within 45 days after receiving a verified request and may extend the response period by an additional 45 days when reasonably necessary, with notice to you.

8. State privacy notice

Residents of certain U.S. states may have additional rights under state privacy laws, including California, Colorado, Connecticut, Virginia, Utah, and other states with comprehensive consumer privacy laws, to the extent those laws apply to SpendCaddie. We also provide core access, correction, deletion, export, and preference controls to all U.S. users as described above.

8.1 Notice at collection and categories of information

The categories below describe personal information we may collect and disclose for business purposes. We do not sell personal information and do not currently share personal information for cross-context behavioral advertising.

Category | Examples | Sources | Purposes | Disclosed to service providers
Identifiers | name, email, IP address, account IDs, device IDs | you, device, providers | account, security, support, billing | yes
Customer records / account data | account profile, subscription records, support records | you, providers | service delivery, billing, support | yes
Protected classification information | age eligibility self-certification; limited data only if voluntarily provided | you | eligibility and compliance | limited
Commercial information | subscription plan, billing status, invoices, product usage | you, Stripe, Apple, RevenueCat | billing, entitlement, support | yes
Financial account information | balances, transactions, liabilities, due dates, APRs, limits, account masks | Plaid, you | debt planning, alerts, explanations | yes
Internet or electronic network activity | pages, screens, features, interactions, logs | device, browser, service | security, analytics, operations | yes
Geolocation data | approximate location inferred from IP where available | device/browser/provider logs | security, fraud prevention, analytics | yes
Audio/visual/electronic information | profile image, screenshots you provide to support | you | profile and support | yes
Inferences | plan summaries, strategy context, risk flags, usage preferences | service calculations | planning, recommendations, explanations | yes
Sensitive personal information, where applicable | account login access handled by auth provider, financial account information, precise categories if voluntarily provided | you, Plaid, auth provider | provide requested Service, security, compliance | yes, as needed

We use sensitive personal information only as reasonably necessary to provide the Service, secure accounts, process your requests, prevent fraud, comply with law, and otherwise as permitted by applicable law. We do not use sensitive personal information to infer characteristics about you for advertising.

8.2 California privacy rights

To the extent the California Consumer Privacy Act, as amended, applies to SpendCaddie, California residents may have rights to:

  • know/access categories and specific pieces of personal information;
  • delete personal information, subject to exceptions;
  • correct inaccurate personal information;
  • opt out of sale or sharing of personal information;
  • limit certain uses and disclosures of sensitive personal information; and
  • not be discriminated against for exercising privacy rights.

We do not sell personal information. We do not currently share personal information for cross-context behavioral advertising. We honor Global Privacy Control for SpendCaddie-controlled opt-out settings where applicable and technically detectable.

Because we do not currently sell or share personal information for cross-context behavioral advertising, we do not provide a separate financial incentive program tied to the sale or sharing of personal information.

8.3 Colorado privacy rights

To the extent the Colorado Privacy Act applies to SpendCaddie, Colorado residents may have rights to:

  • confirm whether we process personal data;
  • access personal data;
  • correct inaccuracies;
  • delete personal data;
  • obtain personal data in a portable format;
  • opt out of targeted advertising, sale of personal data, or certain profiling; and
  • appeal a denied request.

We do not sell personal data. We do not currently process personal data for targeted advertising. We honor Global Privacy Control and similar universal opt-out mechanisms for SpendCaddie-controlled opt-out settings where applicable and technically detectable.

We treat financial account data as highly sensitive personal information. Some information may be legally classified as sensitive data under applicable law if it falls within categories defined by that law. SpendCaddie does not intentionally collect many sensitive categories, such as racial or ethnic origin, religious beliefs, health diagnoses, citizenship status, sexual orientation, or biometric identifiers used for identification, as part of the core Service. If we process legally defined sensitive data where consent is required, we will seek consent as required by applicable law.

If we deny your Colorado privacy request and Colorado law gives you appeal rights, you may appeal by emailing privacy@spendcaddie.com with the subject line "Colorado Privacy Appeal." If your appeal is denied, you may contact the Colorado Attorney General.

8.4 Other state privacy rights

Residents of Connecticut, Virginia, Utah, Oregon, Texas, Montana, Delaware, Iowa, Nebraska, New Hampshire, New Jersey, Tennessee, Minnesota, Maryland, and other states with applicable comprehensive privacy laws may have additional rights depending on the law's effective date, scope, exemptions, and thresholds. These rights may include access, correction, deletion, portability, opt-out, appeal, or other rights.

We will process state privacy requests as required by applicable law and may voluntarily provide similar controls to all U.S. users as a product practice.

9. Security

We use reasonable administrative, technical, and organizational safeguards appropriate to the sensitivity of the data we process. These measures include, as applicable:

  • HTTPS/TLS for data in transit;
  • encrypted Plaid access tokens;
  • authentication controls;
  • MFA for supported account and admin flows;
  • row-level security controls;
  • access controls;
  • rate limiting;
  • webhook signature validation;
  • security headers and origin checks;
  • audit and security event logging; and
  • service-provider security review appropriate to our stage and risk.

No system is 100% secure. We cannot guarantee that unauthorized access, loss, misuse, or disclosure will never occur. We will notify affected users and regulators of security incidents as required by applicable law.

Do not send bank login credentials, full account numbers, Social Security numbers, or unnecessary highly sensitive information through support channels.

10. Children's privacy and age eligibility

SpendCaddie is intended only for users who are at least 18 years old. We rely on user self-certification at signup and do not currently perform date-of-birth or identity-based age verification.

SpendCaddie is not directed to children under 13 and is not intended for anyone under 18. We do not knowingly collect personal information from minors. If you believe a minor has provided personal information to SpendCaddie, contact privacy@spendcaddie.com. We will review the report and take appropriate action, which may include disabling the account and deleting or deactivating personal information, subject to legal, security, billing, fraud-prevention, audit, dispute-resolution, and compliance exceptions.

11. U.S.-only service and international access

SpendCaddie is intended only for residents of the United States. We do not intentionally offer the Service to non-U.S. residents. If you access the Service from outside the United States, you understand that your information may be processed in the United States and that the Service is not designed for non-U.S. privacy regimes.

12. Third-party websites and services

The Service may link to or integrate with third-party services, including Plaid, Stripe, Apple, RevenueCat, and financial institutions. Those third parties may collect and process information under their own privacy policies and terms. SpendCaddie is not responsible for third-party privacy practices.

13. Changes to this Privacy Policy

We may update this Privacy Policy from time to time. If we make material changes, we will provide notice through the Service, by email, by posting an updated policy, or by another reasonable method. Your continued use of the Service after the updated policy becomes effective means you acknowledge the updated policy.

14. Contact us

Bobby Built Ventures, LLC d/b/a SpendCaddie
1500 N Grant St, Ste R
Denver, CO 80203, USA

Privacy Inquiries: privacy@spendcaddie.com
General Support: support@spendcaddie.com