Service Providers & Subprocessors Notice
This Service Providers & Subprocessors Notice describes the third-party providers that Bobby Built Ventures, LLC d/b/a SpendCaddie uses to operate, secure, support, and improve the SpendCaddie service.
This page is not a consumer Data Processing Addendum. Individual consumer users are not controllers of SpendCaddie's consumer app processing. Any business or enterprise data processing agreement applies only if separately accepted or executed by an authorized business customer.
1. How SpendCaddie uses providers
SpendCaddie uses service providers for:
- authentication;
- database and storage;
- hosting;
- read-only financial account connections;
- web billing;
- iOS billing;
- subscription entitlement management;
- email delivery;
- AI explanation generation;
- analytics and performance measurement;
- rate limiting;
- infrastructure jobs;
- push notifications;
- security; and
- support.
Providers may process personal information only as needed to provide their services, comply with law, protect their systems, enforce their terms, and support SpendCaddie.
2. Current providers
| Provider | Purpose | Categories of data that may be processed |
|---|---|---|
| Plaid | Read-only financial account connection, account refresh, balances, transactions, liabilities, institution metadata | account metadata, balances, transactions, liability/credit card fields, institution data, Plaid item/account IDs, connection status |
| Stripe | Web billing, checkout, subscription management, customer portal, payment failure events | billing email, customer ID, subscription ID, invoice and payment metadata, limited payment method metadata |
| Apple | iOS In-App Purchase billing, subscription cancellation, renewal, refund handling | Apple-controlled purchase and subscription data |
| RevenueCat | Subscription entitlement/status management and purchase event processing | app user ID, entitlement status, product IDs, platform/store metadata, purchase/renewal/cancellation/billing events |
| Supabase | Authentication, database, storage, row-level security, backend infrastructure | account, auth, profile, financial, consent, subscription, audit, support, and app data |
| Vercel | Hosting, deployment, performance, and consented analytics | request logs, hosting metadata, performance data, analytics data where consented |
| Resend | Email delivery | email address, email content, transactional and support message metadata |
| Anthropic | AI explanation generation | structured debt-plan context, account/debt names or masks, balances, APRs, minimums, payoff summaries, alert context, user questions, AI usage metadata |
| Upstash | Rate limiting, infrastructure jobs, queue/scheduled job support | rate-limit keys, job metadata, limited operational data |
| Expo | Mobile push notification delivery and mobile platform services | push tokens, device/app metadata, notification payload metadata where enabled |
| Browser push providers | Web push notification delivery | browser push endpoints, encrypted notification payloads, device/browser metadata |
| Financial institutions | Source of linked-account data through Plaid | account data authorized through Plaid |
| App stores and device platforms | App distribution, device permissions, app updates, platform services | device/app metadata, purchase or platform data controlled by the provider |
3. Provider changes
Our providers may change over time. We may add, remove, replace, or change providers as needed for security, reliability, functionality, cost, legal compliance, product development, or user support.
If a provider change materially affects privacy practices, we will update our Privacy Policy or this notice as appropriate.
4. Third-party terms
Your use of certain features may be subject to third-party terms and privacy policies, including Plaid, Stripe, Apple, RevenueCat, and your financial institution.
SpendCaddie is not responsible for third-party services, provider outages, provider decisions, provider retention practices, or provider privacy practices except to the extent required by applicable law.
5. Security and provider review
SpendCaddie uses reasonable security and vendor-management practices appropriate to our stage, the sensitivity of data, and the services involved. Providers that process sensitive personal or financial information are expected to maintain reasonable security measures appropriate to the information they process.
6. Business/enterprise agreements
If SpendCaddie later offers business or enterprise services, those customers may be subject to separate written terms, including a data processing agreement if appropriate. Such agreements do not apply to individual consumer users unless expressly stated in a separately executed agreement.
7. Contact
Privacy Inquiries: privacy@spendcaddie.com
General Support: support@spendcaddie.com