Privacy Notice

VERSION 1.0

LAST UPDATED: May 4, 2026

INTRODUCTION

This document, herein referred to as the “Privacy Notice”, outlines the privacy practices of Spendbase (“We”, “us”, “our”, “Spendbase”) and governs the processing of your personal data (“Personal Data”) in connection with the provision of NEVO services in connection with both the website and gateway AI service (“Services”).

Your continued use of the Services constitutes your acknowledgment of, and agreement to, the privacy practices described in this Privacy Notice. In the event of any concern relating to this Privacy Notice or how we handle your Personal Data, feel free to contact us at:

Data Protection Officer, Spendbase Inc. Attn: Privacy and Compliance Email: privacy@spendbase.co

Nota bene! This Privacy Notice may be available in several languages. In the event of any discrepancies, the English version of this Notice shall prevail.

SCOPE OF APPLICABILITY

This Privacy Notice is written primarily in accordance with the Regulation (EU) 2016/679 (General Data Protection Regulation, “GDPR”), and where our processing falls within its territorial scope UK General Data Protection Regulation (“UK GDPR”) and the California Consumer Privacy Act of 2018 as amended by the California Privacy Rights Act of 2020 (collectively, “CCPA/CPRA“), Cal. Civ. Code § 1798.100 et seq. These frameworks share substantially identical substantive rules; where they diverge, we identify this expressly.

Additional rights. The supplemental sections do not constitute an exhaustive list of every jurisdiction in which we operate or every law that may apply to you. Applicable privacy laws are subject to frequent change. If you believe you are entitled to a right or remedy in respect of your personal data under any applicable law not expressly addressed in this Notice, we invite you to contact us at privacy@spendbase.co. We will assess your request in good faith and in accordance with applicable law, and we will not refuse a valid rights request solely because the specific right is not named in this Notice.

ABOUT SPENDBASE

In accordance with applicable privacy laws, Spendbase operates as a Data Controller.  

FieldDescription
Legal nameSpendbase Inc.
Registration No61-2064269
Address16192 Coastal Highway, Lewes, DE 19958
Website URLhttps://getnevo.ai/ 
Emailsupport@getnevo.ai 
Email (privacy matters)privacy@spendbase.co

ABOUT YOU

Under this Notice, you may act in the capacity of the Visitor and/or the User. Depending on your role, we process different categories of personal data. 

  • Visitor — an individual who browses https://getnevo.ai/ without creating an account. As to the Visitor, only cookie data is collected, as described in Section 5 of this Privacy Notice
  • User — an individual who creates an account and uses the NEVO services. As to the User, all the Sections of this Privacy Notice apply in full.

PERSONAL DATA WE PROCESS

Depending on whether you are a Visitor or a User, we may collect the following categories of data:

Data CategoryDescriptionVisitor\User
Registration & Identity First and last name, email, company or organisation name, Google account information, account credentialsUser
API usage* Unique account identifier, API key (used to authenticate request, stored in hashed form), number of API requests made, timestamps, model selected, token counts, response times; error logs and status codes; daily request data, cost breakdowns, provider routing statistics, etcUser
Payment We use Stripe, Inc. for payment processing. Please review their privacy practices here. We do not store your full card number, CVV, or banking credentials; Stripe stores this data in compliance with PCI-DSS. We receive only tokenised references and transaction records.User
Support & Communication If you contact us for support or send feedback, we retain the content of that communication and your contact details.Visitor, User
Technical and device dataIP address; Browser type and version, operating system, device type; Date and time of access, pages visited, referring URLVisitor, User

If you visit our website without registering, the only personal data we collect is through cookies and similar tracking technologies placed on your device. Profound information about cookies and other tracking technologies is in Section “COOKIES & OTHER TRACKING TECHNOLOGIES”. 

NB! We do not intentionally collect minors’ Personal Data or sensitive categories of Personal Data that may reveal health, ethnicity, nationality, gender, political or religious beliefs. Please try to avoid sharing sensitive personal data while using the Services. In the event you have mistakenly provided us with the data we have never requested, and you would like us to delete it, please do not hesitate to reach out to us at: privacy@spendbase.co 

*API Usage. By default, we do not collect or retain the content of your API requests (i.e., your prompts, instructions, or any data you submit to an AI model). You may enable or disable this setting again at any time in your dashboard. Disabling it stops future collection; it does not automatically delete previously retained content unless you submit a deletion request as described in Section “YOUR RIGHTS”. 

For California residents: The categories above correspond to the following CCPA/CPRA statutory categories: “Identifiers” (Registration & Identity, Technical and device data); “Commercial information” (Payment); “Internet or other electronic network activity” (API usage, Technical and device data); “Audio, electronic, visual, or similar information” (Support & Communication). We do not collect “sensitive personal information” as defined by Cal. Civ. Code § 1798.140(ae); the right to limit use of sensitive personal information under Cal. Civ. Code § 1798.121 is therefore not applicable.

PURPOSES AND LAWFUL BASES FOR PROCESSING

We process personal data only where we have a valid legal basis under Article 6 of the GDPR. For California residents, the GDPR legal bases framework does not apply; we process your personal information for the business purposes identified in the table below in accordance with CCPA/CPRA.

PurposeData processedLawful basis
Operating and delivering the NEVO servicesRegistration data, API key, usage dataContract performance 
Account creation and authenticationRegistration data, account credentialsContract performance
Routing API requests to third-party AI providersAPI key, request metadata ( content if opted in)Contract performance
Displaying usage analytics and cost dashboardsUsage data, account identifierContract performance
Payment processing and subscription managementPayment records (via Stripe)Contract performance
Transactional and support communications (security alerts, service updates)Registration & Identity data,
Support & Communication data
Contract performance/ Legitimate Interest
Platform security, fraud prevention, and abuse detectionIP address, usage data, API keyLegitimate Interest
Internal product analytics and performance optimisationAggregated, anonymised usage statistics (via PostHog)Legitimate Interest
Marketing communications by email*Email addressConsent (where required by applicable law);
Legitimate Interest (for existing customers in jurisdictions where this is permitted, subject to opt-out) 
Compliance with legal obligations (tax, regulatory)Registration & Identity data,
Payment records
Legal obligation

* For EEA and UK residents, email marketing is sent only based on prior consent or the soft opt-in exemption for existing customers under applicable rules.

We do NOT use your data to train AI models. We never use your API requests, prompts, or responses for machine learning training. The AI providers you access through our Service may have their own data usage policies, which we encourage you to review.

COOKIES & OTHER TRACKING TECHNOLOGIES

We use Cookiebot (provided by Cybot A/S, Havnegade 39, 1058 Copenhagen, Denmark) as our consent management platform. Cookiebot scans our website, identifies all cookies and trackers, and displays a consent banner on your first visit. It also maintains a real-time cookie declaration.

The complete and current cookie list is available within the Cookiebot banner, accessible from our website footer. Cookiebot’s privacy practices are available here. For your convenience, cookies fall into the following categories:

Cookie typeDescriptionLawful basis
Strictly necessary They are essential for the website to function.Contract provision
Analytics/performance They help us understand how visitors use our site (e.g. Google Analytics).Consent
Advertising/targeting used to deliver relevant ads and measure campaign effectiveness (e.g., Google Ads, Meta Pixel, LinkedIn Insight Tag). Consent

You may accept, reject, or customise your cookie preferences at any time through the Cookiebot banner. To re-open the banner, click the cookie settings link in the website footer.

You may also control cookies through your browser settings. Please refer to the links below to manage it easily:  

Google ChromeMicrosoft EdgeSafari (Mac)
Mozilla FirefoxOperaSafari (iPhone/iPad)

Do not track requests. We do not currently respond to Do Not Track signals, as no uniform technical standard exists. We do honour Global Privacy Control (GPC) signals as opt-out requests for the sharing of personal data for cross-context behavioural advertising, as required under applicable US state laws. Visit this page to enable GPC.

Do not sell or share requests. We do not sell your personal information. The use of Meta Pixel and LinkedIn Insight Tag on our website may constitute “sharing” of personal information for cross-context behavioural advertising within the meaning of Cal. Civ. Code § 1798.140(ah). California residents have the right to opt out of such sharing under Cal. Civ. Code § 1798.120. You may exercise this right via the Cookiebot banner, by enabling GPC, or by contacting us at privacy@spendbase.co  with the subject line “California — Opt-Out of Sharing”. We will not discriminate against you for exercising this right. You may opt out of this sharing via the Cookiebot banner or by enabling GPC.

Internal analytics. We use PostHog to collect internal product analytics that help us understand how the Services are being used and where they can be improved. PostHog is integrated only at the server (back-end) level. It is not installed in your browser and does not place cookies or access your device. As a result, browser-based consent mechanisms do not apply to this processing.

The legal basis for this processing is our legitimate interest in operating, monitoring, and improving the Service. We have assessed that this interest is not overridden by your rights, given the nature of the data involved (usage statistics) and the safeguards described below. PostHog receives aggregated and anonymised usage metrics — for example, feature adoption rates, error frequencies, and request volume trends. It does not receive your name, email address, or the content of your API requests.

AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based solely on automated decision- making.

THIRD-PARTY AI PROVIDERS

NEVO acts as an API gateway. When you make an API request, your selected prompt and any associated data are transmitted through our servers to the relevant third-party AI model provider for inference processing. The full list of the AI providers is available _____

For California residents: Such transmission to AI providers constitutes a disclosure to a third party for a business purpose under CCPA/CPRA, not a sale or sharing. You may request the specific AI providers to whom your data was transmitted by submitting a request as described in the Section “YOUR RIGHTS”.

NB! Each AI provider processes your data under its own terms and privacy policies, which we do not control. Once data is transmitted to a provider for inference, we act only as a conduit for that onward processing. Some providers may use prompt data for model improvement unless you opt out directly with them. We encourage you to review each provider’s privacy notices before use.

Where AI providers are located outside the EEA or UK, transfers are governed by the mechanisms described in Section 11 (Cross-Border Data Transfer), including EU Standard Contractual Clauses or the EU–US Data Privacy Framework where applicable. A list of AI providers and their applicable transfer mechanisms is available upon request at privacy@spendbase.co

SHARING OF YOUR PERSONAL DATA

Except for AI providers mentioned in the Section above, we may share your Personal Data with the following categories of recipients:

Provider categoryNamePrivacy NoticeDescription of processing
Service providersStripe Inc., Stripe’s Privacy NoticePayment processing. We do not store your credit card information.
AWSAWS Privacy NoticeCloud hosting infrastructure (Frankfurt, Germany).
Analytics providersGoogle LLCGoogle Privacy NoticeAnalytics (Google Analytics), OAuth authentication.
PostHogPostHog Privacy Notice Product analytics
(self-hosted instance).
HubspotCookie Privacy NoticeProduct analytics (tracks page views, visitors’ identities, and browsers)
Advertising providersMeta (Facebook) PixelFacebook Privacy Notice Advertising conversion tracking and retargeting.
LinkedIn Insight TagLinkedIn Privacy NoticeB2B advertising and conversion tracking.

We may also disclose your information when required by law, court order, or governmental authority, or when we believe disclosure is necessary to comply with applicable laws and regulations, protect our rights, property, or safety, prevent fraud or illegal activities, or respond to valid legal requests. In the event of a merger, acquisition, reorganization, or asset sale, your information may be transferred to the acquiring entity. We will notify you of any such change and any choices you may have regarding your Personal Data.

For California residents: In the preceding twelve months, we have not sold personal information. We have disclosed personal information to the categories of third parties listed above for business purposes only. We have shared personal information (identifiers and internet activity data) with advertising providers (Meta, LinkedIn) for cross-context behavioural advertising; you may opt out as described in the Section “Cookies & Other Tracking Technologies”. We do not disclose personal information to third parties for their own direct marketing purposes.

CROSS-BORDER DATA TRANSFER

As Spendbase operates globally, we may share Personal Data within our legal entities, which are located in the US, Ukraine, and other countries. For all transfers of personal data from the UK or EEA to third countries lacking an adequacy decision, we implement appropriate safeguards:

  • UK International Data Transfer Agreement (IDTA) — for transfers from the UK
  • UK Addendum to EU Standard Contractual Clauses — where applicable
  • EU Standard Contractual Clauses (SCCs) — Commission Decision 2021/914
  • EU–US Data Privacy Framework — for certified US recipients
  • Adequacy decisions — where the destination country holds an adequacy status
  • Transfers to our legal entity in Ukraine are governed by EU Standard Contractual Clauses (Module 4, controller-to-processor, Commission Decision 2021/914), supplemented by additional technical and organisational measures as documented in our transfer impact assessment.

PERSONAL DATA RETENTION

We retain personal data only as long as necessary for the purposes for which it was collected, or as required by law, unless your consent is not withdrawn, where applicable.

Data CategoryRetention period
Registration & Identity 3 years after your account is deleted
API key (hashed)Invalidated immediately upon key rotation or account deletion
API usage metadata 90 days
AI request/response content (if opt-in enabled)90 days or as soon as we receive a data deletion request
Website log and technical data90 days
Payment and transaction recordsAs required by law (minimum 5 years after your account is deleted)
Cookie consent recordsFrom 1 session to 1 year, depending on the cookie, unless consent is withdrawn
Support and communications data3 years from last interaction
Cached request data (if caching enabled)30 days or until cache invalidation

Where data is no longer required, it is securely deleted or irreversibly anonymised. Data may be retained longer where required by a competent regulatory or tax authority, or for the establishment, exercise, or defence of legal claims.

YOUR RIGHTS

Depending on the lawful bases of the personal data processing and applicable law, you have the following rights:

RightEU/EEA & UK ¹California ²Canada ³
Access
Rectification / Correction
Erasure / Deletion
Restrict processing
Object to processing
Data portability
Withdraw consent
Non-discrimination
Automated decision review

¹ EU/EEA & UK: Rights are governed by the GDPR and UK GDPR, respectively. The right to erasure and the right to object are not absolute and may be limited where we have overriding legitimate grounds or legal obligations. You may also lodge a complaint with your national Data Protection Authority (see here) and for UK residents by referring to the Information Commissioner’s Office (contact data).

² California (CCPA/CPRA). The right to erasure is subject to statutory exceptions, including completing a transaction, detecting security incidents, and complying with legal obligations. The right to data portability arises where technically feasible. The right to non-discrimination means we will not deny services, charge different prices, or provide a different quality of service because you exercise a CCPA/CPRA right. Automated decision review applies where solely automated processing produces legal or similarly significant effects. Complaints may be directed to the California Privacy Protection Agency (contact data).


³ Canada. Under PIPEDA, the right of access entitles you to know what personal information we hold about you and how it is used, and to challenge its accuracy. The right to rectification allows you to request correction of inaccurate or incomplete information. There is no freestanding right to erasure under PIPEDA; however, you may withdraw consent at any time, which obligates us to cease processing for the purposes to which that consent related, subject to legal or contractual constraints. There is no general right to object to processing or to restrict processing as a standalone right; withdrawal of consent is the functional equivalent under PIPEDA. Data portability, automated decision review, and non-discrimination are not established rights under PIPEDA. Complaints may be directed to the Office of the Privacy Commissioner of Canada (OPC) at the link

To satisfy any of your rights, please contact us using all the information provided in Section “ABOUT SPENDBASE”. We will do our best to answer your questions at our earliest convenience, but please note that time frames may vary from 10 to 45 days depending on the jurisdiction. Such periods can also be extended under the applicable law. 

PERSONAL DATA SECURITY

We have implemented technical and organisational measures proportionate to the risks of our processing:

  • Encryption of data in transit (TLS 1.2+/HTTPS) and at rest
  • Hosting on AWS infrastructure with ISO 27001 and SOC 2 certified facilities
  • Role-based access controls and the principle of least privilege
  • Secure API key management (keys stored in hashed form only)
  • DMARC, DKIM, and SPF email authentication
  • Regular security assessments and vulnerability monitoring

NB! You are responsible for safeguarding your own account credentials and API keys while using the Services.

While using the Services, you may encounter third-party links, including links to AI provider documentation. We are not responsible for the privacy practices of those sites. Before sharing your Personal Data with any of these parties, please read their privacy notices. 

CHANGES TO THIS PRIVACY NOTICE

We may update this Notice from time to time. The “Last updated” date at the top reflects the most recent version. For material changes, we will provide prior notice via a banner on our website or by email to your registered address before changes take effect.

DON’T HESITATE TO CONTACT US

If you have concerns about how we handle your Personal Data, send us an email at: privacy@spendbase.co

Sign Up