Privacy Policy
Last updated: 29 June 2026 · ACHVMNT Ltd
1. Who we are
Spend is operated by ACHVMNT Ltd, a company registered in England and Wales. In this policy "we", "us" and "our" refer to ACHVMNT Ltd.
For privacy enquiries, contact us at privacy@getspend.co.uk.
2. What we collect and why
We collect only what is necessary to provide the service:
| Data | Purpose |
|---|---|
| Email address | Account creation and authentication |
| Parsed transaction data | Subscription detection and spending analysis |
| Detected subscriptions | Matching against our deals database |
| Action items and plan | Tracking your saving progress |
| IP address and basic device info | Security, fraud prevention |
| Stripe payment details | Billing for Pro/Family plans (held by Stripe, not us) |
What we never collect: your raw CSV bank export files, bank credentials, sort codes, or account numbers. CSV files are parsed entirely in your browser or on your device — only the structured transaction rows are transmitted to our servers when you choose to save them.
3. How your data is stored
Your data is stored in Supabase (hosted on AWS eu-west-1, Ireland). Row-level security policies ensure your data can only be accessed by you. We use encrypted connections (TLS 1.2+) for all data in transit.
Payment processing is handled by Stripe, Inc. We never store card details on our servers.
Mobile in-app purchases are processed by Apple App Store or Google Play via RevenueCat. We receive only a subscription status token, not payment details.
4. How long we keep your data
We keep your data for as long as your account is active. You can delete all transaction data or your entire account at any time from Settings. Account deletion removes all personal data from our systems within 30 days.
5. Third parties
We share minimal data with the following trusted processors:
- Supabase — database and authentication hosting
- Stripe — web subscription billing
- RevenueCat — mobile in-app purchase management
- Resend — transactional email delivery (email address only)
We do not sell your data, share it with advertisers, or use it to train AI models.
6. Your rights under UK GDPR
As a UK resident, you have the right to:
- Access — request a copy of the personal data we hold about you
- Rectification — ask us to correct inaccurate data
- Erasure — delete your account and all associated data
- Portability — receive your data in a machine-readable format
- Objection — object to processing based on legitimate interests
- Restriction — ask us to restrict processing while a dispute is resolved
To exercise any of these rights, email privacy@getspend.co.uk. We will respond within 30 days. You also have the right to lodge a complaint with the Information Commissioner's Office (ICO).
7. Cookies
We use a single first-party session cookie to keep you signed in (Supabase auth token). We do not use advertising cookies, tracking pixels, or third-party analytics scripts.
8. Changes to this policy
We may update this policy from time to time. Material changes will be notified by email. The "Last updated" date at the top of this page reflects the most recent revision.