Privacy Policy
Last updated: June 2026
1. Who we are
SpendWeave (operator details at /impressum) operates the website spendweave.com and the related API at api.spendweave.com. Contact: [email protected].
2. Our BYON architecture — what we never see
SpendWeave is built on a Bring-Your-Own-Network (BYON) principle:
- Free Audit (CSV upload): your Capacity Metrics CSV is parsed 100% inside your browser using client-side JavaScript. The raw file bytes never leave your device and are never transmitted to our servers.
- SpendWeave Monitor (Tier 2): the monitor uses Azure Entra ID delegated OBO (on-behalf-of) tokens scoped to your own Microsoft Fabric tenant. Your capacity telemetry is read directly from your tenant and written only to a Kusto vault you control. We never receive, store, or process your raw capacity data in our infrastructure.
3. What we do collect
When you submit the audit lead form we collect and store:
- Your email address
- Aggregated summary metrics you choose to share (e.g. estimated recoverable spend, current SKU name) — never raw telemetry rows
- Anonymous page-level event counters (e.g. number of audit uploads per day) stored in Cloudflare KV — no personal identifiers attached
- Cookieless web analytics via Cloudflare Web Analytics — aggregate page views, referrers, and load-performance metrics. It sets no cookies, uses no client-side storage, performs no cross-site tracking or fingerprinting, and does not use your IP address to identify or profile you. See our Cookie Notice.
4. How we use your data
- To send you your audit report and product updates (transactional email via Brevo)
- To add you to our product mailing list (you can unsubscribe at any time)
- To improve our product based on aggregated usage patterns
5. Sub-processors
We use the following third-party processors:
- Brevo (Sendinblue SAS) — transactional and marketing email. Data transferred to Brevo is limited to email addresses and aggregated audit summary fields. Brevo is EU-based and GDPR-compliant (Brevo Privacy Policy).
- Cloudflare — CDN, Pages hosting, Workers (our API), and privacy-first, cookieless Web Analytics. Cloudflare processes request metadata in accordance with its privacy policy.
6. Cookies and storage
We use essential browser storage only. See our Cookie Notice for details.
7. Data retention
Email addresses and associated summary data are retained for as long as your account is active or as needed to provide the service. You may request deletion at any time (see §8).
8. Your rights (GDPR)
If you are located in the EEA or UK, you have the following rights:
- Access to the personal data we hold about you
- Rectification of inaccurate data
- Erasure ("right to be forgotten")
- Data portability
- Objection to processing for direct marketing
- Restriction of processing
To exercise any of these rights, email [email protected]. We will respond within 30 days.
9. Changes to this policy
We may update this Privacy Policy from time to time. Material changes will be communicated via the email address on file or a prominent notice on this page.
10. Contact
For any privacy enquiries contact: [email protected]