Privacy Policy

Last updated: July 9, 2026

1. Data controller

The data controller responsible for the processing described in this policy is:

Space Cadet d.o.o.

Ulica Ivana Šibla 17, 10000 Zagreb, Hrvatska (Croatia)

Registered at the Commercial Court in Zagreb · MBS: 081627179

OIB: 36241253193

A limited liability company (d.o.o.) established in Croatia, represented by its founder Dino Sakoman.

Contact: hello@spendict.com

2. Information we collect

Voluntarily provided — your name and email address when you sign up, and the content you submit for assessment (ad creatives, campaign structures, performance metrics, targeting briefs).

Automatically collected — IP address, browser type and version, device type and operating system, log data (pages visited, timestamps, error details), and API usage metrics (request counts, endpoints, response times, error rates).

API keys — stored as cryptographic hashes (SHA-256). The raw key is shown only once, at creation time, and is never stored or recoverable by us.

Assessment results — scores, verdicts, and the model used are stored so your dashboard can show your account history.

3. Why we process it

We process this data to provide the Service you signed up for (performance of contract), to bill you (contract and legal obligation), and to keep the Service secure, prevent abuse, and improve it (legitimate interest). We do not sell personal data and we do not use it for advertising.

4. Third-party processors

The Service runs on a small set of providers acting as processors on our behalf:

  • Clerk — authentication and user management
  • Convex — database and backend hosting
  • Polar — payment processing and subscriptions (we never see or store your card details)
  • OpenRouter — model inference (the content you submit for assessment is sent to a model provider to be scored)
  • Vercel — application hosting and edge network

Each provider processes only what it needs for its function. Where a provider processes data outside the EEA, the transfer rests on recognized safeguards such as the EU Standard Contractual Clauses.

5. How long we keep it

  • Account data (name, email, settings): for the duration of your account, plus 30 days after deletion
  • Billing and financial records: 7 years (Croatian/EU accounting law)
  • API usage logs: 90 days
  • Server logs: 90 days
  • Assessment history (scores, verdicts): while your account is active

6. Security

We protect personal information with technical and organizational measures appropriate to the risk, including hashed credentials and least-privilege access. That said, no method of electronic transmission or storage is 100% secure, and no one can guarantee absolute data security.

7. Children's privacy

We do not aim any of our products or services directly at children under the age of 13, and we do not knowingly collect personal information about children under 13.

8. Your rights

Under the GDPR (and the UK GDPR where applicable) you have the right to:

  • access the personal data we hold about you, and receive a copy in CSV or another machine-readable format;
  • rectify inaccurate or incomplete data;
  • erase your data (account deletion completes within 30 days, subject to legal retention duties);
  • restrict or object to processing based on legitimate interests;
  • port your data to another provider where technically feasible.

We respond to data subject access requests within 30 calendar days, and we will never discriminate against you for exercising any of these rights. To exercise them, email hello@spendict.com. You can also lodge a complaint with a supervisory authority — in Croatia, the Personal Data Protection Agency (AZOP).

9. Cookies

Spendict uses only cookies that are strictly necessary for authentication and session management. Details are in the Cookie Policy. We do not respond to browser “Do Not Track” signals.

10. Third-party links and business transfers

Our site may link to external sites and services that have their own privacy policies; this policy does not apply to your activities after you leave our site. In the unlikely event of an acquisition, restructuring, or bankruptcy, personal data may be among the assets transferred to the acquiring party, which must honor commitments equivalent to this policy.

11. Changes

We may update this policy as the Service evolves; material changes will be announced on this page with an updated date.