Summit SpendSummit Spend

Privacy Policy

Last updated: February 27, 2026

1. Information We Collect

We collect information you provide directly, information generated through your use of our services, and information from third-party integrations.

Account Information

When you create an account, we collect your name, email address, organization name, and role. If you are invited by an administrator, we receive your email address from the inviting user.

Financial Data

When you connect bank accounts or corporate cards via Plaid, we receive transaction data including merchant names, amounts, dates, and account identifiers. We do not store your bank login credentials — these are handled entirely by Plaid's encrypted infrastructure.

Receipt Data

When you upload receipts or forward them via email, we process the images using OCR to extract merchant names, amounts, dates, and line items. Receipt images are stored securely in encrypted cloud storage.

Corporate Card Data

When your organization enrolls in the Summit Spend card program, we collect cardholder name, email, billing address, and phone number to facilitate card issuance through our banking partner (Evolve Bank & Trust). Full card numbers, CVVs, and PINs are stored by Stripe and are never retained in the Summit Spend database. We process transaction data, authorization decisions, and spending control configurations. Card sensitive details are subject to role-based access controls and audit logging.

2. How We Use Your Information

  • Provide, maintain, and improve our expense management services
  • Process and categorize transactions, match receipts, and generate reports
  • Use AI services to improve categorization accuracy (see Section 3a below for details)
  • Sync data with your connected ERP system (e.g., Sage Intacct)
  • Send transactional emails (invitations, approvals, reports)
  • Detect and prevent fraud, anomalies, and duplicate transactions

3. Data Sharing

We do not sell your personal or financial data. We share data only with:

  • Plaid — to facilitate secure bank connections and transaction sync
  • Sage Intacct — when you authorize the integration, to sync dimensions and export transactions
  • Stripe — for payment processing and card issuance
  • Infrastructure providers — Supabase (database), Vercel (hosting), and cloud storage providers, all under strict data processing agreements

3a. Third-Party AI Services

Summit Spend uses third-party AI services to provide optional automated features. These services act solely as data processors — we retain full control over your data and determine the purposes and means of processing. AI features are optional and require your explicit consent before activation.

Anthropic (Claude AI)

Purpose: Receipt text extraction (OCR) and transaction GL account categorization suggestions.

Data sent: Receipt images, transaction merchant names, transaction amounts, and transaction descriptions. For email-forwarded receipts, the email body text is also sent.

Data retention: Anthropic does not use API inputs to train models. Data is processed in real-time and not retained beyond the request lifecycle, per Anthropic's commercial API terms.

Voyage AI

Purpose: Merchant similarity matching to improve transaction categorization accuracy.

Data sent: Normalized merchant names, transaction amounts, Plaid category labels, and transaction description keywords.

Data retention: Voyage AI processes embedding requests in real-time. No user data is retained beyond the request lifecycle.

What is never shared with AI services:Your name, email address, personal identity information, bank account numbers, bank credentials, full credit card numbers, or your organization's employee data.

4. Data Retention

We retain your data for as long as your account is active. Transaction and receipt data is retained for 7 years to comply with financial record-keeping requirements. When you delete your account, we remove personal information within 30 days and anonymize remaining records for compliance retention.

5. Your Rights

Depending on your jurisdiction, you may have the right to:

  • Access and export your personal data
  • Request correction of inaccurate data
  • Request deletion of your data
  • Opt out of AI-powered processing via the AI Features toggle in the app's Settings, or by contacting us

To exercise these rights, contact us at privacy@summitspend.com.

6. Cookies

We use essential cookies for authentication, session management, and theme preferences. We use Vercel Analytics for aggregate usage statistics. We do not use third-party advertising cookies or trackers.

7. Contact

For questions about this policy, contact us at privacy@summitspend.com.